Edit tour

Windows Analysis Report
Ym9pCkdQCN.exe

Overview

General Information

Sample name:	Ym9pCkdQCN.exe renamed because original name is a hash value
Original sample name:	320d22e3d94232bf94d984a3f58ff702.exe
Analysis ID:	1526605
MD5:	320d22e3d94232bf94d984a3f58ff702
SHA1:	3493e2e6fcea69f57bc6009b499daf4c72f3d291
SHA256:	b31cd6ff73ee1167c0c40bba43ce9b665160383d0c2714986b56bed241c9711a
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates processes via WMI

Drops PE files with benign system names

Drops executable to a common third party application directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Ym9pCkdQCN.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\Ym9pCkdQCN.exe" MD5: 320D22E3D94232BF94D984A3F58FF702)

wscript.exe (PID: 7692 cmdline: "C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c ""C:\driverruntimeperfCommon\RppzIJI6o4vFZ4Y4XgyK.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sessioncrt.exe (PID: 7804 cmdline: "C:\driverruntimeperfCommon\sessioncrt.exe" MD5: 3BB547F1542863E0A6E80E2C6F330C0C)

schtasks.exe (PID: 7868 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7884 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7900 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7916 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7932 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7948 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7964 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 12 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7980 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7996 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 12 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8012 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 5 /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8032 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8048 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 11 /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8088 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8104 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8120 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8136 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8152 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8168 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8184 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 13 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5220 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7216 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 8 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7276 cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\driverruntimeperfCommon\wininit.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7412 cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driverruntimeperfCommon\wininit.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 756 cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\driverruntimeperfCommon\wininit.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 964 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6052 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1196 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1036 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 11 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1796 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1872 cmdline: schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 6 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1984 cmdline: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3116 cmdline: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

rxlSpmEkQUyDvxlFic.exe (PID: 7416 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe" MD5: 3BB547F1542863E0A6E80E2C6F330C0C)

rxlSpmEkQUyDvxlFic.exe (PID: 752 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe" MD5: 3BB547F1542863E0A6E80E2C6F330C0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"w\":\"(\",\"B\":\"|\",\"g\":\"#\",\"O\":\"^\",\"u\":\">\",\"s\":\")\",\"L\":\"%\",\"R\":\"$\",\"o\":\"!\",\"m\":\"~\",\"U\":\"<\",\"3\":\"&\",\"M\":\"-\",\"X\":\".\",\"J\":\",\",\"i\":\"@\",\"9\":\"*\",\"l\":\" \",\"Z\":\"`\",\"c\":\"_\",\"y\":\";\"}", "PCRT": "{\"S\":\",\",\"Q\":\")\",\"I\":\"(\",\"l\":\"@\",\"D\":\".\",\"b\":\"#\",\"=\":\";\",\"c\":\"!\",\"6\":\"$\",\"w\":\"*\",\"e\":\"<\",\"i\":\"`\",\"x\":\"^\",\"p\":\"&\",\"f\":\"%\",\"X\":\"-\",\"0\":\"_\",\"y\":\">\",\"M\":\"|\",\"j\":\" \"}", "TAG": "", "MUTEX": "DCR_MUTEX-x64VGaVbuWCA9cgqvN7U", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.1476943848.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.1557234858.0000000002809000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.1476943848.0000000002961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.1557234858.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001F.00000002.1557304331.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: sessioncrt.exe PID: 7804	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: rxlSpmEkQUyDvxlFic.exe PID: 7416	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: rxlSpmEkQUyDvxlFic.exe PID: 752	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\driverruntimeperfCommon\sessioncrt.exe, ProcessId: 7804, TargetFilename: C:\Windows\Setup\State\RuntimeBroker.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Ym9pCkdQCN.exe", ParentImage: C:\Users\user\Desktop\Ym9pCkdQCN.exe, ParentProcessId: 7612, ParentProcessName: Ym9pCkdQCN.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe" , ProcessId: 7692, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\driverruntimeperfCommon\sessioncrt.exe", ParentImage: C:\driverruntimeperfCommon\sessioncrt.exe, ParentProcessId: 7804, ParentProcessName: sessioncrt.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f, ProcessId: 8136, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Ym9pCkdQCN.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\driverruntimeperfCommon\wininit.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\TAPI\winlogon.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Mail\TextInputHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\driverruntimeperfCommon\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Reference Assemblies\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\Setup\State\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000005.00000002.1476943848.0000000002961000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"w\":\"(\",\"B\":\"|\",\"g\":\"#\",\"O\":\"^\",\"u\":\">\",\"s\":\")\",\"L\":\"%\",\"R\":\"$\",\"o\":\"!\",\"m\":\"~\",\"U\":\"<\",\"3\":\"&\",\"M\":\"-\",\"X\":\".\",\"J\":\",\",\"i\":\"@\",\"9\":\"*\",\"l\":\" \",\"Z\":\"`\",\"c\":\"_\",\"y\":\";\"}", "PCRT": "{\"S\":\",\",\"Q\":\")\",\"I\":\"(\",\"l\":\"@\",\"D\":\".\",\"b\":\"#\",\"=\":\";\",\"c\":\"!\",\"6\":\"$\",\"w\":\"*\",\"e\":\"<\",\"i\":\"`\",\"x\":\"^\",\"p\":\"&\",\"f\":\"%\",\"X\":\"-\",\"0\":\"_\",\"y\":\">\",\"M\":\"|\",\"j\":\" \"}", "TAG": "", "MUTEX": "DCR_MUTEX-x64VGaVbuWCA9cgqvN7U", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Reference Assemblies\csrss.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\rxlSpmEkQUyDvxlFic.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Mail\TextInputHost.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Portable Devices\rxlSpmEkQUyDvxlFic.exe	ReversingLabs: Detection: 81%
Source: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\rxlSpmEkQUyDvxlFic.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\Setup\State\RuntimeBroker.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\TAPI\winlogon.exe	ReversingLabs: Detection: 81%
Source: C:\driverruntimeperfCommon\dllhost.exe	ReversingLabs: Detection: 81%
Source: C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe	ReversingLabs: Detection: 81%
Source: C:\driverruntimeperfCommon\sessioncrt.exe	ReversingLabs: Detection: 81%
Source: C:\driverruntimeperfCommon\wininit.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: Ym9pCkdQCN.exe	Virustotal: Detection: 73%			Perma Link
Source: Ym9pCkdQCN.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\driverruntimeperfCommon\wininit.exe	Joe Sandbox ML: detected
Source: C:\Windows\TAPI\winlogon.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Mail\TextInputHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Joe Sandbox ML: detected
Source: C:\driverruntimeperfCommon\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\csrss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Joe Sandbox ML: detected
Source: C:\Windows\Setup\State\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	Joe Sandbox ML: detected
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Ym9pCkdQCN.exe

Joe Sandbox ML: detected

Source: Ym9pCkdQCN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\24fab4fe41bce1	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Mail\TextInputHost.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Mail\22eafd247d37c3	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Portable Devices\rxlSpmEkQUyDvxlFic.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Portable Devices\24fab4fe41bce1	Jump to behavior

Source: Ym9pCkdQCN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Ym9pCkdQCN.exe

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00E8A5F4
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00E9B8E0
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EAAAA8 FindFirstFileExA,	0_2_00EAAAA8

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: sessioncrt.exe, 00000005.00000002.1476943848.0000000002E41000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00E8718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00E8718C

Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\Setup\State\RuntimeBroker.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\Setup\State\9e8d7a4ca61bd9	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\TAPI\winlogon.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\TAPI\cc11b995f2a76d	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\ImmersiveControlPanel\pris\6dd19aba3e2428	Jump to behavior

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8857B	0_2_00E8857B
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E970BF	0_2_00E970BF
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8407E	0_2_00E8407E
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EAD00E	0_2_00EAD00E
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EB1194	0_2_00EB1194
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EA02F6	0_2_00EA02F6
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8E2A0	0_2_00E8E2A0
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E83281	0_2_00E83281
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E96646	0_2_00E96646
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E827E8	0_2_00E827E8
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E937C1	0_2_00E937C1
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EA473A	0_2_00EA473A
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EA070E	0_2_00EA070E
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8E8A0	0_2_00E8E8A0
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8F968	0_2_00E8F968
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EA4969	0_2_00EA4969
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E96A7B	0_2_00E96A7B
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E93A3C	0_2_00E93A3C
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EACB60	0_2_00EACB60
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EA0B43	0_2_00EA0B43
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E95C77	0_2_00E95C77
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9FDFA	0_2_00E9FDFA
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E93D6D	0_2_00E93D6D
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8ED14	0_2_00E8ED14
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8DE6C	0_2_00E8DE6C
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8BE13	0_2_00E8BE13
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EA0F78	0_2_00EA0F78
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E85F3C	0_2_00E85F3C
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Code function: 5_2_00007FFB4AE2C70D	5_2_00007FFB4AE2C70D
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Code function: 31_2_00007FFB4AE4C70D	31_2_00007FFB4AE4C70D

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: String function: 00E9ED00 appears 31 times
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: String function: 00E9E360 appears 52 times
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: String function: 00E9E28C appears 35 times

Source: sessioncrt.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: winlogon.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: TextInputHost.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: Ym9pCkdQCN.exe, 00000000.00000003.1414900933.0000000006662000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Ym9pCkdQCN.exe
Source: Ym9pCkdQCN.exe, 00000000.00000002.1419831564.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Ym9pCkdQCN.exe
Source: Ym9pCkdQCN.exe, 00000000.00000003.1419029683.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Ym9pCkdQCN.exe
Source: Ym9pCkdQCN.exe, 00000000.00000003.1415964810.0000000006F76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Ym9pCkdQCN.exe
Source: Ym9pCkdQCN.exe, 00000000.00000003.1416464379.0000000006F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Ym9pCkdQCN.exe
Source: Ym9pCkdQCN.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Ym9pCkdQCN.exe

Source: Ym9pCkdQCN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, o7wlFyWDDTJvaeWxg9D.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, o7wlFyWDDTJvaeWxg9D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, o7wlFyWDDTJvaeWxg9D.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, o7wlFyWDDTJvaeWxg9D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, EsTQ0bm1tMuIDJPgQt5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, EsTQ0bm1tMuIDJPgQt5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, EsTQ0bm1tMuIDJPgQt5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, EsTQ0bm1tMuIDJPgQt5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/33@1/0

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00E86EC9 GetLastError,FormatMessageW,

0_2_00E86EC9

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00E99E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00E99E1C

Source: C:\driverruntimeperfCommon\sessioncrt.exe

File created: C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe

Jump to behavior

Source: C:\driverruntimeperfCommon\sessioncrt.exe

File created: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Mutant created: NULL
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\921bc9384fb720506d7e0290aac2ddda08769377
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\driverruntimeperfCommon\RppzIJI6o4vFZ4Y4XgyK.bat" "

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Command line argument: sfxname	0_2_00E9D5D4
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Command line argument: sfxstime	0_2_00E9D5D4
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Command line argument: STARTDLG	0_2_00E9D5D4
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Command line argument: xj	0_2_00E9D5D4

Source: Ym9pCkdQCN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ym9pCkdQCN.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ym9pCkdQCN.exe	Virustotal: Detection: 73%
Source: Ym9pCkdQCN.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

File read: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ym9pCkdQCN.exe "C:\Users\user\Desktop\Ym9pCkdQCN.exe"
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\driverruntimeperfCommon\RppzIJI6o4vFZ4Y4XgyK.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\driverruntimeperfCommon\sessioncrt.exe "C:\driverruntimeperfCommon\sessioncrt.exe"
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 12 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 12 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 5 /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 11 /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 13 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 8 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\driverruntimeperfCommon\wininit.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driverruntimeperfCommon\wininit.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe"
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\driverruntimeperfCommon\wininit.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe"
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\winlogon.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 11 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 6 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /f
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\driverruntimeperfCommon\RppzIJI6o4vFZ4Y4XgyK.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\driverruntimeperfCommon\sessioncrt.exe "C:\driverruntimeperfCommon\sessioncrt.exe"	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: version.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: wldp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: profapi.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\24fab4fe41bce1	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Mail\TextInputHost.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Mail\22eafd247d37c3	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Portable Devices\rxlSpmEkQUyDvxlFic.exe	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Directory created: C:\Program Files\Windows Portable Devices\24fab4fe41bce1	Jump to behavior

Source: Ym9pCkdQCN.exe

Static file information: File size 1163420 > 1048576

Source: Ym9pCkdQCN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Ym9pCkdQCN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Ym9pCkdQCN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Ym9pCkdQCN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Ym9pCkdQCN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Ym9pCkdQCN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Ym9pCkdQCN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Ym9pCkdQCN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Ym9pCkdQCN.exe

Source: Ym9pCkdQCN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Ym9pCkdQCN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Ym9pCkdQCN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Ym9pCkdQCN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Ym9pCkdQCN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	.Net Code: iNQmGm6ppZ System.AppDomain.Load(byte[])
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	.Net Code: iNQmGm6ppZ System.Reflection.Assembly.Load(byte[])
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	.Net Code: iNQmGm6ppZ
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	.Net Code: iNQmGm6ppZ System.AppDomain.Load(byte[])
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	.Net Code: iNQmGm6ppZ System.Reflection.Assembly.Load(byte[])
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	.Net Code: iNQmGm6ppZ

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

File created: C:\driverruntimeperfCommon\__tmp_rar_sfx_access_check_7246312

Jump to behavior

Source: Ym9pCkdQCN.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9E28C push eax; ret		0_2_00E9E2AA
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9ED46 push ecx; ret		0_2_00E9ED59

Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, SYeH8AWb9CZlcXBf1BE.cs	High entropy of concatenated method names: 'YBJ4fy9ite', 'vBI4TfQcM9', 'Ixj4x28fp2', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'QPr4JeWnRU'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, dd5ZAFRsYcrNSZl1bYy.cs	High entropy of concatenated method names: 'DoBp6byya2', 'knUpa4jO44', 'Am1ps6Y4i9', 'gb4p5D4hvT', 'AEUp9Gqt23', 'jf7YUaU1u5N6ekRYRJq', 'pHD8ccUYaNP5GpsJiW0', 'Ah5Jo04DERoy03Kg6BI', 'DAyWqa4zqhmIEcH0qq6', 'FJbqJJUNIIwoNmKO7aL'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, uUXbgXWa8PjVdBfIVa2.cs	High entropy of concatenated method names: 'ktTUXyu5q2', 'PJIU6pepdp', 'A1GUaawSrZ', 'DXhUs35f4I', 'q7AU5DSkxA', 'Aki3YbGnjem4J2eYdPr', 'B8vFmwGKgPm2oJ5o6s7', 'iVSiTIGDBa4IQVB7diY', 'FNkxxEGzSB63vMGr2SM', 'u2Tcati1gwGmP9OPkxS'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, xE6bg4mzq2g2FCUTw9q.cs	High entropy of concatenated method names: 'tUdTCFZyii', 'WlQTbqK8b7', 'zakTMyY0DY', 'gKO8Htvi9Hb1Lu0pk9C', 'skvvD5vVF4PapHkaNTf', 'qo6fotvlocrCVL79Nyn', 'mdO8pdvG1ctL1WC76no', 'waiKQjvq6dEEL5WRKE0', 'z33dQAvrN0uTvD63RdV', 'UFIPAKvH2cWV5nduLUj'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, YNKPnDWRWSlKqnYmH4F.cs	High entropy of concatenated method names: 'lTvUiJ1jF0', 'wK8UfFS20A', '_8r1', 'tTEUTPmT7i', 'LKoUxNnmqf', 'zkXUJO3axI', 'jFuUvDVRPo', 'GHTlG6GUDaKjDrSRt0J', 'lNZvsIGsf1LN2YjiXIU', 'iQ0eOiGtWgRWTLsYXo1'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, WZAIgbWqAJMvhNR9DMp.cs	High entropy of concatenated method names: 'H81MsS73F1', '_1kO', '_9v4', '_294', 'duVM5UiPVg', 'euj', 'dJUM920Vo6', 'jKSMN9iHdV', 'o87', 'gsoMUOs3Rp'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, Dw2wEBpYF3JcXOSfKbP.cs	High entropy of concatenated method names: '_7zt', 'DCqv19ePgG', 'ipyvXXxSrT', 'EgDv6fkbPm', 'gjuvasV2LH', 'tsGvsOqMBm', 'tQSv5OF0TX', 'xDuYAxBI8Z52r2B4SAQ', 'p8VJ2mB3bmDkM5q3nkU', 'aq1Q2VBMUMlDxwAV0Au'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, tUVbQApAnhZSPSpC1ki.cs	High entropy of concatenated method names: 'L4evp4M0ey', 'DWEveDlNkt', 'V4rvWGLPw7', 'BWlM9QBsQgJiPh5a1so', 'cc5tyUBte4xPhHMiVou', 'iupJkBB4TLuS2CyIOoJ', 'nGnRZMBUfKHVde1bpkT', 'DAKGDGBZSLkQ6ZyJsKO', 'EU4TfuBk9QNWGCxQiXh', 'M0tBumB2AKgvL3a3CnO'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, IY2fORE7kx5mg0Qw6vw.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'BfUDUu0oPWBXPRKW2cu', 'vX9wEj0XKgef1u808Dd', 'HnwaFv0AaxfFtWPNV6Y', 'D8NA4b0CFjfyfHQIwRq', 'pv9Kca0niMpLOVL6Wt7', 'aH2ECS0KKI7c78eK7Pr'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, RbHI8BRAEWTmDULj7Jm.cs	High entropy of concatenated method names: 'lT5mwibaT5', 'xcqmQOnbDM', 'nW95nWWkBgh7Cf7Y2Fv', 'dIcWN0W2yLGVotq37sr', 'iLcGhfWMP6G5L6QMrrW', 'cLudjWWekSYSXVR35M1', 'kP1hKdWIF6X9maW8r0p', 'AeoghEW3ZyiILl22Fsl', 'NnLucVWv4GY3Tv36f9w', 'NlYjUvW6MA7ud45pnec'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, m8Ixwcm9hrh2fjMYwfB.cs	High entropy of concatenated method names: 'GiafIOWate', 'uOvfhDJgtE', 'mhWVqEIZBrkxuwCLxh8', 'YU7E3qIkoxnDsnMpxTh', 'EppdrCIseabOLRqaHZt', 'S849j8ItUbU4gFQelTB', 'yVuhXvI2VgifjXApVnm', 'tsJkkLIMEU5wGcWu3p6'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, eYKhuUWF080W1rLh24m.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'sV94Nah4CG', 'mZj4UX3jvH', 'vjK449goXX', 'qrZ4CoogDP', 'CF04bGfua1', 'pfg4Mg7cxZ', 'CB7QYgVmSscBqZDswSA'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, bLrktyFKKN5dfsuYwM.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'R2pHtaxif', 'P0BqY7NkysmrlBnPIpM', 'Q2JcRFN2QQ7XJQjgs3J', 'AnxXfkNM73vlMHUqxcQ', 'i8ejJENeYV7oHbwcwit', 'WRHRa3NIRoR4iFQNMhr'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, OTLNchpeEqRT4XPkJam.cs	High entropy of concatenated method names: 't0LJA6JdUy', 'YsKnrK6ZQcm9lsQrrte', 'swU7nE6kal72aV98adn', 'g0vX3G6sfhem3DWJd9b', 'veSDxi6t18qkHf9nEqI', 'y84Tu6QiIR', 'nQHTFsaxRP', 'xQoTIOouX7', 'lJuThrsvyE', 'IoZT2DhAVu'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, cypyELeQZTe9yknq1Pu.cs	High entropy of concatenated method names: 'idQNC0lEK3', 'wl8NbunmRv', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'hChNMuvYwi', '_5f9', 'A6Y'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, WgxeUuBNjsJX7iBjy7h.cs	High entropy of concatenated method names: 'K4NF9qilZu', 'PGBFNBdlgu', 'kpRFU7RdPS', 'pi7F4ABVRR', 'VvAFCfHa75', 'VrHFbWiWWE', 'NXIFMHTvgw', 'CoWFuQlCD0', 'jhCFFsXXIM', 'o8cFIPorMr'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, Wc7fwjm7peZvwjhNfme.cs	High entropy of concatenated method names: 'mCiiymvwYc', 'UPBiqpAjvL', 'JoBiSE85BO', 'JCcJjOMHIACrHkJtgss', 'L7dOQfMTc2ELNEAp6bM', 'RogHg4MQZXANwCycThv', 'hbhyvOMF0LG7RkdM43M', 'HlSZUBMRMqvPv2acRd3', 'DOWgusM9B8nJvk8fGMl', 'G2EVXTMoe7d2ErSCwsK'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, s1AYIImvmwZkEgVptu6.cs	High entropy of concatenated method names: '_223', 'JhdjQeMtiwyGnD0Cw4j', 'zCQj8EMZB84479c0l3w', 's0dtg0MkUiTZeJWjOKH', 'JRyoTPM2tk8Y0OxFHQ6', 'bs2a7vMMQpe8q9p7koh', 'KSSa9XMeT3ofmWNTANC', 'BGbwepMIbFpDAy9IKxh', 'OcWCD6M3USVnC2AMg3j', 'Q7gRqaMvgrZofSuKWJY'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, B6TMugefmMU4jC4pOdu.cs	High entropy of concatenated method names: 'yKm9XxdreS', 'Fv596bRqwo', 'Dcd5W4wXKVx7JLFyyH3', 'a5g2AGwArwvPJB2hXeo', 'OCspeHwCDyAA7HLJTZP', 'UnAaxnwnZKmGGl1RNXZ', 'dey1B4wKI0E5YSJ7u4P', 'XIM85IwDWpdfwoHLEjr', 'ggMqnOwzKZoATD8BXuq', 'DbKJsMm1POlU4sV5oqs'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, Xyeph9CNINwHUJ7qup.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'jyvqnKN7vHmX3x5IHfn', 'bFRrPvNdvDPJRXIpX25', 'jsnRDONa3R6Nc35wioC', 'MXGa9oNSyj4Iq48Gbi2', 'QjSBWlNWmcKbhIslK6A', 'FqCaToN4wpeQ2XIB2Mk'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, AwES5CEcJ6vallVO2EO.cs	High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'j1SPFc7htQErltXQhT6', 'eoTxUN70WoonDKvvq80', 'idMYgk7fKJZJmAPc95D', 'oy9kFI7uwf14FJSAd1w', 'a62EAh7OoKjeFsqZw78', 'Ff9ftk7pOYd0lfHrq9C'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, UXToJltRnv0DdIIICe.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'xPLMdFgwpv3Of4whK34', 'ega46mgm4qo5AOdOtLd', 'vlWDDjgjNE2r6ebhv6Z', 'FsKXthglbIaPq90OACk', 'SjcU76gG3vLnbEcqied', 'uCUaltgih7dEDjvEy2u'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, WEcIGPpog5LEcg8q17X.cs	High entropy of concatenated method names: 'Cq5Gwtg5tl', 'RGOG2avIgG', 'fj3GjR9S8a', 'gRIGOPpd7P', 'cXEGtecXHY', 'cEmGnwBdU9', 'RfoGHEhAdk', 'zv9GKsKKHP', 'ULvGkIOSpZ', 'LaCGPwGYpc'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	High entropy of concatenated method names: 'GutmIjCYFs', 'jjKmhZu97L', 'ynKm2TYvkF', 'KDrmjcMPSk', 'nXHmOHnfgy', 'nREmtEPOMt', 'NL5mnm0gBV', 'UxH7txSv6QGOxCQPWls', 'SoxbBsSI88uVUUURY75', 'BOJMqHS3rtlPjfxtq27'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, gGfTJtEBjgRJqeF3w9u.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'SbDQqwhAAIhBE0ymu7r', 'jQMnlRhCLoqs0TRVLmk', 'A672QDhnWsDCTMwY1mw', 'ftlRSAhK9j1RN7J9Xp9', 'Npj136hD5Y7iLmklMPG', 'BigkZchzX1Iyj0D4di0'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, aXe5ovR2RvUUSrDy20Y.cs	High entropy of concatenated method names: 'KDXeMe5ovR', 'u1XgBFsK1kAjXUAycxW', 'i9vVdcsDhZdMYSZ24FR', 'oApebjsC9XcaJg6s7iT', 'RpZoJFsn2kUFaZUBM4X', 'KLYwMsszJE59dQj1Kbr', 'oQ5sYIt1HKkbnwtncDX', 'FuDwGPtYHy5ABMd0cC9', 'jB52whtNI9msOsP0PmU', 'EJgRBAtguUNpixYeraE'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, xAjrHRjbFQexHZKarg.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'e1f5a6NKxklRouiyA4c', 'spIWeeNDn0Fn2DlryW3', 'PjYqofNz6SQYoxpuX2E', 'OZeinUg1y2ECICiYjCK', 'wqJhdkgYR5ajrkp8qUj', 'bbAZFfgNt4fbnb4j8UM'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, moXbS2EfHcvrAghmoyH.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'sPswGK00iBS25TkPIoj', 'rBjZp40fnUAJmOBHH8r', 'PE6FhX0uip4OBZ4fdEh', 'cY6xL60cumA9wlXFWHS', 'klojwX07FJngrt9pwoM', 'fX4A0D0drp5nvMjyJMb'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, mnBbkCEtoG1anPY7TjG.cs	High entropy of concatenated method names: 'XSREwJN3Dk', 'c5qsvWcmrHFPZf3gUW8', 'vHAGXBcjUEMKUMm6Cnh', 'dLW7Wic8I9UD6ggKhcc', 'u0X3S7cwo69NITusSkU', 'Vj1WRWclhTQiWKuqB1Q', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, cLo9uLmo1hTqydkd2mM.cs	High entropy of concatenated method names: '_269', '_5E7', 'GXniCh4GOD', 'Mz8', 'JZOimUov61', 'jiVMwZ39a1K87qV7mhW', 'h0PjmG3olbt24xUV4n4', 'kJHI583XSwGTs783goU', 'Kl6JBc3AdxKlDQB4esf', 'jTarkf3C9DxQ2tGFFED'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, KMKZJPgPrZSRJN3Dky.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'ITWyMIprxeU6gUZbh5d', 'P2pXFRpHDt4BMUYnIAv', 'ifZtMjpTxrPdZWdb7bY', 'B8JAtIpQTcQGgGJNDV1', 'nGugYOpFIbXjKaRWytV', 'eBpfrYpRVtSBH0vM245'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, uicB0QElv8gK4jeDpwo.cs	High entropy of concatenated method names: 'sCvRxWK1D0', 'Vf1RJmYs0b', 'QvHCOy7dZyPoD1yJain', 'eflZe17cyeLgUI8ajo0', 'qLp9gO779L0kU3PsEut', 'V881pX7a0vWs5ucwYxV', 'KvJWxk7SpY1N8OacO2P', 'EsgQO67WXcTgxKbNDot', 'I6sRvy74c9hfXpTXSjV', 'FH3uCC7UTlyp7Anq3X2'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, k019sqmyQOlADwWFyTa.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'A3si2JuHt8', '_168', 'A6xFmr36Lug1VFqGRwt', 'aw2dXx3BxDeHv3clpy8', 'YRigmf3ykMeSxtV8wRS', 'ahI1YK3Lw3FEWGFc4cu', 'dGqm7E35nXFvmsSZQkJ'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, XRHZt2sxEyUJZTuJFA.cs	High entropy of concatenated method names: 'PuD93HXBJ', 'GRRNQbUYq', 'mEDUd7vLq', 'IdO4Kxd6Y', 'axSCQ0kdP', 'Jt6biZ6Uw', 'QJ3MO9MmU', 'zgZ4sRYfWfeivBQjCD5', 'LyilCSYucB4D7LMZwdu', 'qasc7hYc0kUd60uswoN'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, nKw09ip6AfP9Kfce3L2.cs	High entropy of concatenated method names: 'M1QvhdHdjR', 'wVKv2ZudBv', 'HHsvje73xa', 'CKNvOOoyvI', 'dEIvtvIrCd', 'YhnRxIB8a3CvBLBa3D2', 'TwaZt5BwWNBhSj5TW4t', 'ahNaCrBPBKKa01EjYX1', 'ciksLCBEaMpr8vvyM65', 'jD2gXEBmNwwm3y8u4Z9'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, dWOCohRGxpKbFNoe7ng.cs	High entropy of concatenated method names: 'M5vmgMvQ3d', 'dZnPsqWgEJYCi2lYhjx', 'bI7duZWOo5fpOd4Po5A', 'KwFdYGWY7vrL5jQfwYg', 'KLTYlFWNPwKsR2d79RR', 'tDmQmmWpKGKvZPfjTDr', 'WxehOxWhd0dkXQHoMTB', 'nGrEbEW0v88dExZAFxS', 'bBVywoWf4M8mgVFwvTZ', 'IgaexxWuTCiDwbq6TKt'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, cP1YX1hCYXg1i4ox5V.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'HdXPZXoBs', 'IPXm39N8aSH8tFMWbgS', 'HTVGLANwDmVZRoseHOA', 'hrul2INm4ATaDj9Zbrb', 'XeRuLENjxfs4AeQNtLp', 'PgO34ONlBx5bV3dPQYm'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, YKKjQeEyTZWvqWa7nwy.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'FT16Nl7MQrmBPXVZ62j', 'DrLq0R7eGy2Xsh9abmJ', 'nXCyTN7IMdRlIe6Q2jY', 'ldZcl773I8Hnj107U0O', 'S7iLa77vThfLNkdTN3S', 'DTMJQJ76jSVhIC20Z0J'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, vh4ejIRD1nXpnUeVPYo.cs	High entropy of concatenated method names: 'q6URNsxEnD', 'D1nRUvaV65', 'NVDR4lQDDw', 'stApAldPj6j0TPor9nf', 'NkWKWLdEeMtZHTZgsqy', 'XKbOLjd8FbvmfHgAtMM', 'SqIyAVdwCm6cbweD4Q8', 'i002mZdmTLVb9eG8vsc', 'fuRMLldjDOHo9tUb1A6', 'PocBiWdbig7I3OQNnxf'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, kMvQ3dEShI8ZE4KPvT5.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'CLT3G07xgne7iVuCE9k', 'YZ9In17PWEwLkFAxy8G', 'Y0xGPe7EHHuAO2uCwFR', 'HrXO8d78kHvC9a7A9nL', 'uBG0HD7w637RNvCnMIy', 'frSCZR7mUm7CWKdOxJo'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, MjylP3ENeqUKBov4lbO.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'aLHrglfToBSmLbUhbkI', 'Xgh0UYfQ3aqpTNSonZy', 'hLS9CqfF2kpKcXpEsXP', 'V4wXjufRCDYI7KGJUlq', 'r90aGdf9VVCUpBo0tHW', 'ld1sa8foXyvUOarWqk5'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, bHoPYqRQ5e20heNha0s.cs	High entropy of concatenated method names: 'WinBNRDrR7', 'VmcsZcZRegOi74XDGGE', 'KC19oFZQO9l85r98a9P', 'gX7jrsZFU0jrIAJZ8Y7', 'IJWw3EZ91rBHNtPTEFK', 'RGTaqFZo1swt3YUGvlT', 'Ck7BYllywE', 'MYTB1ZoYL1', 'dh3BXoAHoi', 'x9aB6wfAxV'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, NVDlQDExDwcHr5jyZ2f.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'awUp5E0kUk2VNKNu9JT', 'gas6K502R8lWjXT2AMr', 'CeH2oY0MfX4o74QFy7f', 'loo0bJ0eDFgSPi2kA5C', 'oM75Ty0ILAkB45hQdHA', 'YqhTUI03F2jSRmo6w41'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, A1i5PVE2bqQZkkCThgs.cs	High entropy of concatenated method names: 'PU2EotB3sw', 'DQNRh1cv1VqjedUKZwN', 'DJux57c6tQdoPZs7C20', 'DN1ryHcIKMghxDQogju', 'P7mRMxc3Yqe2T1bPgNb', 'E90L5mcBGp2kfuovkrf', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, yi87aSUmrrSmYdI8vU.cs	High entropy of concatenated method names: 'say2ivsMK', 'SKLjE7QlB', 'YS6OpPvaZ', 'w3XsWgYjVX4RgFR2JQf', 'SVDj20YwtOHt7O7NRxu', 'T2VlKmYmSrDfq4Eh9PK', 'p0WwV4YlA8qTDTbFpc7', 'tfHuySYGoSTGnmi8rCC', 'rlJBUAYiNXdOD8La6tS', 'uyw2wJYVnQXoqqsZ5hr'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, o7wlFyWDDTJvaeWxg9D.cs	High entropy of concatenated method names: 'sjdNLxEylu', 'FBNNlCfsmL', 'NT5NVaUkAp', 'GBoNySHc81', 'I2oNqXyyVI', 'EnPNSg9xcR', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, IS8A3qEmcCAhgl1gShE.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'oVlqjRhJlNPKOju60gk', 'vt7PvThbQTWGerUyf8g', 'l8rBfGhxZTj2iN3V6Ii', 'W4HMrKhPknnccc94Viw', 'esVpTFhESXVqnCu1oww', 'wxqDQgh8GUaF8iG1O6a'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, MWTZdZmknW4OREkjIWW.cs	High entropy of concatenated method names: 'sg9', 'ygdiwXZW9s', 'xrvfw5Ru9L', 'KgMiciJIQU', 'iSyj78IQs6wdmsw40ZN', 'RfRjpYIFiuuhYNxSXHF', 'vq84YuIRETUWieSIbl1', 'JIROfvIH27dLYqW9lKt', 'kl720MITppV4nxCh5vC', 'LZ6f6dI91mG2PSWLfkD'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, MyO24gmEnPw0QkSnwa1.cs	High entropy of concatenated method names: 'ExBBMIR1pt', 'NiDBuuiugC', 'QmOBFjCPTx', 'XGCBIyj4A1', 'gOln3GZzHmHfRB9rwPY', 'wd9QSEZKTCrO57FYp4y', 'vyy4r3ZDwRs95e2GeLA', 'zDfYF0k15gDq0po8kpt', 'r1wJlpkYYvUBSKEm4qf', 'dqvaTmkNFOIbkiWvs3C'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, gAFix0ermFHigbk4suQ.cs	High entropy of concatenated method names: 'w73NpN3Uxa', 'jysNeK8HvP', 'fV6NWT7BQr', 'QouNBmBX0M', 'PMFNiuVmvf', 'rJHNf7XOld', 'moMNTQTgi5', 'f0wNxMNP5F', 'qxBNJogaNi', 'SWcNvSWlVc'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, QIflb9WN4urpDE0ZZ2Q.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, fAqZpTBxLWhwh1kLxZ4.cs	High entropy of concatenated method names: 'L9MFoBZZUQSfF', 'vjL2P5H4yx7fJDLE8FG', 'zAVQEaHUnZXA745ORwa', 'a027pHHsYOiM5TKOXXc', 'j1dk8FHtViet4Suh7M1', 'R4v3VaHZRlI0ovGkv5S', 'SMwSfNHS5rtPJP94kMK', 'oQufJcHWqrZwBte0DmU', 'b3GvctHkEmelddc92xO', 'U9X4bpH2UanMGrsWxsV'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, Q7mXCXRXoO6PyZLZp84.cs	High entropy of concatenated method names: 'zSvpdsh4ej', 'E1npGXpnUe', 'xjayVw4voLHPZR83U6X', 'zWeaF846cHngUMnyXo7', 'Fn6iji4IwnbHlSm4BVo', 'qySOXx43aEaaZhouuDp', 'm5PJSE4BpEg43cVH4t8', 'jVCk8H4ybqYpJQtsNuR', 'N1ON7Y4Ln7T3PljFSpM', 'hK5frK45ijQxa7UQwxf'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, EsTQ0bm1tMuIDJPgQt5.cs	High entropy of concatenated method names: 'F7Tf3Suw3K', 'Y09f7iAfP9', 'LfcfAe3L2q', 'aKPosWeqiYhmEuRni0A', 'meQU64eixXbNE2Yy8lt', 'qqcs4DeVl33MBlpmWis', 'x0GMoyer9NTlrT6Gouo', 'G6UfWVbQAn', 'FZSfBPSpC1', 'Lirfirbdvv'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, F4pU7qpf1twyqw3CERG.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, gE85BOpxDWlYVcJa0PY.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, POxYb6majCugg930xK1.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'oSRPHBISNiRxZSWsUEi', 'EfHPv7IWmxjWtQ9BxjY', 'smJyYdI4Ie6Z1Pcv2Kj', 'RZi8UgIUIXK7C4d4LEK'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, j1aI6IWWrtxLEDrMRcM.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, oUEOvMmSVVyymVXQA0n.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'GSPTxlW6ZX', 'PwrihR4SNo', 'mWRTJ3ZOna', 'D7Gi0C0sC9', 'NCEYtn3jWK8Xvn79HrN', 'ilOdUR3lxlnFmPC4Rvo', 'hq2MhF3wirKl1Hd2qNl'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, aICqgXowTHrlU2tB3s.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'bRl5wLpLg5SgWZBOj0o', 'GQNtYop5UFefIqOCAsI', 'CebtugpJ0Ar8islRw2y', 'pFgXN4pb3aOWahIaWfp', 'QWWxkTpxjw0gGd2x6R3', 'RPV47opPRbdZRFVuUQn'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, DhySBZE0EOxtKUBA5NB.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'pf4TO4f1xuF2BQnx2j2', 'b10KHCfYvD59lJuN7Vd', 'UoH4rRfNjyr0XkCYBig', 'dXbf2AfgnrgAUidcMQx', 'zY1NF3fOq6vC6J6JGTO', 'qZhCxLfpFxAJohlCvP3'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, uU8Zjfe4kU02iDkuefw.cs	High entropy of concatenated method names: 'FSF9neVIFo', 'ywI9HYRj3q', 'DRa9KNoV63', 'Kid9ki2cKS', 'VkL9PxcJBy', 'eU2vhJmLhy7xSMDctZo', 'EjYNmqmBoubPAbvo5v0', 'V2Ev5KmyTcTlPxdDoBs', 'FgmA3Rm5tk64yFR4F65', 'Ldj0lImJILTDH38ODQe'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, biumxsEeoT3jqNjwiiZ.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'U1FUUxhHJyVVH3DEYXX', 'TQcUhghTKZU8G0lELy1', 'L1Vv0ahQwpq634742C8', 'IOPAJ7hFV7or0ynTmsv', 'hq8BSDhRaCU1jGxBmX1', 'Q1Cv2Yh97JfI8GuB1oO'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, oP1wk2WV0ocNtQD9axy.cs	High entropy of concatenated method names: 'jHR', 'B92', 'ExKemOqD4w34hFvbBMD', 'DnxLpcqzPNQLlh6XJcu', 'ftMTtDr16RUig8RNyLS', 'qv0b8WrYjTnPBsZ3dyu'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, uTLPDpBcRAAMBPVaLj.cs	High entropy of concatenated method names: 'OPDdpcRAA', 'jsIkRMPYwQPA6QvEeC', 'xiLAYqbSvc1ln5nbuW', 'dUDJAex7yOAOwIF4Ur', 'elihkOEUTpgw1k1agg', 'xDonJu8fr9VeNY5wZ7', 'M8aRGu1qj', 'e5YmNLeYh', 'IlppkKGdy', 'BLsehlO9e'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, cNbgUcp4moXOCXEoowB.cs	High entropy of concatenated method names: 'OyGdh7T15F', 'dyud2hm5ho', 'rv7djiZ5ge', 'U5GdOqBWLU', 'gKddtndT3R', 'oEb7fRykTxaPXg6hTrZ', 'DmyEDfytJW6cS8E1yMa', 'St5GNeyZq0VoU1xQ4Nt', 'Smq98by2mOcnr9WIiiB', 'fppYhpyMaHQB4vQKB57'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, VW8AxnpqZalpIcTgpEl.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'LLxG3Z4MD4', 'uIvG7Y4Q0R', 'r8j', 'LS1', '_55S'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, bZ6nWBwh8Rr2yThs8W.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'tKa3xdpXwQThjXoQ5uS', 'd9JB7npAXFppls5XpUo', 'QUPmw3pCd003WMhe29j', 'mBi4qlpnLYbp9xgy1Sd', 'UtHY7KpKdrjNTdZmTPH', 'sHDOTppD8QKZfeDs82W'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, m4AubceZAIrAiFiBJA2.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'KreN5hf4r4', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, ANFsC2mG4eSh44SNglm.cs	High entropy of concatenated method names: 'APNiPvQfkh', 'nL7icuUfQj', 'YYxiLLpf01', 'F4pilU7q1t', 'DhxLxSME1NKc4ir6VHN', 'EaHE6JM8oeXDUXGK6dY', 'CnINaKMw2JUgo3vChEb', 'u6sEmQMxK1AFkvubQFd', 'IprDTHMPOnvVcUWjWMQ', 'MdPfm6MmyaSo79Zt9yi'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, wZhljfcZtxTyOAv0hi.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'eoorDFOtdPOK1XMlB9S', 'ck9UZuOZ6REwmkuHLiZ', 'bSq0TQOkmrGFFQYbhSG', 'zwxR8wO2yMfRoRxPrtq', 'Mes56wOMFqehmvrSRtD', 'hvtClBOeMkORnkPrwen'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, p2jY4PRtk11uAj9C9UI.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'woUe291PaO', 'ecaejnA2jY', 'zPkeO11uAj', 'xC9etUIKsN', 'kTcenoGbNu', 'AW92lStuZDCafNLMc91', 'j1qU4ktcEHR6I9Ql7DO', 'gB90Rat0xg7kgCHAq4g'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, vBq3kBEQEHS2iKodEQd.cs	High entropy of concatenated method names: 'wurRsf2Cdo', 'sbSR52Hcvr', 'pghR9moyHQ', 'O3sGaid739JF6mmSJJB', 'LuwMX4dub7JEbS649bC', 'LGCaJFdcWRHs8FksLvH', 'rg3oeMddNFLPVX3tWCR', 'RZlAIedaO1Sbfw9WbkA', 'iOxUeGdSDI5l9qvabps', 'v9vOqOdWh0AxaHSnyKM'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, y7F7sUebMYhoaGJEpjQ.cs	High entropy of concatenated method names: 'drL9cl1iC8', 'sUJ9LnbxMD', 'buW9ljgpxO', 'Ecupovm8QTG7mpJJQPX', 'DOlMZamP57pd2h0risw', 'BjtuM6mESSaAt9vH77T', 'nWtsbXmw3ZX58jEtUWU', 'nk6L5bmmfYKSLf94bnH'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, Bfs063EgiG4cxguM0ZR.cs	High entropy of concatenated method names: 'KvVR1bBGfT', 'CR9cTadh82LpyICFMaC', 'tir71Sd04ws1u4JhT5a', 'xLy7ZYdO6ebPNaPaaXA', 't6GYDSdpoKIXbh0AbLR', 'Jj1t9odfA6G4RG24tdk', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, jsSHfiEbsWRKDDQM2qF.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'fqs18WuwKdX3tuxwDU5', 'WB7qDbumtgJeAVjilUd', 'fVavATujigNjWUmQGvp', 'LV3tvlulSpelVyLcZUD', 'C9loPbuGfWslMlNqRLG', 'wcoEgeuijJofDB2iCQe'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, WfERI7eI0pYNLQeXJbI.cs	High entropy of concatenated method names: 'B1598Rup7J', 'zPC9oS9nNG', 'xty9ruaTUn', 'UGN9gr9pQG', 'BDj9ZPX31W', 'Prj9wUUxCd', 'L2IRKvmQkCtju4OWfa8', 'zfXwSdmH0VY1s5AiaE8', 'AIxSupmT5uweKOOw81Z', 'xg3nkbmFH7juiYFnyCO'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, hrBgdheuXMIqfqB8hOL.cs	High entropy of concatenated method names: 'oys9VESu7H', 'WBo9ynCO7y', 'gtb9q9orOh', 'ssSeYjmGgkyiJbc4cVg', 'tEHep8mj3GSfd2iWBuX', 'sBbNZlmlqXoY3eTfYws', 'qlaXUJmitkBHWxG7DnN', 'OWGGbqmVKshaMhltmbH', 'yUL4u1mqQckendhO2B3', 'lwLcavmr40sH4ITtvkj'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, pb7pPGp9AZ4mC5YV5d4.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'IA8dDGaA03', '_3il', 'FPjdENCT6e', 'CP7dRASoaR', '_78N', 'z3K'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, mFZyiipwZlQqK8b74ak.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, KE4PLJmceuuCbxsJR1t.cs	High entropy of concatenated method names: '_5u9', 'j0cirRWIvL', 'wWITDUsqEY', 'HSUiRoK8Hv', 'eksscTInJcaKrTcj0XD', 'WtZ16YIKX4UQ5oeJg71', 'YY6lJJIDDnL9tUjZN2j', 'fjmKy6IAuXGaf2DTZ4B', 'yYPDN0ICiua3b32DGOa', 'wLRe0rIzB6xhWotwpBc'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, SYL6b6RYj4fb8tkUjhR.cs	High entropy of concatenated method names: 'ULPmz0o2rQ', 'KZjpDBZqpk', 'Bd7pEW9BAW', 'gEDpRV4jqM', 'dRipmXXlbf', 'v06pp3iG4c', 'jgupeM0ZRE', 'QwMpWHlxKV', 'ajQpB0jHOB', 'tv5piWCWEg'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, B0Rxcee2nhNGXnakp0k.cs	High entropy of concatenated method names: 'zeSNDUFIgU', 'qOBW5SmnYhoSaVUWc8g', 'xSngIHmAPwnEKa9FFK2', 'Lc6u0RmC6Cfb4CiYbat', 'MmCYlfmKYZ0MLswgkkc', 'H1dNu1mDnHO8Vxrvx78', 'qIQQxJmzdFNpEgPuNVx'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, lnRlHZpvKenufxL5BKI.cs	High entropy of concatenated method names: 'KNTJjSUYq1', 'GhgJO1h9jJ', 'zmyJtpyELZ', 'ie9Jnyknq1', 'NuxJHZJPLh', 'rc0rUy6DKtqu6GTHGYo', 'u3uKkE6zLpsFfEVQnD3', 'cSqwAY6nMKWIypDIUZe', 'fOSBMP6KPuu7nV7JQBq', 'HpOuFrB1wSETdfFAjTI'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, lueHrpEaE9C2rHutk8x.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'VF6XaofvfTlb7fn6v9Y', 'qRNCDaf6WlTTd86gNiv', 'jQvi1pfBaj6ibG9SKB9', 'jA2OiYfyvsB4nI5Q2d6', 'KLSc3CfLsEW9D4mNuBs', 'TFgkBBf5ideuaW3pPDT'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, yORkFllFZYooQnivbT.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'ijvxa4OqYg3jRMF5tEK', 'NexBQ1Or2D4hZWnrEw9', 'a2smeoOHmAGfvsNKCXg', 'hF3NEuOTSSM9iTKgp9E', 'fpGISVOQ7Iu5PyqkvPW', 'FaUpmDOF4k9AogrnY5c'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, IA8GaAWh032PjNCT6eu.cs	High entropy of concatenated method names: 'SSa9QtqOMpCDcAOjgSf', 'KTcAP9qpTi2rFBylIVN', 'eMt6V9qN1rSUkw6w5QE', 'wyby7iqgZUa7jQ5tBf4', 'dwP423jvvf', 'WM4', '_499', 'GvA4jW0jln', 'hnW4OgLTTd', 'Ym04tPsdmJ'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, t7YdHdEE4DJM2Aa5ipN.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'kdy3GyhkgpUTEFYYl1t', 'T2EaHPh2SUm6Z2V1HVV', 'n9iGSShMJWFVTxu0VIm', 'RK4VWrhephxQVGSoO3k', 'V5IwGbhIjW5SPq1gckr', 'C1P1f1h3xcXnENcHxDo'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, JA3Md0RHvxIX3IB3rGH.cs	High entropy of concatenated method names: 'LS3Wi2oLBY', 'jJtWfkkoiO', 'B4BBpMtAHpwXOOfIKkg', 'y6648UtCRojbWFOG8U9', 'e7bjeutor6DVnOfEeKS', 'tWWQejtXNZwLOWcfoo7', 'KoPWAYq5e2', 'MB6mKyZ1Z52tEO1SMAe', 'l4MBdmZYxUmRFW3SZjv', 'qT1YortDPrVbAsLCgBb'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, OrsLgkE54PqfkeCl8hr.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'yk5KPGf8xonjqglN4pO', 'bZNaA5fwvItw0cDJeCx', 'KaolrnfmdZ9awNCYAWs', 'lSLiNefjh6vpJmvwIOe', 'exIjASfl2NQfp4ulm00', 'hV9FZJfGhxUsmfRNkdK'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, QXefLhRRtOVcpUiEVt9.cs	High entropy of concatenated method names: 'gklRVIU0QC', 'UJ4RyqQdbV', 'hslRq7RJJw', 'X14RS6ncso', 'SMjR81PF3p', 'mMJRoDCUBy', 'ldhHNNat87pcfrtpvdN', 'gWyFEnaZxQ2ycXlxDWN', 'q9muoSaUMpUYYYnB3Sq', 'Po8AXXasj6atmrPRyGP'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, HH2Wh7S0SryegZOlsk.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'MCVObHp4hO8e8grERtA', 'CsLeMrpUHppFe3n2mLy', 'p1HkAJpsqH4HcAd3CIq', 'c1AKwtptnF3jhauGBYA', 'atPmripZddGgdLAotIe', 'AI0IHrpkRsVfJROdsX2'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, S7F25iRbV8LQs5jqHFE.cs	High entropy of concatenated method names: 'BkopwIfAIL', 'BA2pQ82s4Z', 'GV7pzmXCXo', 'I6PeDyZLZp', 'T4VeEW359Z', 'JOPeReX3rK', 'WUgemEC6FQ', 'uqmepUA6cf', 'n1Wee2md5Z', 'tUYiIKUAksP66B4QK8j'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, JmHFgpEu9uMXjlh24cS.cs	High entropy of concatenated method names: 'yvgELD05K1', 's04Y1ucN6Mem4pnn8L4', 'TVpPNlcgPgNmPQmPdws', 'JME8YMc1EbVQK3nYsuT', 'xhcXEocY8bLequLdK37', 'dt3WCPcOILIUOL2EBdQ', 'zAPJjAcpIqDDyVDjlT2', 'vQYR5xchl9xxdnZMFsk', 'F70EVSryeg', 'mvDr5ncuMGrLIxU9FxX'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, er1YdPEvrXsYWlyKdrW.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'We4akj0yyXmW167ptfn', 'jEOPWB0LhGmsxQB8XLa', 'LMsjvR05lwaCecEP60g', 'cWyNUT0J4lQREwAhbqQ', 'RSSHL60b2jjZ3LgU4e2', 'HBMo2T0xqwmI2bSQwiu'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, n68hGYEGvf5cnhjLA6U.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'RlNVjK0lO7qoLH66l1O', 'EMU7Xr0GF27umpZ7XqX', 'OKJlMr0i10JAl1mytr2', 'tUlH7g0Vkdino83LSnH', 'KnNEd20qJiNkrr5qcEn', 'PTjZXf0riCeeaot15lf'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, TififXHA1sdTkMFlkn.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'iGpc8tgCUFtM1un0tIs', 'NGO7V2gniGPaEr049tt', 'qmlq5QgK9NdEZ4pbqlu', 'eo4UN7gDiWpYad4qt95', 'brFgDEgzEPLKfIUDXmx', 'zuO02UO1yDnFdmrvmSb'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, U2rQKZEojBZqpkbd7W9.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'saF51g7FLomBU6EGx2i', 'VY8owG7RHwy0tUOQMrQ', 'KffDMr79cg56X2A8VJV', 'mbuNm07oF98AVfoBCvu', 'X7XQWv7XTrYTduHK8Xr', 't4tNxm7AeHAmlZEkd9m'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, hUDA9aE4yJAbGEOAy0X.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'mJ7afrfDWoUcWDnPTve', 'dH4sp7fzeI2XLw2gF6o', 'xelQOEu1JKCWlIdEMrh', 'yUfFUCuYScwCoIBTRMo', 'DxZ0yMuN6F8tybowcXd', 'Gy81pGugVG1HPjFlRmG'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, h11mfypgOV72dV5reUT.cs	High entropy of concatenated method names: 'l9C3NIxAGx', 'cEs34hFRLW', 'R1s3d6qZhA', 'z7r3GRT85O', 'vZ933Ymj3p', 'Gsx37LIi4b', 'I7n3A2WI2C', 'tdA303O2uR', 'nZh3YABnHw', 'hhc31AuyFS'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, uZvJh8e8RT58irHW94y.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, DKhZAwmTgEMvXQVXlQD.cs	High entropy of concatenated method names: 'NWDihO6BqI', 'ekWi2X2er3', 'eSTijfaAoD', 'sUOPgdMWAn2LoCmgtWL', 'APfBRFMaraBg5LUHXFX', 'H6O6YbMSn2eeU3ohx9B', 'VMd80yM4Q7MUlUgNZpx', 'iqyi3dkd2m', 'Bfai7XueYC', 'sb1iAsP5ce'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, VQyVNompyNMGEYWdyyG.cs	High entropy of concatenated method names: 'eO6Bkn9Urb', 'XxSBPjx3PA', 'b45Bc3YBgi', 'HTfBL4apwM', 'pDdBll457g', 'WhlBV3NM2m', 'f8ncNKk5pBYcAL4swON', 'u29ZASkyCsIeT7SFvDx', 'rwYX6jkLb81Luxo956R', 'k4IAJXkJCV2gWsATSSq'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, u1YxZWzFCSrll20fKr.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'b653nDhgNjjpRd1fitW', 'Uo4t9hhO5DbW3DYfxnm', 'Dl0WSChpnqbL4lBj4Fj', 'rxQoYChhiHmqVGS38th', 'Ns1uhDh0R03PEKPGB1u', 'fiK6AIhfkj8cXid5MrA'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, y7vaStWcs8D6Fg3e07e.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'lHKMfNkhSF', 'ciBMTqqks6', 'hGPMxUne05', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, mBvOHsW5e73xaMKNOoy.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'n6YU964uoB', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, zqQdbVE1isl7RJJww14.cs	High entropy of concatenated method names: 'SGCEMxWYfC', 'wvR3WyftIwPfOEis8a5', 'lCEq0FfZZNKiedZU3a5', 'NBFLn5fUTVYD12geD4Q', 'krkfYffsCIRPp3T0YIc', 'd5xSw3fkWljYZrVNUDG', 'b8V9qPf27Fh6t6aSQyN', 'oL8c7LfMCt8mvpcXBq3', 'KAZFF2feTdE72bADCXZ', 'f28'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, oPCFRfm0xAx8T5pPC3m.cs	High entropy of concatenated method names: 'aWli8YVcJa', 'qPYio2ZmFP', 'PggirFRpKJ', 'SnQigfvnRl', 'KZKiZenufx', 'tYwIsgehiKJdk4VI1AO', 'iyMdcNe0ZmRKCqjjqdD', 'tOHY1JeODU48JQfs6De', 'eRaJSBep5j3SYdlaj6e', 'vd4VToefChqcZK7uYro'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	High entropy of concatenated method names: 'nYjEKoHBAAxNyKQVFhc', 'vLgoK8Hyc7P5DUWj7PP', 'CdK8BSHvpC8jakV9KcB', 'q9Wkh7H6gW7f6uPrQTR', 'ATYFG7ovbf', 'ylU1kkHJmSye5KZEeLq', 'DujJDlHbTlTSuBEoB0c', 'wU5UdSHxqvACiym5gfX', 'x08BJkHP4em2KBUJj4W', 'miEX64HE3kjN9KS7Ko7'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, X4S7XSmgnmpUPJ1oAqe.cs	High entropy of concatenated method names: 'D1Y6Arvm2pxIUuNdLm5', 'R5yEZ7vjs1mwPkhY1W4', 'M7TVpLv85uoa6umwjc9', 'cAcIQXvw8CQ7x56HwZC', 'IWF', 'j72', 'WpETAlT0RF', 'amNT0deIBR', 'j4z', 'QfITY5kjds'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, gJCUBYy6WT3cuTayuu.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'LZLWeAph6ScxRRlF13k', 'DPRwVhp08cjnJpemqKN', 'VKhbI8pfAFyt1cAq4r0', 'goBh4xpuWD1xlbKBAJo', 'CMligApcYxgqiRPUYhE', 'TN5MHup7oaiY2CLhvk2'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, tnl1eqemJrl1cVGgqj1.cs	High entropy of concatenated method names: 'TP9mgPPIUlDyb1uNlah', 'LiE3EUP3xP08CRw3aRe', 'AO8rl3PMjd0r6BRP8kT', 'f1QIRTPeJ05Ha5otwDG', 'sZqX9S39aA', 'Xxqy7yPBN07xpkJxmVA', 'p3keQYPygU5hfkXrBAl', 'gNVBtYPvy1U2D3INFdl', 'sKwukbP6L87WP2gwaDl', 'ebigOePLwFvamAsq55A'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, miOSaUmlPkYx18UQf5H.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'hDjiuerjHW', 'LA2TpCyykl', 'es7isjbK3f', 'agBTPX3SWPSIsDNQgUk', 'a1oNcD3W4yhUq4wVDgb', 'Ixmoa734ncttfwRo9Xd', 'o35nkN3UbEB6AtcOM2V', 'vMGYn33sJcaunehWvSl'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, UCCsvDW48hcGKESkKic.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, GUijQiWOQTfsouGkJQG.cs	High entropy of concatenated method names: 'Qjjbtdqct0', 'qugeQvqJiwedXgbIYmN', 'Qn0sEdqbwWiwRPwVx72', 'nCJyKuqLDmHkkfhIYxN', 'n5c2lgq5fMLvfvp0bgA', '_1fi', 'zmOCSp592i', '_676', 'IG9', 'mdP'
Source: 0.3.Ym9pCkdQCN.exe.66af545.0.raw.unpack, JKTYvkEKFKDrcMPSk3X.cs	High entropy of concatenated method names: 'E8RREr2yTh', 'v8WRRli7HM', 'TrGRmigKWM', 'kiy6kec98XawQujncGB', 'yQfoLccoZqt3bSfGvDH', 'z01NIecFHbTEcav1QEv', 'llM8RZcRFxjfYkN2vuG', 'NueQHKcXwkNRWro5c0f', 'Mc1Xx0cAMyjxPFH5sxO', 'ya6JSqcCkXG5EjEpTno'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, SYeH8AWb9CZlcXBf1BE.cs	High entropy of concatenated method names: 'YBJ4fy9ite', 'vBI4TfQcM9', 'Ixj4x28fp2', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'QPr4JeWnRU'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, dd5ZAFRsYcrNSZl1bYy.cs	High entropy of concatenated method names: 'DoBp6byya2', 'knUpa4jO44', 'Am1ps6Y4i9', 'gb4p5D4hvT', 'AEUp9Gqt23', 'jf7YUaU1u5N6ekRYRJq', 'pHD8ccUYaNP5GpsJiW0', 'Ah5Jo04DERoy03Kg6BI', 'DAyWqa4zqhmIEcH0qq6', 'FJbqJJUNIIwoNmKO7aL'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, uUXbgXWa8PjVdBfIVa2.cs	High entropy of concatenated method names: 'ktTUXyu5q2', 'PJIU6pepdp', 'A1GUaawSrZ', 'DXhUs35f4I', 'q7AU5DSkxA', 'Aki3YbGnjem4J2eYdPr', 'B8vFmwGKgPm2oJ5o6s7', 'iVSiTIGDBa4IQVB7diY', 'FNkxxEGzSB63vMGr2SM', 'u2Tcati1gwGmP9OPkxS'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, xE6bg4mzq2g2FCUTw9q.cs	High entropy of concatenated method names: 'tUdTCFZyii', 'WlQTbqK8b7', 'zakTMyY0DY', 'gKO8Htvi9Hb1Lu0pk9C', 'skvvD5vVF4PapHkaNTf', 'qo6fotvlocrCVL79Nyn', 'mdO8pdvG1ctL1WC76no', 'waiKQjvq6dEEL5WRKE0', 'z33dQAvrN0uTvD63RdV', 'UFIPAKvH2cWV5nduLUj'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, YNKPnDWRWSlKqnYmH4F.cs	High entropy of concatenated method names: 'lTvUiJ1jF0', 'wK8UfFS20A', '_8r1', 'tTEUTPmT7i', 'LKoUxNnmqf', 'zkXUJO3axI', 'jFuUvDVRPo', 'GHTlG6GUDaKjDrSRt0J', 'lNZvsIGsf1LN2YjiXIU', 'iQ0eOiGtWgRWTLsYXo1'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, WZAIgbWqAJMvhNR9DMp.cs	High entropy of concatenated method names: 'H81MsS73F1', '_1kO', '_9v4', '_294', 'duVM5UiPVg', 'euj', 'dJUM920Vo6', 'jKSMN9iHdV', 'o87', 'gsoMUOs3Rp'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, Dw2wEBpYF3JcXOSfKbP.cs	High entropy of concatenated method names: '_7zt', 'DCqv19ePgG', 'ipyvXXxSrT', 'EgDv6fkbPm', 'gjuvasV2LH', 'tsGvsOqMBm', 'tQSv5OF0TX', 'xDuYAxBI8Z52r2B4SAQ', 'p8VJ2mB3bmDkM5q3nkU', 'aq1Q2VBMUMlDxwAV0Au'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, tUVbQApAnhZSPSpC1ki.cs	High entropy of concatenated method names: 'L4evp4M0ey', 'DWEveDlNkt', 'V4rvWGLPw7', 'BWlM9QBsQgJiPh5a1so', 'cc5tyUBte4xPhHMiVou', 'iupJkBB4TLuS2CyIOoJ', 'nGnRZMBUfKHVde1bpkT', 'DAKGDGBZSLkQ6ZyJsKO', 'EU4TfuBk9QNWGCxQiXh', 'M0tBumB2AKgvL3a3CnO'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, IY2fORE7kx5mg0Qw6vw.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'BfUDUu0oPWBXPRKW2cu', 'vX9wEj0XKgef1u808Dd', 'HnwaFv0AaxfFtWPNV6Y', 'D8NA4b0CFjfyfHQIwRq', 'pv9Kca0niMpLOVL6Wt7', 'aH2ECS0KKI7c78eK7Pr'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, RbHI8BRAEWTmDULj7Jm.cs	High entropy of concatenated method names: 'lT5mwibaT5', 'xcqmQOnbDM', 'nW95nWWkBgh7Cf7Y2Fv', 'dIcWN0W2yLGVotq37sr', 'iLcGhfWMP6G5L6QMrrW', 'cLudjWWekSYSXVR35M1', 'kP1hKdWIF6X9maW8r0p', 'AeoghEW3ZyiILl22Fsl', 'NnLucVWv4GY3Tv36f9w', 'NlYjUvW6MA7ud45pnec'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, m8Ixwcm9hrh2fjMYwfB.cs	High entropy of concatenated method names: 'GiafIOWate', 'uOvfhDJgtE', 'mhWVqEIZBrkxuwCLxh8', 'YU7E3qIkoxnDsnMpxTh', 'EppdrCIseabOLRqaHZt', 'S849j8ItUbU4gFQelTB', 'yVuhXvI2VgifjXApVnm', 'tsJkkLIMEU5wGcWu3p6'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, eYKhuUWF080W1rLh24m.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'sV94Nah4CG', 'mZj4UX3jvH', 'vjK449goXX', 'qrZ4CoogDP', 'CF04bGfua1', 'pfg4Mg7cxZ', 'CB7QYgVmSscBqZDswSA'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, bLrktyFKKN5dfsuYwM.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'R2pHtaxif', 'P0BqY7NkysmrlBnPIpM', 'Q2JcRFN2QQ7XJQjgs3J', 'AnxXfkNM73vlMHUqxcQ', 'i8ejJENeYV7oHbwcwit', 'WRHRa3NIRoR4iFQNMhr'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, OTLNchpeEqRT4XPkJam.cs	High entropy of concatenated method names: 't0LJA6JdUy', 'YsKnrK6ZQcm9lsQrrte', 'swU7nE6kal72aV98adn', 'g0vX3G6sfhem3DWJd9b', 'veSDxi6t18qkHf9nEqI', 'y84Tu6QiIR', 'nQHTFsaxRP', 'xQoTIOouX7', 'lJuThrsvyE', 'IoZT2DhAVu'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, cypyELeQZTe9yknq1Pu.cs	High entropy of concatenated method names: 'idQNC0lEK3', 'wl8NbunmRv', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'hChNMuvYwi', '_5f9', 'A6Y'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, WgxeUuBNjsJX7iBjy7h.cs	High entropy of concatenated method names: 'K4NF9qilZu', 'PGBFNBdlgu', 'kpRFU7RdPS', 'pi7F4ABVRR', 'VvAFCfHa75', 'VrHFbWiWWE', 'NXIFMHTvgw', 'CoWFuQlCD0', 'jhCFFsXXIM', 'o8cFIPorMr'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, Wc7fwjm7peZvwjhNfme.cs	High entropy of concatenated method names: 'mCiiymvwYc', 'UPBiqpAjvL', 'JoBiSE85BO', 'JCcJjOMHIACrHkJtgss', 'L7dOQfMTc2ELNEAp6bM', 'RogHg4MQZXANwCycThv', 'hbhyvOMF0LG7RkdM43M', 'HlSZUBMRMqvPv2acRd3', 'DOWgusM9B8nJvk8fGMl', 'G2EVXTMoe7d2ErSCwsK'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, s1AYIImvmwZkEgVptu6.cs	High entropy of concatenated method names: '_223', 'JhdjQeMtiwyGnD0Cw4j', 'zCQj8EMZB84479c0l3w', 's0dtg0MkUiTZeJWjOKH', 'JRyoTPM2tk8Y0OxFHQ6', 'bs2a7vMMQpe8q9p7koh', 'KSSa9XMeT3ofmWNTANC', 'BGbwepMIbFpDAy9IKxh', 'OcWCD6M3USVnC2AMg3j', 'Q7gRqaMvgrZofSuKWJY'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, B6TMugefmMU4jC4pOdu.cs	High entropy of concatenated method names: 'yKm9XxdreS', 'Fv596bRqwo', 'Dcd5W4wXKVx7JLFyyH3', 'a5g2AGwArwvPJB2hXeo', 'OCspeHwCDyAA7HLJTZP', 'UnAaxnwnZKmGGl1RNXZ', 'dey1B4wKI0E5YSJ7u4P', 'XIM85IwDWpdfwoHLEjr', 'ggMqnOwzKZoATD8BXuq', 'DbKJsMm1POlU4sV5oqs'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, Xyeph9CNINwHUJ7qup.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'jyvqnKN7vHmX3x5IHfn', 'bFRrPvNdvDPJRXIpX25', 'jsnRDONa3R6Nc35wioC', 'MXGa9oNSyj4Iq48Gbi2', 'QjSBWlNWmcKbhIslK6A', 'FqCaToN4wpeQ2XIB2Mk'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, AwES5CEcJ6vallVO2EO.cs	High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'j1SPFc7htQErltXQhT6', 'eoTxUN70WoonDKvvq80', 'idMYgk7fKJZJmAPc95D', 'oy9kFI7uwf14FJSAd1w', 'a62EAh7OoKjeFsqZw78', 'Ff9ftk7pOYd0lfHrq9C'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, UXToJltRnv0DdIIICe.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'xPLMdFgwpv3Of4whK34', 'ega46mgm4qo5AOdOtLd', 'vlWDDjgjNE2r6ebhv6Z', 'FsKXthglbIaPq90OACk', 'SjcU76gG3vLnbEcqied', 'uCUaltgih7dEDjvEy2u'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, WEcIGPpog5LEcg8q17X.cs	High entropy of concatenated method names: 'Cq5Gwtg5tl', 'RGOG2avIgG', 'fj3GjR9S8a', 'gRIGOPpd7P', 'cXEGtecXHY', 'cEmGnwBdU9', 'RfoGHEhAdk', 'zv9GKsKKHP', 'ULvGkIOSpZ', 'LaCGPwGYpc'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, M3dAm3RfSkbYAcjh1FZ.cs	High entropy of concatenated method names: 'GutmIjCYFs', 'jjKmhZu97L', 'ynKm2TYvkF', 'KDrmjcMPSk', 'nXHmOHnfgy', 'nREmtEPOMt', 'NL5mnm0gBV', 'UxH7txSv6QGOxCQPWls', 'SoxbBsSI88uVUUURY75', 'BOJMqHS3rtlPjfxtq27'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, gGfTJtEBjgRJqeF3w9u.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'SbDQqwhAAIhBE0ymu7r', 'jQMnlRhCLoqs0TRVLmk', 'A672QDhnWsDCTMwY1mw', 'ftlRSAhK9j1RN7J9Xp9', 'Npj136hD5Y7iLmklMPG', 'BigkZchzX1Iyj0D4di0'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, aXe5ovR2RvUUSrDy20Y.cs	High entropy of concatenated method names: 'KDXeMe5ovR', 'u1XgBFsK1kAjXUAycxW', 'i9vVdcsDhZdMYSZ24FR', 'oApebjsC9XcaJg6s7iT', 'RpZoJFsn2kUFaZUBM4X', 'KLYwMsszJE59dQj1Kbr', 'oQ5sYIt1HKkbnwtncDX', 'FuDwGPtYHy5ABMd0cC9', 'jB52whtNI9msOsP0PmU', 'EJgRBAtguUNpixYeraE'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, xAjrHRjbFQexHZKarg.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'e1f5a6NKxklRouiyA4c', 'spIWeeNDn0Fn2DlryW3', 'PjYqofNz6SQYoxpuX2E', 'OZeinUg1y2ECICiYjCK', 'wqJhdkgYR5ajrkp8qUj', 'bbAZFfgNt4fbnb4j8UM'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, moXbS2EfHcvrAghmoyH.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'sPswGK00iBS25TkPIoj', 'rBjZp40fnUAJmOBHH8r', 'PE6FhX0uip4OBZ4fdEh', 'cY6xL60cumA9wlXFWHS', 'klojwX07FJngrt9pwoM', 'fX4A0D0drp5nvMjyJMb'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, mnBbkCEtoG1anPY7TjG.cs	High entropy of concatenated method names: 'XSREwJN3Dk', 'c5qsvWcmrHFPZf3gUW8', 'vHAGXBcjUEMKUMm6Cnh', 'dLW7Wic8I9UD6ggKhcc', 'u0X3S7cwo69NITusSkU', 'Vj1WRWclhTQiWKuqB1Q', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, cLo9uLmo1hTqydkd2mM.cs	High entropy of concatenated method names: '_269', '_5E7', 'GXniCh4GOD', 'Mz8', 'JZOimUov61', 'jiVMwZ39a1K87qV7mhW', 'h0PjmG3olbt24xUV4n4', 'kJHI583XSwGTs783goU', 'Kl6JBc3AdxKlDQB4esf', 'jTarkf3C9DxQ2tGFFED'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, KMKZJPgPrZSRJN3Dky.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'ITWyMIprxeU6gUZbh5d', 'P2pXFRpHDt4BMUYnIAv', 'ifZtMjpTxrPdZWdb7bY', 'B8JAtIpQTcQGgGJNDV1', 'nGugYOpFIbXjKaRWytV', 'eBpfrYpRVtSBH0vM245'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, uicB0QElv8gK4jeDpwo.cs	High entropy of concatenated method names: 'sCvRxWK1D0', 'Vf1RJmYs0b', 'QvHCOy7dZyPoD1yJain', 'eflZe17cyeLgUI8ajo0', 'qLp9gO779L0kU3PsEut', 'V881pX7a0vWs5ucwYxV', 'KvJWxk7SpY1N8OacO2P', 'EsgQO67WXcTgxKbNDot', 'I6sRvy74c9hfXpTXSjV', 'FH3uCC7UTlyp7Anq3X2'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, k019sqmyQOlADwWFyTa.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'A3si2JuHt8', '_168', 'A6xFmr36Lug1VFqGRwt', 'aw2dXx3BxDeHv3clpy8', 'YRigmf3ykMeSxtV8wRS', 'ahI1YK3Lw3FEWGFc4cu', 'dGqm7E35nXFvmsSZQkJ'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, XRHZt2sxEyUJZTuJFA.cs	High entropy of concatenated method names: 'PuD93HXBJ', 'GRRNQbUYq', 'mEDUd7vLq', 'IdO4Kxd6Y', 'axSCQ0kdP', 'Jt6biZ6Uw', 'QJ3MO9MmU', 'zgZ4sRYfWfeivBQjCD5', 'LyilCSYucB4D7LMZwdu', 'qasc7hYc0kUd60uswoN'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, nKw09ip6AfP9Kfce3L2.cs	High entropy of concatenated method names: 'M1QvhdHdjR', 'wVKv2ZudBv', 'HHsvje73xa', 'CKNvOOoyvI', 'dEIvtvIrCd', 'YhnRxIB8a3CvBLBa3D2', 'TwaZt5BwWNBhSj5TW4t', 'ahNaCrBPBKKa01EjYX1', 'ciksLCBEaMpr8vvyM65', 'jD2gXEBmNwwm3y8u4Z9'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, dWOCohRGxpKbFNoe7ng.cs	High entropy of concatenated method names: 'M5vmgMvQ3d', 'dZnPsqWgEJYCi2lYhjx', 'bI7duZWOo5fpOd4Po5A', 'KwFdYGWY7vrL5jQfwYg', 'KLTYlFWNPwKsR2d79RR', 'tDmQmmWpKGKvZPfjTDr', 'WxehOxWhd0dkXQHoMTB', 'nGrEbEW0v88dExZAFxS', 'bBVywoWf4M8mgVFwvTZ', 'IgaexxWuTCiDwbq6TKt'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, cP1YX1hCYXg1i4ox5V.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'HdXPZXoBs', 'IPXm39N8aSH8tFMWbgS', 'HTVGLANwDmVZRoseHOA', 'hrul2INm4ATaDj9Zbrb', 'XeRuLENjxfs4AeQNtLp', 'PgO34ONlBx5bV3dPQYm'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, YKKjQeEyTZWvqWa7nwy.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'FT16Nl7MQrmBPXVZ62j', 'DrLq0R7eGy2Xsh9abmJ', 'nXCyTN7IMdRlIe6Q2jY', 'ldZcl773I8Hnj107U0O', 'S7iLa77vThfLNkdTN3S', 'DTMJQJ76jSVhIC20Z0J'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, vh4ejIRD1nXpnUeVPYo.cs	High entropy of concatenated method names: 'q6URNsxEnD', 'D1nRUvaV65', 'NVDR4lQDDw', 'stApAldPj6j0TPor9nf', 'NkWKWLdEeMtZHTZgsqy', 'XKbOLjd8FbvmfHgAtMM', 'SqIyAVdwCm6cbweD4Q8', 'i002mZdmTLVb9eG8vsc', 'fuRMLldjDOHo9tUb1A6', 'PocBiWdbig7I3OQNnxf'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, kMvQ3dEShI8ZE4KPvT5.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'CLT3G07xgne7iVuCE9k', 'YZ9In17PWEwLkFAxy8G', 'Y0xGPe7EHHuAO2uCwFR', 'HrXO8d78kHvC9a7A9nL', 'uBG0HD7w637RNvCnMIy', 'frSCZR7mUm7CWKdOxJo'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, MjylP3ENeqUKBov4lbO.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'aLHrglfToBSmLbUhbkI', 'Xgh0UYfQ3aqpTNSonZy', 'hLS9CqfF2kpKcXpEsXP', 'V4wXjufRCDYI7KGJUlq', 'r90aGdf9VVCUpBo0tHW', 'ld1sa8foXyvUOarWqk5'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, bHoPYqRQ5e20heNha0s.cs	High entropy of concatenated method names: 'WinBNRDrR7', 'VmcsZcZRegOi74XDGGE', 'KC19oFZQO9l85r98a9P', 'gX7jrsZFU0jrIAJZ8Y7', 'IJWw3EZ91rBHNtPTEFK', 'RGTaqFZo1swt3YUGvlT', 'Ck7BYllywE', 'MYTB1ZoYL1', 'dh3BXoAHoi', 'x9aB6wfAxV'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, NVDlQDExDwcHr5jyZ2f.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'awUp5E0kUk2VNKNu9JT', 'gas6K502R8lWjXT2AMr', 'CeH2oY0MfX4o74QFy7f', 'loo0bJ0eDFgSPi2kA5C', 'oM75Ty0ILAkB45hQdHA', 'YqhTUI03F2jSRmo6w41'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, A1i5PVE2bqQZkkCThgs.cs	High entropy of concatenated method names: 'PU2EotB3sw', 'DQNRh1cv1VqjedUKZwN', 'DJux57c6tQdoPZs7C20', 'DN1ryHcIKMghxDQogju', 'P7mRMxc3Yqe2T1bPgNb', 'E90L5mcBGp2kfuovkrf', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, yi87aSUmrrSmYdI8vU.cs	High entropy of concatenated method names: 'say2ivsMK', 'SKLjE7QlB', 'YS6OpPvaZ', 'w3XsWgYjVX4RgFR2JQf', 'SVDj20YwtOHt7O7NRxu', 'T2VlKmYmSrDfq4Eh9PK', 'p0WwV4YlA8qTDTbFpc7', 'tfHuySYGoSTGnmi8rCC', 'rlJBUAYiNXdOD8La6tS', 'uyw2wJYVnQXoqqsZ5hr'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, o7wlFyWDDTJvaeWxg9D.cs	High entropy of concatenated method names: 'sjdNLxEylu', 'FBNNlCfsmL', 'NT5NVaUkAp', 'GBoNySHc81', 'I2oNqXyyVI', 'EnPNSg9xcR', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, IS8A3qEmcCAhgl1gShE.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'oVlqjRhJlNPKOju60gk', 'vt7PvThbQTWGerUyf8g', 'l8rBfGhxZTj2iN3V6Ii', 'W4HMrKhPknnccc94Viw', 'esVpTFhESXVqnCu1oww', 'wxqDQgh8GUaF8iG1O6a'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, MWTZdZmknW4OREkjIWW.cs	High entropy of concatenated method names: 'sg9', 'ygdiwXZW9s', 'xrvfw5Ru9L', 'KgMiciJIQU', 'iSyj78IQs6wdmsw40ZN', 'RfRjpYIFiuuhYNxSXHF', 'vq84YuIRETUWieSIbl1', 'JIROfvIH27dLYqW9lKt', 'kl720MITppV4nxCh5vC', 'LZ6f6dI91mG2PSWLfkD'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, MyO24gmEnPw0QkSnwa1.cs	High entropy of concatenated method names: 'ExBBMIR1pt', 'NiDBuuiugC', 'QmOBFjCPTx', 'XGCBIyj4A1', 'gOln3GZzHmHfRB9rwPY', 'wd9QSEZKTCrO57FYp4y', 'vyy4r3ZDwRs95e2GeLA', 'zDfYF0k15gDq0po8kpt', 'r1wJlpkYYvUBSKEm4qf', 'dqvaTmkNFOIbkiWvs3C'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, gAFix0ermFHigbk4suQ.cs	High entropy of concatenated method names: 'w73NpN3Uxa', 'jysNeK8HvP', 'fV6NWT7BQr', 'QouNBmBX0M', 'PMFNiuVmvf', 'rJHNf7XOld', 'moMNTQTgi5', 'f0wNxMNP5F', 'qxBNJogaNi', 'SWcNvSWlVc'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, QIflb9WN4urpDE0ZZ2Q.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, fAqZpTBxLWhwh1kLxZ4.cs	High entropy of concatenated method names: 'L9MFoBZZUQSfF', 'vjL2P5H4yx7fJDLE8FG', 'zAVQEaHUnZXA745ORwa', 'a027pHHsYOiM5TKOXXc', 'j1dk8FHtViet4Suh7M1', 'R4v3VaHZRlI0ovGkv5S', 'SMwSfNHS5rtPJP94kMK', 'oQufJcHWqrZwBte0DmU', 'b3GvctHkEmelddc92xO', 'U9X4bpH2UanMGrsWxsV'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, Q7mXCXRXoO6PyZLZp84.cs	High entropy of concatenated method names: 'zSvpdsh4ej', 'E1npGXpnUe', 'xjayVw4voLHPZR83U6X', 'zWeaF846cHngUMnyXo7', 'Fn6iji4IwnbHlSm4BVo', 'qySOXx43aEaaZhouuDp', 'm5PJSE4BpEg43cVH4t8', 'jVCk8H4ybqYpJQtsNuR', 'N1ON7Y4Ln7T3PljFSpM', 'hK5frK45ijQxa7UQwxf'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, EsTQ0bm1tMuIDJPgQt5.cs	High entropy of concatenated method names: 'F7Tf3Suw3K', 'Y09f7iAfP9', 'LfcfAe3L2q', 'aKPosWeqiYhmEuRni0A', 'meQU64eixXbNE2Yy8lt', 'qqcs4DeVl33MBlpmWis', 'x0GMoyer9NTlrT6Gouo', 'G6UfWVbQAn', 'FZSfBPSpC1', 'Lirfirbdvv'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, F4pU7qpf1twyqw3CERG.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, gE85BOpxDWlYVcJa0PY.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, POxYb6majCugg930xK1.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'oSRPHBISNiRxZSWsUEi', 'EfHPv7IWmxjWtQ9BxjY', 'smJyYdI4Ie6Z1Pcv2Kj', 'RZi8UgIUIXK7C4d4LEK'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, j1aI6IWWrtxLEDrMRcM.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, oUEOvMmSVVyymVXQA0n.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'GSPTxlW6ZX', 'PwrihR4SNo', 'mWRTJ3ZOna', 'D7Gi0C0sC9', 'NCEYtn3jWK8Xvn79HrN', 'ilOdUR3lxlnFmPC4Rvo', 'hq2MhF3wirKl1Hd2qNl'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, aICqgXowTHrlU2tB3s.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'bRl5wLpLg5SgWZBOj0o', 'GQNtYop5UFefIqOCAsI', 'CebtugpJ0Ar8islRw2y', 'pFgXN4pb3aOWahIaWfp', 'QWWxkTpxjw0gGd2x6R3', 'RPV47opPRbdZRFVuUQn'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, DhySBZE0EOxtKUBA5NB.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'pf4TO4f1xuF2BQnx2j2', 'b10KHCfYvD59lJuN7Vd', 'UoH4rRfNjyr0XkCYBig', 'dXbf2AfgnrgAUidcMQx', 'zY1NF3fOq6vC6J6JGTO', 'qZhCxLfpFxAJohlCvP3'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, uU8Zjfe4kU02iDkuefw.cs	High entropy of concatenated method names: 'FSF9neVIFo', 'ywI9HYRj3q', 'DRa9KNoV63', 'Kid9ki2cKS', 'VkL9PxcJBy', 'eU2vhJmLhy7xSMDctZo', 'EjYNmqmBoubPAbvo5v0', 'V2Ev5KmyTcTlPxdDoBs', 'FgmA3Rm5tk64yFR4F65', 'Ldj0lImJILTDH38ODQe'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, biumxsEeoT3jqNjwiiZ.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'U1FUUxhHJyVVH3DEYXX', 'TQcUhghTKZU8G0lELy1', 'L1Vv0ahQwpq634742C8', 'IOPAJ7hFV7or0ynTmsv', 'hq8BSDhRaCU1jGxBmX1', 'Q1Cv2Yh97JfI8GuB1oO'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, oP1wk2WV0ocNtQD9axy.cs	High entropy of concatenated method names: 'jHR', 'B92', 'ExKemOqD4w34hFvbBMD', 'DnxLpcqzPNQLlh6XJcu', 'ftMTtDr16RUig8RNyLS', 'qv0b8WrYjTnPBsZ3dyu'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, uTLPDpBcRAAMBPVaLj.cs	High entropy of concatenated method names: 'OPDdpcRAA', 'jsIkRMPYwQPA6QvEeC', 'xiLAYqbSvc1ln5nbuW', 'dUDJAex7yOAOwIF4Ur', 'elihkOEUTpgw1k1agg', 'xDonJu8fr9VeNY5wZ7', 'M8aRGu1qj', 'e5YmNLeYh', 'IlppkKGdy', 'BLsehlO9e'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, cNbgUcp4moXOCXEoowB.cs	High entropy of concatenated method names: 'OyGdh7T15F', 'dyud2hm5ho', 'rv7djiZ5ge', 'U5GdOqBWLU', 'gKddtndT3R', 'oEb7fRykTxaPXg6hTrZ', 'DmyEDfytJW6cS8E1yMa', 'St5GNeyZq0VoU1xQ4Nt', 'Smq98by2mOcnr9WIiiB', 'fppYhpyMaHQB4vQKB57'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, VW8AxnpqZalpIcTgpEl.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'LLxG3Z4MD4', 'uIvG7Y4Q0R', 'r8j', 'LS1', '_55S'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, bZ6nWBwh8Rr2yThs8W.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'tKa3xdpXwQThjXoQ5uS', 'd9JB7npAXFppls5XpUo', 'QUPmw3pCd003WMhe29j', 'mBi4qlpnLYbp9xgy1Sd', 'UtHY7KpKdrjNTdZmTPH', 'sHDOTppD8QKZfeDs82W'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, m4AubceZAIrAiFiBJA2.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'KreN5hf4r4', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, ANFsC2mG4eSh44SNglm.cs	High entropy of concatenated method names: 'APNiPvQfkh', 'nL7icuUfQj', 'YYxiLLpf01', 'F4pilU7q1t', 'DhxLxSME1NKc4ir6VHN', 'EaHE6JM8oeXDUXGK6dY', 'CnINaKMw2JUgo3vChEb', 'u6sEmQMxK1AFkvubQFd', 'IprDTHMPOnvVcUWjWMQ', 'MdPfm6MmyaSo79Zt9yi'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, wZhljfcZtxTyOAv0hi.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'eoorDFOtdPOK1XMlB9S', 'ck9UZuOZ6REwmkuHLiZ', 'bSq0TQOkmrGFFQYbhSG', 'zwxR8wO2yMfRoRxPrtq', 'Mes56wOMFqehmvrSRtD', 'hvtClBOeMkORnkPrwen'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, p2jY4PRtk11uAj9C9UI.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'woUe291PaO', 'ecaejnA2jY', 'zPkeO11uAj', 'xC9etUIKsN', 'kTcenoGbNu', 'AW92lStuZDCafNLMc91', 'j1qU4ktcEHR6I9Ql7DO', 'gB90Rat0xg7kgCHAq4g'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, vBq3kBEQEHS2iKodEQd.cs	High entropy of concatenated method names: 'wurRsf2Cdo', 'sbSR52Hcvr', 'pghR9moyHQ', 'O3sGaid739JF6mmSJJB', 'LuwMX4dub7JEbS649bC', 'LGCaJFdcWRHs8FksLvH', 'rg3oeMddNFLPVX3tWCR', 'RZlAIedaO1Sbfw9WbkA', 'iOxUeGdSDI5l9qvabps', 'v9vOqOdWh0AxaHSnyKM'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, y7F7sUebMYhoaGJEpjQ.cs	High entropy of concatenated method names: 'drL9cl1iC8', 'sUJ9LnbxMD', 'buW9ljgpxO', 'Ecupovm8QTG7mpJJQPX', 'DOlMZamP57pd2h0risw', 'BjtuM6mESSaAt9vH77T', 'nWtsbXmw3ZX58jEtUWU', 'nk6L5bmmfYKSLf94bnH'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, Bfs063EgiG4cxguM0ZR.cs	High entropy of concatenated method names: 'KvVR1bBGfT', 'CR9cTadh82LpyICFMaC', 'tir71Sd04ws1u4JhT5a', 'xLy7ZYdO6ebPNaPaaXA', 't6GYDSdpoKIXbh0AbLR', 'Jj1t9odfA6G4RG24tdk', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, jsSHfiEbsWRKDDQM2qF.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'fqs18WuwKdX3tuxwDU5', 'WB7qDbumtgJeAVjilUd', 'fVavATujigNjWUmQGvp', 'LV3tvlulSpelVyLcZUD', 'C9loPbuGfWslMlNqRLG', 'wcoEgeuijJofDB2iCQe'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, WfERI7eI0pYNLQeXJbI.cs	High entropy of concatenated method names: 'B1598Rup7J', 'zPC9oS9nNG', 'xty9ruaTUn', 'UGN9gr9pQG', 'BDj9ZPX31W', 'Prj9wUUxCd', 'L2IRKvmQkCtju4OWfa8', 'zfXwSdmH0VY1s5AiaE8', 'AIxSupmT5uweKOOw81Z', 'xg3nkbmFH7juiYFnyCO'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, hrBgdheuXMIqfqB8hOL.cs	High entropy of concatenated method names: 'oys9VESu7H', 'WBo9ynCO7y', 'gtb9q9orOh', 'ssSeYjmGgkyiJbc4cVg', 'tEHep8mj3GSfd2iWBuX', 'sBbNZlmlqXoY3eTfYws', 'qlaXUJmitkBHWxG7DnN', 'OWGGbqmVKshaMhltmbH', 'yUL4u1mqQckendhO2B3', 'lwLcavmr40sH4ITtvkj'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, pb7pPGp9AZ4mC5YV5d4.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'IA8dDGaA03', '_3il', 'FPjdENCT6e', 'CP7dRASoaR', '_78N', 'z3K'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, mFZyiipwZlQqK8b74ak.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, KE4PLJmceuuCbxsJR1t.cs	High entropy of concatenated method names: '_5u9', 'j0cirRWIvL', 'wWITDUsqEY', 'HSUiRoK8Hv', 'eksscTInJcaKrTcj0XD', 'WtZ16YIKX4UQ5oeJg71', 'YY6lJJIDDnL9tUjZN2j', 'fjmKy6IAuXGaf2DTZ4B', 'yYPDN0ICiua3b32DGOa', 'wLRe0rIzB6xhWotwpBc'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, SYL6b6RYj4fb8tkUjhR.cs	High entropy of concatenated method names: 'ULPmz0o2rQ', 'KZjpDBZqpk', 'Bd7pEW9BAW', 'gEDpRV4jqM', 'dRipmXXlbf', 'v06pp3iG4c', 'jgupeM0ZRE', 'QwMpWHlxKV', 'ajQpB0jHOB', 'tv5piWCWEg'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, B0Rxcee2nhNGXnakp0k.cs	High entropy of concatenated method names: 'zeSNDUFIgU', 'qOBW5SmnYhoSaVUWc8g', 'xSngIHmAPwnEKa9FFK2', 'Lc6u0RmC6Cfb4CiYbat', 'MmCYlfmKYZ0MLswgkkc', 'H1dNu1mDnHO8Vxrvx78', 'qIQQxJmzdFNpEgPuNVx'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, lnRlHZpvKenufxL5BKI.cs	High entropy of concatenated method names: 'KNTJjSUYq1', 'GhgJO1h9jJ', 'zmyJtpyELZ', 'ie9Jnyknq1', 'NuxJHZJPLh', 'rc0rUy6DKtqu6GTHGYo', 'u3uKkE6zLpsFfEVQnD3', 'cSqwAY6nMKWIypDIUZe', 'fOSBMP6KPuu7nV7JQBq', 'HpOuFrB1wSETdfFAjTI'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, lueHrpEaE9C2rHutk8x.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'VF6XaofvfTlb7fn6v9Y', 'qRNCDaf6WlTTd86gNiv', 'jQvi1pfBaj6ibG9SKB9', 'jA2OiYfyvsB4nI5Q2d6', 'KLSc3CfLsEW9D4mNuBs', 'TFgkBBf5ideuaW3pPDT'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, yORkFllFZYooQnivbT.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'ijvxa4OqYg3jRMF5tEK', 'NexBQ1Or2D4hZWnrEw9', 'a2smeoOHmAGfvsNKCXg', 'hF3NEuOTSSM9iTKgp9E', 'fpGISVOQ7Iu5PyqkvPW', 'FaUpmDOF4k9AogrnY5c'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, IA8GaAWh032PjNCT6eu.cs	High entropy of concatenated method names: 'SSa9QtqOMpCDcAOjgSf', 'KTcAP9qpTi2rFBylIVN', 'eMt6V9qN1rSUkw6w5QE', 'wyby7iqgZUa7jQ5tBf4', 'dwP423jvvf', 'WM4', '_499', 'GvA4jW0jln', 'hnW4OgLTTd', 'Ym04tPsdmJ'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, t7YdHdEE4DJM2Aa5ipN.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'kdy3GyhkgpUTEFYYl1t', 'T2EaHPh2SUm6Z2V1HVV', 'n9iGSShMJWFVTxu0VIm', 'RK4VWrhephxQVGSoO3k', 'V5IwGbhIjW5SPq1gckr', 'C1P1f1h3xcXnENcHxDo'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, JA3Md0RHvxIX3IB3rGH.cs	High entropy of concatenated method names: 'LS3Wi2oLBY', 'jJtWfkkoiO', 'B4BBpMtAHpwXOOfIKkg', 'y6648UtCRojbWFOG8U9', 'e7bjeutor6DVnOfEeKS', 'tWWQejtXNZwLOWcfoo7', 'KoPWAYq5e2', 'MB6mKyZ1Z52tEO1SMAe', 'l4MBdmZYxUmRFW3SZjv', 'qT1YortDPrVbAsLCgBb'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, OrsLgkE54PqfkeCl8hr.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'yk5KPGf8xonjqglN4pO', 'bZNaA5fwvItw0cDJeCx', 'KaolrnfmdZ9awNCYAWs', 'lSLiNefjh6vpJmvwIOe', 'exIjASfl2NQfp4ulm00', 'hV9FZJfGhxUsmfRNkdK'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, QXefLhRRtOVcpUiEVt9.cs	High entropy of concatenated method names: 'gklRVIU0QC', 'UJ4RyqQdbV', 'hslRq7RJJw', 'X14RS6ncso', 'SMjR81PF3p', 'mMJRoDCUBy', 'ldhHNNat87pcfrtpvdN', 'gWyFEnaZxQ2ycXlxDWN', 'q9muoSaUMpUYYYnB3Sq', 'Po8AXXasj6atmrPRyGP'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, HH2Wh7S0SryegZOlsk.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'MCVObHp4hO8e8grERtA', 'CsLeMrpUHppFe3n2mLy', 'p1HkAJpsqH4HcAd3CIq', 'c1AKwtptnF3jhauGBYA', 'atPmripZddGgdLAotIe', 'AI0IHrpkRsVfJROdsX2'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, S7F25iRbV8LQs5jqHFE.cs	High entropy of concatenated method names: 'BkopwIfAIL', 'BA2pQ82s4Z', 'GV7pzmXCXo', 'I6PeDyZLZp', 'T4VeEW359Z', 'JOPeReX3rK', 'WUgemEC6FQ', 'uqmepUA6cf', 'n1Wee2md5Z', 'tUYiIKUAksP66B4QK8j'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, JmHFgpEu9uMXjlh24cS.cs	High entropy of concatenated method names: 'yvgELD05K1', 's04Y1ucN6Mem4pnn8L4', 'TVpPNlcgPgNmPQmPdws', 'JME8YMc1EbVQK3nYsuT', 'xhcXEocY8bLequLdK37', 'dt3WCPcOILIUOL2EBdQ', 'zAPJjAcpIqDDyVDjlT2', 'vQYR5xchl9xxdnZMFsk', 'F70EVSryeg', 'mvDr5ncuMGrLIxU9FxX'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, er1YdPEvrXsYWlyKdrW.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'We4akj0yyXmW167ptfn', 'jEOPWB0LhGmsxQB8XLa', 'LMsjvR05lwaCecEP60g', 'cWyNUT0J4lQREwAhbqQ', 'RSSHL60b2jjZ3LgU4e2', 'HBMo2T0xqwmI2bSQwiu'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, n68hGYEGvf5cnhjLA6U.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'RlNVjK0lO7qoLH66l1O', 'EMU7Xr0GF27umpZ7XqX', 'OKJlMr0i10JAl1mytr2', 'tUlH7g0Vkdino83LSnH', 'KnNEd20qJiNkrr5qcEn', 'PTjZXf0riCeeaot15lf'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, TififXHA1sdTkMFlkn.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'iGpc8tgCUFtM1un0tIs', 'NGO7V2gniGPaEr049tt', 'qmlq5QgK9NdEZ4pbqlu', 'eo4UN7gDiWpYad4qt95', 'brFgDEgzEPLKfIUDXmx', 'zuO02UO1yDnFdmrvmSb'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, U2rQKZEojBZqpkbd7W9.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'saF51g7FLomBU6EGx2i', 'VY8owG7RHwy0tUOQMrQ', 'KffDMr79cg56X2A8VJV', 'mbuNm07oF98AVfoBCvu', 'X7XQWv7XTrYTduHK8Xr', 't4tNxm7AeHAmlZEkd9m'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, hUDA9aE4yJAbGEOAy0X.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'mJ7afrfDWoUcWDnPTve', 'dH4sp7fzeI2XLw2gF6o', 'xelQOEu1JKCWlIdEMrh', 'yUfFUCuYScwCoIBTRMo', 'DxZ0yMuN6F8tybowcXd', 'Gy81pGugVG1HPjFlRmG'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, h11mfypgOV72dV5reUT.cs	High entropy of concatenated method names: 'l9C3NIxAGx', 'cEs34hFRLW', 'R1s3d6qZhA', 'z7r3GRT85O', 'vZ933Ymj3p', 'Gsx37LIi4b', 'I7n3A2WI2C', 'tdA303O2uR', 'nZh3YABnHw', 'hhc31AuyFS'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, uZvJh8e8RT58irHW94y.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, DKhZAwmTgEMvXQVXlQD.cs	High entropy of concatenated method names: 'NWDihO6BqI', 'ekWi2X2er3', 'eSTijfaAoD', 'sUOPgdMWAn2LoCmgtWL', 'APfBRFMaraBg5LUHXFX', 'H6O6YbMSn2eeU3ohx9B', 'VMd80yM4Q7MUlUgNZpx', 'iqyi3dkd2m', 'Bfai7XueYC', 'sb1iAsP5ce'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, VQyVNompyNMGEYWdyyG.cs	High entropy of concatenated method names: 'eO6Bkn9Urb', 'XxSBPjx3PA', 'b45Bc3YBgi', 'HTfBL4apwM', 'pDdBll457g', 'WhlBV3NM2m', 'f8ncNKk5pBYcAL4swON', 'u29ZASkyCsIeT7SFvDx', 'rwYX6jkLb81Luxo956R', 'k4IAJXkJCV2gWsATSSq'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, u1YxZWzFCSrll20fKr.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'b653nDhgNjjpRd1fitW', 'Uo4t9hhO5DbW3DYfxnm', 'Dl0WSChpnqbL4lBj4Fj', 'rxQoYChhiHmqVGS38th', 'Ns1uhDh0R03PEKPGB1u', 'fiK6AIhfkj8cXid5MrA'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, y7vaStWcs8D6Fg3e07e.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'lHKMfNkhSF', 'ciBMTqqks6', 'hGPMxUne05', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, mBvOHsW5e73xaMKNOoy.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'n6YU964uoB', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, zqQdbVE1isl7RJJww14.cs	High entropy of concatenated method names: 'SGCEMxWYfC', 'wvR3WyftIwPfOEis8a5', 'lCEq0FfZZNKiedZU3a5', 'NBFLn5fUTVYD12geD4Q', 'krkfYffsCIRPp3T0YIc', 'd5xSw3fkWljYZrVNUDG', 'b8V9qPf27Fh6t6aSQyN', 'oL8c7LfMCt8mvpcXBq3', 'KAZFF2feTdE72bADCXZ', 'f28'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, oPCFRfm0xAx8T5pPC3m.cs	High entropy of concatenated method names: 'aWli8YVcJa', 'qPYio2ZmFP', 'PggirFRpKJ', 'SnQigfvnRl', 'KZKiZenufx', 'tYwIsgehiKJdk4VI1AO', 'iyMdcNe0ZmRKCqjjqdD', 'tOHY1JeODU48JQfs6De', 'eRaJSBep5j3SYdlaj6e', 'vd4VToefChqcZK7uYro'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, fGmHnKBdURQ7ib5AkZe.cs	High entropy of concatenated method names: 'nYjEKoHBAAxNyKQVFhc', 'vLgoK8Hyc7P5DUWj7PP', 'CdK8BSHvpC8jakV9KcB', 'q9Wkh7H6gW7f6uPrQTR', 'ATYFG7ovbf', 'ylU1kkHJmSye5KZEeLq', 'DujJDlHbTlTSuBEoB0c', 'wU5UdSHxqvACiym5gfX', 'x08BJkHP4em2KBUJj4W', 'miEX64HE3kjN9KS7Ko7'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, X4S7XSmgnmpUPJ1oAqe.cs	High entropy of concatenated method names: 'D1Y6Arvm2pxIUuNdLm5', 'R5yEZ7vjs1mwPkhY1W4', 'M7TVpLv85uoa6umwjc9', 'cAcIQXvw8CQ7x56HwZC', 'IWF', 'j72', 'WpETAlT0RF', 'amNT0deIBR', 'j4z', 'QfITY5kjds'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, gJCUBYy6WT3cuTayuu.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'LZLWeAph6ScxRRlF13k', 'DPRwVhp08cjnJpemqKN', 'VKhbI8pfAFyt1cAq4r0', 'goBh4xpuWD1xlbKBAJo', 'CMligApcYxgqiRPUYhE', 'TN5MHup7oaiY2CLhvk2'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, tnl1eqemJrl1cVGgqj1.cs	High entropy of concatenated method names: 'TP9mgPPIUlDyb1uNlah', 'LiE3EUP3xP08CRw3aRe', 'AO8rl3PMjd0r6BRP8kT', 'f1QIRTPeJ05Ha5otwDG', 'sZqX9S39aA', 'Xxqy7yPBN07xpkJxmVA', 'p3keQYPygU5hfkXrBAl', 'gNVBtYPvy1U2D3INFdl', 'sKwukbP6L87WP2gwaDl', 'ebigOePLwFvamAsq55A'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, miOSaUmlPkYx18UQf5H.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'hDjiuerjHW', 'LA2TpCyykl', 'es7isjbK3f', 'agBTPX3SWPSIsDNQgUk', 'a1oNcD3W4yhUq4wVDgb', 'Ixmoa734ncttfwRo9Xd', 'o35nkN3UbEB6AtcOM2V', 'vMGYn33sJcaunehWvSl'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, UCCsvDW48hcGKESkKic.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, GUijQiWOQTfsouGkJQG.cs	High entropy of concatenated method names: 'Qjjbtdqct0', 'qugeQvqJiwedXgbIYmN', 'Qn0sEdqbwWiwRPwVx72', 'nCJyKuqLDmHkkfhIYxN', 'n5c2lgq5fMLvfvp0bgA', '_1fi', 'zmOCSp592i', '_676', 'IG9', 'mdP'
Source: 0.3.Ym9pCkdQCN.exe.6fc3545.1.raw.unpack, JKTYvkEKFKDrcMPSk3X.cs	High entropy of concatenated method names: 'E8RREr2yTh', 'v8WRRli7HM', 'TrGRmigKWM', 'kiy6kec98XawQujncGB', 'yQfoLccoZqt3bSfGvDH', 'z01NIecFHbTEcav1QEv', 'llM8RZcRFxjfYkN2vuG', 'NueQHKcXwkNRWro5c0f', 'Mc1Xx0cAMyjxPFH5sxO', 'ya6JSqcCkXG5EjEpTno'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\driverruntimeperfCommon\sessioncrt.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\driverruntimeperfCommon\wininit.exe			Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Program Files (x86)\Reference Assemblies\csrss.exe			Jump to dropped file

Drops executable to a common third party application directory

Source: C:\driverruntimeperfCommon\sessioncrt.exe

File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe

Jump to behavior

Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Recovery\rxlSpmEkQUyDvxlFic.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Program Files\Windows Mail\TextInputHost.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\driverruntimeperfCommon\wininit.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Program Files (x86)\Reference Assemblies\csrss.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\Setup\State\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	File created: C:\driverruntimeperfCommon\sessioncrt.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Program Files (x86)\Windows Media Player\Network Sharing\rxlSpmEkQUyDvxlFic.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\driverruntimeperfCommon\dllhost.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Program Files\Windows Portable Devices\rxlSpmEkQUyDvxlFic.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\TAPI\winlogon.exe	Jump to dropped file

Source: C:\driverruntimeperfCommon\sessioncrt.exe

File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe

Jump to dropped file

Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\Setup\State\RuntimeBroker.exe	Jump to dropped file
Source: C:\driverruntimeperfCommon\sessioncrt.exe	File created: C:\Windows\TAPI\winlogon.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\driverruntimeperfCommon\sessioncrt.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /f

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Memory allocated: FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Memory allocated: 1A960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Memory allocated: 1A8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Memory allocated: 960000 memory reserve \| memory write watch
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Memory allocated: 1A7C0000 memory reserve \| memory write watch

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Window / User API: threadDelayed 1485	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Window / User API: threadDelayed 605	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Window / User API: threadDelayed 369

Source: C:\driverruntimeperfCommon\sessioncrt.exe TID: 7856	Thread sleep count: 1485 > 30	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe TID: 7848	Thread sleep count: 605 > 30	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe TID: 5080	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe TID: 2168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe TID: 2772	Thread sleep count: 369 > 30
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe TID: 6872	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\driverruntimeperfCommon\sessioncrt.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E8A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00E8A5F4
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00E9B8E0
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EAAAA8 FindFirstFileExA,	0_2_00EAAAA8

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00E9DD72 VirtualQuery,GetSystemInfo,

0_2_00E9DD72

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000002.00000003.1431443455.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Ym9pCkdQCN.exe, 00000000.00000003.1418233078.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

API call chain: ExitProcess graph end node

graph_0-24391

Source: C:\driverruntimeperfCommon\sessioncrt.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00EA866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EA866F

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00EA753D mov eax, dword ptr fs:[00000030h]

0_2_00EA753D

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00EAB710 GetProcessHeap,

0_2_00EAB710

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9F063 SetUnhandledExceptionFilter,	0_2_00E9F063
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E9F22B
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00EA866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EA866F
Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Code function: 0_2_00E9EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E9EF05

Source: C:\driverruntimeperfCommon\sessioncrt.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\driverruntimeperfCommon\RppzIJI6o4vFZ4Y4XgyK.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\driverruntimeperfCommon\sessioncrt.exe "C:\driverruntimeperfCommon\sessioncrt.exe"	Jump to behavior
Source: C:\driverruntimeperfCommon\sessioncrt.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00E9ED5B cpuid

0_2_00E9ED5B

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00E9A63C

Source: C:\driverruntimeperfCommon\sessioncrt.exe	Queries volume information: C:\driverruntimeperfCommon\sessioncrt.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Queries volume information: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	Queries volume information: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe VolumeInformation

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00E9D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00E9D5D4

Source: C:\Users\user\Desktop\Ym9pCkdQCN.exe

Code function: 0_2_00E8ACF5 GetVersionExW,

0_2_00E8ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.1476943848.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1557234858.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1476943848.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1557234858.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1557304331.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sessioncrt.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rxlSpmEkQUyDvxlFic.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rxlSpmEkQUyDvxlFic.exe PID: 752, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.1476943848.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1557234858.0000000002809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1476943848.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1557234858.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1557304331.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sessioncrt.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rxlSpmEkQUyDvxlFic.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rxlSpmEkQUyDvxlFic.exe PID: 752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	223 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ym9pCkdQCN.exe	74%	Virustotal		Browse
Ym9pCkdQCN.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
Ym9pCkdQCN.exe	100%	Avira	VBS/Runner.VPG
Ym9pCkdQCN.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\driverruntimeperfCommon\wininit.exe	100%	Avira	HEUR/AGEN.1323984
C:\Windows\TAPI\winlogon.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Mail\TextInputHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Avira	HEUR/AGEN.1323984
C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Avira	HEUR/AGEN.1323984
C:\driverruntimeperfCommon\dllhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Reference Assemblies\csrss.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Avira	HEUR/AGEN.1323984
C:\Windows\Setup\State\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\driverruntimeperfCommon\sessioncrt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Avira	HEUR/AGEN.1323984
C:\driverruntimeperfCommon\wininit.exe	100%	Joe Sandbox ML
C:\Windows\TAPI\winlogon.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Mail\TextInputHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Joe Sandbox ML
C:\driverruntimeperfCommon\dllhost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\csrss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Joe Sandbox ML
C:\Windows\Setup\State\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	100%	Joe Sandbox ML
C:\driverruntimeperfCommon\sessioncrt.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files (x86)\Reference Assemblies\csrss.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files (x86)\Windows Media Player\Network Sharing\rxlSpmEkQUyDvxlFic.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Windows Mail\TextInputHost.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Program Files\Windows Portable Devices\rxlSpmEkQUyDvxlFic.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Recovery\rxlSpmEkQUyDvxlFic.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Windows\Setup\State\RuntimeBroker.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\Windows\TAPI\winlogon.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\driverruntimeperfCommon\dllhost.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\driverruntimeperfCommon\sessioncrt.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom
C:\driverruntimeperfCommon\wininit.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Mardom

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	sessioncrt.exe, 00000005.00000002.1476943848.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526605
Start date and time:	2024-10-06 13:16:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ym9pCkdQCN.exe renamed because original name is a hash value
Original Sample Name:	320d22e3d94232bf94d984a3f58ff702.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@44/33@1/0
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 68% Number of executed functions: 288 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rxlSpmEkQUyDvxlFic.exe, PID 7416 because it is empty
Execution Graph export aborted for target rxlSpmEkQUyDvxlFic.exe, PID 752 because it is empty
Execution Graph export aborted for target sessioncrt.exe, PID 7804 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:17:06	Task Scheduler	Run new task: RuntimeBroker path: "C:\Windows\Setup\State\RuntimeBroker.exe"
13:17:06	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Windows\Setup\State\RuntimeBroker.exe"
13:17:06	Task Scheduler	Run new task: rxlSpmEkQUyDvxlFic path: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe"
13:17:06	Task Scheduler	Run new task: rxlSpmEkQUyDvxlFicr path: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe"
13:17:08	Task Scheduler	Run new task: ApplicationFrameHost path: "C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe"
13:17:08	Task Scheduler	Run new task: ApplicationFrameHostA path: "C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe"
13:17:08	Task Scheduler	Run new task: csrss path: "C:\Program Files (x86)\reference assemblies\csrss.exe"
13:17:08	Task Scheduler	Run new task: csrssc path: "C:\Program Files (x86)\reference assemblies\csrss.exe"
13:17:08	Task Scheduler	Run new task: dllhost path: "C:\driverruntimeperfCommon\dllhost.exe"
13:17:08	Task Scheduler	Run new task: dllhostd path: "C:\driverruntimeperfCommon\dllhost.exe"
13:17:08	Task Scheduler	Run new task: TextInputHost path: "C:\Program Files\Windows Mail\TextInputHost.exe"
13:17:08	Task Scheduler	Run new task: TextInputHostT path: "C:\Program Files\Windows Mail\TextInputHost.exe"
13:17:08	Task Scheduler	Run new task: wininit path: "C:\driverruntimeperfCommon\wininit.exe"
13:17:08	Task Scheduler	Run new task: wininitw path: "C:\driverruntimeperfCommon\wininit.exe"
13:17:08	Task Scheduler	Run new task: winlogon path: "C:\Windows\TAPI\winlogon.exe"
13:17:08	Task Scheduler	Run new task: winlogonw path: "C:\Windows\TAPI\winlogon.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\Office16\24fab4fe41bce1

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	239
Entropy (8bit):	5.7757997753462
Encrypted:	false
SSDEEP:	6:OHDIaXmGdxY+BnDjn2blPmILMDuVElTTdUeFrs1ukFE:EjxYS2bdTauVc31QukFE
MD5:	C8C0F6E74F18C0978C22B90DD8FACC49
SHA1:	29270CAF39CCC025147D66038A648AE1159DF3ED
SHA-256:	3ACE5E4EEE5F7CE99841FA099327AFE130F881DD8F6F2462DC08F291D8AC323E
SHA-512:	FEBA785295AFA6C7AF8F46701FBF8C1EEBD5C2244DCB666DF0F268343D0C064F9F293B5049C17FDFC1D3C6B331A055718C258DBA3CC38F83A87F279F382F029F
Malicious:	false
Preview:	lWG2y5IMvCiaN2mAbPrtMFHbj2rJT68Wpk9m7X2rkmQmSZrgJVLGedBfOoT6O92yDMum3ADEWAJkzfJJKKA8v22MidYSE6cltciFoFmISHteUbqsfJvD84DKUiDZmu9Zhi0X6DeFi1poJX1Hwpx4LZmyYXvGBMghHT6wkTvcoqfHOZB6q6n67FOI5C8iRYEVVIgzaFhd3UQe3fk9WzZFjjjCFy0iUMKPmKwG2LflYJDmytO

C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Reference Assemblies\886983d96e3d3e

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with very long lines (781), with no line terminators
Category:	dropped
Size (bytes):	781
Entropy (8bit):	5.892296379205364
Encrypted:	false
SSDEEP:	12:XJoRhC22mo1PvXMI3VUXfzPpEH+gn8MBuzxyhK9OSCdryszIvtKjL2:X+hCmi3X8bBWn8qYxT/cryszIFK32
MD5:	F435124E0FCF28DB1C4C783E52E0EE05
SHA1:	60E97F64D90310A368685E8CB6B0D9F5722EFB77
SHA-256:	E68BB7AF3F263C78DF5B097CED0968DAFBF34C5B67338DFD5FB28AF1F6162286
SHA-512:	AC7A8C457F7C67563D05148C51AFDE5EDCA7A5331FD8F1DE6508927E676ECF2CAA1FC5A7F95264B91201441972CC8C359F61C41A8156723A63AC2198ED5382D2
Malicious:	false
Preview:	2OmGmW7WFo8hCUr0yQJZwlUvokFqcHIIZEX9w6v0L04Xg0wyvQOK7K9R30bCRR48fzH86rE2fTN6q7PyxR5M27KPEFG5esj4661qsx1DMVpo6Dl6lmP9WsFhp240lIXwtT9uFiGAa19gSgSBeKU2djiO0UB03AcE824nD01DgPjesiPJj3WayfTKuv3vhPGZZ5iZlp7oTRVOAEfRE2QAoBPcju2S6GfQIJEx90h45rHhKFKqPmqo9GvXpGz0worNvEF09sROUWE64sRekMDUZ1RBYrH3ArHRA4wF9TrhUcUmCzd7yVPjkWx3wEbSkYNmOw595LfRfgA7hp9jNKEpchroG2T51Y66OrXP3eBmz8EEV0WHE2FZTiKrFR3D2kZGjEs0RtptIczddmSPgL09TgmqgqKmk8tPi7eRIg0UMVR1sqNc8nhrtaxDbBTkjDIKsk5gIAHAVgw7Pv8zdrn7bCfIKbzGMQvJNGIHvqU7fhWNnzxqDdG1ZLtpEwWrLBxEumuJm0ExXqb4qSeUnJDsJ3uBXdD9TmwetRcBEoEMZTestz8wRBDC8E512svIwFdu47KZzdQ9E0TzZBSheRrSjugoVlIV25aU0tywoj6xvE7HvFb1aOofXLLKafDOV4GJa99qMf35V3gfwY3QJQ5oR46pioVIfsc07xrwFvp5UsKeopXCmxEF9c2fCUHhJuZnbqi8qHKYkATiucA2RTgrnX1f5LtvnHvjTgC8HYVfnqe8ITukTPQ0Or9EyDDeXYudOtPNZCv37AE62

C:\Program Files (x86)\Reference Assemblies\csrss.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Media Player\Network Sharing\24fab4fe41bce1

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	278
Entropy (8bit):	5.774163420184768
Encrypted:	false
SSDEEP:	6:auw2E25551wRTgp92N2CzDnuU3xo60j3Fvrw+baCVnPiLFVchOg:KJ25n1c0X2ht3xCjFTw+N1PiLcp
MD5:	A256FB8864F8165151BCF17600CA217D
SHA1:	9FCB8EB1F1FF8FF510E6E022A83FBCB44CB4B476
SHA-256:	E5FE043780C0DE70734EFCFCDDA7689E6E13A7A51228AC53036409B8A0038BA0
SHA-512:	F374002C11A803C4079E94198E14CB1645AC698040FEE5DFD1EECAECA575A11EFE312DA596429E0EB1FAE5B654BB983646083FB435BEBB419B421C42B1FF5250
Malicious:	false
Preview:	EzXDFadzh8pWEqjVWY0EizDcPfnAXs0VxAEvVLFrzCGtpa5PowB92lsPw4xjwdcyIUjElxALTJPfsUxzkXVkr1cLSy9aXf4WkRlU11n0wzqtWMgcH89ZH1HQ2YvxyjxxO25btc7stfy1KtyGShTZffOsKUcdG0BMC2eeQFspARplDPGJjpfRQXStnNQY9em3elzSOUzMynYNzno4NT3aVu6oju0DyUqgpvHcax4PzScn9F4AiWLqlLhtpKseewXe72iDfMdaYnlDRSpe0zecIA

C:\Program Files (x86)\Windows Media Player\Network Sharing\rxlSpmEkQUyDvxlFic.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\24fab4fe41bce1

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.548394345536403
Encrypted:	false
SSDEEP:	3:KAPnLiKKIczu9D:KYWKOzy
MD5:	20EE691C7B47ED040A8EECFDB697C4A1
SHA1:	46DDA2E359CB1E1C234B49A3D7CCDA764371336C
SHA-256:	974C760A3CB5BB973B566EC24C8160FBCF48B1CC693C12D6D015158940B2BFB9
SHA-512:	CF73EF681B549AAFB0EEBFF1729828DA3C98DA9BD723DA4F8E8BD540CC451CC02480694EFAAF5AECEBCCCA07FD326184C3C391DA57AAD8ADA9970C47590D2464
Malicious:	false
Preview:	4GFD3u5PBgfSbGTiyJppG9V4mlN7ef

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Mail\22eafd247d37c3

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	75
Entropy (8bit):	5.13363248399698
Encrypted:	false
SSDEEP:	3:L29dLjP6gfDcL0xOvHTVVjkxu3:AdLb6gfDcLa0VCu3
MD5:	F8961E496D6DF77F24843B67F1C6D468
SHA1:	3F74342F03E8CA5463B4406C952646AEAC93E398
SHA-256:	1743EB45DD685CD02854F41982035CACD3B035A30E20C92C33F7D683F9B7EB81
SHA-512:	A4F2CA36C536A26F0A22F7CA9F37C7BAA6C31CB5324C372E93C21E7E1E9616F27221B874B314ECD7BF034CACFD81870290C2C8D33081F41AA72F380B7FB31415
Malicious:	false
Preview:	AgJK7k8nbmR0I8hOJFm8z9Pbz3ApnQqMAbJ8jgwaiPjFZpdLr8Ft9aOAQsUEkT9K5F0rzjonSLZ

C:\Program Files\Windows Mail\TextInputHost.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Portable Devices\24fab4fe41bce1

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with very long lines (660), with no line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.890794428559122
Encrypted:	false
SSDEEP:	12:GXgXIGGKcaAFCM2ARkNzxevGTdukh73k1kjqESX8kLvSTxr:4RKc7vtGdrt3k1ko/LKd
MD5:	F7EE25A3D4EC89015F3237BB7FB898C3
SHA1:	CDBD12FA351E10A8B5F7C4D8D2D0047C7767BEF0
SHA-256:	CD693C339915F32BD2413226132D1EC682E3B8DEB2BF06697D1A5DF7D5A2FBC9
SHA-512:	358BFA15E38D549CB51E4A08CFDF475CEA323CC8036C352AFD45EDC362C1AE680DB8D685256E675DB5EAD20CC40A151D419F555B7D265FF85DEC9738E3383FC6
Malicious:	false
Preview:	L7MjMIr1LszPQYJUywVIUcaxBpkGqKowUU972Rfr1xbjWKSBBqVnczUthYighlLBEC45ZLchQoQhA1a0WjF9yAUeAQads8KPmZeUQXmzOyWxjxsp8rJ8gLNErZ5Iv9ySdB4lWGk96Pv9ng5MhufAyMtaLan0cdDP9EUh2HT1HKBQZNaKdskAdxdRReZ5dugdMfAjMXUabn3nKcA8AcWu2DvLkCPYrXYXoiE4N07FYJjz4zGzdb5AXwkIuy9KI5tEPg9mXGuJeRWsd5Ru5a5QbXA275JY1x7cafkX0dbWqvgFZ1pyhOOrAdm1gHoc6WSqT4S8U34b8ijp14cGQV0njQb72t1sz9ZTdzvfjqdnTwsc36AloiLlfoGDcVFlCLm9IPMBI6hk2NTxh9E6tPEQxyyyssDOk1lIJtTnu9dsBltSVTgdQJ2wHWLUbXSa3T9AlLnxpaMuwVOMEgdZLj7b9zAxh8LWqCyslsqJqsxz7I9vH8P543OUViBwK0QrOzDuhglVzTtdvHd0zPpjsQcxxeWCr49zcGlHFPNkX3FkJviOFK65Kq87WP6DKio4U3AogVvjBFLyL2nC5H7h7EpvInvzTKayPKQQu3stYX3FeJwel4IClG7POPg3k5P0oXjAlXRBZOIkKjQ90QOZCYNJ

C:\Program Files\Windows Portable Devices\rxlSpmEkQUyDvxlFic.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\24fab4fe41bce1

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with very long lines (769), with no line terminators
Category:	dropped
Size (bytes):	769
Entropy (8bit):	5.901797679836037
Encrypted:	false
SSDEEP:	24:Hy26mOU4VE81/wLc2h+MswkheKFxIysx6iYJ9:S21YEa/wnwMDaeKFxax/2
MD5:	71A2D144A7401BC6E393BF6B09511951
SHA1:	36024D72624139E50676FE7256F420F68C61285C
SHA-256:	A8CCDD1AC9E323398BE64C950361918D14A3D798A2635770AFF2316D76224918
SHA-512:	C3492C089D8A216E2CA3992B4A5B81395B0841D36300335A8D55AA49F55C538FD77C5A0BF2DABB96CD13AECEFE89CCEE25804C2FB025E73786AA0CBC12AAA687
Malicious:	false
Preview:	C48qGg0fW2uR7kecWeOnoS5V67FzHZNV71iISmj7ATIkYs72u5av0wGu9ntIbAX6oZTFCVJu5RnUJV7OAMFL9cfLvxIp3af96L58Y10Ywq0iJwlopeIP5M7M4IUOMd1evoY8Z8zJVrYSl6B9Me9YSQEtNtDQhmLTzVxfXmOqp94Nxpk8GVCsdcMejpuq5jmsgFdQIgljPTsTW06iIFJLkc0WJS5s1ivFXLrsLUzktccKu2IstMi0ZaIDPHG0l3rrhm6LJNWxPjcHApmRKM9pA5p6CodEO98zvumH66jfzuk08BCjfzqY4Crm69JeuSjQkmWPCeUNmdzPVz8Al3jYSk5sDAK6xFvhLTPVpwgAecvaNcQHBJ20tK79rnMCUYahsRDBjmUzXi40yefluC5oM4yBVQoCkepFCOs5YOiYyDdKPHKMHlSRdvUxdBqT7SO33yxkwkMfegzIbovNFc49MYmQ34bXiOagzkRbUkZhYww66LWyPcOfXOqeLgr2Iz6PFTT1XU3eCXkZlpUrhnHGA4Ik3wPx2gYj0g0m2eb5jtc9oR3gMAVfs0PKKt8kFGmf9BjEyrzCLLgRcJ6m3sk2L319RpcIg0zcH7AmsyseKSUgT8sBxVrWftTFKjxIPqfUWEKfIT4EAFr3iVqS7aVKJd7Xn4cIBjPdw9KPyN3dbmVZBahz3eLyVVL2Gw1N0vDb0OHjKaeth1tgHhVNXnPgYbIbxRIBVpmqi4jxS7oc9bQdlpvibozNghDYFqw3ScX1P

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\24fab4fe41bce1

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	236
Entropy (8bit):	5.832476279439248
Encrypted:	false
SSDEEP:	6:OiZuCzfvBiWVSXsHx5fM14kp1Th3Pe8mVvFg0:tMCqK014g1H+vf
MD5:	1EDB01BDC8E476C6839193D94C50F7A1
SHA1:	B1EF3489E5E49E16C4EC6F62939518BBB6CFAB5F
SHA-256:	D04D7DB4E95BB3D75A41C145736C087F74E76CF3691F097A4AC0FD641CA5FB09
SHA-512:	6325AB2621A74359571E38AED9BB0D61E9D72FF4548318C2C1479A2B9B716DCB0B63C0110DF4B3EA668FFAFAFCB4D8808891ABA4B9BBDD344E5B80D8AD1A1BBC
Malicious:	false
Preview:	ESxsZyRZs5FuK6gmk1wSTzGdcEOwPAOGml6tt0wTMKpPSnLwyoMsJH4OMUQVkeJrr9HiAx2tFdGJK1Kz2b7lxg6frrhZkbsrA7iTfmwBvdnqBuDUJacJhi4KCm1SPdInuYINT1TQo6zU3Qe6oNPJ8iKcDXR3uevSU95nm0BSHLektjRvI5oCN9pMNqJ5jafKKh94U1UxL7CxDktdGfuz0sEVUtZ5qFsqpUZLjWbRk00Q

C:\Recovery\rxlSpmEkQUyDvxlFic.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rxlSpmEkQUyDvxlFic.exe.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sessioncrt.exe.log

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\ImmersiveControlPanel\pris\6dd19aba3e2428

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with very long lines (975), with no line terminators
Category:	dropped
Size (bytes):	975
Entropy (8bit):	5.913453915111409
Encrypted:	false
SSDEEP:	24:JTFUY1Npzd7vDQ5eQaYcVD0AwEcfEqq21ioAlApK7:8epZ7HDlPqq24oXY7
MD5:	0B09926378B4E94FC450CDE9B16FF17E
SHA1:	C009F111E735D624A54549ABD7F158BCA8A8548D
SHA-256:	A53AE1A9DC50394CE838AD5CDDC6831CEAD5F0C3ED89400006723F806638AA29
SHA-512:	DF116394A7B8FB2303F139E1F560BBA08443DFF241DD8F02258E6A8F625AFADBB2A8867A3F535E53DC4C36428D9CB8BC07749B23BF39DBF726CE62823F9C614A
Malicious:	false
Preview:	JEV0HO5AuYEhKReX2NnCL5qbDO6WlTYnqb2qiG3zA1I8h38K4eCI7exNX3w3RjZa9b0tYxywUyBTxs4KPwcHRQpMooSoT9hbcs8FDPwGpQxJcdap9mofHRJtvoFteKcUQk0FtyGAAVbBcgtKOmprUBTLiOUYJDlfxc22mV5LfofvzHQO44f1fv9PQpgfds06t6N9o1h2rdLqghVb7FdOiu9Ccnl7zarxxiC24RkDXmKBjTssTEhYOlY96KhAPjCQwX37fchqea15j8cJ42ou3SjMJC6ttkxxj4OLavN0h03xuda8rXGX5SWeyqxcgy64mDVouRtIpxMDZvcqm7BWda1RiuXt7uTt38KqHvOao7sHFSECOG0iwkbMMEG939K4edKalwi1tksfstMPpVe04u6Sh8eDpOhowxnmIobci9zM15ec10ThfTAtg12mSeMfCEs4GkHB4CS55tamdBMy49Idw4FQwyKDwTKxMjWRsSncBFywaPJQSXkC5PHLe1OF2PIljna4p4FlVqbrGTzgo4uZtH16bKx1Eikv6MMxzPkYS8qPxaFLBsa7ft2cvdcfHNhxFqv3GCqZUVGuamIBEmzVHnQNTuCWxEREa3JHoLE9BBnJmIBIUaaeXMqcZhkVAUmPECThdBW3h0UG9HkLt3BWnwqOMrrGlt9qYXFkzdpTDh7h1kdS7YmGTPlRWEUvTQSx0nrlBAWPNsSGyIXmNZJMH2XIwxNuJ39xPJqO31Q6CW3k6fcNrsh4GFq8PizOwlGTtf1pcJtWINKu9xLQUADaVFrJcs8UCCJaQj1boxvi9Lv3468cWi3wip8nyrMtKYUFDuda5umhPfbKTyPfuf8dJX1klNn6lBXl1pzKdhgm5WgDOxUAbq9pa06q32zsGq5NHzTn8FCM8Vix0yWx2nf5CrLAtJQksyfPaT5YerBWnwrESJzEgCzdKAKaoT4yyceK0SWh27SLlIR

C:\Windows\ImmersiveControlPanel\pris\ApplicationFrameHost.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Setup\State\9e8d7a4ca61bd9

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	5.747478923770636
Encrypted:	false
SSDEEP:	3:xCSr+6tR9s2DUmsYV/SO7WDRtNAdWbPjxr+gmcb+FQ1U9BFWXRgauzRGvu2H/59i:7C6tbs2D465ojt+pDqzuzpqRk
MD5:	479795EEADDD676E63F6A43C71476E4E
SHA1:	910E24FFFDF6052A0DB6538E82C238BDAA79B4D6
SHA-256:	3ABBC74A32298C0CCFB13C50F9A839219C08F4003FC5AD3898919B7F0BA24603
SHA-512:	C339896624DF94BDB3C3964F5C821624F44E6E891728833F4C4CFD3E4218DF15FABAF7724BECAEF39714C0517696BE7786C26BD1D041E5C63233C5EED0ED8A24
Malicious:	false
Preview:	Txqag7NVkZGWAsQnZAiYb3XZAWcy0fr81CILSUPlQZBy3wqbtPTs5staaQaJeZeEsHf8jFUEv6IB1igNqBElM9CISsvC4FH047GvRs2o5O78kri1uMddV32tEWp0USKpzSG4cv67IZq7BEhlK3RsloeBEXq4DBUmERISkoY8QfU5M4rA

C:\Windows\Setup\State\RuntimeBroker.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\TAPI\cc11b995f2a76d

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.697987250804096
Encrypted:	false
SSDEEP:	6:7RqGZtbUkGUGV2mZrfr4km9WTM1PjjA4WTndKX6:VSkGUGgMrfr4koWY+TnkX6
MD5:	CE0451E291BD3E4E02E562852993DC5B
SHA1:	8D9262D5A25C6B9363B955CDB657827C9EDD632D
SHA-256:	EDE32F2FD50FC34378585858E297C878FCD1B7368A8C9BFA547C80D598E3F18B
SHA-512:	323A31E022E955955FB99FA812DCB3C01CBDC3EB5B2F97B4FB403F001C07FFCBAE24E506F33E3AC1F8F3435D15FF107135B0485C46932AB146F7BE8F436B4397
Malicious:	false
Preview:	FHOUO2YY4oJeoKXVqf0421fjum8HN7FtirSMOXM02O3IJP9ayUPNCkVNlojm4RK6ia572KGSS9Bo7XafnhS2s1q7WEkkyk5kD7jsTCioO65DirPONE8W8RNrt8kxjgdrEakAyrLl9oow6nZoyWWumjlvu29VbuEscN8HHPaf2WWUnauFi58NJtFfyyP5s0JPj5TsoRhj602PMRITH3wfv1itIdTS9exBMHvrHCbRXZ

C:\Windows\TAPI\winlogon.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\driverruntimeperfCommon\24fab4fe41bce1

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with very long lines (982), with no line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.90938842220962
Encrypted:	false
SSDEEP:	24:pvHzG84Snt11V50yIrTXPuOu40+qDGRI9PwyP9CXXLE2V6QRxjRDTiNC3gg:pvHtTr0BfXPduDqSwSUXXLfV6QRxgg
MD5:	72B295E0B2DF14F904A4B7C0E8B976FC
SHA1:	2C16FE9DD5405EEC3EC7B082686E82F46AD95B12
SHA-256:	A81088C59E0F6C381368D0BCD0697BDA813846031D2BE35137E6423C46930296
SHA-512:	F2E7F15A0B6128FDE988C7B0F20DD4547583DB9E3971B8B7E9E267055E92E2ACD7AC6C601BAB6CA8B493BA47B090CBD11442F5B6B394906630F11852B2085D0F
Malicious:	false
Preview:	T5IWJ2jSXi4DS25Uy7koW9mCitADdh28PlH63YoataTW0qnZKF5HOzmUTGxa2fzzp6yqu9bZTK46qQL1Fl2XmvtZ9xmxkNhNkdq427oLofxE5poD45VRnbN4MZr7WnyGnrVMjQ9I6rtG7peUJj2p2QkJQvsdPqyAqrbNTbdn6NU6rG6h4WywvJOWGM5xig2P2taPOQArFPso5obJyLi32BPgdEHHfqFaVED8qrSoWHrfbjbcvw8X79X0e3vKJ3LZKST0kcdH23guUtF4moVtrrcVrNex5Ifd5RVIPk2SS1eDcmfux1hehcscz7JW8pMuYDzDX7oCvCa0NY3ErtADlA5ci3TRbfUmoupZxcX0MeseB2PaEFoPpIJXIWeenXlQsxLctdRPVK1GRabqo2MW1E7glRRa83Mz3cwNrwrlxZ3fQCFr5xzvKOYo0o1bM1Rc8CMzoN92LlicKbPiMjeKDaooDIWC4PY6HbhO0QDry7jjq6dZZSPnWHZhYhvf1675MlUt4Bs5fwVF0E8Ho7nmAvkAB9zSfi01AoWEmtfXkTIjvTqTjn13TV5bBUr4LZa76eFMr3f5cPBqmAPsTgt1q7hps4DSBkML2KnROelqI5bETOyAE9lppjQ96ZdxzN31D0ycX7dy4DsvfdWeGCNB9hfT4oUzAy05CjBdaWnHgwul0fdcD9qxA22gUehtnoxFNxt6c2EtZGfNw4cZK1vBHD5KrfJ5y4d18oYDvhAK47X4WptZCIiv2w7K1jO7tI4emnOHfZnn1kGKpBxCvt3qVs9MqOLMSCbwC3Rtal4nf54Spxe0vML9POJ3oCbRNaUyIUIwtElKzQLayqg3tUaF0cgxtXEYKmZEkFJUosHrkBK9DtF7fhh29P7qyVCV9N9M0GzshMPANtfyRhtASG2mFhEVHcgSpvrXC8I63XaTSgoQtIZQlCD2VXHTBelEq6VbBIwSYxG5qjUi2yl8DPrnsy

C:\driverruntimeperfCommon\56085415360792

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	5.359880977513951
Encrypted:	false
SSDEEP:	3:Eky9+168lcaPtm8x29xS:6+16iiF9U
MD5:	D8D2AC8F181A36778D6D7FC1B2B54765
SHA1:	1C391D1014083DA429855D3409EAC0FAD3F93704
SHA-256:	ED3D20DBC2F97298B6E1B7FD02FAC63E9DD53798D469279CFFA995405672C919
SHA-512:	11FACE007C9CE2FDA0C39586CA9AF7309DF30C2F16EB25BE73C7FBD94C7B86BAAB8EEE958C7D3CFE0E311244A043947373F3E7620E0C8F4C046779A63A009A21
Malicious:	false
Preview:	jCK4rA72OQpZZ54vKaRh7ugrMYMfFspItkg7L95lPFQPI2eTqcptuZHyfcsSxcwgkhqyY7jLfpS2eRjT43ymC5XTdsbt

C:\driverruntimeperfCommon\5940a34987c991

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	ASCII text, with very long lines (681), with no line terminators
Category:	dropped
Size (bytes):	681
Entropy (8bit):	5.895024298023154
Encrypted:	false
SSDEEP:	12:lsYoc4Fm4fX88wIxwUnANA6x489Yga+24+F7ZyhVW5I7HuT4:lsYWYKM5c4NVS8Gga+24+FNyvIIyM
MD5:	380E02389B3D6F998D17FFCF2141597F
SHA1:	9777585928DBC88CCB1C66E9C2C608D2B2DD4A71
SHA-256:	FE3B7189DD1D72544BCC1F3D5BE9BE79712022F1D7BA20ED38A2139DE27BB2DC
SHA-512:	9A6E837FD38A82CA7421ECED3F5E8F6B4F3666AD86912E00C51A8AD81A641A784F2DC8B5C0EEF1FE88692C9FBAD6A2461001F862785E5758BE203E663DA969F4
Malicious:	false
Preview:	oRdIc46KLJVFrkCRJgp3QT5newkjpgUDSxwVcxM9mQasev6lO5Ie2DZVWznqTWfpzSx3yqyVUpQA3MJtz9UuXzKOYb9mJfqPvu2M7CwhGxJNxYcJq41UCuSAHjfWrLLz9AOIU6vwMwnjp6a99z6PnVNBc2EYha05lUOwJTzuIFHPGsUKIgX1P6LnxNpc1XOw5s8VsozpALHiO74uh4PBC9qpIl96oX2u0UTYu8ceqs1DznYzT547HNu6BSNGp3AnSWs3ng9jcvUTHn0fMJnsd5nmkWXbvVzxrNud4fLx5UfV3azXcr4fQSKXsFSRIiyG6hl43Xkr7zwIaRtKh98DaTgZDWuyM4oXgYYVy5eFHMiafB7aWItJjuqnAM0gmwfCLZmC2XVmf36OvG4BZTcDLexvsvVmE7cUqfOFZ5i9wGopyb23SyHTUc1ql0THBtihblhP1ymevcQE0I6Q3bTQ0JAOohdila7DiGON4mBdLmh1Lw0d4DOkaRqRkSlUUD3UfNgu3tWQZzEOlJC1rAohMXnRa6mlBrJItNV8QGkKq7KkNcqaQtmUZVHIjPT6GvOsq6fXxDklZe0OMCD7QLVSEzsXFNYBwnD5tc4Q7SmMIB45e25hLWq4Z6n1NHRkpjzwa5fuIxA7jJJD4x3NR10Z7IgxyDCzACgjLIejXLYXV

C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe

Download File

Process:	C:\Users\user\Desktop\Ym9pCkdQCN.exe
File Type:	data
Category:	dropped
Size (bytes):	220
Entropy (8bit):	5.794089849605947
Encrypted:	false
SSDEEP:	6:Gh0wqK+NkLzWbHa/818nZNDd3RL1wQJR2zEoX5OU/nFxOln7:GhFMCzWLaG4d3XBJMEopBSln7
MD5:	D13B809897EBE952203ABC4C42C06C0D
SHA1:	6E3B2786A58E1E6202A8F9BF07F5BF7920C22B4C
SHA-256:	D4B5B94489D1CBC3EB81197F4B47EB1AA6CDF52D61846978BCA975A9E872555E
SHA-512:	FE9304C4E96B4DB535D2EBFB377FAFF5821FD6C92E03BAF6E605E2947D312CDAFEB3D95C9F371D033CBBBBE90286A206F63D14612B2804AF13C4813A5788A28E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^wwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJN.b\.DD!xDr:.wnD6ZGhsWxJ]wayqx(.WW\w}5*pTXFR(CYr~~TBP0Csk++T4AAA==^#~@.

C:\driverruntimeperfCommon\RppzIJI6o4vFZ4Y4XgyK.bat

Download File

Process:	C:\Users\user\Desktop\Ym9pCkdQCN.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.056640266572305
Encrypted:	false
SSDEEP:	3:I5ClOVvLI1ki:IklOxLI1J
MD5:	A679E16A147BF13230279D799151BA0A
SHA1:	B71772AB25E66DA8ECCDB9C780107F3F639333A7
SHA-256:	75FEC36CABE4CD08038EF91DB82A996659BB347F8D36FF54D10F7462359695AC
SHA-512:	D2753F59B321042F9C1B5329BA3A8D70060FF5DDE4B58D446A00FC9D10871EA6CD4008A5DBBF1185DBBB0D881FD210FE25933E6DD11CABA802F4C8E6B35F3915
Malicious:	false
Preview:	"C:\driverruntimeperfCommon\sessioncrt.exe"

C:\driverruntimeperfCommon\dllhost.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\driverruntimeperfCommon\sessioncrt.exe

Download File

Process:	C:\Users\user\Desktop\Ym9pCkdQCN.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\driverruntimeperfCommon\wininit.exe

Download File

Process:	C:\driverruntimeperfCommon\sessioncrt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	6.07927872147921
Encrypted:	false
SSDEEP:	12288:uNAVD6uoulBt8OlTvU4GBn7cA7T6FQXTLpnghvui9tt6iYfOQ9K9/mEFuJ0xr:3aulBHlTvAX6+DL6wivgiYVK9uE4Jk
MD5:	3BB547F1542863E0A6E80E2C6F330C0C
SHA1:	8460779EB426AC7D14669C82B7752ECE0B2E980A
SHA-256:	70FABB0762AEF63BC896AF593821FFD3E37A3A9B6FA4E5492EA3E0525DD4F880
SHA-512:	E80BD2A9C7198B69C696D57337FC70D40DF44951F4BA319ECD29D4BC25914F52F430A3F2EF4FBFBA797D76ABEBD019E2BB4C9F5BCF210EB7048E9F680B7D8FE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.373453598449705
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ym9pCkdQCN.exe
File size:	1'163'420 bytes
MD5:	320d22e3d94232bf94d984a3f58ff702
SHA1:	3493e2e6fcea69f57bc6009b499daf4c72f3d291
SHA256:	b31cd6ff73ee1167c0c40bba43ce9b665160383d0c2714986b56bed241c9711a
SHA512:	b2c84f6ae3a30afc469ed74fcfe6b9e03f6f1a28805f69bf62ae0bc45e7405fe798865babb4cace8b6a2f904c7b1eec84e5f5e05be4d93bee81efadf1dd8a8fb
SSDEEP:	24576:U2G/nvxW3Ww0t+aulBHlTvAX6+DL6wivgiYVK9uE4Jkx:UbA30+ZlBHGxDHgxL8Jc
TLSH:	EF354A017E44CE11F0195233C2EF490447B4AE552AB6E72B7EB9376D66623A37C1CACB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FF7908113F9h
jmp 00007FF790810E0Dh
cmp ecx, dword ptr [0043E668h]
jne 00007FF790810F85h
ret
jmp 00007FF79081157Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF790803D17h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007FF79081411Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF790803CAEh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF790813832h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF790810F24h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF790813815h
int3
jmp 00007FF790815863h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdfd0	0xe000	f6c0f34fae6331b50a7ad2efc4bfefdb	False	0.6370326450892857	data	6.6367506404157535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x64198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x67400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aeb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6f588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6f358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6f498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6eef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6ec98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6ff68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x70150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x70320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x704d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x70620	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70a68	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x70bd0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x70d28	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70e38	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70ef8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6ec30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x6f810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 13:17:30.994888067 CEST	53	53023	162.159.36.2	192.168.2.8
Oct 6, 2024 13:17:31.482825041 CEST	54614	53	192.168.2.8	1.1.1.1
Oct 6, 2024 13:17:31.490207911 CEST	53	54614	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 13:17:31.482825041 CEST	192.168.2.8	1.1.1.1	0x755c	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 13:17:31.490207911 CEST	1.1.1.1	192.168.2.8	0x755c	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	07:17:01
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\Ym9pCkdQCN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ym9pCkdQCN.exe"
Imagebase:	0xe80000
File size:	1'163'420 bytes
MD5 hash:	320D22E3D94232BF94D984A3F58FF702
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:17:02
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\driverruntimeperfCommon\APcholoL7ETBvvAkO3nQrcw9B.vbe"
Imagebase:	0x5a0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:17:03
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\driverruntimeperfCommon\RppzIJI6o4vFZ4Y4XgyK.bat" "
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:17:03
Start date:	06/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:17:03
Start date:	06/10/2024
Path:	C:\driverruntimeperfCommon\sessioncrt.exe
Wow64 process (32bit):	false
Commandline:	"C:\driverruntimeperfCommon\sessioncrt.exe"
Imagebase:	0x5f0000
File size:	846'336 bytes
MD5 hash:	3BB547F1542863E0A6E80E2C6F330C0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1476943848.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1476943848.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 12 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 12 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 5 /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:17:04
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 11 /tr "'C:\driverruntimeperfCommon\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft office\Office16\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 13 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:17:05
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 8 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\driverruntimeperfCommon\wininit.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\driverruntimeperfCommon\wininit.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe"
Imagebase:	0x5c0000
File size:	846'336 bytes
MD5 hash:	3BB547F1542863E0A6E80E2C6F330C0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001F.00000002.1557304331.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\driverruntimeperfCommon\wininit.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe"
Imagebase:	0x440000
File size:	846'336 bytes
MD5 hash:	3BB547F1542863E0A6E80E2C6F330C0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.1557234858.0000000002809000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.1557234858.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\winlogon.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\winlogon.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 11 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFic" /sc ONLOGON /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "rxlSpmEkQUyDvxlFicr" /sc MINUTE /mo 6 /tr "'C:\Recovery\rxlSpmEkQUyDvxlFic.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:17:06
Start date:	06/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff6f5c30000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1509
Total number of Limit Nodes:	36

Executed Functions

Function 00E9D5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E900CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00E900E4
Part of subcall function 00E900CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E900F6
Part of subcall function 00E900CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E90127

Part of subcall function 00E99DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E99DAC

Part of subcall function 00E9A335: OleInitialize.OLE32(00000000), ref: 00E9A34E
Part of subcall function 00E9A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E9A385
Part of subcall function 00E9A335: SHGetMalloc.SHELL32(00EC8430), ref: 00E9A38F

Part of subcall function 00E913B3: GetCPInfo.KERNEL32(00000000,?), ref: 00E913C4
Part of subcall function 00E913B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00E913D8

GetCommandLineW.KERNEL32 ref: 00E9D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00E9D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00E9D654
UnmapViewOfFile.KERNEL32(00000000), ref: 00E9D68E

Part of subcall function 00E9D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E9D29D
Part of subcall function 00E9D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E9D2D9

CloseHandle.KERNEL32(00000000), ref: 00E9D697
GetModuleFileNameW.KERNEL32(00000000,00EDDC90,00000800), ref: 00E9D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,00EDDC90), ref: 00E9D6BE
GetLocalTime.KERNEL32(?), ref: 00E9D6C9
_swprintf.LIBCMT ref: 00E9D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E9D71A
GetModuleHandleW.KERNEL32(00000000), ref: 00E9D721
LoadIconW.USER32(00000000,00000064), ref: 00E9D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00E9D789
Sleep.KERNEL32(?), ref: 00E9D7B7
DeleteObject.GDI32 ref: 00E9D7F0
DeleteObject.GDI32(?), ref: 00E9D800
CloseHandle.KERNEL32 ref: 00E9D843

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00E9D6F9
winrarsfxmappingfile.tmp, xrefs: 00E9D637
C:\Users\user\Desktop, xrefs: 00E9D5E9
sfxstime, xrefs: 00E9D715
STARTDLG, xrefs: 00E9D77E
sfxname, xrefs: 00E9D6B9
xj, xrefs: 00E9D7CB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj
API String ID: 788466649-1625347967
Opcode ID: e33e1b26158071e834a9cc51ba76889512e3d8426415754eca05827b35dd4206
Instruction ID: 5a58398b52e9bc6ba31e91ea8ea5877f78e3a15979dc1dbec02f5269546b4898
Opcode Fuzzy Hash: e33e1b26158071e834a9cc51ba76889512e3d8426415754eca05827b35dd4206
Instruction Fuzzy Hash: AD611471904350AFDB20AF76ED4AF6B37ECFB44345F00212AF545B62A2DB758909C7A1

Function 00E99E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00E9AE4D,PNG,?,?,?,00E9AE4D,00000066), ref: 00E99E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,00E9AE4D,00000066), ref: 00E99E46
LoadResource.KERNEL32(00000000,?,?,?,00E9AE4D,00000066), ref: 00E99E59
LockResource.KERNEL32(00000000,?,?,?,00E9AE4D,00000066), ref: 00E99E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00E9AE4D,00000066), ref: 00E99E82
GlobalLock.KERNEL32(00000000), ref: 00E99E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00E99EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E99EFC
GlobalUnlock.KERNEL32(00000000), ref: 00E99F1B
GlobalFree.KERNEL32(00000000), ref: 00E99F22

Strings

PNG, xrefs: 00E99E1F

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 1409088b9557b9a186b5e4a85df6ef2055341790ab438c6d8200b1e1bcd0faf3
Instruction ID: c47d340456047eec589c00e09cb0b93267c27db6f7dfee71f3d14c8d30350c03
Opcode Fuzzy Hash: 1409088b9557b9a186b5e4a85df6ef2055341790ab438c6d8200b1e1bcd0faf3
Instruction Fuzzy Hash: 6D318F71205306AFDB209F7ADC49D6BBBADFF89755B04162CF902F2261DB32DC048A61

Function 00E8A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00E8A4EF,000000FF,?,?), ref: 00E8A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00E8A4EF,000000FF,?,?), ref: 00E8A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00E8A4EF,000000FF,?,?), ref: 00E8A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,00E8A4EF,000000FF,?,?), ref: 00E8A692
GetLastError.KERNEL32(?,?,?,?,00E8A4EF,000000FF,?,?), ref: 00E8A69E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 0805b69cca5c16b922873f468fb8eb1bfc36eb8597b6422e9b05ab6fbf906ef7
Instruction ID: b7c5edc83a5adbd3162679aec01db946caed739df84b507e8c06d3e771a9aa1f
Opcode Fuzzy Hash: 0805b69cca5c16b922873f468fb8eb1bfc36eb8597b6422e9b05ab6fbf906ef7
Instruction Fuzzy Hash: 0A417671504245AFD724FF78C884ADBF7E8BF48354F080A2AF59DE3240E774A9589B52

Function 00EA753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00EA7513,00000000,00EBBAD8,0000000C,00EA766A,00000000,00000002,00000000), ref: 00EA755E
TerminateProcess.KERNEL32(00000000,?,00EA7513,00000000,00EBBAD8,0000000C,00EA766A,00000000,00000002,00000000), ref: 00EA7565
ExitProcess.KERNEL32 ref: 00EA7577

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: add378628edab5ae566922394347b5d9dbb44f0ae8a1aad9950731830fa650fe
Instruction ID: 8f59284595937690531dff5d76c63627a9aa4bb017af4125d22c20b7d39d581c
Opcode Fuzzy Hash: add378628edab5ae566922394347b5d9dbb44f0ae8a1aad9950731830fa650fe
Instruction Fuzzy Hash: F8E04631404608AFCF11EF29CD0AA4A3F6AEF0A341F048124F845AE222CB35EE42CA50

Function 00E8857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E88580
_memcmp.LIBVCRUNTIME ref: 00E88A08

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: f79e306dac899a1ced1ea620858827334fe4030bd90def8ab185db8257553713
Instruction ID: f030638eb8ad3dcd180641f27ef93dd352370db48637cb70a0eef303ccaa7e06
Opcode Fuzzy Hash: f79e306dac899a1ced1ea620858827334fe4030bd90def8ab185db8257553713
Instruction Fuzzy Hash: 57823970904245AEDF25EF60C985BFAB7B9AF05304F4861BAED5DBB183DB305A44CB60

Function 00E9AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E9AEE5

Part of subcall function 00E8130B: GetDlgItem.USER32(00000000,00003021), ref: 00E8134F
Part of subcall function 00E8130B: SetWindowTextW.USER32(00000000,00EB35B4), ref: 00E81365

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00E9B281
winrarsfxmappingfile.tmp, xrefs: 00E9B2BC
C:\Users\user\Desktop, xrefs: 00E9B2DF
<, xrefs: 00E9B29A
"%s"%s, xrefs: 00E9B423
__tmp_rar_sfx_access_check_%u, xrefs: 00E9B1CB
STARTDLG, xrefs: 00E9AF04
@, xrefs: 00E9B2A7
LICENSEDLG, xrefs: 00E9B771

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-1775577126
Opcode ID: eb111fb364e68b59a49b43c48a452983ef23771ffea5a357875cb883257a5525
Instruction ID: 264a3d5e3b772570a36ddacf43cd35dc06b39ddc7b35e45e554487c66b4ad5c0
Opcode Fuzzy Hash: eb111fb364e68b59a49b43c48a452983ef23771ffea5a357875cb883257a5525
Instruction Fuzzy Hash: 44422770944248BEEF25AFB1AE8AFBE77BCEB01704F002169F605B61D1CB754949CB61

Function 00E900CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00E900E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E900F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E90127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E903D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E903F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E90402
ReadFile.KERNEL32(00000000,?,00007FFE,00EB3BA4,00000000), ref: 00E90421
CloseHandle.KERNEL32(00000000), ref: 00E90479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E9048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00E904E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00E90510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00E9054A

Part of subcall function 00E90085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E900A0
Part of subcall function 00E90085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E8EB86,Crypt32.dll,00000000,00E8EC0A,?,?,00E8EBEC,?,?,?), ref: 00E900C2

_swprintf.LIBCMT ref: 00E905BE
_swprintf.LIBCMT ref: 00E9060A

Part of subcall function 00E8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E8401D

AllocConsole.KERNEL32 ref: 00E90612
GetCurrentProcessId.KERNEL32 ref: 00E9061C
AttachConsole.KERNEL32(00000000), ref: 00E90623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00E90649
WriteConsoleW.KERNEL32(00000000), ref: 00E90650
Sleep.KERNEL32(00002710), ref: 00E9065B
FreeConsole.KERNEL32 ref: 00E90661
ExitProcess.KERNEL32 ref: 00E90669

Strings

l<, xrefs: 00E9055C
p@, xrefs: 00E90344
p?, xrefs: 00E902CB
SetDefaultDllDirectories, xrefs: 00E90121
<?, xrefs: 00E902B5
\A, xrefs: 00E903A7
D=, xrefs: 00E901F4
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00E905F8
@>, xrefs: 00E90247
?, xrefs: 00E90302
SetDllDirectoryW, xrefs: 00E900F0
P<, xrefs: 00E9019C
x=, xrefs: 00E90204
8<, xrefs: 00E90194
X@, xrefs: 00E90339
DXGIDebug.dll, xrefs: 00E90169, 00E904D3
<, xrefs: 00E9018C
>, xrefs: 00E90289
dwmapi.dll, xrefs: 00E90581
(>, xrefs: 00E9023C
uxtheme.dll, xrefs: 00E9058B
kernel32, xrefs: 00E900DD
|<, xrefs: 00E901AC
T;, xrefs: 00E90154
X>, xrefs: 00E90252
T?, xrefs: 00E902C0
4=, xrefs: 00E901EC
`=, xrefs: 00E901FC
(@, xrefs: 00E90323
?, xrefs: 00E902AA
0A, xrefs: 00E90391
DA, xrefs: 00E9039C
p>, xrefs: 00E9025D
@@, xrefs: 00E9032E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <$ ?$(>$(@$0A$4=$8<$<?$@>$@@$D=$DA$DXGIDebug.dll$P<$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;$T?$X>$X@$\A$`=$dwmapi.dll$kernel32$l<$p>$p?$p@$uxtheme.dll$x=$|<$>$?
API String ID: 1201351596-2360068917
Opcode ID: 8462fae83faa0d5605625e21bd7ffbd8a79cd8c294c24d9818de00bcff7bf6c1
Instruction ID: a985dc6be15854670b4ba974c34adce94b37e59e918a8455962788c1341e78b6
Opcode Fuzzy Hash: 8462fae83faa0d5605625e21bd7ffbd8a79cd8c294c24d9818de00bcff7bf6c1
Instruction Fuzzy Hash: 47D171B15483849FD731AF60D84BBDFBAE8AFC4704F40291DF689B6191D7B096488F62

Function 00E9BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00E9BDFA

Part of subcall function 00E9AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00E9AAFE

SetWindowTextW.USER32(?,?), ref: 00E9C127
_wcsrchr.LIBVCRUNTIME ref: 00E9C2B1
GetDlgItem.USER32(?,00000066), ref: 00E9C2EC
SetWindowTextW.USER32(00000000,?), ref: 00E9C2FC
SendMessageW.USER32(00000000,00000143,00000000,00ECA472), ref: 00E9C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E9C335

Strings

%s.%d.tmp, xrefs: 00E9BFF6
Software\Microsoft\Windows\CurrentVersion, xrefs: 00E9C1D0
ProgramFilesDir, xrefs: 00E9C1FB
<br>, xrefs: 00E9C08A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 55c4b05d64805191a39202d7725cb406cfa94874dd7b0883e1be17799bb5a327
Instruction ID: 6bec41d1ef80756dfbfbe07043c2daaf47cb36cd8cf975dd0cbbc856ba72c7c9
Opcode Fuzzy Hash: 55c4b05d64805191a39202d7725cb406cfa94874dd7b0883e1be17799bb5a327
Instruction Fuzzy Hash: 8CE19272D04618AADF25EBA4DC85EEF77BCEF09314F1050A6F609F7091EB749A848B50

Function 00E8D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00E8D346
_wcschr.LIBVCRUNTIME ref: 00E8D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00E8D328,?), ref: 00E8D382
__fprintf_l.LIBCMT ref: 00E8D873

Part of subcall function 00E9137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E8B652,00000000,?,?,?,00010444), ref: 00E91396

Strings

*messages***, xrefs: 00E8D49A
, xrefs: 00E8D67A
$9, xrefs: 00E8D6AF
a, xrefs: 00E8D4EF
,, xrefs: 00E8D8AE
$%s:, xrefs: 00E8D856
RTL, xrefs: 00E8D838
@%s:, xrefs: 00E8D85D, 00E8D869
*messages***, xrefs: 00E8D4D3
R, xrefs: 00E8D4E5

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-2374907605
Opcode ID: 55e3f8dc07b451a57a698dd6a269e23ab2e10a9e6530682f08788b0b4bc82f0a
Instruction ID: ea35225a05c534ac23ef20ffcd166d9c4efbb280e8e812ce0978aae0dd917f96
Opcode Fuzzy Hash: 55e3f8dc07b451a57a698dd6a269e23ab2e10a9e6530682f08788b0b4bc82f0a
Instruction Fuzzy Hash: 0F12A0719042199ADF24FFA4DC82AEEB7B5EF44314F10616AF50EB71D1EB71AA40CB60

Function 00E9CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E9AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E9AC85
Part of subcall function 00E9AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E9AC96
Part of subcall function 00E9AC74: IsDialogMessageW.USER32(00010444,?), ref: 00E9ACAA
Part of subcall function 00E9AC74: TranslateMessage.USER32(?), ref: 00E9ACB8
Part of subcall function 00E9AC74: DispatchMessageW.USER32(?), ref: 00E9ACC2

GetDlgItem.USER32(00000068,00EDECB0), ref: 00E9CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00E9A632,00000001,?,?,00E9AECB,00EB4F88,00EDECB0), ref: 00E9CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E9CBA1
SendMessageW.USER32(00000000,000000C2,00000000,00EB35B4), ref: 00E9CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E9CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E9CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E9CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E9CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E9CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E9CC67
SendMessageW.USER32(00000000,000000C2,00000000,00EB431C), ref: 00E9CC76

Strings

\, xrefs: 00E9CBCF

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 7f0fd0c1f7b40f7cb977935e583828e70f0dde0d033a19954a9ef08f2ecf9548
Instruction ID: c494666b705ecc34e26f84946f3dc5c0677a5cd547b4241cd25cd22b362ec13d
Opcode Fuzzy Hash: 7f0fd0c1f7b40f7cb977935e583828e70f0dde0d033a19954a9ef08f2ecf9548
Instruction Fuzzy Hash: F031B071185385AFE301DF219D8AFAB7EACEB82704F00051CF651AA1D1DB655909C7BA

Function 00E9CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00E9CF54
ShowWindow.USER32(?,00000000), ref: 00E9CF93
GetExitCodeProcess.KERNEL32(?,?), ref: 00E9CFCF
CloseHandle.KERNEL32(?), ref: 00E9CFF5
ShowWindow.USER32(?,00000001), ref: 00E9D084

Part of subcall function 00E917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00E8BB05,00000000,.exe,?,?,00000800,?,?,00E985DF,?), ref: 00E917C2

Strings

.inf, xrefs: 00E9CF10
.exe, xrefs: 00E9CFFF
, xrefs: 00E9CEA2

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 3f3aede2b0e070c246dfd5695f0e7e2afab4667b8a9d9d9802d8332480565784
Instruction ID: 652aa3ba9c3171c5503e7bb27693afce94afca317d0a36a63d6e5eef87c376a3
Opcode Fuzzy Hash: 3f3aede2b0e070c246dfd5695f0e7e2afab4667b8a9d9d9802d8332480565784
Instruction Fuzzy Hash: 7061E370508390AEDF31AF25D8046ABBBEAEF85308F14681EF5C5B7251D7B18989CB52

Function 00EAA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EA4E35,00EA4E35,?,?,?,00EAA2A9,00000001,00000001,3FE85006), ref: 00EAA0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EAA2A9,00000001,00000001,3FE85006,?,?,?), ref: 00EAA138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EAA232
__freea.LIBCMT ref: 00EAA23F

Part of subcall function 00EA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EAC13D,00000000,?,00EA67E2,?,00000008,?,00EA89AD,?,?,?), ref: 00EA854A

__freea.LIBCMT ref: 00EAA248
__freea.LIBCMT ref: 00EAA26D

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5170495a48a9a315f6c61e1a487bd2a0b8d725f948fb4ccd1c94ba4f5259a40f
Instruction ID: 22969afc33d90be47c90168f739226b28f80952d96c56738158b5620561aec76
Opcode Fuzzy Hash: 5170495a48a9a315f6c61e1a487bd2a0b8d725f948fb4ccd1c94ba4f5259a40f
Instruction Fuzzy Hash: D551E372600306AFEB258E64CC41FBB77AAEB4A754F191239FC04FA150DB35EC54C661

Function 00E9A2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00E9A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 00E9A315

Part of subcall function 00E917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00E8BB05,00000000,.exe,?,?,00000800,?,?,00E985DF,?), ref: 00E917C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E9A305

Strings

@UJu, xrefs: 00E9A315
EDIT, xrefs: 00E9A2E9, 00E9A2F4, 00E9A301

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @UJu$EDIT
API String ID: 4243998846-1013725496
Opcode ID: 1d7e9db73cb378301584d5979600bd8146cf4f01db4bdf6924c08e4c02cdce97
Instruction ID: 15cb8fa0c14ca907e928f27a9f5748e79228cde1ad8af1f47925a0527384e65f
Opcode Fuzzy Hash: 1d7e9db73cb378301584d5979600bd8146cf4f01db4bdf6924c08e4c02cdce97
Instruction Fuzzy Hash: AAF08272A0122C7BEF209A659C09FDF77AC9F46B10F080066BE05B61C0D760A945C6F6

Function 00E899B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00E878AD,?,00000005,?,00000011), ref: 00E89A4C
GetLastError.KERNEL32(?,?,00E878AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E89A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00E878AD,?,00000005,?), ref: 00E89A8E
GetLastError.KERNEL32(?,?,00E878AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E89A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00E878AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E89ADB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 08dc16b223b0f45facb595d3675f65b0911c5de208cff1760fee8e3befe65213
Instruction ID: 1a981c9bbfcc5fa34405941eb5a62ed824bd3097643ab5ea8b9c748c07cdae27
Opcode Fuzzy Hash: 08dc16b223b0f45facb595d3675f65b0911c5de208cff1760fee8e3befe65213
Instruction Fuzzy Hash: D14135309447466FE320AB30CC06BEABBD4BB45328F140719F5ECA61D2E775A988CB95

Function 00E9AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E9AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E9AC96
IsDialogMessageW.USER32(00010444,?), ref: 00E9ACAA
TranslateMessage.USER32(?), ref: 00E9ACB8
DispatchMessageW.USER32(?), ref: 00E9ACC2

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 6086b37b936a4b45064137b1603401c2bb5fd44577cc76e7e6260512b204b063
Instruction ID: 9414af28cd80dfa00bf503a99b7ad077fbc4dcef36b3b28fb1cdfa6d7894af09
Opcode Fuzzy Hash: 6086b37b936a4b45064137b1603401c2bb5fd44577cc76e7e6260512b204b063
Instruction Fuzzy Hash: 07F0F97190116DAF8F209FE29C8CDEBBF6CEF052517444429F515E6140EB249509C7F1

Function 00EA76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\Ym9pCkdQCN.exe,00000104), ref: 00EA76FD
_free.LIBCMT ref: 00EA77C8
_free.LIBCMT ref: 00EA77D2

Strings

C:\Users\user\Desktop\Ym9pCkdQCN.exe, xrefs: 00EA76F4, 00EA76FB, 00EA772A, 00EA7762

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Ym9pCkdQCN.exe
API String ID: 2506810119-2401418235
Opcode ID: fa562d6f3d7590ef39bbe28578961f0a3b0fe7156bb856b0ece3ba4c470e99e2
Instruction ID: b1590d96e54dd99169768be7b067e29f84b1abb7820666d7e12c96e9936fbb70
Opcode Fuzzy Hash: fa562d6f3d7590ef39bbe28578961f0a3b0fe7156bb856b0ece3ba4c470e99e2
Instruction Fuzzy Hash: 6831B171A04209AFCB21DF99DC8199EBBFCEB8A310B1410A7F444BF211D6706E84CB50

Function 00E9A335 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E90085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E900A0
Part of subcall function 00E90085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E8EB86,Crypt32.dll,00000000,00E8EC0A,?,?,00E8EBEC,?,?,?), ref: 00E900C2

OleInitialize.OLE32(00000000), ref: 00E9A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E9A385
SHGetMalloc.SHELL32(00EC8430), ref: 00E9A38F

Strings

riched20.dll, xrefs: 00E9A33D

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 9386de7ba93ab12f1dbb7d1333b17ffa1fb7a338f768639a48f6fe5f826ee776
Instruction ID: cbdce2608521551d63f16dfc45a958178b63f0621684ec0ed0fbb149ca23ffd5
Opcode Fuzzy Hash: 9386de7ba93ab12f1dbb7d1333b17ffa1fb7a338f768639a48f6fe5f826ee776
Instruction Fuzzy Hash: EFF0E7B1D0020DABCB10AF9A99499EFFBFCEB95711F00415AF914F2251DBB456098BA1

Function 00E9D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00E9D29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E9D2D9

Strings

sfxcmd, xrefs: 00E9D298
sfxpar, xrefs: 00E9D2D4

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: fbc5141dce8ca291595d6e8c302cbd73ca104b0b78a5d0dfb890958e16b9834a
Instruction ID: ac5c95f4409bcf636aa807710b6fd8a4d2b52fb8df5d5baedc79db125512cecb
Opcode Fuzzy Hash: fbc5141dce8ca291595d6e8c302cbd73ca104b0b78a5d0dfb890958e16b9834a
Instruction Fuzzy Hash: CEF08C72805228A6CB207FE59C0ABEABB9CAF09B41B001252FD88B6251D660CD4097E1

Function 00E8984E Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E8985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00E89876
GetLastError.KERNEL32 ref: 00E898A8
GetLastError.KERNEL32 ref: 00E898C7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: b3c713867763c6e59f2c3afefc97cdb9b7d89d84ba342d464123fec6cefc91c7
Instruction ID: b3cde92dd37f4794633dfc892940110596817f1dade0f768a5a5510d0c8128f8
Opcode Fuzzy Hash: b3c713867763c6e59f2c3afefc97cdb9b7d89d84ba342d464123fec6cefc91c7
Instruction Fuzzy Hash: 7A11A030D0020AEFDB297B61C804ABA37A9EB02734F18912AF42EB7592D7359E449F51

Function 00EAA4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E8CFE0,00000000,00000000,?,00EAA49B,00E8CFE0,00000000,00000000,00000000,?,00EAA698,00000006,FlsSetValue), ref: 00EAA526
GetLastError.KERNEL32(?,00EAA49B,00E8CFE0,00000000,00000000,00000000,?,00EAA698,00000006,FlsSetValue,00EB7348,00EB7350,00000000,00000364,?,00EA9077), ref: 00EAA532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EAA49B,00E8CFE0,00000000,00000000,00000000,?,00EAA698,00000006,FlsSetValue,00EB7348,00EB7350,00000000), ref: 00EAA540

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 341a4c88e5978178fd6c95cb105837fe685e335f64a18bab9a9822dcf38b00ba
Instruction ID: 67af5864370ec03d0a71baa147c7b74646e043cb300894f8e6ccf19a53a74cc8
Opcode Fuzzy Hash: 341a4c88e5978178fd6c95cb105837fe685e335f64a18bab9a9822dcf38b00ba
Instruction Fuzzy Hash: 21014732A11326AFC7219A79AC44A677B5CAF0BBA1B180234F906FB140D731FA04C6E5

Function 00EAB188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00EA8FA5: GetLastError.KERNEL32(?,00EC0EE8,00EA3E14,00EC0EE8,?,?,00EA3713,00000050,?,00EC0EE8,00000200), ref: 00EA8FA9
Part of subcall function 00EA8FA5: _free.LIBCMT ref: 00EA8FDC
Part of subcall function 00EA8FA5: SetLastError.KERNEL32(00000000,?,00EC0EE8,00000200), ref: 00EA901D
Part of subcall function 00EA8FA5: _abort.LIBCMT ref: 00EA9023

Part of subcall function 00EAB2AE: _abort.LIBCMT ref: 00EAB2E0
Part of subcall function 00EAB2AE: _free.LIBCMT ref: 00EAB314

Part of subcall function 00EAAF1B: GetOEMCP.KERNEL32(00000000,?,?,00EAB1A5,?), ref: 00EAAF46

_free.LIBCMT ref: 00EAB200
_free.LIBCMT ref: 00EAB236

Strings

, xrefs: 00EAB22A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-3162483948
Opcode ID: d935553532443abdc166c616a647d6b82b06f4dfb08bd65cff2eb49fabdd8140
Instruction ID: 6a9382aa51901368fabc3ba314349b83c0d386817cf682927492d5f4a0c66d1a
Opcode Fuzzy Hash: d935553532443abdc166c616a647d6b82b06f4dfb08bd65cff2eb49fabdd8140
Instruction Fuzzy Hash: B231F631900208AFDB10EFA9D941BAEB7F1EF4A324F25509AE414BF2A2DB717D41CB50

Function 00E89F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00E8CC94,00000001,?,?,?,00000000,00E94ECD,?,?,?), ref: 00E89F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00E94ECD,?,?,?,?,?,00E94972,?), ref: 00E89F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00E8CC94,00000001,?,?), ref: 00E89FB8

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: d3ef02b9fc216a1a1207744756e92f8d425a5b257b1c74389529c6a7c82c1b8c
Instruction ID: 6aae21f472f2f4caa58b68b36f81112ed5b99f0100393d94b67144ddccf1ff74
Opcode Fuzzy Hash: d3ef02b9fc216a1a1207744756e92f8d425a5b257b1c74389529c6a7c82c1b8c
Instruction Fuzzy Hash: 2831F2316083059FDB28AF24D948B7ABBA4EB80714F08561DF94DBA192C771DD48CBA2

Function 00E8A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00E8A113,?,00000001,00000000,?,?), ref: 00E8A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00E8A113,?,00000001,00000000,?,?), ref: 00E8A261
GetLastError.KERNEL32(?,?,?,?,00E8A113,?,00000001,00000000,?,?), ref: 00E8A27E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: b34016fca1136ea48e0c7b2cd1cc67dcc6e1adc314cbe8058ae0e978f12ac810
Instruction ID: bdc4bf39b745e2b2ec4005515c94afd6df1ed48ca31c25f8f59a50a77df21172
Opcode Fuzzy Hash: b34016fca1136ea48e0c7b2cd1cc67dcc6e1adc314cbe8058ae0e978f12ac810
Instruction Fuzzy Hash: E901803114161866FB32BB754C06BFA3388AF06B45F0C5877F90DF6071D7668A4187A3

Function 00EAAFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00EAB019

Strings

, xrefs: 00EAB05E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: f8e2939b1e7032e72b382d59497dd34384427ad24e9da3e83ca21759bac0e5c9
Instruction ID: faf9087e8eee85536c7bad0e9f9859174dade5ea2e1df2f96bfd866d299e8009
Opcode Fuzzy Hash: f8e2939b1e7032e72b382d59497dd34384427ad24e9da3e83ca21759bac0e5c9
Instruction Fuzzy Hash: 7241F77050438C9ADF218A648C94BF7BBE9DB5A308F1414EDE59AAB143D335AE45DF20

Function 00EAA72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00EAA79D

Strings

LCMapStringEx, xrefs: 00EAA73D, 00EAA747

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 247695f4a1f4c0c794afa1b055090adefbc357446a39ed7f45db858fa478f6d4
Instruction ID: 1b25039bb9472c998cf8be1e9a79132b2aab6e1ea8ae141cfdd45d2a45bd46a0
Opcode Fuzzy Hash: 247695f4a1f4c0c794afa1b055090adefbc357446a39ed7f45db858fa478f6d4
Instruction Fuzzy Hash: D401C232544209BBCF06AFA1DC06DEF7FA6EB4D750F085165FE1429160CA729921EB91

Function 00EAA6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00EA9D2F), ref: 00EAA715

Strings

InitializeCriticalSectionEx, xrefs: 00EAA6E5

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: efd2a76fbd57cb82e4d193a7029c539121985a74df205e5b04260395b75cfaee
Instruction ID: cd602349899e77aeb371e04639dea7df091ba3a1f3a1baccf5c0dda03241c4c5
Opcode Fuzzy Hash: efd2a76fbd57cb82e4d193a7029c539121985a74df205e5b04260395b75cfaee
Instruction Fuzzy Hash: B9F09A31645308BBCB01AFA5CC06CEF7FA1EB49720B045165FD093A260DA71AA10EB91

Function 00EAA56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00EAA5AE

Strings

FlsAlloc, xrefs: 00EAA58A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 26c34d2e60eafba0661b7423ec546560b8a1d65caabac95d5cf728a55497536f
Instruction ID: e3267e983567e49c0bc0330f8ebb92c0cfcd7d37123a68b79ad4c7e13b019b4c
Opcode Fuzzy Hash: 26c34d2e60eafba0661b7423ec546560b8a1d65caabac95d5cf728a55497536f
Instruction Fuzzy Hash: A6E05570B453286F8210ABA58C069EFBB94CB5AB10B050225FC043B340EE701E00D2DA

Function 00EA329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00EA32AF

Strings

FlsAlloc, xrefs: 00EA329E, 00EA32A8

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 59efbd6b4bb5a081fe07165dd168ead5faacdad334bf0a31507330de8641f6e3
Instruction ID: 6bb69d1b49e71dbfb59abb9e1d4fe15d1ec546f6bb59bf142345914459082ff8
Opcode Fuzzy Hash: 59efbd6b4bb5a081fe07165dd168ead5faacdad334bf0a31507330de8641f6e3
Instruction Fuzzy Hash: 70D02B237817346E851133E56C03BEFBF448702FB6F451153FF083E282A461454001D5

Function 00EAB350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00EAAF1B: GetOEMCP.KERNEL32(00000000,?,?,00EAB1A5,?), ref: 00EAAF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00EAB1EA,?,00000000), ref: 00EAB3C4
GetCPInfo.KERNEL32(00000000,00EAB1EA,?,?,?,00EAB1EA,?,00000000), ref: 00EAB3D7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: fbb05c592533fea573b2eacf3a9bf729208ef096822c69851aab76ce8e0f25b6
Instruction ID: 1d127f049473e935f693b18607a4dd98a2ea5bd12374ce59eed3efd2f9e10a56
Opcode Fuzzy Hash: fbb05c592533fea573b2eacf3a9bf729208ef096822c69851aab76ce8e0f25b6
Instruction Fuzzy Hash: E6513670A043059EDB248F71C8816BBBBE5EF4E314F18916ED0A6AF253E735B945CB80

Function 00E81385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E81385

Part of subcall function 00E86057: __EH_prolog.LIBCMT ref: 00E8605C

Part of subcall function 00E8C827: __EH_prolog.LIBCMT ref: 00E8C82C
Part of subcall function 00E8C827: new.LIBCMT ref: 00E8C86F
Part of subcall function 00E8C827: new.LIBCMT ref: 00E8C893

new.LIBCMT ref: 00E813FE

Part of subcall function 00E8B07D: __EH_prolog.LIBCMT ref: 00E8B082

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2ff2d103ac9b372cc6a1c8c1743c35420e8c12c584794a3c026c1130a0d9d2fd
Instruction ID: 8fc210e1b9de9929470d51e4358653e4e390fd81d138234d567383e2d681fdbc
Opcode Fuzzy Hash: 2ff2d103ac9b372cc6a1c8c1743c35420e8c12c584794a3c026c1130a0d9d2fd
Instruction Fuzzy Hash: 464134B0805B40DEE724EF7984859E7FBE6FB18300F505A6ED2EE93282DB326554CB15

Function 00E81380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E81385

Part of subcall function 00E86057: __EH_prolog.LIBCMT ref: 00E8605C

Part of subcall function 00E8C827: __EH_prolog.LIBCMT ref: 00E8C82C
Part of subcall function 00E8C827: new.LIBCMT ref: 00E8C86F
Part of subcall function 00E8C827: new.LIBCMT ref: 00E8C893

new.LIBCMT ref: 00E813FE

Part of subcall function 00E8B07D: __EH_prolog.LIBCMT ref: 00E8B082

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4c01932aa98f891b130e143b0608bfb17cb10472fc7f1e62cfe887100d67b927
Instruction ID: 5516186827e0761bf25bc5f8f970db8d27499b2203e231d62076cbd88057aa05
Opcode Fuzzy Hash: 4c01932aa98f891b130e143b0608bfb17cb10472fc7f1e62cfe887100d67b927
Instruction Fuzzy Hash: 744134B0805B409EE724DF7984859E7FBE5FB19300F505A6ED2EE93282DB322554CB15

Function 00E8971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00E89EDC,?,?,00E87867), ref: 00E897A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00E89EDC,?,?,00E87867), ref: 00E897DB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fe15cf80ff42396f7ca7103702d9bae6b4d495cfc0f4b9f943238f604675551
Instruction ID: b33437509380912c092f5b8d1921a03c1ba028930c4ed23dea0e13c90c75eb43
Opcode Fuzzy Hash: 0fe15cf80ff42396f7ca7103702d9bae6b4d495cfc0f4b9f943238f604675551
Instruction Fuzzy Hash: 222128B0510744AFD730AF24CC85BB7B7E8EB49768F04492EF1DDA2192C375AC488B20

Function 00E89D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00E87547,?,?,?,?), ref: 00E89D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00E89E2C

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: c778825a500062a91b6caf9847b885939d22ca36ab8875e2adbe71eb50d81df2
Instruction ID: 1267857ca8abae7f8b415d36c036f8fc14f74beea9cf6d02c04262c87ed0c3d4
Opcode Fuzzy Hash: c778825a500062a91b6caf9847b885939d22ca36ab8875e2adbe71eb50d81df2
Instruction Fuzzy Hash: E021D631548346AFC714EE25C451ABBBBE4AF95708F08591CF8C9A7192D329DE0CDB51

Function 00EAA458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00EB3958), ref: 00EAA4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EAA4C5

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 151af132cc078cfb90614526dd601b189ea92c8b7d015c2b89ac88e316a9b47f
Instruction ID: 7524a0f605a8ea70d4f28e612a5b77d619eda00aac55ccde66eae85ab885b0c9
Opcode Fuzzy Hash: 151af132cc078cfb90614526dd601b189ea92c8b7d015c2b89ac88e316a9b47f
Instruction Fuzzy Hash: 9411C4336017219F9B229E69EC448EA73959B8E72471A5230FD25BF248DB70EC45C7D2

Function 00E89B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00E89B35,?,?,00000000,?,?,00E88D9C,?), ref: 00E89BC0
GetLastError.KERNEL32 ref: 00E89BCD

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7759fbb8e3ad62db5bf430972d284639253f8483fa35dba368114f19ae728a22
Instruction ID: 7aa3d9fdfd3c1772b5271f4d39bbfcdb5281f2402e43e70fc44cd178f2c9d3f7
Opcode Fuzzy Hash: 7759fbb8e3ad62db5bf430972d284639253f8483fa35dba368114f19ae728a22
Instruction Fuzzy Hash: F3012B317052059F8B08EF65AC988BFB3D9AFC0321B18562DF81EA7292CA30DC059724

Function 00E89E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00E89E76
GetLastError.KERNEL32 ref: 00E89E82

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 19cf3ccdfa228d9ce2223edca380c375233f2efffc5ab5d4e1d4231e6c9e1a9d
Instruction ID: d7a8b92cad1cf33998e3b284e19638076266c83edc8fd15db8c94ec7f27a4af0
Opcode Fuzzy Hash: 19cf3ccdfa228d9ce2223edca380c375233f2efffc5ab5d4e1d4231e6c9e1a9d
Instruction Fuzzy Hash: 0E019271B042005FEB34EE29DC45B7BBAD99B84319F18593EB14EE2681DA31DC488710

Function 00EA8606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA8627

Part of subcall function 00EA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EAC13D,00000000,?,00EA67E2,?,00000008,?,00EA89AD,?,?,?), ref: 00EA854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00EC0F50,00E8CE57,?,?,?,?,?,?), ref: 00EA8663

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 99bc2a55d74caddfb9f34ba7fa2c81d144613cdb4eefc9c132951b4c4e9d3b85
Instruction ID: 1a1b29b0da8c7f82415afd46d30598b33f82cc11c3f803dafb6f7b8fb43cbe65
Opcode Fuzzy Hash: 99bc2a55d74caddfb9f34ba7fa2c81d144613cdb4eefc9c132951b4c4e9d3b85
Instruction Fuzzy Hash: 57F0C2311011166AEB212A22AF00BAB3798DFEF7A4F246116F854BE191DE30F80095A4

Function 00E90908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00E90915
GetProcessAffinityMask.KERNEL32(00000000), ref: 00E9091C

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: eba09e4026524435297544dbe340f24068670138095610a42e95689fb7fbb950
Instruction ID: 94a4bfcd3a799ae29071b46ce6c75ffb80e792fcfeda7bbb3d52e7ed40a21725
Opcode Fuzzy Hash: eba09e4026524435297544dbe340f24068670138095610a42e95689fb7fbb950
Instruction Fuzzy Hash: 01E09232A10119AF6F09DAB99C059FB73DDEFC4324760517AA806F3201F930DE0586A0

Function 00E8A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E8A27A,?,?,?,00E8A113,?,00000001,00000000,?,?), ref: 00E8A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E8A27A,?,?,?,00E8A113,?,00000001,00000000,?,?), ref: 00E8A489

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 748e549a08e480dddcfe945a3c18f848bfcaed9fba9482328998a3059e4e7b2b
Instruction ID: 8ad4de57c389ef9bf9d3a2612572438cad0eda2f4cec593be716a3d768ea5602
Opcode Fuzzy Hash: 748e549a08e480dddcfe945a3c18f848bfcaed9fba9482328998a3059e4e7b2b
Instruction Fuzzy Hash: 15F0A73124020D7BDF116F60DC45FDA375CBF04385F088161BC4CA6161DB7199A8AB50

Function 00E9D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E9D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 00E9D5B8

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: c78ede65f720c51e729314d080b99bd29dc2aee4333a8b5ef7ec3e99b9ed267b
Instruction ID: 20738fdb50e90a0abaa3642487330773408e46c041ce5d236a6dd9754b50f9cd
Opcode Fuzzy Hash: c78ede65f720c51e729314d080b99bd29dc2aee4333a8b5ef7ec3e99b9ed267b
Instruction Fuzzy Hash: CDF027715043487ADF11AB609C02FAA379CAB04745F040556B704B70A1DA326A204762

Function 00E8A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00E8984C,?,?,00E89688,?,?,?,?,00EB1FA1,000000FF), ref: 00E8A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00E8984C,?,?,00E89688,?,?,?,?,00EB1FA1,000000FF), ref: 00E8A16C

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f52b2996836c6da17eaca1de30d0a9199e38eed290dc9afe30392ecd00b42139
Instruction ID: 9e9400cf12bbd4476458cc2aa6ed9cfa2083b508fc7380a179fd5d77a6a7031b
Opcode Fuzzy Hash: f52b2996836c6da17eaca1de30d0a9199e38eed290dc9afe30392ecd00b42139
Instruction Fuzzy Hash: CAE022742422086BEB10BF30DC06FEA339CAF08381F481072B88CE3064DB21DD98AB90

Function 00E9A39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00EB1FA1,000000FF), ref: 00E9A3D1
CoUninitialize.COMBASE(?,?,?,?,00EB1FA1,000000FF), ref: 00E9A3D6

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: ad541bd18ce89efb86f2ef25c31a39db61f018db84f672693ef3149a9202216d
Instruction ID: 8470f450ef838f1dba17353c683296900370f8bfde8da02b79c8c884c46d4c14
Opcode Fuzzy Hash: ad541bd18ce89efb86f2ef25c31a39db61f018db84f672693ef3149a9202216d
Instruction Fuzzy Hash: B2F0A032618644DFC700DB4DDD01B16FBACFB49B20F04436AF419A3760CB746800CA80

Function 00E8A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00E8A189,?,00E876B2,?,?,?,?), ref: 00E8A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00E8A189,?,00E876B2,?,?,?,?), ref: 00E8A1D1

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 061b2f90238fa389a89cf85b006d4a9d82442711d62c8ca5bfd4b093ab2db90b
Instruction ID: 6b00152c5869265fee4fee93cc5e0865c9771439e300a18788f99254451b6fcc
Opcode Fuzzy Hash: 061b2f90238fa389a89cf85b006d4a9d82442711d62c8ca5bfd4b093ab2db90b
Instruction Fuzzy Hash: 48E065755001185BDB11FA64DC05BD5779CAB083A1F044262BD4CF3290D7709D489BD0

Function 00E90085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E900A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E8EB86,Crypt32.dll,00000000,00E8EC0A,?,?,00E8EBEC,?,?,?), ref: 00E900C2

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 014b157933bd63047d3759747098399f04261d065209b481d8724577b72f7648
Instruction ID: 4b0f86c92bd3757f5cbf5f70283b8f1d16a6089906532e59a17f5dd75be20726
Opcode Fuzzy Hash: 014b157933bd63047d3759747098399f04261d065209b481d8724577b72f7648
Instruction Fuzzy Hash: F3E0127690112C6ADB21AAA5DC06FD777ACEF09382F4404A5BA48E3144DA749A448BE0

Function 00E99B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E99B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E99B37

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: a72473fad274b53682c6ef30e5022c545ef8056cecd1a8a1115ee4b5c6fa34d6
Instruction ID: cdac8a233d71ab3129b77bb241ff30df074488f38d796a9f527db1a22cc0a178
Opcode Fuzzy Hash: a72473fad274b53682c6ef30e5022c545ef8056cecd1a8a1115ee4b5c6fa34d6
Instruction Fuzzy Hash: BEE0ED71901218EBCB10DF98E5026DAB7ECEB08721F10905FED95A3311E6756E049B95

Function 00EA215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00EA329A: try_get_function.LIBVCRUNTIME ref: 00EA32AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00EA2185

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 02859f0cd16719df8290d1d4a97e4775c64bc1279128824a891cef8eee7ad73d
Instruction ID: 0f82fe248227e2f1c7b542c738004f73a0ffd0eb280fb6a18699ce05efc4f894
Opcode Fuzzy Hash: 02859f0cd16719df8290d1d4a97e4775c64bc1279128824a891cef8eee7ad73d
Instruction Fuzzy Hash: 8CD0A925609306282C1827BC28822E92384597FBB83E03B8EF730BE0E1EE20B0496421

Function 00E9DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 00E9DC73
DloadProtectSection.DELAYIMP ref: 00E9DC8F

Part of subcall function 00E9DE67: DloadObtainSection.DELAYIMP ref: 00E9DE77

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 7baac851dcd0884382293c0ef8c5ccd7c12e8e9d7543a4b1c1f7d88a89fb1d81
Instruction ID: 899e9b9540a766510d7079cb74aff1f91c0851f0180a86d798b3c06bf60243a2
Opcode Fuzzy Hash: 7baac851dcd0884382293c0ef8c5ccd7c12e8e9d7543a4b1c1f7d88a89fb1d81
Instruction Fuzzy Hash: 74D0C9746082A85ECA15ABD59D8676CA2B0B714748FB42641B105FB1A0DBE444C6C615

Function 00E812E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00E812FB
ShowWindow.USER32(00000000), ref: 00E81302

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 5020d030e0e812debe7da553a040d027de4e30480ca8b7a3fce1f7b85686a8dd
Instruction ID: e34c763d2629dae3e44ea824eca7129c2846f6200ad9a1bc075fb78abf7342be
Opcode Fuzzy Hash: 5020d030e0e812debe7da553a040d027de4e30480ca8b7a3fce1f7b85686a8dd
Instruction Fuzzy Hash: A0C01232058288BECB010FB1EC09D2FBBACABA4212F05C90CB2A5D0061C238C118DB11

Function 00E819A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E819AB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8c6f0ffbfecacb283e4cb2cb4e4103a5cf6883a372879a9bcfb74565bfa3084f
Instruction ID: 0b11009893b4f021e9940f118f525dc8c4ee0c2c570ee420b647b42cfbea8b27
Opcode Fuzzy Hash: 8c6f0ffbfecacb283e4cb2cb4e4103a5cf6883a372879a9bcfb74565bfa3084f
Instruction Fuzzy Hash: 28C1B670A042449FDF19EF68C485BA97BE9AF05304F1860F9DC4EFB296CB319946CB61

Function 00E83B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E83B42

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 95ec108bb6b5fee20285d07fd34255ce18372582b9bc32fde4c43efdd00359ec
Instruction ID: b596d60cb4ce9c08a166c319a18f4bf78f18c7591468d45d5bdd4d85a249ea89
Opcode Fuzzy Hash: 95ec108bb6b5fee20285d07fd34255ce18372582b9bc32fde4c43efdd00359ec
Instruction Fuzzy Hash: D771E271504F44AEDB25EB70CC41AEBB7E8AF14701F44696EE5AF67282DB316A48CF10

Function 00E8837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E88384

Part of subcall function 00E81380: __EH_prolog.LIBCMT ref: 00E81385
Part of subcall function 00E81380: new.LIBCMT ref: 00E813FE

Part of subcall function 00E819A6: __EH_prolog.LIBCMT ref: 00E819AB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 98f08994138a14486a79c172928b4c7d66a77b811178a378c84906228f8c1b2d
Instruction ID: e6c572d7923ff675f35d15a2f141a308c2efd8cd16791d6e5111f6a642a2ef29
Opcode Fuzzy Hash: 98f08994138a14486a79c172928b4c7d66a77b811178a378c84906228f8c1b2d
Instruction Fuzzy Hash: 7B41B1329406589ADF20FB60C955BEA73A8AF50304F4450EAE99EB3093DF745EC9DB50

Function 00E81E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E81E05

Part of subcall function 00E83B3D: __EH_prolog.LIBCMT ref: 00E83B42

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 984a74ecea93b25112739bb1583eced351839e3d0360202a524154cf2000b749
Instruction ID: d764880ddd4ed67dd38fa5e65532a81586cddb9f6a7e8bb92403c9f2819a86cb
Opcode Fuzzy Hash: 984a74ecea93b25112739bb1583eced351839e3d0360202a524154cf2000b749
Instruction Fuzzy Hash: 702139719442099FCF15EFA8D9519EEFBF9BF58300B1010ADE849B7251CB325E11CB60

Function 00E9A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E9A7C8

Part of subcall function 00E81380: __EH_prolog.LIBCMT ref: 00E81385
Part of subcall function 00E81380: new.LIBCMT ref: 00E813FE

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2202187011a84f45d7185b3ca32e71d4e9d06be211307e877328bfc2dd2de342
Instruction ID: 3d653365ec09b5257c6c43230a77b9fab90aa46cfb5545b6df83f6a20a776459
Opcode Fuzzy Hash: 2202187011a84f45d7185b3ca32e71d4e9d06be211307e877328bfc2dd2de342
Instruction Fuzzy Hash: 44216D71C04249AACF14EF98C9425EEB7F8EF19304F0414EEE809B7202D7356E06DBA1

Function 00E892E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E892EB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 172e809c6dfa7aa0fb89378f1154e488896159cdc1fff449951ffc4db3303e71
Instruction ID: 2f23e2407ba6840e9ef3c3158d1e756cdc102a5f5bd546e9ca47b03b2f910ce8
Opcode Fuzzy Hash: 172e809c6dfa7aa0fb89378f1154e488896159cdc1fff449951ffc4db3303e71
Instruction Fuzzy Hash: 7B118E73E005289BCF26BBA8CC529EEB776EF89750F045155F80DB7262CA34CD1087A0

Function 00E8AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00E8AA9A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 36c13dab0b29e7364ae596ec9b4574a7876b972cab9853d87bd1d79cdbecd459
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: 9BF08C31500B059FEB38EA64C945616B7E8EB11324F28996BE49EE2A90EB70D881C752

Function 00E85BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E85BDC

Part of subcall function 00E8B07D: __EH_prolog.LIBCMT ref: 00E8B082

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dab9519794045992e6874dad629a7c75c74ed24efd71232c858297836b1f4ffe
Instruction ID: 1d2f04e235f69b186c1a8de613dad091166bb019a85fe569f5d82fe26c42de2a
Opcode Fuzzy Hash: dab9519794045992e6874dad629a7c75c74ed24efd71232c858297836b1f4ffe
Instruction Fuzzy Hash: 77014B30A15688DAC725F7A4C0553DEFBE49B19710F40519DE85E73283CBB41B08C7A2

Function 00EA8518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EAC13D,00000000,?,00EA67E2,?,00000008,?,00EA89AD,?,?,?), ref: 00EA854A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a346e323b63c3202e55531c4904668a1d7e4a1feed0977907130dc0440242ae4
Instruction ID: ad2d044f99164d62c8f8a0f380f5ebead0db4b8ffc969ebc812d138246301d93
Opcode Fuzzy Hash: a346e323b63c3202e55531c4904668a1d7e4a1feed0977907130dc0440242ae4
Instruction Fuzzy Hash: 8BE0E531D802625AEB3126699E01B9B3BCC9F4B3B0F142221AC98BE090CE20FC0085E5

Function 00E8A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E8A4F5

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1c678a52e23e48a1a9fc68875768c4bf740af923a278910b850a4e886fe61982
Instruction ID: bfb2456fa8033f45e517c23ba8e6f1a02b6a6eb26cea8c51a98e67af67fb52b4
Opcode Fuzzy Hash: 1c678a52e23e48a1a9fc68875768c4bf740af923a278910b850a4e886fe61982
Instruction Fuzzy Hash: 9FF0B431009780AADA223BB888047C67BD1AF05331F08DA0AF1FD22191C2B414D59723

Function 00E9067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00E906B1

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 06ce0dab9d6ac77cac2d30b0792364e13fe48fc32b4f4c1501c92a22c16fbed9
Instruction ID: 9ba33903428f1091ab0d60f94748a96f7eae8774c2f690f101509f66d0d8d95e
Opcode Fuzzy Hash: 06ce0dab9d6ac77cac2d30b0792364e13fe48fc32b4f4c1501c92a22c16fbed9
Instruction Fuzzy Hash: 61D012257041516DDE217769A806BFE1A964FC2714F092069F44D77A878B56088A53A2

Function 00E99D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00E99D81

Part of subcall function 00E99B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E99B30

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 921fa2e37c97e1f639923859f3911492aef8571064d38a59d19292e5dde84093
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: D5D0A73021520C7ADF40BB788C0297A7BE8DB00300F105029BD08A6252FD72DE10A261

Function 00E89989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00E89887), ref: 00E89995

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a3b1c5add25665ab169f36b942133e506a1bdb39b3a3d670d92449ebae201660
Instruction ID: 350629cf82769efc58114ff27b01ef2365ef9e61b3f741ab3576f03b1a4458ec
Opcode Fuzzy Hash: a3b1c5add25665ab169f36b942133e506a1bdb39b3a3d670d92449ebae201660
Instruction Fuzzy Hash: 6AD01231851140958F2166355D0A0BAB791DFC336EB3CE7A8D02DD80A2D723C803F641

Function 00E9D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00E9D43F

Part of subcall function 00E9AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E9AC85
Part of subcall function 00E9AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E9AC96
Part of subcall function 00E9AC74: IsDialogMessageW.USER32(00010444,?), ref: 00E9ACAA
Part of subcall function 00E9AC74: TranslateMessage.USER32(?), ref: 00E9ACB8
Part of subcall function 00E9AC74: DispatchMessageW.USER32(?), ref: 00E9ACC2

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 374f90dd519ab608862af88de8d7519b03770031f32f4a2680026bbe2a1ee0d0
Instruction ID: 7286f6d21040926cd356ae444887a92300272c51e1f626bbfcc731d9213a6790
Opcode Fuzzy Hash: 374f90dd519ab608862af88de8d7519b03770031f32f4a2680026bbe2a1ee0d0
Instruction Fuzzy Hash: 01D09E31144300BFDA152B52DF06F1F7AE6BB88B04F004564B348740B28A729D219B16

Function 00E9D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ec8165536178d7ddff22437157a7d5155f048848520868db7e18e40773e098dc
Instruction ID: 1f6dbe152d301014127d17164e323b12e0ba402035bad9a7f7355602963f24ab
Opcode Fuzzy Hash: ec8165536178d7ddff22437157a7d5155f048848520868db7e18e40773e098dc
Instruction Fuzzy Hash: 95B012A176D2156C354C65056C03E7B024CC4C0B10330711EF10DF00C1D4805D440431

Function 00E9D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7dad2966a556e1c698463a0dc49a16c88e62980c29070b2f837730eed3cc963e
Instruction ID: 5caf1c964af79d896e150d4fa028d454a0566832b10f33bcff03ea486e3b275e
Opcode Fuzzy Hash: 7dad2966a556e1c698463a0dc49a16c88e62980c29070b2f837730eed3cc963e
Instruction Fuzzy Hash: EBB012A176D1116C350C65066C03E7B024CD4C0B10330701EF10DF00C1D4C05D040431

Function 00E9D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5c02fc6a0348b1fb94275a0ebe186bb3fbf6b23315182b22e6b8192d0dd66858
Instruction ID: 5b5b8fe888d7f6f210b1dd8851a67506336ae15b27bfde904a740ce8ac594b5f
Opcode Fuzzy Hash: 5c02fc6a0348b1fb94275a0ebe186bb3fbf6b23315182b22e6b8192d0dd66858
Instruction Fuzzy Hash: 43B012A176D1116C350C65056D03E7B024CC4C0B10330701EF10DF00C1D8805E050431

Function 00E9D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ffc145a890904f0e7e5b2327fe3dcc33768c61e84dd037fae99a017b922dfc8b
Instruction ID: 224b76d9a00b1204fdc7b689b75183c90f2f1fc8b117ae0f686a578dc38cc8d5
Opcode Fuzzy Hash: ffc145a890904f0e7e5b2327fe3dcc33768c61e84dd037fae99a017b922dfc8b
Instruction Fuzzy Hash: 06B012913AD5116C350C69156D03E7B024CC4C0B10330B01EF109F01C1D8805D0E0431

Function 00E9D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d65bc03833e6a8e21897f184b63571264fba3b27f13be85191fb6a6b1c313aa
Instruction ID: 82bdba9e981fd56debdaec0da7e43c8353d9f2a924a85da37344c9686d375f5d
Opcode Fuzzy Hash: 2d65bc03833e6a8e21897f184b63571264fba3b27f13be85191fb6a6b1c313aa
Instruction Fuzzy Hash: 19B012913AD6556C354C65157C03E7B024CC4C0B10330B11EF109F01C1D4805C890431

Function 00E9D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 705ba8f0d65c01efe97c50383829f616824b8d8e03cb07924cc7b805b4b4f6b3
Instruction ID: 6fdd9e2737c00b387b8512b02a9915dd43cc7a9bbd10317db6ff5d6a57834727
Opcode Fuzzy Hash: 705ba8f0d65c01efe97c50383829f616824b8d8e03cb07924cc7b805b4b4f6b3
Instruction Fuzzy Hash: A6B012A176D1116C350C65056C03E7B024CC4C1B10330B01EF50DF00C1D4805D040431

Function 00E9D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4782ddabc45c3155d5073b11795110bf6ed80eeea34c3121c908eb6a7b7219aa
Instruction ID: 4fcd74d14a64676d04fb4a09e83d28d6b064268aa18999e9dca8a2218e8a72bb
Opcode Fuzzy Hash: 4782ddabc45c3155d5073b11795110bf6ed80eeea34c3121c908eb6a7b7219aa
Instruction Fuzzy Hash: F4B0129536D215AC350C65057C43E7F024CE4C0B10330701EF109F00C2D4C05C040531

Function 00E9D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b5f3fc1d847f3733b3ef3647befc919fb2c6d2476bda9f8bc1ad0618ce732c9b
Instruction ID: 18c0ad30415f1015d5a0996ccf9f4feb0e2f97bbb31bb3eca9a99bab4d83da37
Opcode Fuzzy Hash: b5f3fc1d847f3733b3ef3647befc919fb2c6d2476bda9f8bc1ad0618ce732c9b
Instruction Fuzzy Hash: 41B012913AD5116C350C69156C03E7B024CC4C1B10330F01EF509F01C1D4805C090431

Function 00E9D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2169dadcf135bd5b4de9fb99fcb163cb051a06ed53afc54eb586f0504f2eaa73
Instruction ID: a48b7d2a607b04a8856f691abceab98585ff85e8ede0b996a60081368c8b6f5a
Opcode Fuzzy Hash: 2169dadcf135bd5b4de9fb99fcb163cb051a06ed53afc54eb586f0504f2eaa73
Instruction Fuzzy Hash: CAB0129536D3157C390C25017C53D7F020CC4C0B10330752EF109F00C2D4805C484431

Function 00E9E1F9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9E20B

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f461ef7623d438bb9fae3b8dc8b9618f26de1e001d96ceaf9ed6ce881c7d089
Instruction ID: 671d5d42a94c9b111bd8f2fd518453f8cfce7b02350fa9c5812086e071e267e3
Opcode Fuzzy Hash: 7f461ef7623d438bb9fae3b8dc8b9618f26de1e001d96ceaf9ed6ce881c7d089
Instruction Fuzzy Hash: 0EB012D136E1057C360C56017D07CBB031CC4C0B61330F01EB305F40D19A808C054032

Function 00E9D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ce844433e727a77b6e104bc1eb084557134923a3de489c3759a372da4b98abb
Instruction ID: 771843e315b346b6bb8624d599525769b20e5530d4ac59160ce3847e26fb67c9
Opcode Fuzzy Hash: 6ce844433e727a77b6e104bc1eb084557134923a3de489c3759a372da4b98abb
Instruction Fuzzy Hash: EAB012A236D111AC350C65056D03E7B02CCC4C0B10330701EF109F01C1D8805D051431

Function 00E9D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b14d6ee937e01cb4fff0f993027c5277a7468b8e8a041350f9281ca5c5ce403
Instruction ID: 659cac49efc3cdeb5c7f74223e43e02400cdb8105eaf595e5552e415ef28f3ff
Opcode Fuzzy Hash: 3b14d6ee937e01cb4fff0f993027c5277a7468b8e8a041350f9281ca5c5ce403
Instruction Fuzzy Hash: 94B0129236D1116C350C65156C03E7B028CC4C1B10330B01EF609F01C1D5805C041431

Function 00E9D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e35f5998ecdd5833b5bf354b8d757b03481a741b321ff19a66eccaed13c8b8d4
Instruction ID: 1d71c2333af6da21b68ee00237886804d2ccc983c4004e3c3a04729a2fe83dd5
Opcode Fuzzy Hash: e35f5998ecdd5833b5bf354b8d757b03481a741b321ff19a66eccaed13c8b8d4
Instruction Fuzzy Hash: E3B0129137E1116C350C65056C03E7B028DD8C0B10330B01EF109F00C1D4C05C040431

Function 00E9D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8029b79a82adbc913b16812b88515927cc2cb9aca6d59b9230790592863bf343
Instruction ID: 21ec8ba07e3a6cf77b5eefbf1b18aefaae520c644199921c960af89b75aca83c
Opcode Fuzzy Hash: 8029b79a82adbc913b16812b88515927cc2cb9aca6d59b9230790592863bf343
Instruction Fuzzy Hash: 1EB0129136E1116C350C65056C03E7B024DC4C1B10330F02EF509F00C1D4805C040431

Function 00E9D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c4ca51dff94fad7839bea6eebe53ac0471fcb3d0053ac99db6048c42df7c0d2
Instruction ID: 7cb195b70fa960f608836bfa84209f51b3c47fa2547c1089ae921e3c1cccae4c
Opcode Fuzzy Hash: 3c4ca51dff94fad7839bea6eebe53ac0471fcb3d0053ac99db6048c42df7c0d2
Instruction Fuzzy Hash: F7B012A136E2156C354C66056C03E7F024DC4C0B10331B11EF109F00C1D4805C440431

Function 00E9DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: db0740b7280b8f19a46f20b38b2bdab7438081d2605bba5d04e2efa44f05668a
Instruction ID: a718b3c62a9cf3517a4bae355793fc404ec3084cf4020bbeeb4e5009a8b82ab7
Opcode Fuzzy Hash: db0740b7280b8f19a46f20b38b2bdab7438081d2605bba5d04e2efa44f05668a
Instruction Fuzzy Hash: EFB012A136C111BC394875067C03DBF028CC0C0B10330F11FF409F0084D4C84C044431

Function 00E9DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82b2bba21a4521975a75b39a91c2dae8e7390244ba861590ab80a83f289887fb
Instruction ID: 8e807605d6207fb123b11ce78740f16ffd6ee3989c0715c6c18c408ea693f646
Opcode Fuzzy Hash: 82b2bba21a4521975a75b39a91c2dae8e7390244ba861590ab80a83f289887fb
Instruction Fuzzy Hash: EFB012913AC1117C390875167C03EBF028DD0C4B10330B51FF109F0084D4C44C094431

Function 00E9DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5874cc9d68d3a5c706d2b4bedfd5b55e598fe9030efa72b42b246e54965d4991
Instruction ID: de4e41c3a1ee5393e96b3decb9a1a3905ad1b2676c6efb07e156bef60e4f8cbf
Opcode Fuzzy Hash: 5874cc9d68d3a5c706d2b4bedfd5b55e598fe9030efa72b42b246e54965d4991
Instruction Fuzzy Hash: 0CB0129536C11AAC354C55192C17DBF026CD0C0B10330B01EB509F5090E9C08C084131

Function 00E9DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3dbb299a382bea6d37668ee100f635e296408000bed8760b6abea60996435d08
Instruction ID: 40444cb9988497b2b4dd3847da8715fbba42c4e6ca781d578c748336ef14d89d
Opcode Fuzzy Hash: 3dbb299a382bea6d37668ee100f635e296408000bed8760b6abea60996435d08
Instruction Fuzzy Hash: 47B0129536C15A6C350C55192D17DBF025CD0C0B20330B01EB209F4090EDC08C054031

Function 00E9DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60b22fd4f9d5f87786e1038f3a6d713c5f371e6aaedb598dad7f08a485f2920a
Instruction ID: 7004d919d26c16c56be52822397c3b3888bba57789cd64d8bb5221088c79ec22
Opcode Fuzzy Hash: 60b22fd4f9d5f87786e1038f3a6d713c5f371e6aaedb598dad7f08a485f2920a
Instruction Fuzzy Hash: 64B0029537D25E7D364C55556D17DBF025CD5C0B11331752EB505F4091A9D09C495431

Function 00E9DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6cd3d60cbb68d043fe496b40a01d136a56b5d057f16e261731b792aae1d74145
Instruction ID: 7ce631b7f60fa6a8fcb50a1af2227c816b54391a8559df2fbf20707e43512424
Opcode Fuzzy Hash: 6cd3d60cbb68d043fe496b40a01d136a56b5d057f16e261731b792aae1d74145
Instruction Fuzzy Hash: F5B0129536C1196C350855292C17EBF025CE0C0B10330702EB10AF4090E9C08C084031

Function 00E9DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 788995fee626f5938bcabd2ecb5b9c7e5fbcc76dd8faa5b53c71c09bea7aa14a
Instruction ID: c29df21fdbdeeb56a625a230e1fe8fd3ce8b47d69e769f90e54209d1046bd29c
Opcode Fuzzy Hash: 788995fee626f5938bcabd2ecb5b9c7e5fbcc76dd8faa5b53c71c09bea7aa14a
Instruction Fuzzy Hash: 5DB012913AC215BC390875067C03EBF028DE0C0B10330711FF009F0084D4C44C045531

Function 00E9DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DC36

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6f22afddf089ee6607f0ddbd5491a826fa43a9191348c66e97c6c0255e6d5748
Instruction ID: a292df07dbc2461b41a343c444a81d709fa6cca89876189b8fa80d3d5e24d5dc
Opcode Fuzzy Hash: 6f22afddf089ee6607f0ddbd5491a826fa43a9191348c66e97c6c0255e6d5748
Instruction Fuzzy Hash: A8B0129537D3156C390C69456C03DBB026CD0C0B10330751FB30AF0050D5C0DC044031

Function 00E9DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DC36

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76c82bb925965a7f31cd6216f302dd8fe93b38aeb9447c16c88ea1dea76f83ee
Instruction ID: daa5ecdef64d27d4e7dabc6608038ba62e8d49ba63981f29e650f4226ebd95d1
Opcode Fuzzy Hash: 76c82bb925965a7f31cd6216f302dd8fe93b38aeb9447c16c88ea1dea76f83ee
Instruction Fuzzy Hash: 50B0129536D2156C390C69456C03DBB026CC0C5B10330B51EB70AF0050D5C0DC044031

Function 00E9DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DC36

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 516f7ad9425e610797c90b6455ebfe595c4b80bcf8de621c7a67e687f2c5fa30
Instruction ID: eceed22f576718416e7022a268678e4a32f27b7637fdeb458e8e4cb9163bdc10
Opcode Fuzzy Hash: 516f7ad9425e610797c90b6455ebfe595c4b80bcf8de621c7a67e687f2c5fa30
Instruction Fuzzy Hash: 30B0129536D31D7C390C29416E03CBB422CC1C0B10330761EB306F005095C0DC445031

Function 00E9D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d106c1056ec3d49f46783440c840ad804bbb3da15015297b3c8dd9f99c3970c
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: 5d106c1056ec3d49f46783440c840ad804bbb3da15015297b3c8dd9f99c3970c
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 84a92eb061e83257c412a4b2c12f67177263e41397b322f6b16e32831378842d
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: 84a92eb061e83257c412a4b2c12f67177263e41397b322f6b16e32831378842d
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1212606740e1da15a2d4563cd1907ab0e21bee844b1bc7fdef1c10ce5ef82b4
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: b1212606740e1da15a2d4563cd1907ab0e21bee844b1bc7fdef1c10ce5ef82b4
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 52c8f45ed70d20ff768c6bc47cf16b1b4bfcd2341fd75589ed67c0ae3b975613
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: 52c8f45ed70d20ff768c6bc47cf16b1b4bfcd2341fd75589ed67c0ae3b975613
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8264cabb140234589c2580b49a855f33dc588f3e0cf5ac6335ca4e68ba2d2ee3
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: 8264cabb140234589c2580b49a855f33dc588f3e0cf5ac6335ca4e68ba2d2ee3
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5b13dc4accd3aa2bdcca01e535c941f76bbc7de46e38e13c1946861653c9bd3
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: e5b13dc4accd3aa2bdcca01e535c941f76bbc7de46e38e13c1946861653c9bd3
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e5b108d937bc64e2b959fd8218a657b5476e4c3a97fd20804246354843338727
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: e5b108d937bc64e2b959fd8218a657b5476e4c3a97fd20804246354843338727
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3cd520788dea77079093e1e8835d8de4c143070f5c5319c0cafdd9cfd3b4cc3e
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: 3cd520788dea77079093e1e8835d8de4c143070f5c5319c0cafdd9cfd3b4cc3e
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc7f2a2a024d409ef269aa99c393c89e0bad2645dc8484fc964805194fc59e93
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: cc7f2a2a024d409ef269aa99c393c89e0bad2645dc8484fc964805194fc59e93
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c4cac29cba4c21b2ad16a784c5a76b951ed06d7a2fa14e826e399e47d140ec67
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: c4cac29cba4c21b2ad16a784c5a76b951ed06d7a2fa14e826e399e47d140ec67
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9D8A3

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd4a327dfe2a1fc51790e275289be5b72d0a1313cb0e3933384e25fb13950016
Instruction ID: f6d9f4b9373499a30086724b802320c8417273e6316fac93d245d274739b9d18
Opcode Fuzzy Hash: bd4a327dfe2a1fc51790e275289be5b72d0a1313cb0e3933384e25fb13950016
Instruction Fuzzy Hash: D1A001A66AD622BC391C6651AD57EBB025CD8C5B61330A91AF44AB40C2A98468495831

Function 00E9DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 67899111e8e08f1c734757819a25516aba69d55404ab06d5657aa60cad42d43a
Instruction ID: 7030c647a662d57983172ecc4eae90d2a5e4a93076607092b48e79c7203371e2
Opcode Fuzzy Hash: 67899111e8e08f1c734757819a25516aba69d55404ab06d5657aa60cad42d43a
Instruction Fuzzy Hash: C2A001A62AD222BC39087652BD17DBF029DD4C4B61730AA1AF40AF4089A9C858595831

Function 00E9DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a81f05d7f63d034aa949af71b198e81ebae5b70f6bf44dcf51b6a714fc40908a
Instruction ID: 7030c647a662d57983172ecc4eae90d2a5e4a93076607092b48e79c7203371e2
Opcode Fuzzy Hash: a81f05d7f63d034aa949af71b198e81ebae5b70f6bf44dcf51b6a714fc40908a
Instruction Fuzzy Hash: C2A001A62AD222BC39087652BD17DBF029DD4C4B61730AA1AF40AF4089A9C858595831

Function 00E9DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 625e48fa13d47492ffd6771bd37a55be489199e308f7abac3e1cfa206a78f945
Instruction ID: 7030c647a662d57983172ecc4eae90d2a5e4a93076607092b48e79c7203371e2
Opcode Fuzzy Hash: 625e48fa13d47492ffd6771bd37a55be489199e308f7abac3e1cfa206a78f945
Instruction Fuzzy Hash: C2A001A62AD222BC39087652BD17DBF029DD4C4B61730AA1AF40AF4089A9C858595831

Function 00E9DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 363b6627574231ed55424cedc1dde41845607dae1a69a3d0023c6e9cc7a6f44a
Instruction ID: 7030c647a662d57983172ecc4eae90d2a5e4a93076607092b48e79c7203371e2
Opcode Fuzzy Hash: 363b6627574231ed55424cedc1dde41845607dae1a69a3d0023c6e9cc7a6f44a
Instruction Fuzzy Hash: C2A001A62AD222BC39087652BD17DBF029DD4C4B61730AA1AF40AF4089A9C858595831

Function 00E9DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 52ed5bd387a95705e5c127ec7dffa2ab3120ed8d647d96bb451e2d1eaf15d9fb
Instruction ID: 7030c647a662d57983172ecc4eae90d2a5e4a93076607092b48e79c7203371e2
Opcode Fuzzy Hash: 52ed5bd387a95705e5c127ec7dffa2ab3120ed8d647d96bb451e2d1eaf15d9fb
Instruction Fuzzy Hash: C2A001A62AD222BC39087652BD17DBF029DD4C4B61730AA1AF40AF4089A9C858595831

Function 00E9DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DAB2

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6568f25bbb61dcc095cd81efab00f205d990d52b2eca502891d2f714c4a85c61
Instruction ID: a2fceea4beca448d1129aa28e971f9a27fb2b06f4eff69bfd9f140973d448bca
Opcode Fuzzy Hash: 6568f25bbb61dcc095cd81efab00f205d990d52b2eca502891d2f714c4a85c61
Instruction Fuzzy Hash: 25A001A63AD6227C3948B652BD17DBF029DE4D0B22730A61AF40AF4089A9C858595831

Function 00E9DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0749141b825b98d9eacf0dc5dc9f24559e4bb51a860d432282ea03c87607ab5d
Instruction ID: 6a6f1452aba8e0d433cad52e09ec73294a2baa0ae6816750a7ff1059bbe73895
Opcode Fuzzy Hash: 0749141b825b98d9eacf0dc5dc9f24559e4bb51a860d432282ea03c87607ab5d
Instruction Fuzzy Hash: D5A0029536D1167C350855556D17DBF025CD4C4B513316519B506B405169905C455431

Function 00E9DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DC36

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5c5c68926cb6d219de8fe19f820c908c9073deb87995952ad42f257f359a3a4b
Instruction ID: 6eae8f78178c1783f56da5e875cd95b43e4283d084f6f253aea0c168c5142891
Opcode Fuzzy Hash: 5c5c68926cb6d219de8fe19f820c908c9073deb87995952ad42f257f359a3a4b
Instruction Fuzzy Hash: 75A001AA6AD226BC790C6A916D17DBB426CD4C4B61330A91AB60BB40A1AAC0AC499431

Function 00E9DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DC36

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3704a57fcdb071ab68af74759fd191c0be3e7a0669e9d1630b5e736f98df3f9e
Instruction ID: 6eae8f78178c1783f56da5e875cd95b43e4283d084f6f253aea0c168c5142891
Opcode Fuzzy Hash: 3704a57fcdb071ab68af74759fd191c0be3e7a0669e9d1630b5e736f98df3f9e
Instruction Fuzzy Hash: 75A001AA6AD226BC790C6A916D17DBB426CD4C4B61330A91AB60BB40A1AAC0AC499431

Function 00E9DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a574375373c03e0533eeeccdef1f89421633abab78e919ffe791cce9eabf51e6
Instruction ID: 6a6f1452aba8e0d433cad52e09ec73294a2baa0ae6816750a7ff1059bbe73895
Opcode Fuzzy Hash: a574375373c03e0533eeeccdef1f89421633abab78e919ffe791cce9eabf51e6
Instruction Fuzzy Hash: D5A0029536D1167C350855556D17DBF025CD4C4B513316519B506B405169905C455431

Function 00E9DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ba9b3c779ae61f55eb8eb52367757ac2cf3a5fd7b33ace9b3bedf311bbc4abe
Instruction ID: 6a6f1452aba8e0d433cad52e09ec73294a2baa0ae6816750a7ff1059bbe73895
Opcode Fuzzy Hash: 3ba9b3c779ae61f55eb8eb52367757ac2cf3a5fd7b33ace9b3bedf311bbc4abe
Instruction Fuzzy Hash: D5A0029536D1167C350855556D17DBF025CD4C4B513316519B506B405169905C455431

Function 00E9DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E9DBD5

Part of subcall function 00E9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E9DFD6
Part of subcall function 00E9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E9DFE7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: da4e1d5b7d9f5d246f15605a1b6a73f73de5344348eeb1e3e559330ded44febc
Instruction ID: 6a6f1452aba8e0d433cad52e09ec73294a2baa0ae6816750a7ff1059bbe73895
Opcode Fuzzy Hash: da4e1d5b7d9f5d246f15605a1b6a73f73de5344348eeb1e3e559330ded44febc
Instruction Fuzzy Hash: D5A0029536D1167C350855556D17DBF025CD4C4B513316519B506B405169905C455431

Function 00E9A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00E9A587,C:\Users\user\Desktop,00000000,00EC946A,00000006), ref: 00E9A326

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c2201a2b3a6c3fd6e20d55b6955fba4fcaaa226e4a5f076d783e68301ba74088
Instruction ID: 51b0cb10d6ae63e24c08b0cb933951ea0b9e5306790faf9234a388b83b58a694
Opcode Fuzzy Hash: c2201a2b3a6c3fd6e20d55b6955fba4fcaaa226e4a5f076d783e68301ba74088
Instruction Fuzzy Hash: C7A012301950066A8B000B34CD0AC16B6545760702F0087207002C00A0CB308818A500

Function 00E896D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00E8968F,?,?,?,?,00EB1FA1,000000FF), ref: 00E896EB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 347233dcbdea23809f7e97c6c8c6cf62805bd546e85eb71e5a8187e0a40e63ef
Instruction ID: d1d51348f4081218cdd434e6cf0d6bc574bb0f2c3c4f4f0f39b2249a4f7d9de6
Opcode Fuzzy Hash: 347233dcbdea23809f7e97c6c8c6cf62805bd546e85eb71e5a8187e0a40e63ef
Instruction Fuzzy Hash: 6AF08930956B048FDB30AA24D5497A277E45B12739F086B1ED0FF634E1E771654D9F00

Non-executed Functions

Function 00E9B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8130B: GetDlgItem.USER32(00000000,00003021), ref: 00E8134F
Part of subcall function 00E8130B: SetWindowTextW.USER32(00000000,00EB35B4), ref: 00E81365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E9B971
EndDialog.USER32(?,00000006), ref: 00E9B984
GetDlgItem.USER32(?,0000006C), ref: 00E9B9A0
SetFocus.USER32(00000000), ref: 00E9B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00E9B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E9BA18
FindFirstFileW.KERNEL32(?,?), ref: 00E9BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E9BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E9BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E9BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E9BA94
_swprintf.LIBCMT ref: 00E9BAC4

Part of subcall function 00E8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E8401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00E9BAD7
FindClose.KERNEL32(00000000), ref: 00E9BADE
_swprintf.LIBCMT ref: 00E9BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 00E9BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E9BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00E9BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E9BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E9BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E9BBC9
_swprintf.LIBCMT ref: 00E9BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00E9BC08
_swprintf.LIBCMT ref: 00E9BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00E9BC6F

Part of subcall function 00E9A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E9A662
Part of subcall function 00E9A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00EBE600,?,?), ref: 00E9A6B1

Strings

%s %s %s, xrefs: 00E9BAB2, 00E9BBE7
%s %s, xrefs: 00E9BB29, 00E9BC4E
REPLACEFILEDLG, xrefs: 00E9B907

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: b02d5fa6586e9ee67b5f83ae372c8c96fa166d848586c895c7a9f40513ea9e6d
Instruction ID: 4d1b1049dee652ad8baaec61b5ec3dfbd593ca0194d3c283b723ae81b7c84a0e
Opcode Fuzzy Hash: b02d5fa6586e9ee67b5f83ae372c8c96fa166d848586c895c7a9f40513ea9e6d
Instruction Fuzzy Hash: 9491C6B2148348BFD6219BA1DD89FFB77ECEB89704F041919F749F6081DB71A6088762

Function 00E8718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E87191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00E872F1
CloseHandle.KERNEL32(00000000), ref: 00E87301

Part of subcall function 00E87BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E87C04
Part of subcall function 00E87BF5: GetLastError.KERNEL32 ref: 00E87C4A
Part of subcall function 00E87BF5: CloseHandle.KERNEL32(?), ref: 00E87C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00E8730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00E8741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00E87446
CloseHandle.KERNEL32(?), ref: 00E87457
GetLastError.KERNEL32 ref: 00E87467
RemoveDirectoryW.KERNEL32(?), ref: 00E874B3
DeleteFileW.KERNEL32(?), ref: 00E874DB

Strings

SeRestorePrivilege, xrefs: 00E871B2
SeCreateSymbolicLinkPrivilege, xrefs: 00E871BC
\??\, xrefs: 00E87217
UNC\, xrefs: 00E8723C

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: b90db2bdd386de11631d3d9ef812e0aed61f1a0da22f5a07427f5b346736cc30
Instruction ID: 2903000cb571662637cae3ab9dfb90bf993472f8bd46d8cfc05d0dde1e201432
Opcode Fuzzy Hash: b90db2bdd386de11631d3d9ef812e0aed61f1a0da22f5a07427f5b346736cc30
Instruction Fuzzy Hash: B4B1D171904215AEDF20EBA4CC42BEF7BB8AF04304F1451A9F98DF7142E734AA49CB61

Function 00E83281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E8328A
_memcmp.LIBVCRUNTIME ref: 00E83377

Strings

CMT, xrefs: 00E83990
hc%u, xrefs: 00E8367B
h%u, xrefs: 00E8362D

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 1dd74660258dbff06bb746ce37f576ea5aa1c390631eb595a6d09d4d98d2fa12
Instruction ID: c12101a95a8ff2d7c11ff1bbc4ef36528d915d9814b445de7e5860773ec7b101
Opcode Fuzzy Hash: 1dd74660258dbff06bb746ce37f576ea5aa1c390631eb595a6d09d4d98d2fa12
Instruction Fuzzy Hash: 0332D6715106849FDF14EF74C885AEA37E5AF15704F14247EFD8EAB282EB70A948CB60

Function 00EAD00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EAD154

Strings

1#QNAN, xrefs: 00EAE35A
1#SNAN, xrefs: 00EAE353
1#IND, xrefs: 00EAE34C
1#INF, xrefs: 00EAE361

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1421b60817e179df19ddc7e83c572a8c8df52640b9df4bcd802e832be9211145
Instruction ID: 6fc7ba5a1b3f93d1e68e780cd5bd5c77c50f5fe1a37fe8807a0561801496f7e6
Opcode Fuzzy Hash: 1421b60817e179df19ddc7e83c572a8c8df52640b9df4bcd802e832be9211145
Instruction Fuzzy Hash: C1C24D71E086288FDB25CE28DD407EAB7B5EB4A304F1551EAD44EFB640E774AE858F40

Function 00E827E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E827F1
_strlen.LIBCMT ref: 00E82D7F

Part of subcall function 00E9137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E8B652,00000000,?,?,?,00010444), ref: 00E91396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E82EE0

Strings

CMT, xrefs: 00E82F13

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 2d087b81d0e24581d7b3dd7444d32c1e99d42f8b3bc56ad0171793adf57c0cc0
Instruction ID: 0dd5b82a3916d9211af3e8a81e7240b6267d1b19744ed9f002ec568656ca0dd3
Opcode Fuzzy Hash: 2d087b81d0e24581d7b3dd7444d32c1e99d42f8b3bc56ad0171793adf57c0cc0
Instruction Fuzzy Hash: D66246716002448FDF18EF74C8856EA7BE1EF55304F18557EEE8EAB282DB70A945CB60

Function 00EA866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00EA8767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00EA8771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00EA877E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 25fd2cb3e53c5464383e7e6b73fda2b78228cbd5b7db6760f793eb67ac501a0a
Instruction ID: 7089710ac122422f60382b90eba40aa3432c0eb12b136a4e6fb7ba7af263f3d3
Opcode Fuzzy Hash: 25fd2cb3e53c5464383e7e6b73fda2b78228cbd5b7db6760f793eb67ac501a0a
Instruction Fuzzy Hash: 2D31D8759012289BCF61DF64D98978DB7B8BF08310F5051EAF80CA7250EB309F858F45

Function 00EAAAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00EAAC3B

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f2a262ff18b100ba6dcbb2f7a580aa2c1f61532e896fec8e27c98d6808be5fa1
Instruction ID: 01179c04ba0dbbbaf0b139235ec076b283ce28e5e128127ce8b76c7397c871ad
Opcode Fuzzy Hash: f2a262ff18b100ba6dcbb2f7a580aa2c1f61532e896fec8e27c98d6808be5fa1
Instruction Fuzzy Hash: B531E8719002096FDB249E79CC85EFB7BBEDB8A314F1811A8F519AB251D730AD44CB60

Function 00EACB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: 5efefb21208699edeab4f6d78465b3e464ad7a6602279d02ca9535af190b2f23
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: F8020C71E002199FDF14CFA9D8806ADBBF1EF89324F25916AD919FB384D731A9418B90

Function 00E9A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E9A662
GetNumberFormatW.KERNEL32(00000400,00000000,?,00EBE600,?,?), ref: 00E9A6B1

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: b5291845128cd790c50f3fb239b04d8595d124b493cb7312c71ee179df954754
Instruction ID: 59eec7f5cedcf14accd6e3bb82224232b1a9094ab574981916ad24f8e55f2e6a
Opcode Fuzzy Hash: b5291845128cd790c50f3fb239b04d8595d124b493cb7312c71ee179df954754
Instruction Fuzzy Hash: 49015E76510248BEDB109FA5EC4AFEBB7BCEF19710F005522FA09B7251D3709A1887A5

Function 00E86EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E9117C,?,00000200), ref: 00E86EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00E86EEA

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f679102ac6b4ff779aeaadecd765921b089b704e0895110c0a60cf40a47ceeb3
Instruction ID: 5b919977334aa394ff1c9114ede89c697fbc029e57b4795c6d66f96876dcfce6
Opcode Fuzzy Hash: f679102ac6b4ff779aeaadecd765921b089b704e0895110c0a60cf40a47ceeb3
Instruction Fuzzy Hash: 92D0A7353D8307BFEA102A31CC06F273B516B15B42F109610B31AFC0D0C57091189714

Function 00EB1194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EB118F,?,?,00000008,?,?,00EB0E2F,00000000), ref: 00EB13C1

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6411dd56955e42571c411c60dc83abb495da31d1edbe15ac98ab40ec91d46310
Instruction ID: 067fede9e8b29e077290a42b5787e4244e503073365e1d60b6394cfbd87b0c6c
Opcode Fuzzy Hash: 6411dd56955e42571c411c60dc83abb495da31d1edbe15ac98ab40ec91d46310
Instruction Fuzzy Hash: 17B15D31610608DFD715CF28C49ABA67BE0FF45368F659698E8E9DF2A1C335E981CB40

Function 00E8407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00E840C1

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: a0369178afaab8f057452f05d90b761e11247dd8fa3e0517c4f2f6685209ea50
Instruction ID: a543512a4a8e4ba94844b17c1437388821dc49b758453773defc2e18fe91ec4c
Opcode Fuzzy Hash: a0369178afaab8f057452f05d90b761e11247dd8fa3e0517c4f2f6685209ea50
Instruction Fuzzy Hash: B0F1C2B1A083418FD748CF29D880A1BFBE1BFCC208F15892EF598D7715E634E9558B56

Function 00E8ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00E8AD1A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 64101402b013bcc5aa27b7207e96665a23ed12035739518d38d60f600962ea23
Instruction ID: 78c7ff8b0bb4ab90b45ed6d008858a9aa9429860b8eb071442e483ae87a6047b
Opcode Fuzzy Hash: 64101402b013bcc5aa27b7207e96665a23ed12035739518d38d60f600962ea23
Instruction Fuzzy Hash: 61F01DB0A0020CCFD728EF59ED41AEA73B5F758715F2002AAD91DA3794D371AD858F92

Function 00E9F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00E9EAC5), ref: 00E9F068

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 007a39e12eeb68e998a85a609595f9e4245233cdd7cbee56d42025e55154ae18
Instruction ID: 8f62babb04fa1d138353147a0386a2c60973d90f5555da7490e81da9492a9762
Opcode Fuzzy Hash: 007a39e12eeb68e998a85a609595f9e4245233cdd7cbee56d42025e55154ae18
Instruction Fuzzy Hash:

Function 00EAB710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00EAB710

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 87b647b8a1a96c8a2e6127a647059cd318afdf8b894aff9b8b26f4180b30f007
Instruction ID: 3b2b942f8af61b0a220ea21de42cb747504f274e756de89a4ee8fbb24d0bfd0e
Opcode Fuzzy Hash: 87b647b8a1a96c8a2e6127a647059cd318afdf8b894aff9b8b26f4180b30f007
Instruction Fuzzy Hash: D6A012701011018F83008F775D09209359D670028070483546004D5020D63041544F00

Function 00E95C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: d16e7a61328436c7bf5e15cca0a86c1b72948b9e419a6b9b83473a3fd529a9a9
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 6B621971604B859FCF2ACF38C9906F9BBE1AF55308F04956ED8AA9B346D730E945CB10

Function 00E970BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 337bfd9f705888826ce5d4ad13570e457b38eb774c7dcb633c64d2fe4db7a4aa
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 686224706287469FCB19CF28C8806B9BBE1FF55308F14966ED8E697742D730E959CB80

Function 00E8ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: 9fdcfdf19be587539f4183ad1a263d1bcb57dc8faade38275206c1d0c491d6b3
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 6E523A726087018FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA59CB86

Function 00E96A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b128652cfc05922bcadf57a8b7dd7ea527a44bcd35d493aa0b6bd6966f0d4f9
Instruction ID: 165a164b13f2261818baa9d0131cd6cb5434104e2a0c4929294fdebdee07f86c
Opcode Fuzzy Hash: 2b128652cfc05922bcadf57a8b7dd7ea527a44bcd35d493aa0b6bd6966f0d4f9
Instruction Fuzzy Hash: C412F1B17047068BCB28DF28C9D06B9B3E0FF54308F14992EE59BD7A81E774A895CB45

Function 00E8BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceaaa4ac8d0b2d2d262f37e361bd7f54d519c47df61f6a9818debce929bc05a1
Instruction ID: 07b767ea658bae59f69ec4cdf94142963dc06ddb0708fcaa2f4f6f80cce163bb
Opcode Fuzzy Hash: ceaaa4ac8d0b2d2d262f37e361bd7f54d519c47df61f6a9818debce929bc05a1
Instruction Fuzzy Hash: 76F192716083018FC718DF29C48456EBBE1EFCA358F24AA2EF4DDA7251D734E9468B52

Function 00EA0B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: d230ed903681ac1ba7673ec8956252d42f2a7f833333bd9332b29fb058732c34
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 39C1A5362150930ADF2D4A39857443FFAA15AA77B531A276EE4B3DF1C4FE20F624D620

Function 00EA0F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: fcf12328e29e5ce6a4fdf361604d3655558021a15948df3db0587c76a39af101
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 70C1E7362050930ADF2D4639C57453FBBA15AA77B530B27AEE4B2DF0D4FE20E624D620

Function 00EA070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: d6d04df892b461764b679a427f77d342cabae01e2e209a60cbcdbe6c754dde0e
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: B4C195362051930ADF2D4639853443FBAA15EA77B531A276EE4B3DF1C5FE20F624DA20

Function 00E96646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5fd528234dc2ae753da3bc5e61a46128dfbbae1215d4674d03110a0daa588075
Instruction ID: 1b2ae5a17409daa2060eee8f903a1fcf089b2801b1794b04c7295d994ae291c3
Opcode Fuzzy Hash: 5fd528234dc2ae753da3bc5e61a46128dfbbae1215d4674d03110a0daa588075
Instruction Fuzzy Hash: D2D107B1A043418FDF18CF29C88079BBBE0BF95308F04556EE884AB742D774E959CB96

Function 00EA02F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1f6a978215b31a0552fa1cd1649b230b18ba0be4ff679a8ed6d930f644825925
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 21C192362051530ADF2D4A39853443FBBA15AA77B531A276EE4B3DF1C5FE20E6249A20

Function 00E8E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd856ea396b0fc269d58fbade7290a655465b74f3827b904d03b70d6a803545
Instruction ID: 4f7a6d8f26f8bb6f1dd189086595e491b6e0153c1eb47356fcbe5b5c68b36c53
Opcode Fuzzy Hash: 6dd856ea396b0fc269d58fbade7290a655465b74f3827b904d03b70d6a803545
Instruction Fuzzy Hash: A7E129755083949FC304CF69D89096BBBF0AB8A300F89096EF5D5A7352C336E91ADB52

Function 00E93A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: 504f5dc8387e3b221c34ca980b3f7e9f0d90edecc8af2c718edcdae0efd8eb93
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: B09147702047498BDF24EF78C891BBEB3D5EB90304F14192EE59BF7282EA759A44C352

Function 00EA4969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974f056fb6d6047f905444469c9cba5aac180f0ffe0ec02876a67bcf2b78aba9
Instruction ID: 906ca86840cf5001c5b00a92c700969299badd1c81a798b972dab815ee7777b6
Opcode Fuzzy Hash: 974f056fb6d6047f905444469c9cba5aac180f0ffe0ec02876a67bcf2b78aba9
Instruction Fuzzy Hash: BA6138F16807095ADA3499284855BFF63D89BCF308F143A19E482FF2C1E5D1FD528759

Function 00E93D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 43b8537b1bf2230b1354942b0844b3c879b19273bef1c395dfc9098df1808156
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 01712D717043455BDF24DE38C8D0BED77E5EB90308F04593EE9CBAB282DA749A858752

Function 00EA473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 02dd1014264d43b0714527781d425320ee8b54201f1d13d3fbd442b5cb473d3c
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 275126F1600AC456DB3845689856BBF67C99BDF308F18351AF582BF2C2C3D9BE458351

Function 00E8DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b40b1c175ece3554ef72f82c0a429ae625cff3f00b10c126160b2b859ef75fe
Instruction ID: c460dd7bfa8e97a1b11025fe163e9a834a40159bc4ada863928c1e024937cab0
Opcode Fuzzy Hash: 9b40b1c175ece3554ef72f82c0a429ae625cff3f00b10c126160b2b859ef75fe
Instruction Fuzzy Hash: F581A29221E6E46DC7065F7E3CA4AF63FA15737300B1D04BAC4CAA62A3C037559EDB21

Function 00E8E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c9ca388900fbc02435086b33961c9d13399507502e386ed9a16f10815bd27d
Instruction ID: 002c3063e8f6ad0f03dfe4836631336714ba2717e62d95dc6f43732580b3bc8e
Opcode Fuzzy Hash: 03c9ca388900fbc02435086b33961c9d13399507502e386ed9a16f10815bd27d
Instruction Fuzzy Hash: DC51FF305083D14FC712DF24919046EBFE0BEDA708F5968DEE4ED6B212D221DA4ACB92

Function 00E8F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ee379fb73776cdf0f25797fbdff96f9b68dda55a089708a0e9aeabb357c1c6
Instruction ID: 78e09e87305b4e67c3c4403f140c5a0564f61c08096bb8ea1eab7d2bc22b3e1b
Opcode Fuzzy Hash: 47ee379fb73776cdf0f25797fbdff96f9b68dda55a089708a0e9aeabb357c1c6
Instruction Fuzzy Hash: 1D512671A083018BC748CF19D48059AF7E1FFC8354F058A2EE899A7740DB34E959CB96

Function 00E937C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 34f739c547bdbe84663abab30c2c80f34b47f8f1d37a5a23d00f9f24eed4d364
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: CC3114B56047058FCB14EF28C85126ABBE0FB95304F14592FE4D9E7342C739EA89CB92

Function 00E85F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882b8b5030d85eafe3ef73fc438876b6c957d535822a4914b5ce240ebadad23a
Instruction ID: 2b3d755d9d4d944a1f5c35bd520a168994647f6d851db29c5e0053d8adf5a9dc
Opcode Fuzzy Hash: 882b8b5030d85eafe3ef73fc438876b6c957d535822a4914b5ce240ebadad23a
Instruction Fuzzy Hash: F021DA32A201614FCB48DF2EDCD08777751A786311746823BEE4AAB3D1C935F929CBA0

Function 00E8DA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E8DABE

Part of subcall function 00E8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E8401D

Part of subcall function 00E91596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00EC0EE8,00000200,00E8D202,00000000,?,00000050,00EC0EE8), ref: 00E915B3

_strlen.LIBCMT ref: 00E8DADF
SetDlgItemTextW.USER32(?,00EBE154,?), ref: 00E8DB3F
GetWindowRect.USER32(?,?), ref: 00E8DB79
GetClientRect.USER32(?,?), ref: 00E8DB85
GetWindowLongW.USER32(?,000000F0), ref: 00E8DC25
GetWindowRect.USER32(?,?), ref: 00E8DC52
SetWindowTextW.USER32(?,?), ref: 00E8DC95
GetSystemMetrics.USER32(00000008), ref: 00E8DC9D
GetWindow.USER32(?,00000005), ref: 00E8DCA8
GetWindowRect.USER32(00000000,?), ref: 00E8DCD5
GetWindow.USER32(00000000,00000002), ref: 00E8DD47

Strings

CAPTION, xrefs: 00E8DC77
d, xrefs: 00E8DBA5
$%s:, xrefs: 00E8DAB2
T, xrefs: 00E8DAFA

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$T$d
API String ID: 2407758923-3856749
Opcode ID: eabdaf6a27324b4cfbef83ece564e998273efc22ff5f07898526fd1db88d3f3d
Instruction ID: 05b7da123208d4520ee76439f17e5f21cd51aeff642ea2b5b8b226ef4b24d858
Opcode Fuzzy Hash: eabdaf6a27324b4cfbef83ece564e998273efc22ff5f07898526fd1db88d3f3d
Instruction Fuzzy Hash: 5781C171508345AFD710DFA9CD89E6BBBE9EBC8704F04191DFA88A7290D670E909CB52

Function 00EAC233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EAC277

Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABE2F
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABE41
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABE53
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABE65
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABE77
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABE89
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABE9B
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABEAD
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABEBF
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABED1
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABEE3
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABEF5
Part of subcall function 00EABE12: _free.LIBCMT ref: 00EABF07

_free.LIBCMT ref: 00EAC26C

Part of subcall function 00EA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958), ref: 00EA84F4
Part of subcall function 00EA84DE: GetLastError.KERNEL32(00EB3958,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958,00EB3958), ref: 00EA8506

_free.LIBCMT ref: 00EAC28E
_free.LIBCMT ref: 00EAC2A3
_free.LIBCMT ref: 00EAC2AE
_free.LIBCMT ref: 00EAC2D0
_free.LIBCMT ref: 00EAC2E3
_free.LIBCMT ref: 00EAC2F1
_free.LIBCMT ref: 00EAC2FC
_free.LIBCMT ref: 00EAC334
_free.LIBCMT ref: 00EAC33B
_free.LIBCMT ref: 00EAC358
_free.LIBCMT ref: 00EAC370

Strings

P, xrefs: 00EAC249

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: P
API String ID: 161543041-1343716551
Opcode ID: b7718529c889203c471ed0fdd6afc2d8e603b7ae610fb875697be388dca1e9e6
Instruction ID: f0ebbef9b0345f98763a7b096b0c3bb53c8d20cbe4b8d54cf1140cea85ff0400
Opcode Fuzzy Hash: b7718529c889203c471ed0fdd6afc2d8e603b7ae610fb875697be388dca1e9e6
Instruction Fuzzy Hash: 32315E316006059FEF20AA78DA45B5B73E9BF0E314F24A469E469FF561DF31BC448A60

Function 00E9CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00E9CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 00E9CD7D

Part of subcall function 00E917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00E8BB05,00000000,.exe,?,?,00000800,?,?,00E985DF,?), ref: 00E917C2

GetWindowLongW.USER32(00000000,000000F0), ref: 00E9CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E9CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 00E9CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E9CDED
DeleteObject.GDI32(00000000), ref: 00E9CDF4
GetWindow.USER32(00000000,00000002), ref: 00E9CDFD

Strings

STATIC, xrefs: 00E9CD83

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: b166df19a8617eb7b05a0cbb92900833fd26338499a12d854c73f8df622200e2
Instruction ID: 218a58ad775ff2f3c9233507d752b7fb4b4578d19d6b02781229acdb407a85c3
Opcode Fuzzy Hash: b166df19a8617eb7b05a0cbb92900833fd26338499a12d854c73f8df622200e2
Instruction Fuzzy Hash: CA113632541355BFFA31BF609C8AFBF369CFF45745F105028FB06B90D2CA608A0986A5

Function 00EA8EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA8EC5

Part of subcall function 00EA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958), ref: 00EA84F4
Part of subcall function 00EA84DE: GetLastError.KERNEL32(00EB3958,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958,00EB3958), ref: 00EA8506

_free.LIBCMT ref: 00EA8ED1
_free.LIBCMT ref: 00EA8EDC
_free.LIBCMT ref: 00EA8EE7
_free.LIBCMT ref: 00EA8EF2
_free.LIBCMT ref: 00EA8EFD
_free.LIBCMT ref: 00EA8F08
_free.LIBCMT ref: 00EA8F13
_free.LIBCMT ref: 00EA8F1E
_free.LIBCMT ref: 00EA8F2C

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e7dbec8821cce5fa1eb5cb6f513cde97bc58739ca9d22035616be22407db5bf3
Instruction ID: 3e94913100396fd1c39a940bfbb1f99744ff444a70ed0424b3e1b16eb022f43e
Opcode Fuzzy Hash: e7dbec8821cce5fa1eb5cb6f513cde97bc58739ca9d22035616be22407db5bf3
Instruction Fuzzy Hash: 9011D77650010DAFCB11FF54CA52CDA3BA5FF0D350B0150A0F9186F522DA31EA519B80

Function 00E82162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

;%u, xrefs: 00E82497
x%u, xrefs: 00E8267A
xc%u, xrefs: 00E826D7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: f85c23269bb4faed701ddf58dbb868d7ef61717e4dfd628706f2224b529c50e4
Instruction ID: d32be9dc90c2d0ae8376703944be108215f7c1300ef3b3565f728e869797a00b
Opcode Fuzzy Hash: f85c23269bb4faed701ddf58dbb868d7ef61717e4dfd628706f2224b529c50e4
Instruction Fuzzy Hash: 9EF125706042405BDB15FF348895BEE77D5AF91304F18247EFA8DBB283EA659848C7B2

Function 00E9ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8130B: GetDlgItem.USER32(00000000,00003021), ref: 00E8134F
Part of subcall function 00E8130B: SetWindowTextW.USER32(00000000,00EB35B4), ref: 00E81365

EndDialog.USER32(?,00000001), ref: 00E9AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 00E9AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00E9AD60
SetWindowTextW.USER32(?,?), ref: 00E9AD71
GetDlgItem.USER32(?,00000065), ref: 00E9AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E9AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E9ADA4

Strings

LICENSEDLG, xrefs: 00E9ACE4

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 9cc809694a73a460c497a4efb5de9b36e64e96e3e9ddf5e2b435f7c7f4f4b22f
Instruction ID: eccfc74409e12db490e94d9c3f01f3eab43472c95902b52fe87c15dbe8015d9e
Opcode Fuzzy Hash: 9cc809694a73a460c497a4efb5de9b36e64e96e3e9ddf5e2b435f7c7f4f4b22f
Instruction Fuzzy Hash: 4121E631240248BFD6116F32ED49E7B3BACEF4674AF051028F704BA5E0CB525905D672

Function 00E89443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E89448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00E8946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00E8948A

Part of subcall function 00E917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00E8BB05,00000000,.exe,?,?,00000800,?,?,00E985DF,?), ref: 00E917C2

_swprintf.LIBCMT ref: 00E89526

Part of subcall function 00E8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E8401D

MoveFileW.KERNEL32(?,?), ref: 00E89595
MoveFileW.KERNEL32(?,?), ref: 00E895D5

Strings

rtmp%d, xrefs: 00E8950F

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 444c5a1bd053781e8b884c56204dc7623e0f066f49f78ab913ca51cb052c03fe
Instruction ID: e870028cfa77afe717c45368f7f016dab9fdf91852a41167366f82e86a6a74cf
Opcode Fuzzy Hash: 444c5a1bd053781e8b884c56204dc7623e0f066f49f78ab913ca51cb052c03fe
Instruction Fuzzy Hash: 83414171D00259AACF20FBA08C85AEA73BCAF15784F0854E5B54DF3042FB749B89DB64

Function 00E98E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00E98F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00E98F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00E98F80

Strings

<html>, xrefs: 00E98EA7, 00E98EE0
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00E98EB2
</html>, xrefs: 00E98F0A
utf-8"></head>, xrefs: 00E98EBD

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: 3c95e9ac99af3cb0d86b7ea498a5a3eecf308ce0a6f0d946b5a0b42b88c68dbc
Instruction ID: db2ab5254c124ae868354cd84f2588accea5b97d37a9ee4c8e802b694fe23f44
Opcode Fuzzy Hash: 3c95e9ac99af3cb0d86b7ea498a5a3eecf308ce0a6f0d946b5a0b42b88c68dbc
Instruction Fuzzy Hash: A73128326083157FDB24AB349C02FAB77D8DF57724F142119F811BA1E2EF64AA0983A1

Function 00EA8FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00EC0EE8,00EA3E14,00EC0EE8,?,?,00EA3713,00000050,?,00EC0EE8,00000200), ref: 00EA8FA9
_free.LIBCMT ref: 00EA8FDC
_free.LIBCMT ref: 00EA9004
SetLastError.KERNEL32(00000000,?,00EC0EE8,00000200), ref: 00EA9011
SetLastError.KERNEL32(00000000,?,00EC0EE8,00000200), ref: 00EA901D
_abort.LIBCMT ref: 00EA9023

Strings

X, xrefs: 00EA8FF7

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: X
API String ID: 3160817290-1677210272
Opcode ID: e4ce4118a7c1756322a858f2a9386316c7fa89d15836824a7943959b5f984241
Instruction ID: ea76d9edbeb8203dc835e35f2675d9ee69edd52c433b717b3d5b51ca4c9cd099
Opcode Fuzzy Hash: e4ce4118a7c1756322a858f2a9386316c7fa89d15836824a7943959b5f984241
Instruction Fuzzy Hash: FBF028356446066EC21133356E0AB6B2AAA9FDF764B352224F515FE2A3EF20FD015051

Function 00E90A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E90A9D

Part of subcall function 00E8ACF5: GetVersionExW.KERNEL32(?), ref: 00E8AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00E90AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00E90AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E90AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E90AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E90B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E90B3D
__aullrem.LIBCMT ref: 00E90BCB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 9515ee506f096d724648919c7d6b02e24e44d5d30e553d23e7dce49c5067eee6
Instruction ID: 6fde579a1bf6d32fe8918a3ad8764f2019b5714fc76fed78b20df60358f139e7
Opcode Fuzzy Hash: 9515ee506f096d724648919c7d6b02e24e44d5d30e553d23e7dce49c5067eee6
Instruction Fuzzy Hash: 6A4129B2408306AFC710DF65C88496BF7F8FF88718F405A2EF596A2650E775E548CB51

Function 00EAEE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00EAF5A2,?,00000000,?,00000000,00000000), ref: 00EAEE6F
__fassign.LIBCMT ref: 00EAEEEA
__fassign.LIBCMT ref: 00EAEF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00EAEF2B
WriteFile.KERNEL32(?,?,00000000,00EAF5A2,00000000,?,?,?,?,?,?,?,?,?,00EAF5A2,?), ref: 00EAEF4A
WriteFile.KERNEL32(?,?,00000001,00EAF5A2,00000000,?,?,?,?,?,?,?,?,?,00EAF5A2,?), ref: 00EAEF83

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f6dbd4b5282a86af6ef228afe8f847d3986e5cebaf0548ce0b652e34752fdd0
Instruction ID: 05b329124995edfed4a568ec9518bf89af9fcbf0fecfde5b8d05bb204a1d1cc5
Opcode Fuzzy Hash: 4f6dbd4b5282a86af6ef228afe8f847d3986e5cebaf0548ce0b652e34752fdd0
Instruction Fuzzy Hash: B051A074A002499FCB10CFA8DC86AEEBBF9EF4D300F14455AE555FB391E630A950CB60

Function 00E9C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00E9C54A
_swprintf.LIBCMT ref: 00E9C57E

Part of subcall function 00E8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E8401D

SetDlgItemTextW.USER32(?,00000066,00EC946A), ref: 00E9C59E
_wcschr.LIBVCRUNTIME ref: 00E9C5D1
EndDialog.USER32(?,00000001), ref: 00E9C6B2

Strings

%s%s%u, xrefs: 00E9C573

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 1cdc385554c6a70a6858acb848746072ca589fb084ae9298a1b0aa9e9646699c
Instruction ID: 762ec7ff3b0a0d1bc9148c09ba0041eaa78552313bc39c243c1aa2d5abb59b54
Opcode Fuzzy Hash: 1cdc385554c6a70a6858acb848746072ca589fb084ae9298a1b0aa9e9646699c
Instruction Fuzzy Hash: 54416171900658AADF26EBA0DC85EDE77BCEB08705F1060A6E509F6061E7759BC8CB50

Function 00E99635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00E9964E
GetWindowRect.USER32(?,00000000), ref: 00E99693
ShowWindow.USER32(?,00000005,00000000), ref: 00E9972A
SetWindowTextW.USER32(?,00000000), ref: 00E99732
ShowWindow.USER32(00000000,00000005), ref: 00E99748

Strings

RarHtmlClassName, xrefs: 00E996F4

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: f4e30740237eb7843de8d31b563d52c0644f59119b6711f95622f6c04740260c
Instruction ID: 908814fb8162129e70353a3abe9fd106678693b174f118ae989834e5040242ba
Opcode Fuzzy Hash: f4e30740237eb7843de8d31b563d52c0644f59119b6711f95622f6c04740260c
Instruction Fuzzy Hash: 9531AD31405208AFCB119FA9DC88B6B7BACEF48705F00455DFE49BA167CB34DA49CB61

Function 00EABFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EABF79: _free.LIBCMT ref: 00EABFA2

_free.LIBCMT ref: 00EAC003

Part of subcall function 00EA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958), ref: 00EA84F4
Part of subcall function 00EA84DE: GetLastError.KERNEL32(00EB3958,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958,00EB3958), ref: 00EA8506

_free.LIBCMT ref: 00EAC00E
_free.LIBCMT ref: 00EAC019
_free.LIBCMT ref: 00EAC06D
_free.LIBCMT ref: 00EAC078
_free.LIBCMT ref: 00EAC083
_free.LIBCMT ref: 00EAC08E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 291d53535c41bf8002d48317738b350db1236aff4278b7b05a25b50aacf86fcb
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: CB112C75640B08FED620BBB0CD06FCBB7DD6F0E700F449815B2A97A453DB65F9448A90

Function 00EA20CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EA20C1,00E9FB12), ref: 00EA20D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA20E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA20FF
SetLastError.KERNEL32(00000000,?,00EA20C1,00E9FB12), ref: 00EA2151

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 27fcd4bd34d5c801107f0bb9b9baf053a313308a8392106f929f6c4c6732c806
Instruction ID: 9cf82dcbe95dca89b41e3a1be082fdceebeda6f04e4f6a0f4cdaced436b07b83
Opcode Fuzzy Hash: 27fcd4bd34d5c801107f0bb9b9baf053a313308a8392106f929f6c4c6732c806
Instruction Fuzzy Hash: 8101283260E3126EEA552BBA7C855572B84EF2F735321172EF3307C1E0EE516C085140

Function 00EA9029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00EC0EE8,00000200,00EA895F,00EA58FE,?,?,?,?,00E8D25E,?,00D337E0,00000063,00000004,00E8CFE0,?), ref: 00EA902E
_free.LIBCMT ref: 00EA9063
_free.LIBCMT ref: 00EA908A
SetLastError.KERNEL32(00000000,00EB3958,00000050,00EC0EE8), ref: 00EA9097
SetLastError.KERNEL32(00000000,00EB3958,00000050,00EC0EE8), ref: 00EA90A0

Strings

X, xrefs: 00EA907E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorLast$_free
String ID: X
API String ID: 3170660625-1677210272
Opcode ID: 340719e6e41c34c608e7bb5c9b6e707c109421b36ef8103cdf674878ce06f39c
Instruction ID: 766df43226c9ea1a559711d189c3a746228044f89b4a39ea1e7c11561aaa32a4
Opcode Fuzzy Hash: 340719e6e41c34c608e7bb5c9b6e707c109421b36ef8103cdf674878ce06f39c
Instruction Fuzzy Hash: 4301F432545B016E832237366DC696B269E9FCF3F53242224F619BE2A3EF64AC055160

Function 00E9DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 00E9DCD9
AcquireSRWLockExclusive, xrefs: 00E9DCC9
KERNEL32.DLL, xrefs: 00E9DCB4

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 3d1c4498cce4d4e450ac8d6460e208c29f5eaec47f8f04f7edb4518b36305b17
Instruction ID: 80ae0d1af56328f571400e48d5a31b0eab77d4b935ac934f35428783e42c4ca5
Opcode Fuzzy Hash: 3d1c4498cce4d4e450ac8d6460e208c29f5eaec47f8f04f7edb4518b36305b17
Instruction Fuzzy Hash: CA01A9716497325F4F616FB65C856E793949B4231A3343B3AE502F7240DBD1C885D690

Function 00EA8060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA807E

Part of subcall function 00EA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958), ref: 00EA84F4
Part of subcall function 00EA84DE: GetLastError.KERNEL32(00EB3958,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958,00EB3958), ref: 00EA8506

_free.LIBCMT ref: 00EA8090
_free.LIBCMT ref: 00EA80A3
_free.LIBCMT ref: 00EA80B4
_free.LIBCMT ref: 00EA80C5

Strings

, xrefs: 00EA8074

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-3162483948
Opcode ID: efd85b4c9c2b4ff152715ef0451a962494936bf56342776d2c6347a142854a39
Instruction ID: a15bd070371547f14698466b4c50c04f0d3cc7e7edd07383b84d3079860b08a5
Opcode Fuzzy Hash: efd85b4c9c2b4ff152715ef0451a962494936bf56342776d2c6347a142854a39
Instruction Fuzzy Hash: 5CF030748012598F87117F27BD914463BA5BB1D7203085686F411BFB70CB7118D99FC2

Function 00E90CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00E90D0D

Part of subcall function 00E8ACF5: GetVersionExW.KERNEL32(?), ref: 00E8AD1A

LocalFileTimeToFileTime.KERNEL32(?,00E90CB8), ref: 00E90D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E90D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00E90D56
SystemTimeToFileTime.KERNEL32(?,00E90CB8), ref: 00E90D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E90D72

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 00b19aa448b5b6a975ab30b8543789387dd46a67fc469d876cdf0fbf102709ff
Instruction ID: 8f641afd79fa2ff22da59a25e2060854b5e78c9a766df7a9c56648ea76143e6e
Opcode Fuzzy Hash: 00b19aa448b5b6a975ab30b8543789387dd46a67fc469d876cdf0fbf102709ff
Instruction Fuzzy Hash: 9A31957A90020AEFCB00EFE5D8859EFBBBCFF58700B04555AE955E7210E630AA45CB65

Function 00E991B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00E991D4
_memcmp.LIBVCRUNTIME ref: 00E991EB

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 365ef1aec62887b1c3fdfa2be71cb9be045b547f2f3837d298e214a983d0201e
Instruction ID: 31f238602b265b2b974c811084063e7fe3685186ef8df8cb296505d2bed14e55
Opcode Fuzzy Hash: 365ef1aec62887b1c3fdfa2be71cb9be045b547f2f3837d298e214a983d0201e
Instruction Fuzzy Hash: CF21837160020EBBEF059B19DC81FAB77ADAB50798B14A528FC09FA316E270ED458691

Function 00E9D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E9D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E9D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E9D31D
TranslateMessage.USER32(?), ref: 00E9D327
DispatchMessageW.USER32(?), ref: 00E9D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E9D33C

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: c7efacf332ee6bc19c2945bbb4eecbf7e62187596e9ff8d29c92195eef4443a2
Instruction ID: a32c3d09f6bf0f1eaecbc4ec82960e1287afc7332bcfe0048eda15e0d75f8dcf
Opcode Fuzzy Hash: c7efacf332ee6bc19c2945bbb4eecbf7e62187596e9ff8d29c92195eef4443a2
Instruction Fuzzy Hash: B2F03C72A0112DAFCF20AFA2EC4DEDBBF6DEF51792F008116FA06E6050D6358645C7A1

Function 00E9C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00E9C435

Part of subcall function 00E917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00E8BB05,00000000,.exe,?,?,00000800,?,?,00E985DF,?), ref: 00E917C2

Strings

MIN, xrefs: 00E9C4A3
<, xrefs: 00E9C41E
HIDE, xrefs: 00E9C474
MAX, xrefs: 00E9C487

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 795bd4f64c17c726e10c76fd6ae29e2985dea7ed1aaca76128565e8fd8a45b91
Instruction ID: c29629ef1d050b5fdc39004424e8b2b26f9e3465b38e0b79e95f16ca8d6fad69
Opcode Fuzzy Hash: 795bd4f64c17c726e10c76fd6ae29e2985dea7ed1aaca76128565e8fd8a45b91
Instruction Fuzzy Hash: 7E318172A00249AADF25EA94CC55FEF77BCEB14304F1050A6FA15F6091EBB49FC48A50

Function 00E9A990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00E8130B: GetDlgItem.USER32(00000000,00003021), ref: 00E8134F
Part of subcall function 00E8130B: SetWindowTextW.USER32(00000000,00EB35B4), ref: 00E81365

EndDialog.USER32(?,00000001), ref: 00E9A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00E9A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00E9AA24

Strings

GETPASSWORD1, xrefs: 00E9A9A9
xj, xrefs: 00E9AA02

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xj
API String ID: 445417207-2429949757
Opcode ID: de00250f74d0683e2f0a88476a526a0cad55a6ebc462ac8a68e8862fe9fb390f
Instruction ID: 90a7c20b13ffc568b0f7ccd802d17f516f2428d584fa60f1bd98347bbefd01ed
Opcode Fuzzy Hash: de00250f74d0683e2f0a88476a526a0cad55a6ebc462ac8a68e8862fe9fb390f
Instruction Fuzzy Hash: F91144329402187BDF21AE65AD49FFB7B6CEF89304F041035FB49B60C0D2A19955D7A2

Function 00E9ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00E9ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 00E9AE22
DeleteObject.GDI32(00000000), ref: 00E9AE54
DeleteObject.GDI32(00000000), ref: 00E9AE77

Part of subcall function 00E99E1C: FindResourceW.KERNEL32(00E9AE4D,PNG,?,?,?,00E9AE4D,00000066), ref: 00E99E2E
Part of subcall function 00E99E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00E9AE4D,00000066), ref: 00E99E46
Part of subcall function 00E99E1C: LoadResource.KERNEL32(00000000,?,?,?,00E9AE4D,00000066), ref: 00E99E59
Part of subcall function 00E99E1C: LockResource.KERNEL32(00000000,?,?,?,00E9AE4D,00000066), ref: 00E99E64

Strings

], xrefs: 00E9AE2A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: a995bb50594b911c9356e2d20c781f5b95d0880e2515943c4014ccdb1de2e315
Instruction ID: 61d9b31fd2ac92ae385798e43e57cd27a6d09ff16f3d35da8a5b7823e58082f8
Opcode Fuzzy Hash: a995bb50594b911c9356e2d20c781f5b95d0880e2515943c4014ccdb1de2e315
Instruction Fuzzy Hash: 6201C832540215ABDF106B695C45A7F77ADAF81B51F0C1029FE00B7292DA724C1596A2

Function 00E9CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E8130B: GetDlgItem.USER32(00000000,00003021), ref: 00E8134F
Part of subcall function 00E8130B: SetWindowTextW.USER32(00000000,00EB35B4), ref: 00E81365

EndDialog.USER32(?,00000001), ref: 00E9CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00E9CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E9CD05
SetDlgItemTextW.USER32(?,00000068), ref: 00E9CD14

Strings

RENAMEDLG, xrefs: 00E9CCA8

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: b890278d4bac5f21105b85ed5bb43a08aed31e78313dfb0adf0331e4a378102e
Instruction ID: f6a687d2649ae13150b19e12049778febaca10dfdcabbe0b5979c62fb0d70407
Opcode Fuzzy Hash: b890278d4bac5f21105b85ed5bb43a08aed31e78313dfb0adf0331e4a378102e
Instruction Fuzzy Hash: F00128322853547FEA116F65AD08FA7BF5CEB5A706F201415F349BA0E0C7625A08CB75

Function 00EA2503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00EA251A

Part of subcall function 00EA2B52: ___AdjustPointer.LIBCMT ref: 00EA2B9C

_UnwindNestedFrames.LIBCMT ref: 00EA2531
___FrameUnwindToState.LIBVCRUNTIME ref: 00EA2543
CallCatchBlock.LIBVCRUNTIME ref: 00EA2567

Strings

/), xrefs: 00EA2526, 00EA2517

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /)
API String ID: 2633735394-750405031
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: f1bf3af99c2215aaf3e8be267a0efea0396454c4637c6df5495e0a3fe4ac012f
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 41010532400109ABCF129F69CC01EDA3BAAFF5E714F059418FA187A120C336E961ABA1

Function 00EA75C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EA7573,00000000,?,00EA7513,00000000,00EBBAD8,0000000C,00EA766A,00000000,00000002), ref: 00EA75E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA75F5
FreeLibrary.KERNEL32(00000000,?,?,?,00EA7573,00000000,?,00EA7513,00000000,00EBBAD8,0000000C,00EA766A,00000000,00000002), ref: 00EA7618

Strings

mscoree.dll, xrefs: 00EA75DB
CorExitProcess, xrefs: 00EA75ED

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1cbee26eab614f7bf709ba014d050ce17b2320d0b171b8942c13fe5530ab95d0
Instruction ID: 45ad261b8511c36340e90993dc0e3cf17ffe7f8bd4d4221c58e76fed38f3209e
Opcode Fuzzy Hash: 1cbee26eab614f7bf709ba014d050ce17b2320d0b171b8942c13fe5530ab95d0
Instruction Fuzzy Hash: 09F0A431A08608FFCB15ABA5DC0ABEEBFB8EF48715F004158F805B6250DB709A44CA50

Function 00E8EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E90085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E900A0
Part of subcall function 00E90085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E8EB86,Crypt32.dll,00000000,00E8EC0A,?,?,00E8EBEC,?,?,?), ref: 00E900C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E8EB92
GetProcAddress.KERNEL32(00EC81C0,CryptUnprotectMemory), ref: 00E8EBA2

Strings

CryptProtectMemory, xrefs: 00E8EB8C
Crypt32.dll, xrefs: 00E8EB7C
CryptUnprotectMemory, xrefs: 00E8EB98

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: a6af61dcae20796dd777aea8b53af13585316ba6f9a310ac71a942f124479e19
Instruction ID: 3e7de4d75b6170612515b90a2fd45dcc97ade32186e362415ed72624d618bb43
Opcode Fuzzy Hash: a6af61dcae20796dd777aea8b53af13585316ba6f9a310ac71a942f124479e19
Instruction Fuzzy Hash: 5CE04F70845741AECB31AF35980AB83BAE45F14704B00A81DE4DAF3684D6F5D5448B50

Function 00EA7DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA7E4B
_free.LIBCMT ref: 00EA7E6B

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4e0097789a90268c2721acc82e3520307c318c33621df3aac7f63aec8106b8f8
Instruction ID: c05d9ed4e402d542a805f2ebf68ead7e649f9f116eeb1f1eb913067e39d51cfd
Opcode Fuzzy Hash: 4e0097789a90268c2721acc82e3520307c318c33621df3aac7f63aec8106b8f8
Instruction Fuzzy Hash: B441AD32A002049FCB20DF78C881A9EB7E5EF8A714B1595A8E955FF341DB31BD01CB80

Function 00EAB610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EAB619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EAB63C

Part of subcall function 00EA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EAC13D,00000000,?,00EA67E2,?,00000008,?,00EA89AD,?,?,?), ref: 00EA854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EAB662
_free.LIBCMT ref: 00EAB675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EAB684

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4e2360cda99ebe63fd94b7077396c0b6d03742867de6796410c695ccffd8ff1c
Instruction ID: 319001a48e0ab7e32ece85bbfa7cac996e884bb149faea6016e557e46d824856
Opcode Fuzzy Hash: 4e2360cda99ebe63fd94b7077396c0b6d03742867de6796410c695ccffd8ff1c
Instruction Fuzzy Hash: CE01D472602611BF232116BB6C8DC7B6A6DDFCFBA43140228BC05FB112DF60ED4181B0

Function 00E9075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00E90A41: ResetEvent.KERNEL32(?), ref: 00E90A53
Part of subcall function 00E90A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00E90A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00E9078F
CloseHandle.KERNEL32(?,?), ref: 00E907A9
DeleteCriticalSection.KERNEL32(?), ref: 00E907C2
CloseHandle.KERNEL32(?), ref: 00E907CE
CloseHandle.KERNEL32(?), ref: 00E907DA

Part of subcall function 00E9084E: WaitForSingleObject.KERNEL32(?,000000FF,00E90A78,?), ref: 00E90854
Part of subcall function 00E9084E: GetLastError.KERNEL32(?), ref: 00E90860

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 0883162037b51742d52e891ac9961054c78b4eb36db5f4a72c028fdb3acda656
Instruction ID: 80d71aef376342742114cb8cf407f332906d7df2bdfcbb21aae9dc499c84db7a
Opcode Fuzzy Hash: 0883162037b51742d52e891ac9961054c78b4eb36db5f4a72c028fdb3acda656
Instruction Fuzzy Hash: 0C019271544B04EFCB21AB65DC85FC6BBE9FF48720F400629F15A62161CB757A48CB90

Function 00EABF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EABF28

Part of subcall function 00EA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958), ref: 00EA84F4
Part of subcall function 00EA84DE: GetLastError.KERNEL32(00EB3958,?,00EABFA7,00EB3958,00000000,00EB3958,00000000,?,00EABFCE,00EB3958,00000007,00EB3958,?,00EAC3CB,00EB3958,00EB3958), ref: 00EA8506

_free.LIBCMT ref: 00EABF3A
_free.LIBCMT ref: 00EABF4C
_free.LIBCMT ref: 00EABF5E
_free.LIBCMT ref: 00EABF70

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c6fd92ad804080b2e3e0bc196326c770594f6462cdc5660ee2ef50c596531cce
Instruction ID: 5c26f5585b7573e6f0e3cac23da419d067daa8425001762d88943480e3dc1e0b
Opcode Fuzzy Hash: c6fd92ad804080b2e3e0bc196326c770594f6462cdc5660ee2ef50c596531cce
Instruction Fuzzy Hash: 9AF01236604201AF8620EB65EE86C5773D9BF4E7147686D05F019FFA11CB70FC848A54

Function 00E87574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E87579

Part of subcall function 00E83B3D: __EH_prolog.LIBCMT ref: 00E83B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00E87640

Part of subcall function 00E87BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E87C04
Part of subcall function 00E87BF5: GetLastError.KERNEL32 ref: 00E87C4A
Part of subcall function 00E87BF5: CloseHandle.KERNEL32(?), ref: 00E87C59

Strings

SeRestorePrivilege, xrefs: 00E875D3
SeSecurityPrivilege, xrefs: 00E875BE

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: e0c4ce887de88a3d932a0e18f73215dfcb2b9b8f2d431ab11f7d93dcd5efeaa9
Instruction ID: 2e2eaef995785bc40b1ad5065b11fb22d5298946d2eba26e3865a8c924e9b413
Opcode Fuzzy Hash: e0c4ce887de88a3d932a0e18f73215dfcb2b9b8f2d431ab11f7d93dcd5efeaa9
Instruction Fuzzy Hash: E131E771908248AEDF10FBA4DC42FEE7BB9AF14354F105169F58DB7152DB708A45C760

Function 00E9A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00E8130B: GetDlgItem.USER32(00000000,00003021), ref: 00E8134F
Part of subcall function 00E8130B: SetWindowTextW.USER32(00000000,00EB35B4), ref: 00E81365

EndDialog.USER32(?,00000001), ref: 00E9A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00E9A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E9A4E2

Strings

ASKNEXTVOL, xrefs: 00E9A448

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: ea6bf14031225715ea9ddfc265624c1c58cf3363c3697f5bb18cdd1244a5da4c
Instruction ID: b309a33db9d611a5fb77e90ebd74d124118d23ce52654317e97f89981d470b3a
Opcode Fuzzy Hash: ea6bf14031225715ea9ddfc265624c1c58cf3363c3697f5bb18cdd1244a5da4c
Instruction Fuzzy Hash: AD11D6322442446FDA219F99DC4DF6677A9EF46304F281424F314BB0A0C7E19905DB63

Function 00E8D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00E8D22E
_strncpy.LIBCMT ref: 00E8D278

Strings

@%s, xrefs: 00E8D218
$%s, xrefs: 00E8D223

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: d7b01644dd73933b4abbc9649e04104980710f22ebdde597639e521e5772f0cd
Instruction ID: 135cc492c5b4d01289387c86aa4407c8110502376b5a2d542044ed6529b84978
Opcode Fuzzy Hash: d7b01644dd73933b4abbc9649e04104980710f22ebdde597639e521e5772f0cd
Instruction Fuzzy Hash: 27216D72544308AAEF21EEA4CD06FEA7BE8AF05300F141522FE1CB61A1E371EA559B51

Function 00E8B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E8B51E

Part of subcall function 00E8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E8401D

_wcschr.LIBVCRUNTIME ref: 00E8B53C
_wcschr.LIBVCRUNTIME ref: 00E8B54C

Strings

%c:\, xrefs: 00E8B514

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 55b8163bea8ffbc4df3d2921dea76290d417434c6ec06278bea42203ebe3d07e
Instruction ID: cf50a73687e87f017e38b4d2008cd510523c048cae1797d1800cfba2b1ca2735
Opcode Fuzzy Hash: 55b8163bea8ffbc4df3d2921dea76290d417434c6ec06278bea42203ebe3d07e
Instruction Fuzzy Hash: 32012D63904311BAC724BBB59C42C6BB7EDEE96360B506416F85DFA081FB30E940C3A1

Function 00E906BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00E8ABC5,00000008,?,00000000,?,00E8CB88,?,00000000), ref: 00E906F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00E8ABC5,00000008,?,00000000,?,00E8CB88,?,00000000), ref: 00E906FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00E8ABC5,00000008,?,00000000,?,00E8CB88,?,00000000), ref: 00E9070D

Strings

Thread pool initialization failed., xrefs: 00E90725

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 169353b62a2df7b44b459cd64d18756c4dc74277513b85f0d9648942b3fb8c5e
Instruction ID: 9e0ef2a27e4635b02c6e1f1c2d6c2f569898ec139d79f27278c7477394073b87
Opcode Fuzzy Hash: 169353b62a2df7b44b459cd64d18756c4dc74277513b85f0d9648942b3fb8c5e
Instruction Fuzzy Hash: A211A0B1604708AFC3206F76DC85AA7FBECEF94754F50582EF1DAA2201D7716A80CB50

Function 00E9D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00E9D3DE
REPLACEFILEDLG, xrefs: 00E9D3C9, 00E9D3FD

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: e80eefe0b35d7c7a9ef070450e714ffe4884b1aa763b0491cac2c56c36f88efd
Instruction ID: 5dc6b00f04d5584e6ac3220b7caea2e41fe75f485cbe627bbdc551f6bfa57f90
Opcode Fuzzy Hash: e80eefe0b35d7c7a9ef070450e714ffe4884b1aa763b0491cac2c56c36f88efd
Instruction Fuzzy Hash: E501F571608359AFCF109F16EE40EA67BA9F714385B002032F810F3270C6729854EB61

Function 00EA91DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EA9269
__alldvrm.LIBCMT ref: 00EA946A
__alldvrm.LIBCMT ref: 00EA948C

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: 3f9029998fadb87020ba026ee46a9dfe5a6417b32cc765dec13238388a8b69f6
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: A7A157319003469FEB25CE68C8817AEBBE5EF5F314F14516DE595AF382C238A946C750

Function 00E8A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00E880B7,?,?,?), ref: 00E8A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00E880B7,?,?), ref: 00E8A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00E880B7,?,?,?,?,?,?,?,?), ref: 00E8A416
CloseHandle.KERNEL32(?,?,00000000,?,00E880B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8A41D

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 0de29fd00585e2b9fe70c4a5d0bc677c0953175984ff34f9a674263577c18f3d
Instruction ID: 064eb992a1703f25603a9b15a62566eb678e517a925cb4a3ca1690acc843ef7d
Opcode Fuzzy Hash: 0de29fd00585e2b9fe70c4a5d0bc677c0953175984ff34f9a674263577c18f3d
Instruction Fuzzy Hash: 1041D0302883806EE731EF24DC45FEFBBE4AF81704F18092EB5D8A3191D6649A48DB13

Function 00EAC099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EA89AD,?,00000000,?,00000001,?,?,00000001,00EA89AD,?), ref: 00EAC0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EAC16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00EA67E2,?), ref: 00EAC181
__freea.LIBCMT ref: 00EAC18A

Part of subcall function 00EA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00EAC13D,00000000,?,00EA67E2,?,00000008,?,00EA89AD,?,?,?), ref: 00EA854A

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a95bc6f3f1a21314bdcccbd22c83b4e2f63f36502fe280874cc4d00be2e074a1
Instruction ID: 05945e249fb4bd5286c1abb18203851facd413228ecd90b2e7f2846445f520f0
Opcode Fuzzy Hash: a95bc6f3f1a21314bdcccbd22c83b4e2f63f36502fe280874cc4d00be2e074a1
Instruction Fuzzy Hash: 4131AC72A0120AABDB248F65DC41DAE7BB5EB59314F240268FC04AA251E735ED54CBA0

Function 00E99DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E99DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E99DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E99DDB
ReleaseDC.USER32(00000000,00000000), ref: 00E99DE9

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9a8b6efb2321c515341219755b4259f14150e80e36b13bdd2bed15c9607b1179
Instruction ID: bd27bd23793f57177de9261e08bced02589b955d1d9975878d9d7c4139698a56
Opcode Fuzzy Hash: 9a8b6efb2321c515341219755b4259f14150e80e36b13bdd2bed15c9607b1179
Instruction Fuzzy Hash: 60E0EC31985A65AFD7241FB6AD4DB8F3B58BB09722F050019F705BA1D0DAB04409CB94

Function 00EA2016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00EA2016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00EA201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00EA2020

Part of subcall function 00EA310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00EA311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00EA2035

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 7036e81c571374cde14d1394575f886a4816c9f8817849098ba25b15ddbd6a74
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 41C04C24005640D41C113ABA32421BD0BC00C7F7C8B9370CAFB903F103DE06360FA132

Function 00E99F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00E99DF1: GetDC.USER32(00000000), ref: 00E99DF5
Part of subcall function 00E99DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E99E00
Part of subcall function 00E99DF1: ReleaseDC.USER32(00000000,00000000), ref: 00E99E0B

GetObjectW.GDI32(?,00000018,?), ref: 00E99F8D

Part of subcall function 00E9A1E5: GetDC.USER32(00000000), ref: 00E9A1EE
Part of subcall function 00E9A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00E9A21D
Part of subcall function 00E9A1E5: ReleaseDC.USER32(00000000,?), ref: 00E9A2B5

Strings

(, xrefs: 00E9A0A3

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: e7ca4c67fded0b4fdec6b70d7c6f8d14aba119620872cbfc3bd75cd24c8234ab
Instruction ID: 7c1f1ab2eb614a744f58817148e8cb15fd9131a7d34c7ed679270c791dbae4c0
Opcode Fuzzy Hash: e7ca4c67fded0b4fdec6b70d7c6f8d14aba119620872cbfc3bd75cd24c8234ab
Instruction Fuzzy Hash: EA811471208354AFC714DF69D84492BBBE9FF88704F14492DF98AE7260DB31AD05CB92

Function 00E90E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E90FF1

Strings

%ls, xrefs: 00E90E76, 00E90E8C
%s: %s, xrefs: 00E91000

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: be91f5cf8c27527177c0083d3b0cd5ad78b74867cb95082ae6a2c3590236488e
Instruction ID: ae445c9f8f26ec61e1aa049927042d4b5cc8c7c7845d574e8a488c17e215c59d
Opcode Fuzzy Hash: be91f5cf8c27527177c0083d3b0cd5ad78b74867cb95082ae6a2c3590236488e
Instruction Fuzzy Hash: CF51D53128C701FEFE322AA4CD02FB77696AB04B00F647906B7DE748E6C6A355907712

Function 00EAA918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EAAA84

Part of subcall function 00EA8849: IsProcessorFeaturePresent.KERNEL32(00000017,00EA8838,00000050,00EB3958,?,00E8CFE0,00000004,00EC0EE8,?,?,00EA8845,00000000,00000000,00000000,00000000,00000000), ref: 00EA884B
Part of subcall function 00EA8849: GetCurrentProcess.KERNEL32(C0000417,00EB3958,00000050,00EC0EE8), ref: 00EA886D
Part of subcall function 00EA8849: TerminateProcess.KERNEL32(00000000), ref: 00EA8874

Strings

*?, xrefs: 00EAA95B
., xrefs: 00EAAC3B

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 8172d442aa5cf5c4856db369e2d99c35db09c964f32d8fb3651711e8e1fec9ff
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: D051A071D0020A9FDF14CFA8C9419AEB7F5EF5D314F299169E454BB300E735AA01CB51

Function 00E8772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00E87730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E878CC

Part of subcall function 00E8A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E8A27A,?,?,?,00E8A113,?,00000001,00000000,?,?), ref: 00E8A458
Part of subcall function 00E8A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E8A27A,?,?,?,00E8A113,?,00000001,00000000,?,?), ref: 00E8A489

Strings

:, xrefs: 00E877A1

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 6c995e3ad81a54fc1c4965971021f683000353bfabf9dc0963645f3c308bb613
Instruction ID: 346cdb0869fe4ac4b27edd7184d64f306858035fd9199f22cfce9637b900dad4
Opcode Fuzzy Hash: 6c995e3ad81a54fc1c4965971021f683000353bfabf9dc0963645f3c308bb613
Instruction Fuzzy Hash: 55416371905268AADB25FB50CD45EEEB3BCAF44300F10509AB64DB3092EB745F84DB61

Function 00E8B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 00E8B708
\\?\, xrefs: 00E8B6BE, 00E8B6FA, 00E8B75B, 00E8B7AE

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: c32f1bb7c5b0f8936ec91bac4c024f1a846edf37b93d7c28cac144cb9cb909fb
Instruction ID: acbacb19e93d7378ea2ca071bf396c9cb06a908d70ef0fcad6b4b3ff1e72e8dc
Opcode Fuzzy Hash: c32f1bb7c5b0f8936ec91bac4c024f1a846edf37b93d7c28cac144cb9cb909fb
Instruction Fuzzy Hash: C6419135840319BACF20BF61DC42EEF77A9AF85754B106126F81CB7262E771DA40CBA4

Function 00E98FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00E98FC4

Strings

about:blank, xrefs: 00E99082
Shell.Explorer, xrefs: 00E98FEF

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: dc0bfab02dcd8317e476db124509a41179f7ac3db31625ee5d7438746c4ae639
Instruction ID: 17a36635af3ee3aa1911b4651f997f2bec9adc2a7a5ee77bf7ee7ce421784484
Opcode Fuzzy Hash: dc0bfab02dcd8317e476db124509a41179f7ac3db31625ee5d7438746c4ae639
Instruction Fuzzy Hash: F5217E712043049FCF089F69C895A6A77A8FF85711B14956DF819AB293DBB0EC00CB60

Function 00E9D44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010444,00E9A990,?,?), ref: 00E9D4C5

Strings

xj, xrefs: 00E9D4D5
GETPASSWORD1, xrefs: 00E9D4BA

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xj
API String ID: 665744214-2429949757
Opcode ID: bd8b2ff03dd5259863eac8e645f76da237f975e132e626ac08b94ab7575264de
Instruction ID: 9c7ebebafc1017d796f0396c40c22f2ac360c90393e115801a69d6b63200a2b5
Opcode Fuzzy Hash: bd8b2ff03dd5259863eac8e645f76da237f975e132e626ac08b94ab7575264de
Instruction Fuzzy Hash: 6C117871604258AFDF21DE349C02FEB3398B709715F146078FD49BB181DAB1AC84C360

Function 00E8EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00E8EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E8EB92
Part of subcall function 00E8EB73: GetProcAddress.KERNEL32(00EC81C0,CryptUnprotectMemory), ref: 00E8EBA2

GetCurrentProcessId.KERNEL32(?,?,?,00E8EBEC), ref: 00E8EC84

Strings

CryptUnprotectMemory failed, xrefs: 00E8EC7C
CryptProtectMemory failed, xrefs: 00E8EC3B

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 24b27b46bc4547efc36f4fc2aab8a3ab7c1ee819c18c1074977f90a17a1a5b54
Instruction ID: 684c35821c6aaa5b7ff02d1c7d9ff9f8d3239b43cc686e848e3eb43711e6352b
Opcode Fuzzy Hash: 24b27b46bc4547efc36f4fc2aab8a3ab7c1ee819c18c1074977f90a17a1a5b54
Instruction Fuzzy Hash: BB112431E052645FDB147B36DE06AAE7794AF04714B049119E80D7B391CA319E4287D0

Function 00EA9B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EA9BBE
_free.LIBCMT ref: 00EA9BE4

Strings

X, xrefs: 00EA9C4B

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: _free
String ID: X
API String ID: 269201875-1677210272
Opcode ID: cef5546eb1888f0fac8e1b80671175ce2852f5dd9fc0b44155d85652aa808dfc
Instruction ID: baf6a793d294cdf6bc426a62c00c4dcace7eed17f1b2b3e3ec61d2dfe1bafb67
Opcode Fuzzy Hash: cef5546eb1888f0fac8e1b80671175ce2852f5dd9fc0b44155d85652aa808dfc
Instruction Fuzzy Hash: 29113831A007115FEB209B39AC85B5633D4AB5E334F042262F621FF2E1E770E8859684

Function 00E9EC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E9F25E
___raise_securityfailure.LIBCMT ref: 00E9F345

Strings

8, xrefs: 00E9F340

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8
API String ID: 3761405300-3509204572
Opcode ID: 94dea2f515d716730944845a41a5d7259160cfc496ce5bed30132609cb0bdbc3
Instruction ID: e382d36b4037fd7a2d1f21e4b6f41c12dcd44a11e09767b752070ffe6ec64b59
Opcode Fuzzy Hash: 94dea2f515d716730944845a41a5d7259160cfc496ce5bed30132609cb0bdbc3
Instruction Fuzzy Hash: 8D21C3B55103889FDB10DF96E9C26957BA4AB48324F10583AF508AE3B0E3F559C8CB45

Function 00E90889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00E909D0,?,00000000,00000000), ref: 00E908AD
SetThreadPriority.KERNEL32(?,00000000), ref: 00E908F4

Part of subcall function 00E86E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E86EAF

Strings

CreateThread failed, xrefs: 00E908B9

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: d653333f3d2be44d66639612d657b91a10bb3c70aa565b4cae8aa807814cf131
Instruction ID: 496521afaaacad47c878b1ada39f15c6ef27b9ed72cff2d4555f434a264547c1
Opcode Fuzzy Hash: d653333f3d2be44d66639612d657b91a10bb3c70aa565b4cae8aa807814cf131
Instruction Fuzzy Hash: 9801D6B1344305AFDA346F64ED82FA67398EF80715F10153DF68AB2181CAA1A88196A4

Function 00EAB2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EA8FA5: GetLastError.KERNEL32(?,00EC0EE8,00EA3E14,00EC0EE8,?,?,00EA3713,00000050,?,00EC0EE8,00000200), ref: 00EA8FA9
Part of subcall function 00EA8FA5: _free.LIBCMT ref: 00EA8FDC
Part of subcall function 00EA8FA5: SetLastError.KERNEL32(00000000,?,00EC0EE8,00000200), ref: 00EA901D
Part of subcall function 00EA8FA5: _abort.LIBCMT ref: 00EA9023

_abort.LIBCMT ref: 00EAB2E0
_free.LIBCMT ref: 00EAB314

Strings

, xrefs: 00EAB30B

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID:
API String ID: 289325740-3162483948
Opcode ID: 6e931e3aa93347cffe1911a02e55ed426465ed7318d092c4d608e3d09bcb354a
Instruction ID: 54c99346b152ce9699d3981f41e9716efe6eead8903bf931f27190a6dc3291f3
Opcode Fuzzy Hash: 6e931e3aa93347cffe1911a02e55ed426465ed7318d092c4d608e3d09bcb354a
Instruction Fuzzy Hash: F5015271D01721DFCF21AF69580129EB7A0BF0E721B19260AE5217F792CBB079458BC2

Function 00E8130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00E8DA98: _swprintf.LIBCMT ref: 00E8DABE
Part of subcall function 00E8DA98: _strlen.LIBCMT ref: 00E8DADF
Part of subcall function 00E8DA98: SetDlgItemTextW.USER32(?,00EBE154,?), ref: 00E8DB3F
Part of subcall function 00E8DA98: GetWindowRect.USER32(?,?), ref: 00E8DB79
Part of subcall function 00E8DA98: GetClientRect.USER32(?,?), ref: 00E8DB85

GetDlgItem.USER32(00000000,00003021), ref: 00E8134F
SetWindowTextW.USER32(00000000,00EB35B4), ref: 00E81365

Strings

0, xrefs: 00E8130E

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 6100af6b1878c9267fb1359a7f785c93517b04a9a0e64074f469fb65724916af
Instruction ID: 22bffc5030eaf7b412f07b7887fda82fa352717dfb622584f2d720044917f12e
Opcode Fuzzy Hash: 6100af6b1878c9267fb1359a7f785c93517b04a9a0e64074f469fb65724916af
Instruction Fuzzy Hash: 22F0AF3014438CAADF252F718C09BEA3B9CBB10349F09A8A8FE4D745A1C775C996EB10

Function 00E9084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00E90A78,?), ref: 00E90854
GetLastError.KERNEL32(?), ref: 00E90860

Part of subcall function 00E86E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E86EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00E90869

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: b79cbee505ea8ff2022560534e4912b6936d5030120fa8b387938da57618d9eb
Instruction ID: 2f4f529ea4131a4e01d95dacced1d195fae1d25f4b83d6c4614a98a3d4a3b44f
Opcode Fuzzy Hash: b79cbee505ea8ff2022560534e4912b6936d5030120fa8b387938da57618d9eb
Instruction Fuzzy Hash: 85D05E71A081316ACA143734AC0BEEF79059F52730F601719F63D752F5DA210A5182D5

Function 00E8DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00E8D32F,?), ref: 00E8DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00E8D32F,?), ref: 00E8DA61

Strings

RTL, xrefs: 00E8DA5B

Memory Dump Source

Source File: 00000000.00000002.1420024707.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1420001686.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420054814.0000000000EB3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420068830.0000000000EE1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1420188841.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Ym9pCkdQCN.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: c9658888392bb26e0d775de10e8cf5fbcd009eab7a7a90d8147042fcba2bb13d
Instruction ID: 994a065c90e5563620b9847ffbc9e1e0baabafe0e66c1d260ee7ac4760386de8
Opcode Fuzzy Hash: c9658888392bb26e0d775de10e8cf5fbcd009eab7a7a90d8147042fcba2bb13d
Instruction Fuzzy Hash: B2C01232289350BAEB3137367D0EB836A486F10B12F19158CB249FA5D4DAE5DA4887A0

Analysis Process: sessioncrt.exePID: 7804, Parent PID: 7752COMMON

Executed Functions

Function 00007FFB4AE2C70D Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFB4AE2C739
^, xrefs: 00007FFB4AE2C839
|M_^, xrefs: 00007FFB4AE2C801

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID: ^$_$|M_^
API String ID: 0-1069427755
Opcode ID: 642b6a18535e95ba7c0a1a59b859fe9eac7969d93c4e025e8fa26d026a0b96b1
Instruction ID: 5d7ab74c442d5b3a7c003e8e05e4bc5caa017651dd908163a707960382f35049
Opcode Fuzzy Hash: 642b6a18535e95ba7c0a1a59b859fe9eac7969d93c4e025e8fa26d026a0b96b1
Instruction Fuzzy Hash: AFF121B2A0CA0A9FEB41FFB8D8552FDB7E4FF88310F2041BAC459D6182DE3464458791

Function 00007FFB4AE21748 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

2EJ, xrefs: 00007FFB4AE21F13

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID: 2EJ
API String ID: 0-4011802628
Opcode ID: 79cb96bb1266cb10c5e3b0ec92a56e13590232b0dd3a9e9d95afb6fee0a1635e
Instruction ID: a2d19adf4d1e6bb59e559287e5ea17d0d6e701a85f724eba1f236307eca40e1f
Opcode Fuzzy Hash: 79cb96bb1266cb10c5e3b0ec92a56e13590232b0dd3a9e9d95afb6fee0a1635e
Instruction Fuzzy Hash: F671A772A0DA494FEB49EF6CC8615A977D2FFD8314B2441BDD45EC3282CE25AD02C782

Function 00007FFB4AE2C7AD Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

|M_^, xrefs: 00007FFB4AE2C801

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID: |M_^
API String ID: 0-3374310339
Opcode ID: 2165d9d2dd5813efae96567cb21d070de1e55befb96de5fcbf461f0a9e3deb32
Instruction ID: 7bf7971c9cffd02de8f469aa27f43ea53685f7aeab35b5d66d848a8a79fe7535
Opcode Fuzzy Hash: 2165d9d2dd5813efae96567cb21d070de1e55befb96de5fcbf461f0a9e3deb32
Instruction Fuzzy Hash: 12212872A0D91ADAE341BE7CF4491F9B7E4FF54321F2486BBC49CC5043DE2861868791

Function 00007FFB4AE2C24D Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78088119466d92a80c58610d67d2c748313fe3193ef00f0105d52beab0005e1f
Instruction ID: 823cfd67d110f72638cb5acfc3c361bb112c2cfb8533d498f7d7d65ae698070e
Opcode Fuzzy Hash: 78088119466d92a80c58610d67d2c748313fe3193ef00f0105d52beab0005e1f
Instruction Fuzzy Hash: 106106B1D586198EEBA4FF68C9547EDB7F5FB98300F6001BAD01DE3281DE3869858B41

Function 00007FFB4AE21DCC Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059dfb8d0ad320f4c64102949412ec6549b40267b22c504a1a69e1483c4f49bb
Instruction ID: c3b784342acaeeb56e0c20f70789369f52652271bb75e29f101ba1ad131fe8de
Opcode Fuzzy Hash: 059dfb8d0ad320f4c64102949412ec6549b40267b22c504a1a69e1483c4f49bb
Instruction Fuzzy Hash: 32419271A18A494BDB4CEE5CC8656BA73E2FFD8315F24457EE45EC3285CE31E9028781

Function 00007FFB4AE2A928 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dd6ae7d41b03a022b803a7f1f7ede289c16faade2f278684a1361a67adf2ed
Instruction ID: 9d1af21e7a54725d8e805fec4948add817035dd6ba9dd6b8a1022e05aed65b73
Opcode Fuzzy Hash: 58dd6ae7d41b03a022b803a7f1f7ede289c16faade2f278684a1361a67adf2ed
Instruction Fuzzy Hash: CF5108B1D5C91D8EEB94FF64C5656EDB7B5FB68310F6001BAD019E7281CE3868418B42

Function 00007FFB4AE21D8D Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2b8d7230704d29c24aaec509a66df345f59987d6f4438cf54be8744ce8135a
Instruction ID: 461f495d2b3348d9cd4a0e059ad47b03e9c92d8ac93a7b2547fe69ff33a8bb42
Opcode Fuzzy Hash: ab2b8d7230704d29c24aaec509a66df345f59987d6f4438cf54be8744ce8135a
Instruction Fuzzy Hash: 7241F772A0DB4A8FDB4DEE58C8601B977D1FF98315B2441BED45AC7282CE35E9028782

Function 00007FFB4AE34CD0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c133d6bacd60460bb0b9ac26563a83cfc0432aa373201bf26b29af8ed90e41
Instruction ID: bd939e3c405f93d1d282729aafc22411c44ed3e5e8a4aa12dd92060ef577c123
Opcode Fuzzy Hash: d3c133d6bacd60460bb0b9ac26563a83cfc0432aa373201bf26b29af8ed90e41
Instruction Fuzzy Hash: C2412EB194891D8FEB94FFA8D499AACB7F1FF58301F6001AAD01DE7251CE356881CB41

Function 00007FFB4AE2364B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614b491e7e155c8458d527744d12c003593c091079a6af3291d20ec40da68652
Instruction ID: 5f305c5418fb5e264f944f9c3700ad2b5257a8efe15ba919d35d4454bb02a1ad
Opcode Fuzzy Hash: 614b491e7e155c8458d527744d12c003593c091079a6af3291d20ec40da68652
Instruction Fuzzy Hash: 49419EB294894E8EEB84EF68C9656F87BE5FF19300F6401BAD01DD3282CE2458018B12

Function 00007FFB4AE23285 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eac75ddd965b126cd02760f434f5cd5c595122fcff13101a710cf7ef98e649
Instruction ID: 4eb03d1b3ad602780708f97ebacd17c340cbaa3b011b0e16ef24c1321d5f7e0e
Opcode Fuzzy Hash: 71eac75ddd965b126cd02760f434f5cd5c595122fcff13101a710cf7ef98e649
Instruction Fuzzy Hash: FE512AB2D4850E8FEB54FFA8C5656EDB7F5FF58300F6000BAD029E7291DA3869448B52

Function 00007FFB4AE221A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d691717155275d835741ad470291944a2f64ec873fe5240ce9ce96b682f981e5
Instruction ID: 78dcab300bf64eec9bce3fc5a0b59c66dffe513e626cf786cf92a7ff8b261b88
Opcode Fuzzy Hash: d691717155275d835741ad470291944a2f64ec873fe5240ce9ce96b682f981e5
Instruction Fuzzy Hash: AA412673A4DA494FD346BF78C8651B97BE4FF49300F2449FAD458CB193DD29A8018352

Function 00007FFB4AE2378E Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4506401d089f660e005e8b509aae3240b2e2e26306eff49c9d7a0861415cd860
Instruction ID: 8974a76e3b0c7bcfd7853ef25c6397fd2448c0a64d7444b1d849ca8b2ab7f8e7
Opcode Fuzzy Hash: 4506401d089f660e005e8b509aae3240b2e2e26306eff49c9d7a0861415cd860
Instruction Fuzzy Hash: 594172B295DA4E8FE749EF6CD8153E97BE1FB8A350F5002BEC009D72C6CBA514058B51

Function 00007FFB4AE2BCC4 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483a24370e3ce68304a0b682c268bae0bde0bc371ecf7a07aa58ffb305b938bb
Instruction ID: ce046d784c8e9fc386df4a935ca4e73e7bb2078018dabc32f92120a0273e328f
Opcode Fuzzy Hash: 483a24370e3ce68304a0b682c268bae0bde0bc371ecf7a07aa58ffb305b938bb
Instruction Fuzzy Hash: 6931F8B2D5C91D8EEB94FF68D9A56ECB7B5FF6C300F604069D01DD3282CE2468419B41

Function 00007FFB4AE2BD3C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b548f5c62f2712b9fbf9af5c8ba54fb349a9d787325384ca3395080dd2aa5663
Instruction ID: 4245906b3735ac1f1b47761ac8f0c9b7dd7b060aa46770fe54f8cc0d80b0c50c
Opcode Fuzzy Hash: b548f5c62f2712b9fbf9af5c8ba54fb349a9d787325384ca3395080dd2aa5663
Instruction Fuzzy Hash: 973107B1E5C91D8FEB94FF68C5A56ACBBB5FF69300F6000A9C01DD7282CE2468419B41

Function 00007FFB4AE2C4F0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3718f4c38c8bba60121bb0978cc426f09c9f32c3b7ade46c638ffc32d4b7780
Instruction ID: d12affe5d0c89bce1653b8d6328e8d2395a1e169a0f1c52620b2f7b08b3cd0dd
Opcode Fuzzy Hash: c3718f4c38c8bba60121bb0978cc426f09c9f32c3b7ade46c638ffc32d4b7780
Instruction Fuzzy Hash: 5C3154B1C4861A8EEB14FFB1C5546FCB7E9FF48301FA001BAD019A7281DB39A584DB50

Function 00007FFB4AE23357 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb61936b3e27a60e51887a90918c89cec763d25ad57bd7e0be9bfa0e3c44fbb6
Instruction ID: 80067f0db1a010c845b12b20cb3a540ca53ef3ced129311894f8a7c3c03ae437
Opcode Fuzzy Hash: bb61936b3e27a60e51887a90918c89cec763d25ad57bd7e0be9bfa0e3c44fbb6
Instruction Fuzzy Hash: 9421E5B2D4851E8FDB54FFA8C5A46ECB7F5FF58301F6000AAD019E7291CA386941CB11

Function 00007FFB4AE2A0D1 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4e99708c9966aa3f72068ade06470b8f7f0546ad828f7d66fccfcce3619711
Instruction ID: 5a29abb1b682338614b4fd82929882c3e5870f9be453ef86bb6007e8b39e2311
Opcode Fuzzy Hash: 6b4e99708c9966aa3f72068ade06470b8f7f0546ad828f7d66fccfcce3619711
Instruction Fuzzy Hash: 9A215BB091864D8FDB89EF28C4996AA3BE5FF28314F2141AAE819C3251DB34E451CB41

Function 00007FFB4AE23480 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fc326cb4e95e605b493fa645f5e4910abb57c120a56e225d6da32e8a9e87d6
Instruction ID: 1fd1cb27e62c84079c135ef204b3b74fd50a2648128f74475b8a156ccabbf1f7
Opcode Fuzzy Hash: e3fc326cb4e95e605b493fa645f5e4910abb57c120a56e225d6da32e8a9e87d6
Instruction Fuzzy Hash: 4621907188D28A4FD743AF74C8685A97FF4FF0A310B1504EBD459CB062DA689449CB12

Function 00007FFB4AE2C450 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795750efe9862de563161cb4ac974bad8a4093df8359ec77d9bfb8e4223e9c61
Instruction ID: b4425df7a8ec4df1113fe405e74e972f5504394e01cb0361d3dc2c8f8664b63c
Opcode Fuzzy Hash: 795750efe9862de563161cb4ac974bad8a4093df8359ec77d9bfb8e4223e9c61
Instruction Fuzzy Hash: 3B11BEB580CA8D8EEB46FF74C4241BA3BA0FF59300F2104FBD419C6192DA345440C752

Function 00007FFB4AE20F41 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115372e28d867f37ecc55b83f55035dd9930ec2080573d9a9dd71510853f3947
Instruction ID: 0acaef5f01be638b26fed22184bad3e6b6fc217750907dcad4f414682562fcc7
Opcode Fuzzy Hash: 115372e28d867f37ecc55b83f55035dd9930ec2080573d9a9dd71510853f3947
Instruction Fuzzy Hash: E9118E719499098BFB55FF64C964AEDB7B5FB48300F2081B5D419E7291CE34AE41CB41

Function 00007FFB4AE235A5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5368be830b489dc7b1b373e3631f23c94554deb1f9120ecbdfde4047a449af52
Instruction ID: 146424a14a7f86a69e047b686480aeb930cbf0a5697821b9a08c0d81db47d147
Opcode Fuzzy Hash: 5368be830b489dc7b1b373e3631f23c94554deb1f9120ecbdfde4047a449af52
Instruction Fuzzy Hash: F7115EB288C64A8FDB45FF74C4692FD7BA4FF19300F6008FAD429C6291DA35A4448B02

Function 00007FFB4AE2C325 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc5dd59d737cc3efbaaec99000425e49332c4cbca9a6706f0089d0733b622ca
Instruction ID: 4a407866781fb36b059377414fe056109706069571c5f5138967bfb954f170aa
Opcode Fuzzy Hash: 6fc5dd59d737cc3efbaaec99000425e49332c4cbca9a6706f0089d0733b622ca
Instruction Fuzzy Hash: 9E115A7094861E8FDB84FF68C4482BE77A9FF58300F2005BAE429C3590DB31A950CB50

Function 00007FFB4AE20A01 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4d27679d567db9c7d9acbf3d650bc466a0eda764794b9073090ecd4bf096ad
Instruction ID: d1b4909c6d8a139eb7930fe479d4b23e8b60b04f6f900c284ce74faadf63380e
Opcode Fuzzy Hash: cd4d27679d567db9c7d9acbf3d650bc466a0eda764794b9073090ecd4bf096ad
Instruction Fuzzy Hash: 2B017CB2A4890A8FE781FF78D8591BE77E5FF58300BA101F2C428C7192DE28A9018741

Function 00007FFB4AE22F01 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1e987e48f0aaa05e54f3ef6480d64c17e6f9e1cabbdc7eccf7d720109cc6e
Instruction ID: d39159284a30075e6ec2eafb61ebee251263bf77a8cb1caa662f94796663c086
Opcode Fuzzy Hash: c8c1e987e48f0aaa05e54f3ef6480d64c17e6f9e1cabbdc7eccf7d720109cc6e
Instruction Fuzzy Hash: 10019EB184D6498FE751BF34C4692B97BE4FF19300F2549F6D428CA0A2EA24A0448A01

Function 00007FFB4AE205D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7711e739d33f73324a0d789f73a1319cd0297b9df0d7c49c197ba9fce05f76c
Instruction ID: fe6afc064ffec5c8764783a9acd5e0a3f5c5bb6f02a4b0dffa0bc999f779a1fc
Opcode Fuzzy Hash: e7711e739d33f73324a0d789f73a1319cd0297b9df0d7c49c197ba9fce05f76c
Instruction Fuzzy Hash: DB01697094954E8FDB48FF64C0656BA77A5FF58305F6004BAD42EC2181CE32A651CB41

Function 00007FFB4AE2AD6E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7197000dd416eabc0201585b82dc58b864214544a9a5d23d8119d053a56f1ac7
Instruction ID: af364d361ba43a59aa3a1fc12346297824b8620e395d578b623e723c79ab6576
Opcode Fuzzy Hash: 7197000dd416eabc0201585b82dc58b864214544a9a5d23d8119d053a56f1ac7
Instruction Fuzzy Hash: 92115EB194895E4EEBE4EF28C884BA9B3A1FB58301F6043EAC01DD3141DE3499818B41

Function 00007FFB4AE2A9F8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc419f9a3206377fd9914ace2112f2ce86b3fd9e0535f332c2bcc4a8ba8f3a42
Instruction ID: 6e06c455200e67aafb78faf73966cf7c68da7ef4d05221ed2aaddd72be13c7ea
Opcode Fuzzy Hash: cc419f9a3206377fd9914ace2112f2ce86b3fd9e0535f332c2bcc4a8ba8f3a42
Instruction Fuzzy Hash: 11015EB195850E8EEB44FF74C8686BD76E5FF2C301F6004BAE82ED2194DE35A550C701

Function 00007FFB4AE2122D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a909d35b2858a28f3d40c190d341bd0b5db1af9c70e0c95903a5a8491044f2bf
Instruction ID: 288df3ef103c17e7551bcb94c3e12c46c0ea37b14ce4bd33f6f612515144eed4
Opcode Fuzzy Hash: a909d35b2858a28f3d40c190d341bd0b5db1af9c70e0c95903a5a8491044f2bf
Instruction Fuzzy Hash: 0701B1B2A4E60A4FEB49AFA8C4B52B977A4FF59311F2001FEE01AC61D1CB266501C741

Function 00007FFB4AE2BB91 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f2fa0a65ac13384748e7646a37425af08d1d3dfbaff9dbe879e2e3179356b9
Instruction ID: c6ed5e35b25933dbe1c39293b15d332a30bd5f93d22bd253eebe81c1ec6f41a9
Opcode Fuzzy Hash: b8f2fa0a65ac13384748e7646a37425af08d1d3dfbaff9dbe879e2e3179356b9
Instruction Fuzzy Hash: DAF081B1D5D64E8FEB44BF64C9682F97BA4FF28301F6105BAE829C2191DB3895508741

Function 00007FFB4AE2A619 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23508de8e84aca816023724fb540013f90343e8879b1692ddea9f4ceb693a87d
Instruction ID: 65aacd7e2d29e07f3197d3156a5ed68d1a2464fafd7185130f25fd9d59dd0ba4
Opcode Fuzzy Hash: 23508de8e84aca816023724fb540013f90343e8879b1692ddea9f4ceb693a87d
Instruction Fuzzy Hash: 2601717199D6898FD742BF34C9695A97BE8FF5A300F6605F2D418C70A2DE28A444C712

Function 00007FFB4AE22F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67710bc20c1b638c29e6b7d68a1059e52ac0371508ee9adf56114b246fc42dc0
Instruction ID: 413e07205ece5860ef58be005edb31e5d97dae9abbd8d56d75d057c281614cc9
Opcode Fuzzy Hash: 67710bc20c1b638c29e6b7d68a1059e52ac0371508ee9adf56114b246fc42dc0
Instruction Fuzzy Hash: 6401B1B184D6894FE742BF34C9692A97BE4FF1D300F2508F6C418CB0A3DA28A4448B12

Function 00007FFB4AE3AD60 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a2e3ff85db90f7b6d051d3346e307d8353682a866ca7bfd33c3982551771ac
Instruction ID: 4ff8e3d10187f66f872cb4d39d85315b20cff3fa9bee1fcc0059542da46c1412
Opcode Fuzzy Hash: 60a2e3ff85db90f7b6d051d3346e307d8353682a866ca7bfd33c3982551771ac
Instruction Fuzzy Hash: 4B0169B095890E8EEB91FF78C9486BEB7E8FF58305FA009B6D428C3051EA34A1848740

Function 00007FFB4AE2123C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e35ac167e155b2457396f8a6815f04c4d22079370a4c6526ddf58b83885972
Instruction ID: 97f2f4636ad94b43993a861e0328f9f536070fef120c1296c28e156fcfbeee42
Opcode Fuzzy Hash: 58e35ac167e155b2457396f8a6815f04c4d22079370a4c6526ddf58b83885972
Instruction Fuzzy Hash: 6901F2B3D4E68A4EFB58BFBCC5693B97BA8FF59310F2001BAE429C10C1DB2412048642

Function 00007FFB4AE20A1C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a769d16b4af2d54e751b594adb59b6b3220077e3f096cad6bfbb2e0accbc3d
Instruction ID: 1530c2af80286ca57ed2f462b1e209b7f36859eb4214150421b5ca21b2f6f746
Opcode Fuzzy Hash: 82a769d16b4af2d54e751b594adb59b6b3220077e3f096cad6bfbb2e0accbc3d
Instruction Fuzzy Hash: DFF0A2F2D5C54E4AF790BF78D9251F97BA8FF48300FA004BAD42CC10D2EE3859048641

Function 00007FFB4AE20610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0d0c443a644dd8686e01acdb93bb9270d3b9ee6a588291db54a7356e09af3b
Instruction ID: 43dfc59fd159e99ba85f789c32dae4fecc709db832095e041ec98b444f3db0ba
Opcode Fuzzy Hash: cb0d0c443a644dd8686e01acdb93bb9270d3b9ee6a588291db54a7356e09af3b
Instruction Fuzzy Hash: C9014BB185850E8AEB5DFF34C0682B972A4FF18305F2008BED82AC61D2DE36A590C612

Function 00007FFB4AE20608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be35f3897e95e19acfa8264e0451d607833818a95aa56a0cfa4dcb22126ed6ec
Instruction ID: 0b89fcdfd292a0e1416954e67330abfc48d6e6e0ab65cb26bc5ac2f6b39dbbdf
Opcode Fuzzy Hash: be35f3897e95e19acfa8264e0451d607833818a95aa56a0cfa4dcb22126ed6ec
Instruction Fuzzy Hash: 8301AD7084850E8BEB4DFF34C0692B972A8FF1C304F2008BED82EC61D2DE36A554C601

Function 00007FFB4AE2AA9C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403d6a69517c1f615c299920cc45734594606dc557f34879f5cc61d87ba04988
Instruction ID: 210edca2e1df97fb159cdeb5205dd743c859e0c8a7cd4a3b23cae5026b86c642
Opcode Fuzzy Hash: 403d6a69517c1f615c299920cc45734594606dc557f34879f5cc61d87ba04988
Instruction Fuzzy Hash: 170162E2D5CA4F8AE755BF78DA251FDBAE8FF48300FA405F6D428C2082EE2459459641

Function 00007FFB4AE2AA98 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc4de3adcd12ef090215f9b22e93a64ef1038c505ebdd8c060e11a2afa1a11e
Instruction ID: f9427db6a6446f1956c202f2c480c2421880b1c4391a831c8a02b5462a7d1f73
Opcode Fuzzy Hash: 4fc4de3adcd12ef090215f9b22e93a64ef1038c505ebdd8c060e11a2afa1a11e
Instruction Fuzzy Hash: 6FF0ADA295C80A8FE740FF38C9641BD77E5FF48300BA005F2D428C3092EE24A4019741

Function 00007FFB4AE21240 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6b766f51b824412b4c14cfb02d48764be5fb9c9524ada572362023344de03a
Instruction ID: 98885b77ecb8907c745b80983524d02a0ae0e4c3c2e980cdf806392d306ae209
Opcode Fuzzy Hash: be6b766f51b824412b4c14cfb02d48764be5fb9c9524ada572362023344de03a
Instruction Fuzzy Hash: 05F0D1B294E64A8EEB58BFB8D5283BA77A8FF59310F2001BAE429C20D0DB241214C641

Function 00007FFB4AE205D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9109e41ba10ff20815e6dd9dacd080643dafcc5306e830e8238413af8f9e05c9
Instruction ID: b5113a785c26aeadf7645c27082eca8d17b76ec79eda4311fb8511b18b3aa20b
Opcode Fuzzy Hash: 9109e41ba10ff20815e6dd9dacd080643dafcc5306e830e8238413af8f9e05c9
Instruction Fuzzy Hash: E8F0A47184E54ECFDB44BE74D4651FA77A8FF19305F6004B9E81DC2181CE36A650C642

Function 00007FFB4AE2084D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d8d32784578133962a9c24f2eaae2048a02007ffcd453bfe42358557b2e8d0
Instruction ID: 34ffa6a45d6122f6db85e18529d33d3b28268a97e707792bee1dfd3f22842f35
Opcode Fuzzy Hash: e5d8d32784578133962a9c24f2eaae2048a02007ffcd453bfe42358557b2e8d0
Instruction Fuzzy Hash: 40E0A092E4D6869EF34A3AF498320E57B60BF42300B2981F7D0AD92883DC19681581D2

Function 00007FFB4AE2088C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70635b0fd3805158636d54af15779a37e932d43688a0ad9ebca9da10b144011
Instruction ID: 65aa7e8beb2eed177ca248e1f7afe9cbc954c8a5638c55da31b5538cb854eaea
Opcode Fuzzy Hash: b70635b0fd3805158636d54af15779a37e932d43688a0ad9ebca9da10b144011
Instruction Fuzzy Hash: 9EF0AFB288C50D8EF795FF78C5581BA7AE8FF5C300F2044F2D429C6492DD34A8448692

Function 00007FFB4AE205ED Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81afa68aa4c08038da73045018ba37afed9f27086ceccd64ab815a4204fb7c4e
Instruction ID: 05d0188d805a84b82ccae9696417f5e576e77ae1f14ab92ad6e99b736527094b
Opcode Fuzzy Hash: 81afa68aa4c08038da73045018ba37afed9f27086ceccd64ab815a4204fb7c4e
Instruction Fuzzy Hash: 6FF0F67144D68E8BE718BF34CD552BA3398FF48305F60487AE82DC11C2EB34A565C641

Function 00007FFB4AE27D99 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb3aa1f3f044fbe7a879204324a3969019737679c924c9f715bc85dc71ca615
Instruction ID: 6953b3291b95e0a7619a69aeb77bd3e48a6476f7d6ba2b868969f43d00d4f6bb
Opcode Fuzzy Hash: 7cb3aa1f3f044fbe7a879204324a3969019737679c924c9f715bc85dc71ca615
Instruction Fuzzy Hash: 3101DE719096198BDB68EF14C9647ADB7B1FB88301F2041EEC40EA2380DB345A84CF50

Function 00007FFB4AE21D1C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849b4f893f39ece19c87e5ddc0fb61ca39f631ce9b1443a657d38dcca0b4bdcc
Instruction ID: 576f623869a7b53ebae5440e6431fdbc44e28290cb8b6c33c0507361cef743e6
Opcode Fuzzy Hash: 849b4f893f39ece19c87e5ddc0fb61ca39f631ce9b1443a657d38dcca0b4bdcc
Instruction Fuzzy Hash: 5DF0C27184E68ECFEB98FE64C4651BA7BA4FF59301F3000B9E81DC2180CE729650C781

Function 00007FFB4AE2B7DC Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a701dd074cd8bd278e97739a4ab6319ef5ad0ef4a0bd7bc73324e37f2aaf75d4
Instruction ID: be6e090ac670931dd2c183db79a4e1d9497b34fe2a8e02eb9c8899773380f823
Opcode Fuzzy Hash: a701dd074cd8bd278e97739a4ab6319ef5ad0ef4a0bd7bc73324e37f2aaf75d4
Instruction Fuzzy Hash: E3F09671C5C68E8EEB54FF38C9241FD76A4FF28300F2005BAE82DC2040DB7055548741

Function 00007FFB4AE2B7DA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b8561feee2925099c798a2429f82750c3337a09400d27c181fb0a6fd9e34a7
Instruction ID: 3c97097c26e9c9fa98c3595e254272407136b4d5f80f9ba044d40fa6a6b08559
Opcode Fuzzy Hash: 37b8561feee2925099c798a2429f82750c3337a09400d27c181fb0a6fd9e34a7
Instruction Fuzzy Hash: 48F0F87194894E8FDB88FF68D4655BE77A4FF28300B2004BED42ED7191DE32A5408741

Function 00007FFB4AE228DD Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4392a6871514d2538dae4a9fd3a04cee62410f2863b4df3be9dd0c82b3d4cd72
Instruction ID: 930498ec339cdbd6d7efc55fe36f6c6d45d6f6cf2020034274183fbc6f5fdebf
Opcode Fuzzy Hash: 4392a6871514d2538dae4a9fd3a04cee62410f2863b4df3be9dd0c82b3d4cd72
Instruction Fuzzy Hash: CCF0827198C5094FE751FF34C4655B937E8FF19300B2645F2C018CB063DA28E4408701

Function 00007FFB4AE2536F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48c7cb642380eb96f85dcdcb1ff0134f39e3453862a919a6f22d4aa479f7abc
Instruction ID: aa99d07403bc38c587b8ccae3d44cad9c30f5e66b3c0f483bd3c7759c2b11216
Opcode Fuzzy Hash: a48c7cb642380eb96f85dcdcb1ff0134f39e3453862a919a6f22d4aa479f7abc
Instruction Fuzzy Hash: 5701C4B188D62A8EDB64EF14C9A47BDB7B4BB48301F7005F9C01DA6281CB3429808F11

Function 00007FFB4AE2287C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1801fcaade3fe485be632e2d7c3fbe2e1b7034f14159b844702bf52c2b776cdd
Instruction ID: b20a8199878b7250b2ebe9fd0fb259006a68af080e6021c57b5c2a516f95d195
Opcode Fuzzy Hash: 1801fcaade3fe485be632e2d7c3fbe2e1b7034f14159b844702bf52c2b776cdd
Instruction Fuzzy Hash: 58F0A0B184D68E8AEB5DBF34C5251F97AA4FF19300F2008BEE829C51C2DF38D4548642

Function 00007FFB4AE2280C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afcf41cf5dfd3211163220d793980657ef77c140a0618136606e5b94bcb35d6
Instruction ID: 49a276ab11104708af4cd269bde6363c79d9a6ea6bebdc0b13d077b4f9e6dfaf
Opcode Fuzzy Hash: 8afcf41cf5dfd3211163220d793980657ef77c140a0618136606e5b94bcb35d6
Instruction Fuzzy Hash: EFF0A7B184D68E8AEB5DBF34C5651B93694FF18304F6048BDE81DC50C2DF749554C641

Function 00007FFB4AE228EC Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6111a2fe9eb7310a08e1c8a7a089df3f945d5fa25e8fec4718a411329562df
Instruction ID: f1acdd8e8a97ee284f19fa0045b1f2cb6c6b0d216a5d3a90bf55d96d126727a0
Opcode Fuzzy Hash: 3b6111a2fe9eb7310a08e1c8a7a089df3f945d5fa25e8fec4718a411329562df
Instruction Fuzzy Hash: A1E065B2CDD54E4AE7557F34C9641B57AA8FF19304F3419B5E82CC5082EE6491548642

Function 00007FFB4AE21D0D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ddd3388fcb5e691d2a7c4579a05ceba84e0160995c9a8b4401cf166c91aaa7
Instruction ID: 92e1dcbfea21b4f299dcccd954dcf2e33fcffb1a0bb0c64a878ace811089a914
Opcode Fuzzy Hash: 89ddd3388fcb5e691d2a7c4579a05ceba84e0160995c9a8b4401cf166c91aaa7
Instruction Fuzzy Hash: 44E0923154E28ACFCB59EE60D4715AA3761FF5A300B6100EED00ACB182CA27E940C741

Function 00007FFB4AE227F9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5227e6334aa36409ad50dc753c09025130e9ab5dd4ec8907c424c36b39798c5b
Instruction ID: df38b056ebdec462db665b7baa604a1a28c59548bbfc8d7efa92cdf9c6056335
Opcode Fuzzy Hash: 5227e6334aa36409ad50dc753c09025130e9ab5dd4ec8907c424c36b39798c5b
Instruction Fuzzy Hash: C3E08C7144E3C58FCB1AAF30C8210A83B35BF5A300B5608EBD409CE0D3C62DD818C312

Function 00007FFB4AE2286D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1482370874.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb4ae20000_sessioncrt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0888ce13a90b99d01ee52dfee86d409a2b1af0f84f6f7142a5f2b35b49804477
Instruction ID: 94059b89ecd22bd8b50a74757548879f5a3e5fd2063b64cffeceb11a9eba342b
Opcode Fuzzy Hash: 0888ce13a90b99d01ee52dfee86d409a2b1af0f84f6f7142a5f2b35b49804477
Instruction Fuzzy Hash: D0D05E7284E2468BDB1D6F20C4211F93361BF59300F6504BAE819CA5D6DB2DE8118702

Analysis Process: rxlSpmEkQUyDvxlFic.exePID: 7416, Parent PID: 660COMMON

Executed Functions

Function 00007FFB4AE4C70D Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFB4AE4C739
|K_^, xrefs: 00007FFB4AE4C801

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: _$|K_^
API String ID: 0-2492322344
Opcode ID: c4aa8ea4577d03bfc07e0f86836b89da58c2a948bff6a74d175db8e49779c5a7
Instruction ID: 25fa7e8e16bbf790c8265f304b773f537071d0796a3614cc4ffcd5a7d4bb32df
Opcode Fuzzy Hash: c4aa8ea4577d03bfc07e0f86836b89da58c2a948bff6a74d175db8e49779c5a7
Instruction Fuzzy Hash: C7F1E0B190CA1A9BEB41FFB8E8552FDB7A8FF88310F2046BAD419D7183DE3465458790

Function 00007FFB4AE41748 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

2EJ, xrefs: 00007FFB4AE41F13

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: 2EJ
API String ID: 0-4011802628
Opcode ID: 975b4ff99d5b0e57287f58a8de03b4f4ff75a43ca68e85ce0c0ad6c8c622f078
Instruction ID: 0256b83873aa65a2e4c85b1d0d21cf0667785e485a5f6dc47e4c3cbda6035522
Opcode Fuzzy Hash: 975b4ff99d5b0e57287f58a8de03b4f4ff75a43ca68e85ce0c0ad6c8c622f078
Instruction Fuzzy Hash: 5781B571A0DA694BDB59EE2CC8555A977DAFFD8310B2401BEE45EC3282CE35AC028781

Function 00007FFB4AE4C7AD Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

|K_^, xrefs: 00007FFB4AE4C801

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: |K_^
API String ID: 0-3448938353
Opcode ID: dc5ca4017d749e281168c7424ac5a8fcc52c9d4a757b72274ac0c2ec261e0a14
Instruction ID: 0a9e196a164889c7418e3528eefff3e6a0824289d57e7cc1f2af8c650de2716e
Opcode Fuzzy Hash: dc5ca4017d749e281168c7424ac5a8fcc52c9d4a757b72274ac0c2ec261e0a14
Instruction Fuzzy Hash: F7212872A0D91ADAE341BEBCF44A1F977E8FF44325F2487BBC45DC9043DA2461858791

Function 00007FFB4AE41D8D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab601ae483aec783e83a770adda13a7e8b9096c91dede6abe9973bf5e534ca1
Instruction ID: 137510e9d7ef3313179cd4698007b890a1398939a0eee8490743fd2c1e5cc390
Opcode Fuzzy Hash: eab601ae483aec783e83a770adda13a7e8b9096c91dede6abe9973bf5e534ca1
Instruction Fuzzy Hash: B751F371A0CB694FDB49EE18C8541BA77EAFFD8311B2441BED45AC7282CE35E8028781

Function 00007FFB4AE4BC19 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7cec01b59e34320d6fac8387ce9e59a6c8f0c2770777013f209e64b04fe5df
Instruction ID: 1bd48312765773d1019c7c8f8e0087e2713f3056ddda20468005c124737082c6
Opcode Fuzzy Hash: 2c7cec01b59e34320d6fac8387ce9e59a6c8f0c2770777013f209e64b04fe5df
Instruction Fuzzy Hash: 2E5119B0D5C92D8EEB54FF64C9956ADBBB9FF68310F2100BAC019D7292CE3868418B40

Function 00007FFB4AE54CD0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4176ae5f0f5b19eb3ab81a745a02dbc8859e83972fdb7665e554ccd3fbf676
Instruction ID: ac076a12c3da2cf1d6ea6c3f602cf8c1c326fa71576fc399dda4aa751e3736f9
Opcode Fuzzy Hash: 6b4176ae5f0f5b19eb3ab81a745a02dbc8859e83972fdb7665e554ccd3fbf676
Instruction Fuzzy Hash: 62413DB094891D8FEB94FFA8D499AACBBF5FF58300F2001AAD41DE7255CE346841CB41

Function 00007FFB4AE4364B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4b3a020c83c36b3fe4b48c0444d5d4589ef388ed033da33ebb6b1f58e2b537
Instruction ID: 7bd1d5885ce78f7907594de5bd6605311600c29c4c253e882441204b9f8b786e
Opcode Fuzzy Hash: 0f4b3a020c83c36b3fe4b48c0444d5d4589ef388ed033da33ebb6b1f58e2b537
Instruction Fuzzy Hash: 42418CB190C95E8EEB88FF68C8596FCBBE9FF59300F6401FAD01DD7292CA2858018751

Function 00007FFB4AE43285 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb72c31fdd8672e3e6f4bf0dbc9b23e5ded4cef8d2cea21407a4c5d74488b7e
Instruction ID: 2eb0b66c909cc4250861c6b55779a311a8f4fb5de78813dc7557339170d1ee1d
Opcode Fuzzy Hash: 7bb72c31fdd8672e3e6f4bf0dbc9b23e5ded4cef8d2cea21407a4c5d74488b7e
Instruction Fuzzy Hash: 9D514AB0D4862E8FEB54FFA8C5546EDB7BDFF55301F6000BAD429E7292DA3869448B10

Function 00007FFB4AE421A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67c63e5657b28218b7beec288be0772deac2cfd1b5bd55e0b8bbde8b32301e
Instruction ID: a0cd268067844dbc8a9d89137ba2ddf4c7e05d31e8cc551f670313c7ef4f8a60
Opcode Fuzzy Hash: ce67c63e5657b28218b7beec288be0772deac2cfd1b5bd55e0b8bbde8b32301e
Instruction Fuzzy Hash: D24154B1A4DA9A4FE746BF3CC8551B87BECFF86200F2405FAD458CB193DE28A8018351

Function 00007FFB4AE4378E Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c31f3dd0baf4b4f90b7cfa0d95e61e75f8376f0be0682bb4a65b0341d36507a
Instruction ID: d43fa2d9f2d67a99158cc03ba1a8f0f396a3f63f46c77de54cc1e6c3333d2798
Opcode Fuzzy Hash: 7c31f3dd0baf4b4f90b7cfa0d95e61e75f8376f0be0682bb4a65b0341d36507a
Instruction Fuzzy Hash: 714181B195DA4E8FE748EF68D8553ED7FE5FB89354F5002BAC008D76C6CBA814098750

Function 00007FFB4AE4BCC4 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec609c41bd276098f06ea86585cfbde29c81761f083af8e4d8307436d0a7cec
Instruction ID: b2511cd0dde6ae0bb73f8d4fac5b61d9971d0ebbeaada5fb162bd25def037a1f
Opcode Fuzzy Hash: aec609c41bd276098f06ea86585cfbde29c81761f083af8e4d8307436d0a7cec
Instruction Fuzzy Hash: 7C31D5B0E5C92D8EEB94FF68D9956ECB7BDFF68310F6100A9D01DD7282CE2468419B40

Function 00007FFB4AE4BD3C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d225fc9cb5f9b12d7843b25d75d40e3400bc33f3b04315bcf698f70b074404fc
Instruction ID: 7cb81fe7ec990cc2751fabc27181f3a5cbbc233afcad3e98b182c531b4e53c7a
Opcode Fuzzy Hash: d225fc9cb5f9b12d7843b25d75d40e3400bc33f3b04315bcf698f70b074404fc
Instruction Fuzzy Hash: 2031FAB0E5C92D8EEB94FF68D9956ACBBBDFF69300F6100A9C11DD7282CE2458419700

Function 00007FFB4AE43480 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244fee9ea74fa75827f3b0e34f0ad831c2ad35bae7003257ea737d58ee287410
Instruction ID: e911f354c756ec80c5b9d0c7f8260c79fdd26e548b14528087664331f4258cb9
Opcode Fuzzy Hash: 244fee9ea74fa75827f3b0e34f0ad831c2ad35bae7003257ea737d58ee287410
Instruction Fuzzy Hash: B321AF7088D28A8FD743AF74C8585E97FF8FF07310B1904EBD058CB0A2DA699489CB21

Function 00007FFB4AE4084D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403a9b9d1698897374919ce932030f74d8009381b8c7f32c195384964b3f6be1
Instruction ID: a62ec7d5c9c43b8a4d2ede762023afe9c609f37c5870c17a0154d5a6fc6f7f17
Opcode Fuzzy Hash: 403a9b9d1698897374919ce932030f74d8009381b8c7f32c195384964b3f6be1
Instruction Fuzzy Hash: EE1123A1D4CA9A9FF742BFB8CA590F87BECFF59300F2444F6D468C6493DD28A0448280

Function 00007FFB4AE40A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae381a60d6685ad84a8b9d0a08a3fdde6c309a4023a9741de070c263bf33321
Instruction ID: d76c154f05a512cf9322cdb994f5b85be3932b1c1dc753867011a5fb5f963502
Opcode Fuzzy Hash: eae381a60d6685ad84a8b9d0a08a3fdde6c309a4023a9741de070c263bf33321
Instruction Fuzzy Hash: 811179B1958A5E8EE781FF78C8491B97BECFF58310F6009F6D428C61A2EA38A5458740

Function 00007FFB4AE4122D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e41e7aa2e9c8de42c9a60aabd2e296284013029d86659ada7e1a28251c936de
Instruction ID: 185cfa131d647e9c6fc40dc9b3d6d0b3b4e9fd97f3ed5a81989d6e125e23846e
Opcode Fuzzy Hash: 5e41e7aa2e9c8de42c9a60aabd2e296284013029d86659ada7e1a28251c936de
Instruction Fuzzy Hash: A111B1B094EA6A8FEB49BF78C4592B97BECFF65311F2001FAD429C61D1DB255444C740

Function 00007FFB4AE4C450 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74daecfdaf2af3845e45cb68740784d4930d4f606989bf26d72837ca9c70eed3
Instruction ID: 2e3a4f5350d7627b8df6e43d98d056f59b538d5f0823ec66c0b6d8e21114b1a1
Opcode Fuzzy Hash: 74daecfdaf2af3845e45cb68740784d4930d4f606989bf26d72837ca9c70eed3
Instruction Fuzzy Hash: 2411BBB080CAAD8EEB86BF78C9241B93BA8FF59300F2105FBD829C7192DA745840C751

Function 00007FFB4AE40F41 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f168927506f546e1620f0fd838d353713262d4240293c966b1257fcc1984f18
Instruction ID: 58d291e73804e63e46c06a28d089a7bb452619b77623612c9daf7c09b74f2593
Opcode Fuzzy Hash: 4f168927506f546e1620f0fd838d353713262d4240293c966b1257fcc1984f18
Instruction Fuzzy Hash: DC118C71D0991A8BEB55FF64C954AEDB7BDFF44300F2082B5D419E7282CE38AA45CB90

Function 00007FFB4AE4BB91 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0472731201e8b5842b3a151c79387e8b2e9164e19bb1dd9c5c051e56001decd
Instruction ID: 9a598b432d3da5762de9def0207a8e83f805d4542ef2354e4dbd8a3877bcd92c
Opcode Fuzzy Hash: b0472731201e8b5842b3a151c79387e8b2e9164e19bb1dd9c5c051e56001decd
Instruction Fuzzy Hash: AC118EB095865E8FEB44FF74C8682F97BA8FF28301F6004BAD429C2191DB35A540C700

Function 00007FFB4AE4AA98 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25060ea5918ef8336d40432b86adc4038dd9a7d35452176a42a05f3e090dcf52
Instruction ID: 88e487b9d1775f4ea1c079a292135d3a0c55dfddd218dd3b55637f54f67c0d0f
Opcode Fuzzy Hash: 25060ea5918ef8336d40432b86adc4038dd9a7d35452176a42a05f3e090dcf52
Instruction Fuzzy Hash: 8E116DB0958A1E8EE751FF78C5482BD7BEDFF48310FA409F6D428C7092EE34A5489640

Function 00007FFB4AE435A5 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d78c2b055658b214a2e50718376407484f9ace761d8e577bf286441b20ab9df
Instruction ID: cd83dac49ffbcde86011b0023fb5d6d96bb1fed2ea00936c5ebadf194f10fac6
Opcode Fuzzy Hash: 6d78c2b055658b214a2e50718376407484f9ace761d8e577bf286441b20ab9df
Instruction Fuzzy Hash: DD113CB195C65E8FEB45FF74C4692FD7BA8FF18300F6004FAD429C6291DA39A5448700

Function 00007FFB4AE42F01 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380870690126a77eb1d11823126796241cc43ac2e613f9766b26afb868f26808
Instruction ID: c4a5640f2ba8c4b3631041ecf23f2724806dbe29cded022944df787985d05884
Opcode Fuzzy Hash: 380870690126a77eb1d11823126796241cc43ac2e613f9766b26afb868f26808
Instruction Fuzzy Hash: 6D019EB084D6598FE751FF34C4492B97BECFF19300F6545F6D418CA0A2EA28A0848B00

Function 00007FFB4AE405D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed95f07a5b29cdf0a212db94da7679ff5e084ffc3c39a88d7ea1685f16ebff90
Instruction ID: 4c4143885f23b7ff5c87f83cabac0f09e6f8cd5429401a9cd4aa89445b43532c
Opcode Fuzzy Hash: ed95f07a5b29cdf0a212db94da7679ff5e084ffc3c39a88d7ea1685f16ebff90
Instruction Fuzzy Hash: E4018CB094992E8FDF48FF24C4596BA77ADFF58305F3004BAD42EC2180CA36A551CB40

Function 00007FFB4AE4B7DA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811b4f3db39d66847610397d3f1f80e0a03d8f313669377ff44fe88b4075bc50
Instruction ID: 9dc8014d10b0f5a4b4f96877956adc19463c52b1a4f98bd72ed024789c16d45d
Opcode Fuzzy Hash: 811b4f3db39d66847610397d3f1f80e0a03d8f313669377ff44fe88b4075bc50
Instruction Fuzzy Hash: DD0140B095855D8FEB48FF78C8582B97BE8FF28301F6004BAD429C2191DA31A554C740

Function 00007FFB4AE4AD6E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bd5828118621edaa327e5ee6fb7dec573fbd0ad46151bbb64a222b1e3849db
Instruction ID: d6f7ba2708cc3c54a3f749ab8628be3f14374deeb4767bbc71b5c30da8a769c4
Opcode Fuzzy Hash: 73bd5828118621edaa327e5ee6fb7dec573fbd0ad46151bbb64a222b1e3849db
Instruction Fuzzy Hash: D91130B0949D6E4EEBE4EF28C885BE9B7A9FB58315F6043E6C01DD3181DA349D858B40

Function 00007FFB4AE428DD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447391766f114a12a657b1930227e30be1c665902b3c3235ab89acd6d522f8bc
Instruction ID: 234f837ce925e779fca67d0fdfa979989bdf29bf897a13e432391a11f11a3ffe
Opcode Fuzzy Hash: 447391766f114a12a657b1930227e30be1c665902b3c3235ab89acd6d522f8bc
Instruction Fuzzy Hash: 0B019AB084D65A8FE755FF34C8886B97BECFF59300F2245F6D428CA0A3EA28E5448700

Function 00007FFB4AE4A619 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41772af545b705e22aa2d8369bbc8da92553e59d06c86486e68f72e4129a60d
Instruction ID: 2181aa4301b3c92efb85a8827367cd5ca36bda29d46f27eb1f0a011d6a2f8788
Opcode Fuzzy Hash: d41772af545b705e22aa2d8369bbc8da92553e59d06c86486e68f72e4129a60d
Instruction Fuzzy Hash: 1001717099D6898FE742BF34C9595A97BECFF5A310F6605F2D418C70A2D928A444C711

Function 00007FFB4AE42F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec45dd9e30ef1f2b9f57dcda1fcf76d93f9daa616a8260be5490a7a563d52e63
Instruction ID: 6ab15d1c73fc3019faca9ec1a24a5a5b33c9287d7b1458f9018944cbd43dffb9
Opcode Fuzzy Hash: ec45dd9e30ef1f2b9f57dcda1fcf76d93f9daa616a8260be5490a7a563d52e63
Instruction Fuzzy Hash: 6901847094D6894FE752BF34C5592B97BECFF59300F6505F6D419CB093DA28A4448B11

Function 00007FFB4AE41D0D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3effc58fbe110a94dd469a9c4efd3e45a0a803da2b48b17b7da225df4bfe9dd
Instruction ID: 56c6228b222869b1a5aad35d5cceab8ec5ef538e755b6f59a5bcd2335f7b03a7
Opcode Fuzzy Hash: d3effc58fbe110a94dd469a9c4efd3e45a0a803da2b48b17b7da225df4bfe9dd
Instruction Fuzzy Hash: 5401A2B084EAAE8FDF99EE24C8552B93BA8FF56301F6004BAD418C6191CA369454C741

Function 00007FFB4AE40610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29192c24d58d927b52d1e70a78410485e976376169479e4574546f2472cc5fd0
Instruction ID: a39a20f7b9f4ec4e6e86c7ebbb23817717f505791f96261dc1449f34e03d297f
Opcode Fuzzy Hash: 29192c24d58d927b52d1e70a78410485e976376169479e4574546f2472cc5fd0
Instruction Fuzzy Hash: CF014BB095851E8AEB59FF34C0582BD76ACFF18305F2004BEE82AC61D6DE36A590C610

Function 00007FFB4AE40608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413024ce599acd429699696bc0976004d96aceedbe631f06645a2576f9b87131
Instruction ID: 10e388aa295c355a1a0ee87be152fd025f69a5ab20c51614bc5c024b4d30e6e3
Opcode Fuzzy Hash: 413024ce599acd429699696bc0976004d96aceedbe631f06645a2576f9b87131
Instruction Fuzzy Hash: 9A014B7085951E8AEB49FF34C4592BD72ACFF18305F6048BED82EC6192DE36A554C600

Function 00007FFB4AE41240 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82229fdfc756fdf06235fb654d3b4321fcde2c3a23d8fa9ce6ba8e2d248f013d
Instruction ID: cb77d50b2211768acc3ae4c1fed36281625df89ced898bac85ad4a71ec50e74b
Opcode Fuzzy Hash: 82229fdfc756fdf06235fb654d3b4321fcde2c3a23d8fa9ce6ba8e2d248f013d
Instruction Fuzzy Hash: 11F0D1B0D4EA6B8EFF58BEB8C5193BA77ACFF56210F2001BAD829C20C1DB241014C240

Function 00007FFB4AE405D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a0991dfa0ebc1ff67a6733e54955a63109f19d557ac9af512e35e48baa3c5d
Instruction ID: 8416d14095695d4e2991ac7f14a35eb89a67f5e51e83c72d89157028748f90ad
Opcode Fuzzy Hash: 75a0991dfa0ebc1ff67a6733e54955a63109f19d557ac9af512e35e48baa3c5d
Instruction Fuzzy Hash: 46F0AFB084EA6E8FEF48FE34D4552FA77ACFF15305F2004BAE81DC2181CA36A550CA41

Function 00007FFB4AE405ED Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec4e2defbf109d8e0c9155264dc4c40e1f700e3c8f73e88bc7399d8900688ee
Instruction ID: 5ef6b11d734d52d0cfb962505f0b7d81d29b4904987e191a3f54abefccc30618
Opcode Fuzzy Hash: 3ec4e2defbf109d8e0c9155264dc4c40e1f700e3c8f73e88bc7399d8900688ee
Instruction Fuzzy Hash: C2F0C27044D65A8BE714BE34CD452BA335CFF48305F60447AE82DC1182EB346565C640

Function 00007FFB4AE427F9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07e3923ac39a7f02c480f6ffaf040eb7b1e4433d484ad631b1fca873cf18834
Instruction ID: 22c9e73e8eb6396160ec2ee5ff7ebb038d8911e8f4ab9594c7b20909a64ae001
Opcode Fuzzy Hash: b07e3923ac39a7f02c480f6ffaf040eb7b1e4433d484ad631b1fca873cf18834
Instruction Fuzzy Hash: 57F0AFB084E79A8FD75AAF30C8651B93BA8BF5A200F6544FAD458C90D3DA299848C301

Function 00007FFB4AE47D99 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffcaaa3a69b902dce0211795c33e84a607062c1c6ec1fd7df0b506f7476d73d
Instruction ID: c0a2d1d6e8e820d31e786f6fd9bde208017a94566093560408feed0b568e0540
Opcode Fuzzy Hash: fffcaaa3a69b902dce0211795c33e84a607062c1c6ec1fd7df0b506f7476d73d
Instruction Fuzzy Hash: DD01E1709096298BDB68EF14C9547ADB7B5FB84301F2041EEC40EA7380DB345E84CF50

Function 00007FFB4AE4286D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d709d82f755623a3da4d0fe1331be272631a957b76c4d72384b7ed3d154e701
Instruction ID: 8143df4eb47af1c71832b8928fb2a42346e677e6fd7c0593301e9c101bb150c6
Opcode Fuzzy Hash: 0d709d82f755623a3da4d0fe1331be272631a957b76c4d72384b7ed3d154e701
Instruction Fuzzy Hash: EBF09AB084D69A8BEB59AF34C8552FD3BA8FF69201F6004BAE829C91D2DF3894548700

Function 00007FFB4AE4536F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1560230709.00007FFB4AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffb4ae40000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df433a5c001eb07e4299c11b81a1de7501103b0a9bb6d773e878080c5a703f3a
Instruction ID: 151cf87a853949ef59ac07c356a6a81e863ca8f3a20d9f811566d5349658573c
Opcode Fuzzy Hash: df433a5c001eb07e4299c11b81a1de7501103b0a9bb6d773e878080c5a703f3a
Instruction Fuzzy Hash: CE0196B0D8D66ACEDB64EF14C9947ADB7B9BB49301F7005E9D41DA6381CB346D808F50

Analysis Process: rxlSpmEkQUyDvxlFic.exePID: 752, Parent PID: 660COMMON

Executed Functions

Function 00007FFB4AE33743 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFB4AE337D3
@, xrefs: 00007FFB4AE3393F

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 2fae8d94afc960c3a25c96817d134398a09b795e51d42a25322f66494b8009b9
Instruction ID: c94cf28b329ca2baf483fef5f55cfaaa618feb2d9afe913e3cb2dea0fedc4c8d
Opcode Fuzzy Hash: 2fae8d94afc960c3a25c96817d134398a09b795e51d42a25322f66494b8009b9
Instruction Fuzzy Hash: E79172B0D5852E9EDBA4FF68C994BECB7B5FB58301F6041EAD01DE3291DA745A848F00

Function 00007FFB4AE2E3B9 Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFB4AE2E3BE
:, xrefs: 00007FFB4AE2E3FC

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: :$I
API String ID: 0-676700614
Opcode ID: 0f5d6c3b3881c9d0b6b4d8d6dd91073818d4b022145b32c04d24f28a6090fa06
Instruction ID: 4d71777c38f39189d5113604dbe9bc29267c770e75cf4cbe742b43f91fbc67b2
Opcode Fuzzy Hash: 0f5d6c3b3881c9d0b6b4d8d6dd91073818d4b022145b32c04d24f28a6090fa06
Instruction Fuzzy Hash: AF5119B1D586298FEBA8EF28C8557E9B7B1FB49300F6001FAD54DA3281CA345981CF45

Function 00007FFB4AE21748 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

2EJ, xrefs: 00007FFB4AE21F13

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: 2EJ
API String ID: 0-4011802628
Opcode ID: 79cb96bb1266cb10c5e3b0ec92a56e13590232b0dd3a9e9d95afb6fee0a1635e
Instruction ID: a2d19adf4d1e6bb59e559287e5ea17d0d6e701a85f724eba1f236307eca40e1f
Opcode Fuzzy Hash: 79cb96bb1266cb10c5e3b0ec92a56e13590232b0dd3a9e9d95afb6fee0a1635e
Instruction Fuzzy Hash: F671A772A0DA494FEB49EF6CC8615A977D2FFD8314B2441BDD45EC3282CE25AD02C782

Function 00007FFB4AE311AC Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFB4AE310F9

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f2bd8071dc1ac9a2915e8955fe268a359db42570391551573cc736dd4fb63cb2
Instruction ID: 72ab8f676057fee8dab1cd376f58fa260ee4878c9d4a0827402e0c0133abaf6e
Opcode Fuzzy Hash: f2bd8071dc1ac9a2915e8955fe268a359db42570391551573cc736dd4fb63cb2
Instruction Fuzzy Hash: 98F0197094821E8BEF18FE50C8646ED73B6FB50300F1042BED40A9B280CB746944DB04

Function 00007FFB4AE2E411 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFB4AE2E455

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0c03969ae0a59a0ae68bee576eb3eb0d44fbd59591c71fdd7730d6433d731fcc
Instruction ID: d06d9525f3fe2b5f94e00375148b70b2930c35eb41e698a9223f5c4e5fe3b196
Opcode Fuzzy Hash: 0c03969ae0a59a0ae68bee576eb3eb0d44fbd59591c71fdd7730d6433d731fcc
Instruction Fuzzy Hash: F8F0A5B1D086688EDB94EF18C8507ED77F5BB18301F6001EAD51DE3281CB389A809F15

Function 00007FFB4AE32D8B Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd66275dbf7dfc84ca5c8b12da1c88b62722ba21e8cbfaddae308aada3ed25e1
Instruction ID: 4d2e632768cfd50520cb35d0231b13a771b242391a515ff713127d5524535681
Opcode Fuzzy Hash: fd66275dbf7dfc84ca5c8b12da1c88b62722ba21e8cbfaddae308aada3ed25e1
Instruction Fuzzy Hash: 3011BEA190D68A8FE742FF78C9696A97FF4FF16300F1404F6D458CB0A3DA28A844C752

Function 00007FFB4AE2D499 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0160f1e8fded78025182ecd976165e66e6f8d077066afd36799197588ec7848
Instruction ID: 197b628bc595fc8fa79b1c6511efccbf95e09194dc67eecc956e4de3ac932175
Opcode Fuzzy Hash: b0160f1e8fded78025182ecd976165e66e6f8d077066afd36799197588ec7848
Instruction Fuzzy Hash: 46E14EB1D19A5A8FDB58EF68C4A57A8B7B1FF58300F2441FAD04DD72D2CA38A841CB51

Function 00007FFB4AE3332F Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72fd9b3c9891e4bcced92ba65c0b6f1b4888ef742ffc71352caf712a753e20a
Instruction ID: 34826f305ac57102b940dc9d18591ae9554fa75b58fa4eb5bee1b6ccd24f909c
Opcode Fuzzy Hash: d72fd9b3c9891e4bcced92ba65c0b6f1b4888ef742ffc71352caf712a753e20a
Instruction Fuzzy Hash: E6812C6770E96AEED302BB7CF8465E97B94EF82335B1843F7D588CA043D914604A87E0

Function 00007FFB4AE21DCC Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059dfb8d0ad320f4c64102949412ec6549b40267b22c504a1a69e1483c4f49bb
Instruction ID: c3b784342acaeeb56e0c20f70789369f52652271bb75e29f101ba1ad131fe8de
Opcode Fuzzy Hash: 059dfb8d0ad320f4c64102949412ec6549b40267b22c504a1a69e1483c4f49bb
Instruction Fuzzy Hash: 32419271A18A494BDB4CEE5CC8656BA73E2FFD8315F24457EE45EC3285CE31E9028781

Function 00007FFB4AE2BC19 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc98c99be069ea67f49c0e774688d6479a7265ac551d3b07dad1d86dcad9e1fe
Instruction ID: 8b9cdd7921a99b1d56718bf624d47d9b2632bc867dbf3a33c0ee06eb570ea67b
Opcode Fuzzy Hash: bc98c99be069ea67f49c0e774688d6479a7265ac551d3b07dad1d86dcad9e1fe
Instruction Fuzzy Hash: F95129B1D5CA0D8FEB94FF64C5656EDBBB5FF69300F6400BAC019D7282CE2868418B42

Function 00007FFB4AE34CBD Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b1d5143582a09fe3e4f667aa310c48ce42b36b19f8dcbdc18a628b565b81ab
Instruction ID: 28e2c60704205b53021a2ac9e93da3196f439812bf83a01c2b524d409052f21f
Opcode Fuzzy Hash: d5b1d5143582a09fe3e4f667aa310c48ce42b36b19f8dcbdc18a628b565b81ab
Instruction Fuzzy Hash: AC512FB1948A5D8FEB94FFA8C4956AC7BF1FF58301F6001AAD01DE7292DA3568418B41

Function 00007FFB4AE21D8D Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2b8d7230704d29c24aaec509a66df345f59987d6f4438cf54be8744ce8135a
Instruction ID: 461f495d2b3348d9cd4a0e059ad47b03e9c92d8ac93a7b2547fe69ff33a8bb42
Opcode Fuzzy Hash: ab2b8d7230704d29c24aaec509a66df345f59987d6f4438cf54be8744ce8135a
Instruction Fuzzy Hash: 7241F772A0DB4A8FDB4DEE58C8601B977D1FF98315B2441BED45AC7282CE35E9028782

Function 00007FFB4AE2364B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cfab4a85da941970a7f285f5b770faad959e05df841442a3413c8b6fb5b13d
Instruction ID: a5068d4fa46eed2c1dc554a7108be19ac9a559a23cb1c5ec9f013f5a95b74d81
Opcode Fuzzy Hash: a9cfab4a85da941970a7f285f5b770faad959e05df841442a3413c8b6fb5b13d
Instruction Fuzzy Hash: 1041AFB294C94E8FEB88EF68C9656FD7BE5FF19300F6401B9D01DD3282CE2458018B12

Function 00007FFB4AE23285 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0193495fe046aed0e5e1a6d168ba5f79f17bafda7ea63c2bfa4ffc716cc9e06e
Instruction ID: 5636ed56e795753113b4de2597bdf11db391e63062a8219bdcc0f081cceaff60
Opcode Fuzzy Hash: 0193495fe046aed0e5e1a6d168ba5f79f17bafda7ea63c2bfa4ffc716cc9e06e
Instruction Fuzzy Hash: F1512AB2D4850E8FEB54FFA8C5656EDB7B5FF58300F6000BAD029E7291DE3869448B52

Function 00007FFB4AE221A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78affb31afe9b61ac456d26ce2fdd44d05a98f3a9caa08c3d86eda8e127aa9a8
Instruction ID: f594a1771d7df8f3869300403e3203d4180b0056b30dab9114ae41d4faee6e7e
Opcode Fuzzy Hash: 78affb31afe9b61ac456d26ce2fdd44d05a98f3a9caa08c3d86eda8e127aa9a8
Instruction Fuzzy Hash: 87412773A4DA4A4FD356BF78C8651B97BE4FF49300F2449FAD458CB193DE29A8018352

Function 00007FFB4AE2378E Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed35d2179a59c68e5e068c91640e96f7ae32c3a6e56df941a4d4a4a40a78f10
Instruction ID: afad3972059d1f36adb1476c528fef66b0213575b598d433e615db847d7e54fe
Opcode Fuzzy Hash: eed35d2179a59c68e5e068c91640e96f7ae32c3a6e56df941a4d4a4a40a78f10
Instruction Fuzzy Hash: 5F4181B2A5D94E8FE748EF68D8153E97BE1FB8A350F9002BAC008D72C6CBB514158B41

Function 00007FFB4AE3219D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539b33c026ed1c8ec7d86eb98d0d5b95398b80169cfcc4361a888fbc77244230
Instruction ID: 2d08e0490b5b63011fedb2dcc8c5247a9e36d718d74d1821d974984ea9b42c2d
Opcode Fuzzy Hash: 539b33c026ed1c8ec7d86eb98d0d5b95398b80169cfcc4361a888fbc77244230
Instruction Fuzzy Hash: C2417FB0D18A1E9FEB44FFA8D8556EDB7B5FF58300F2001BAD419E7282CE3468418B91

Function 00007FFB4AE335C5 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71216219f56e18024e063fe4a264e8ae455ab1cc7ffdaad39f491964766019da
Instruction ID: 7cf4b30e7f282d12447b5a55ff518740a44f24deb37db68068134d8dc341b92a
Opcode Fuzzy Hash: 71216219f56e18024e063fe4a264e8ae455ab1cc7ffdaad39f491964766019da
Instruction Fuzzy Hash: F64105B0D4861E9EEB94FF68C955BE9B6B5FB59300F2001FAD01DD3292DE3869848F40

Function 00007FFB4AE35BD5 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de31517df84c53e1b77299456c52565dae4f030cefbd568c3bf2cf11f191c8a3
Instruction ID: 9d6bbe4683017ad670e544404af64c97d346c5ea266b6a36cc2b032c16951d5a
Opcode Fuzzy Hash: de31517df84c53e1b77299456c52565dae4f030cefbd568c3bf2cf11f191c8a3
Instruction Fuzzy Hash: 2C4125B0D4C6198FEB68FF68C9557A9B7B5FF59304F2041BAC01DA6282CB386985CB11

Function 00007FFB4AE2BCC4 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80b86e97fb18101a7e3737840ffd4f84c527939901a5448b45b665a268d32d8
Instruction ID: ce046d784c8e9fc386df4a935ca4e73e7bb2078018dabc32f92120a0273e328f
Opcode Fuzzy Hash: a80b86e97fb18101a7e3737840ffd4f84c527939901a5448b45b665a268d32d8
Instruction Fuzzy Hash: 6931F8B2D5C91D8EEB94FF68D9A56ECB7B5FF6C300F604069D01DD3282CE2468419B41

Function 00007FFB4AE2BD3C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9211a56feac9174ab831d9ba8834236c1e54aa74d5db9b93c1cce3b7fc9ddbe7
Instruction ID: 4245906b3735ac1f1b47761ac8f0c9b7dd7b060aa46770fe54f8cc0d80b0c50c
Opcode Fuzzy Hash: 9211a56feac9174ab831d9ba8834236c1e54aa74d5db9b93c1cce3b7fc9ddbe7
Instruction Fuzzy Hash: 973107B1E5C91D8FEB94FF68C5A56ACBBB5FF69300F6000A9C01DD7282CE2468419B41

Function 00007FFB4AE334D3 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd95752f7d0ecf9b6e89396aeee9506d4c96a4a6d9a302a19790aa4a9326edb
Instruction ID: 5ff79e044eb4631f23bd8e481625843549eb75c20a833d07650870835a53ac00
Opcode Fuzzy Hash: bbd95752f7d0ecf9b6e89396aeee9506d4c96a4a6d9a302a19790aa4a9326edb
Instruction Fuzzy Hash: 90213662B0E68AAFE312BF7CE8555F9BBA4FF52221F2402F7D558C6043DA285004C761

Function 00007FFB4AE23357 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcf507998cc60ad946246d261e55a43df98b68e00e1d030888921c53f38813e
Instruction ID: 2849c2527738802dc1a9de71023c7a21d29434498ba395171976f7b8a7dcd06d
Opcode Fuzzy Hash: cbcf507998cc60ad946246d261e55a43df98b68e00e1d030888921c53f38813e
Instruction Fuzzy Hash: 6821E5B2D4851E8FDB54FFA8C5A46ECB7F5FF58301F6000AAD019E7291CA386941CB11

Function 00007FFB4AE31C88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61795774ab3a45f8b67b4d950993b3c4686bad12ba169f48781c5d695d1b82a
Instruction ID: 9de0f3cf27dcd99ed37ce1452b1adfab87e35f22d6f28d41d00008ac06b0b049
Opcode Fuzzy Hash: d61795774ab3a45f8b67b4d950993b3c4686bad12ba169f48781c5d695d1b82a
Instruction Fuzzy Hash: 9021ACB048E2C95FDB07AB7489652E53FB4AF07200F2905EED499CA493CA2A6496C351

Function 00007FFB4AE23480 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fc326cb4e95e605b493fa645f5e4910abb57c120a56e225d6da32e8a9e87d6
Instruction ID: 1fd1cb27e62c84079c135ef204b3b74fd50a2648128f74475b8a156ccabbf1f7
Opcode Fuzzy Hash: e3fc326cb4e95e605b493fa645f5e4910abb57c120a56e225d6da32e8a9e87d6
Instruction Fuzzy Hash: 4621907188D28A4FD743AF74C8685A97FF4FF0A310B1504EBD459CB062DA689449CB12

Function 00007FFB4AE32C09 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182666bb1449b10426544515654806859c5ae252df80cc094a69cfd9aeea0ddd
Instruction ID: e9703ff075fd3c3f0614e70d44077d4a33a38ae1ee5ac4360e0266efc862865f
Opcode Fuzzy Hash: 182666bb1449b10426544515654806859c5ae252df80cc094a69cfd9aeea0ddd
Instruction Fuzzy Hash: 4821F07084D68A8FE742BF74C8586AA7FF4FF2A300F1545FAD498CB063D9289584C761

Function 00007FFB4AE31F01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200022227a02b21b811a3cd3ae7523c10b72809a00f990964f94b4a3ab73f521
Instruction ID: 3b001e7c6072200939f039083105791d032102a426cf2470ad0051022a3bb0cb
Opcode Fuzzy Hash: 200022227a02b21b811a3cd3ae7523c10b72809a00f990964f94b4a3ab73f521
Instruction Fuzzy Hash: 0D118EB095D6498FDB49FF28C4A61FD3BA1FF58314F2102BEE85A83281CB35A554CB81

Function 00007FFB4AE36865 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed4dac1f2d825b529f8444300afe66f9d568fdbce872e481430c512cad4623b
Instruction ID: 6b395cf4b1c5a4a29a92d6c9d0bb719482009d242a3f340894c6515d64e25d94
Opcode Fuzzy Hash: bed4dac1f2d825b529f8444300afe66f9d568fdbce872e481430c512cad4623b
Instruction Fuzzy Hash: F61190B084C64E8FEB59FF78C4692BA7BA4FF58300F2045FED429C6191CB75A4448741

Function 00007FFB4AE34195 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74301b1071d3ae451cebdb111db0130a56e8e5ea408076f7d3d939b1440c7cd
Instruction ID: 49fb0bcbec0c818c90d06a4b7199189c6c702f5689fd136d3e1d95f99d7d84ad
Opcode Fuzzy Hash: a74301b1071d3ae451cebdb111db0130a56e8e5ea408076f7d3d939b1440c7cd
Instruction Fuzzy Hash: 161190B084CA4A8FEB99FFB8C5652B97BE0FF68301F2005FAD429C7592CA35A5458741

Function 00007FFB4AE367C1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2343e760c323e5218a373215bfe3216a58a3fc15169d31b9e9b0e67a59f3b5d9
Instruction ID: 242527e260d2a7540d9ba5f987796187004d254413305984b5caca085c096f2c
Opcode Fuzzy Hash: 2343e760c323e5218a373215bfe3216a58a3fc15169d31b9e9b0e67a59f3b5d9
Instruction Fuzzy Hash: 1E119DB094CA4E8FEB99FF78C4692BA7BA0FF58300F2005FAD429C2192DB74A440C741

Function 00007FFB4AE346B5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055c4b3d6c34150cbf409f3325db0726e57f6c6e8c840d2bd86b76e5dd9bf2e6
Instruction ID: d56ce6f323a9dacf962ef564d57ad00b829e7358995f14792ef0dc87b23bd07c
Opcode Fuzzy Hash: 055c4b3d6c34150cbf409f3325db0726e57f6c6e8c840d2bd86b76e5dd9bf2e6
Instruction Fuzzy Hash: 751134B180DA8A8FE749FEB4C9652B83AD0FF55301F2400FED41D861A2CE296444C741

Function 00007FFB4AE32108 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4bef0b48e213634dfe77e5322e20f42dc69b8a17ab5cfdc0c2c1a2e96139ad
Instruction ID: 49d631552191f05ba59ea8e1cc896138760715605ae88353448701819ddcb1b1
Opcode Fuzzy Hash: 0c4bef0b48e213634dfe77e5322e20f42dc69b8a17ab5cfdc0c2c1a2e96139ad
Instruction Fuzzy Hash: 7A11BE7088E6894FDB46BF3089692FA7FB4FF16300F2504EBC599CB093CA295549C711

Function 00007FFB4AE340F9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ef5d4cb8c4d53c752b4d0e901f4197eb1065de0dc40392634439119275c3b2
Instruction ID: ce779b7c9df48587d866f9257325ba5ada96e4af1e1062db3d01da9c9a6d75a8
Opcode Fuzzy Hash: 34ef5d4cb8c4d53c752b4d0e901f4197eb1065de0dc40392634439119275c3b2
Instruction Fuzzy Hash: 91219FB094DA4A8FDB95FF78C4692B97BB0FF68301F2001FAD419C7192CA389444C741

Function 00007FFB4AE34A29 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdaca77d17e0e8dd3f2b2c459f095958fad5b36aeeb0b96fbd2a2f86101057d1
Instruction ID: 9c1b7b69eb5d020305c19ff9ea55bb87de033dea9fc467a99bfa884366c77d0e
Opcode Fuzzy Hash: bdaca77d17e0e8dd3f2b2c459f095958fad5b36aeeb0b96fbd2a2f86101057d1
Instruction Fuzzy Hash: 6C11D3B084D68E8FEB55FFB4C4692B97BE0FF19301F2504FAD419C6192EA395584C741

Function 00007FFB4AE2C450 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71327bf2e4008989b1a36fa9ed971d9a2ec2463c81d967ef19298567b26b004d
Instruction ID: b4425df7a8ec4df1113fe405e74e972f5504394e01cb0361d3dc2c8f8664b63c
Opcode Fuzzy Hash: 71327bf2e4008989b1a36fa9ed971d9a2ec2463c81d967ef19298567b26b004d
Instruction Fuzzy Hash: 3B11BEB580CA8D8EEB46FF74C4241BA3BA0FF59300F2104FBD419C6192DA345440C752

Function 00007FFB4AE36905 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d71c59c88ea0dc8ac22a14da0b1c21115029fa993ef9c11e32eb7cb02d84b2d
Instruction ID: 6ed666f72a6a8762c3c83427307a6b4070ed9654eaa8f121891e329cb5628cc7
Opcode Fuzzy Hash: 5d71c59c88ea0dc8ac22a14da0b1c21115029fa993ef9c11e32eb7cb02d84b2d
Instruction Fuzzy Hash: B911E2B184DA8A8BEB49BF34C5A62B97BE4FF15300F2400FED46A86193CE295444C741

Function 00007FFB4AE20F41 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e116d4cf49f2a3e1a73ad63bbe1e5652ba6826ed91d4692de1ab64a320d6dc9
Instruction ID: e92116a176982bdcdbfdcdf768c49ab382846a0a949400f0e7c334186ce3a685
Opcode Fuzzy Hash: 8e116d4cf49f2a3e1a73ad63bbe1e5652ba6826ed91d4692de1ab64a320d6dc9
Instruction Fuzzy Hash: 02118C7294990A8BFB55FF64C964AEEB7B5FB48300F2082B5D419E7291CE34AE41CB41

Function 00007FFB4AE3699D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed31acef8b874fc9df821bd515cdcab8c77cdf0bb5ff1317b5cced2fa0e70ea0
Instruction ID: 0f7090cfb7aa6e839d24ce92a6dc1b5d76a66cce8817c8bf4bd77699f2a408e3
Opcode Fuzzy Hash: ed31acef8b874fc9df821bd515cdcab8c77cdf0bb5ff1317b5cced2fa0e70ea0
Instruction Fuzzy Hash: D311BEB084D68A8FEB59FF34C4662BA7BE4FF59300F6480FED41AC3192DA3964448781

Function 00007FFB4AE36EC1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13dda0c2892187223f7fe7d9770ddc29b8f654c8915cc80f5635ca83a19f045
Instruction ID: 2805f7acd0592116241ec2096211f82fc9625fbde26c349f3e99bb8197ef8566
Opcode Fuzzy Hash: d13dda0c2892187223f7fe7d9770ddc29b8f654c8915cc80f5635ca83a19f045
Instruction Fuzzy Hash: 3711827084D55A8FEB41FF74C9586BA7BF4FF19301F1408F6D428C7061DA34A1888750

Function 00007FFB4AE2BB91 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253afa0650f6120d4835870eabbbf931b064761743188b6c46a4375b8a71c647
Instruction ID: 4bf364db5845bb88a44efa60544e0891c83aa5b3a6cefb91005a8574530fbae1
Opcode Fuzzy Hash: 253afa0650f6120d4835870eabbbf931b064761743188b6c46a4375b8a71c647
Instruction Fuzzy Hash: 97118EB195864E8FEB44FF74C8682F97BA0FF28301F6004BAD42AC2191DB35A540C701

Function 00007FFB4AE322F1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeeb6f8fb07e074368ee0891defd9464294c051607bbbe2ad1fec34990883293
Instruction ID: 0eff8f29851b384b4c98ffc6943b3e91b24ce9f25ef23b39d292d7373a414e9f
Opcode Fuzzy Hash: eeeb6f8fb07e074368ee0891defd9464294c051607bbbe2ad1fec34990883293
Instruction Fuzzy Hash: 6A11AD7084C64A8FE782BF74C8485FA7BE8FF6A300F2049F6E468C7062DA34A2458711

Function 00007FFB4AE347DD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a857cb34b354469aff9e2ff152e9b370ce0971fcc6fdd5e6c58ef604013383e6
Instruction ID: bc0dd1e428f7508e58cc6192b8e872f5725c601c50bf691be4e0c04090148894
Opcode Fuzzy Hash: a857cb34b354469aff9e2ff152e9b370ce0971fcc6fdd5e6c58ef604013383e6
Instruction Fuzzy Hash: 5B11B2B094C68E8FEB49FFB4C4592B97BE0FF19301F2005FAD429C6192DA756541C741

Function 00007FFB4AE35B49 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4157a741f4d1a59c03d2456f0e57afe99cdf611285d50cff323da65d50062e
Instruction ID: 18e52d580e6f00cfa41941611ab2928fecdbdd44720a8aa45af20eb94b0f4fec
Opcode Fuzzy Hash: 4a4157a741f4d1a59c03d2456f0e57afe99cdf611285d50cff323da65d50062e
Instruction Fuzzy Hash: A511C1B080D68A8FE742FF74C9591B97BF4FF19300F6504F6D418C7192DE28A4448761

Function 00007FFB4AE235A5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5368be830b489dc7b1b373e3631f23c94554deb1f9120ecbdfde4047a449af52
Instruction ID: 146424a14a7f86a69e047b686480aeb930cbf0a5697821b9a08c0d81db47d147
Opcode Fuzzy Hash: 5368be830b489dc7b1b373e3631f23c94554deb1f9120ecbdfde4047a449af52
Instruction Fuzzy Hash: F7115EB288C64A8FDB45FF74C4692FD7BA4FF19300F6008FAD429C6291DA35A4448B02

Function 00007FFB4AE3499D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba279d4ba9e498d35ae5a10e289ad795121f08bdcad880e90874f699622d11f2
Instruction ID: 4d0515bc37fd8fbc0160f59a94d4f282ccd753c4ad4c8b010d644cd780056459
Opcode Fuzzy Hash: ba279d4ba9e498d35ae5a10e289ad795121f08bdcad880e90874f699622d11f2
Instruction Fuzzy Hash: 9F11C1B090D58E8FEB45FF78C4692B97BE0FF18301F2045FED42AC2192DA256440C701

Function 00007FFB4AE20A01 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe495c829c7d8248b57cde6075d7a6c3c9a6d8d2d015f74974ce7ba3967e5394
Instruction ID: 8359f420f0fd5182950bb4aa3d4628dc19cf574874f0e12f94a6d9c65fb18786
Opcode Fuzzy Hash: fe495c829c7d8248b57cde6075d7a6c3c9a6d8d2d015f74974ce7ba3967e5394
Instruction Fuzzy Hash: 87017CB2A4890A8FE791FF78D8591BE77E5FF58300BA101F2C428C7192DE28A9018741

Function 00007FFB4AE22F01 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1e987e48f0aaa05e54f3ef6480d64c17e6f9e1cabbdc7eccf7d720109cc6e
Instruction ID: d39159284a30075e6ec2eafb61ebee251263bf77a8cb1caa662f94796663c086
Opcode Fuzzy Hash: c8c1e987e48f0aaa05e54f3ef6480d64c17e6f9e1cabbdc7eccf7d720109cc6e
Instruction Fuzzy Hash: 10019EB184D6498FE751BF34C4692B97BE4FF19300F2549F6D428CA0A2EA24A0448A01

Function 00007FFB4AE205D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7711e739d33f73324a0d789f73a1319cd0297b9df0d7c49c197ba9fce05f76c
Instruction ID: fe6afc064ffec5c8764783a9acd5e0a3f5c5bb6f02a4b0dffa0bc999f779a1fc
Opcode Fuzzy Hash: e7711e739d33f73324a0d789f73a1319cd0297b9df0d7c49c197ba9fce05f76c
Instruction Fuzzy Hash: DB01697094954E8FDB48FF64C0656BA77A5FF58305F6004BAD42EC2181CE32A651CB41

Function 00007FFB4AE2D11D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1ed7c97f1d1391d4effda762e0a3cad3cfdfd6f07fdfaecbd65545ddd2f5df
Instruction ID: 5e2039906c7798b9e45abd502a2f10f5f33a8ce645e184096574672bda4d7693
Opcode Fuzzy Hash: 2f1ed7c97f1d1391d4effda762e0a3cad3cfdfd6f07fdfaecbd65545ddd2f5df
Instruction Fuzzy Hash: 3A115AB194868D8FEB45FF28C4A82B97BA0FF18300F2004FAD429C6591DB35A540C701

Function 00007FFB4AE2AD6E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa0592d3b6bf4163b14dd146c26212cba0eba1089e6c28d363a095e69bcc7cc
Instruction ID: 468b30db4af27a111ee8b475cbbd14d57f16daa758e611a230fbe965eddd8eb4
Opcode Fuzzy Hash: caa0592d3b6bf4163b14dd146c26212cba0eba1089e6c28d363a095e69bcc7cc
Instruction Fuzzy Hash: 441170B194895E4EEBE4EF28C884BE9B7A1FB9C301F6043E6C01DE3141DE349D818B41

Function 00007FFB4AE2DE30 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a999117b3e011b245d419cd9faa055fb3852d5e4852efb8fc0d316b9e212e8
Instruction ID: 5289895857ef30746ca5c4ff6cb02d68de5dfa3578798693ff99db0e33f52e70
Opcode Fuzzy Hash: 10a999117b3e011b245d419cd9faa055fb3852d5e4852efb8fc0d316b9e212e8
Instruction Fuzzy Hash: 1B0161B0C0850E8FEB85FF38C4545BA77A5FF68301F2086B6D429C2194CB30A194C780

Function 00007FFB4AE37619 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8368ee98ecb5fdfadb79054cbdb03bb7a3128e919b2e4de1516fc9000873e8
Instruction ID: 47844684e0dabbd0ce1b722a92aceae7e68f495bd9dd47242b5fe197488e2462
Opcode Fuzzy Hash: ff8368ee98ecb5fdfadb79054cbdb03bb7a3128e919b2e4de1516fc9000873e8
Instruction Fuzzy Hash: 4D01C0B0C4D6898FDB4AFF38C4651B93BA4FF19300F6104FED42AC6192DA25A454C740

Function 00007FFB4AE2DE11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd49c69406b5126dd09a8f36162c40ac59945c41ad7d1bc61edb9c523600080
Instruction ID: e7727f06eda311d7b3fc58279fb29375267a4ab4723a2af950f78ec5f1f53db8
Opcode Fuzzy Hash: afd49c69406b5126dd09a8f36162c40ac59945c41ad7d1bc61edb9c523600080
Instruction Fuzzy Hash: 18018FB1C0D64E8FEB95EF34C8542FA3BA1FF68301F2446BAE828C6291DB349450C781

Function 00007FFB4AE3768D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc99378ec30091afd03e10ade7e10571098dc8af9727b06b67c636b470e0888
Instruction ID: 9efdc90d15f22eb133d98efec55482e69b676c95c85cfa870d6d70344703fd1b
Opcode Fuzzy Hash: bcc99378ec30091afd03e10ade7e10571098dc8af9727b06b67c636b470e0888
Instruction Fuzzy Hash: B701DEB084D64A8FEB49FF38C5642FA3BA0FF19300F2004FED42AC6092DA35A544C751

Function 00007FFB4AE2122D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a909d35b2858a28f3d40c190d341bd0b5db1af9c70e0c95903a5a8491044f2bf
Instruction ID: 288df3ef103c17e7551bcb94c3e12c46c0ea37b14ce4bd33f6f612515144eed4
Opcode Fuzzy Hash: a909d35b2858a28f3d40c190d341bd0b5db1af9c70e0c95903a5a8491044f2bf
Instruction Fuzzy Hash: 0701B1B2A4E60A4FEB49AFA8C4B52B977A4FF59311F2001FEE01AC61D1CB266501C741

Function 00007FFB4AE2A619 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52457d73a2fe963a7a31bc35fd143b0722aa179c0b71bdbce1903cfa384fa23
Instruction ID: 65aacd7e2d29e07f3197d3156a5ed68d1a2464fafd7185130f25fd9d59dd0ba4
Opcode Fuzzy Hash: a52457d73a2fe963a7a31bc35fd143b0722aa179c0b71bdbce1903cfa384fa23
Instruction Fuzzy Hash: 2601717199D6898FD742BF34C9695A97BE8FF5A300F6605F2D418C70A2DE28A444C712

Function 00007FFB4AE37049 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e2d59fb79c9103b2fa304664b200786e6e5d40ba81dea88445b5377730f7e4
Instruction ID: 74942a97daa5f91e2216c4aecaa915ac9c6f2698aa7ceace4d803ecb380b0b3c
Opcode Fuzzy Hash: 13e2d59fb79c9103b2fa304664b200786e6e5d40ba81dea88445b5377730f7e4
Instruction Fuzzy Hash: C10171B194E6899FE752FF34C5692A97BE4FF15300F6544F6D418C70A2EE28A4488B11

Function 00007FFB4AE22F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67710bc20c1b638c29e6b7d68a1059e52ac0371508ee9adf56114b246fc42dc0
Instruction ID: 413e07205ece5860ef58be005edb31e5d97dae9abbd8d56d75d057c281614cc9
Opcode Fuzzy Hash: 67710bc20c1b638c29e6b7d68a1059e52ac0371508ee9adf56114b246fc42dc0
Instruction Fuzzy Hash: 6401B1B184D6894FE742BF34C9692A97BE4FF1D300F2508F6C418CB0A3DA28A4448B12

Function 00007FFB4AE2123C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e35ac167e155b2457396f8a6815f04c4d22079370a4c6526ddf58b83885972
Instruction ID: 97f2f4636ad94b43993a861e0328f9f536070fef120c1296c28e156fcfbeee42
Opcode Fuzzy Hash: 58e35ac167e155b2457396f8a6815f04c4d22079370a4c6526ddf58b83885972
Instruction Fuzzy Hash: 6901F2B3D4E68A4EFB58BFBCC5693B97BA8FF59310F2001BAE429C10C1DB2412048642

Function 00007FFB4AE20A1C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa660d323a2324e157a0bd9ec9ddfbb5e6b5a26228bd3c87b82c262fb92dcaa
Instruction ID: 326ab1ee7f5b5f772e2cef069938030c0c86bcc6e07562dfa88487dc442fd5e5
Opcode Fuzzy Hash: cfa660d323a2324e157a0bd9ec9ddfbb5e6b5a26228bd3c87b82c262fb92dcaa
Instruction Fuzzy Hash: A7F08FF295C54E4AF790BE78D9251B977A8FF48300FA004B6D42CD10D2EE3459048641

Function 00007FFB4AE20610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0d0c443a644dd8686e01acdb93bb9270d3b9ee6a588291db54a7356e09af3b
Instruction ID: 43dfc59fd159e99ba85f789c32dae4fecc709db832095e041ec98b444f3db0ba
Opcode Fuzzy Hash: cb0d0c443a644dd8686e01acdb93bb9270d3b9ee6a588291db54a7356e09af3b
Instruction Fuzzy Hash: C9014BB185850E8AEB5DFF34C0682B972A4FF18305F2008BED82AC61D2DE36A590C612

Function 00007FFB4AE20608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be35f3897e95e19acfa8264e0451d607833818a95aa56a0cfa4dcb22126ed6ec
Instruction ID: 0b89fcdfd292a0e1416954e67330abfc48d6e6e0ab65cb26bc5ac2f6b39dbbdf
Opcode Fuzzy Hash: be35f3897e95e19acfa8264e0451d607833818a95aa56a0cfa4dcb22126ed6ec
Instruction Fuzzy Hash: 8301AD7084850E8BEB4DFF34C0692B972A8FF1C304F2008BED82EC61D2DE36A554C601

Function 00007FFB4AE21240 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6b766f51b824412b4c14cfb02d48764be5fb9c9524ada572362023344de03a
Instruction ID: 98885b77ecb8907c745b80983524d02a0ae0e4c3c2e980cdf806392d306ae209
Opcode Fuzzy Hash: be6b766f51b824412b4c14cfb02d48764be5fb9c9524ada572362023344de03a
Instruction Fuzzy Hash: 05F0D1B294E64A8EEB58BFB8D5283BA77A8FF59310F2001BAE429C20D0DB241214C641

Function 00007FFB4AE2AA9C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9724c94e681119814f186720c9a4cadbf1771a5dddc02ded68162c4a2179972
Instruction ID: 9bcbecd5b352cadc44851d1d6d75bdd35b05c0402aee701948af991668dc256e
Opcode Fuzzy Hash: d9724c94e681119814f186720c9a4cadbf1771a5dddc02ded68162c4a2179972
Instruction Fuzzy Hash: D601A2E2D5CA4F8AE754BF78DA241FDBAE8FF48300FA405F6D428C2082EE2459048241

Function 00007FFB4AE2AA98 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a52c9acca9e5d1637fb7b188041e02355c1d059427095603383f026695342b8
Instruction ID: 395e0b817cfddfae82343ec5e9322f380d033ed31c6fce8d325ffca0210f08d2
Opcode Fuzzy Hash: 6a52c9acca9e5d1637fb7b188041e02355c1d059427095603383f026695342b8
Instruction Fuzzy Hash: 78F0ADA295C80B8FE740FF38C9541BE77E5FF48300BA005F2D428D3092EE24A4019741

Function 00007FFB4AE205D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9109e41ba10ff20815e6dd9dacd080643dafcc5306e830e8238413af8f9e05c9
Instruction ID: b5113a785c26aeadf7645c27082eca8d17b76ec79eda4311fb8511b18b3aa20b
Opcode Fuzzy Hash: 9109e41ba10ff20815e6dd9dacd080643dafcc5306e830e8238413af8f9e05c9
Instruction Fuzzy Hash: E8F0A47184E54ECFDB44BE74D4651FA77A8FF19305F6004B9E81DC2181CE36A650C642

Function 00007FFB4AE2084D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d8d32784578133962a9c24f2eaae2048a02007ffcd453bfe42358557b2e8d0
Instruction ID: 34ffa6a45d6122f6db85e18529d33d3b28268a97e707792bee1dfd3f22842f35
Opcode Fuzzy Hash: e5d8d32784578133962a9c24f2eaae2048a02007ffcd453bfe42358557b2e8d0
Instruction Fuzzy Hash: 40E0A092E4D6869EF34A3AF498320E57B60BF42300B2981F7D0AD92883DC19681581D2

Function 00007FFB4AE2088C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70635b0fd3805158636d54af15779a37e932d43688a0ad9ebca9da10b144011
Instruction ID: 65aa7e8beb2eed177ca248e1f7afe9cbc954c8a5638c55da31b5538cb854eaea
Opcode Fuzzy Hash: b70635b0fd3805158636d54af15779a37e932d43688a0ad9ebca9da10b144011
Instruction Fuzzy Hash: 9EF0AFB288C50D8EF795FF78C5581BA7AE8FF5C300F2044F2D429C6492DD34A8448692

Function 00007FFB4AE205ED Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81afa68aa4c08038da73045018ba37afed9f27086ceccd64ab815a4204fb7c4e
Instruction ID: 05d0188d805a84b82ccae9696417f5e576e77ae1f14ab92ad6e99b736527094b
Opcode Fuzzy Hash: 81afa68aa4c08038da73045018ba37afed9f27086ceccd64ab815a4204fb7c4e
Instruction Fuzzy Hash: 6FF0F67144D68E8BE718BF34CD552BA3398FF48305F60487AE82DC11C2EB34A565C641

Function 00007FFB4AE34E30 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae31000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3235471377095bdd0169d53762977f11c7090898e422f3df2a4089da6b6356
Instruction ID: 3859679c6f6e608c3a3f3fc8cf0f968ac3af0838c0565ce27295efda59eee25a
Opcode Fuzzy Hash: da3235471377095bdd0169d53762977f11c7090898e422f3df2a4089da6b6356
Instruction Fuzzy Hash: 4DF0E2B5A4892D8EDF94FFA9D8957ECBBB5FB58201F6000A6D41CE3241DE3868818B44

Function 00007FFB4AE21D1C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849b4f893f39ece19c87e5ddc0fb61ca39f631ce9b1443a657d38dcca0b4bdcc
Instruction ID: 576f623869a7b53ebae5440e6431fdbc44e28290cb8b6c33c0507361cef743e6
Opcode Fuzzy Hash: 849b4f893f39ece19c87e5ddc0fb61ca39f631ce9b1443a657d38dcca0b4bdcc
Instruction Fuzzy Hash: 5DF0C27184E68ECFEB98FE64C4651BA7BA4FF59301F3000B9E81DC2180CE729650C781

Function 00007FFB4AE2DC94 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414f8f847bfc45abacd8379e16a6fcb53b25d4eb1f54ac60640d6627b41bb73c
Instruction ID: f2808a53bab1b8426f22b71e2c3b62aa505c27b3c0ec23782f386b51a03458b7
Opcode Fuzzy Hash: 414f8f847bfc45abacd8379e16a6fcb53b25d4eb1f54ac60640d6627b41bb73c
Instruction Fuzzy Hash: 740128B1D4821A8FEB10EFA4C9A0AEDB7F4BF48300F200176D515E7284EB78A501CB51

Function 00007FFB4AE2B7DC Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53e7381b5ae8ee829cd96d5f615923e8fdff453b1140d14df6d762f3ea82b5e
Instruction ID: be6e090ac670931dd2c183db79a4e1d9497b34fe2a8e02eb9c8899773380f823
Opcode Fuzzy Hash: e53e7381b5ae8ee829cd96d5f615923e8fdff453b1140d14df6d762f3ea82b5e
Instruction Fuzzy Hash: E3F09671C5C68E8EEB54FF38C9241FD76A4FF28300F2005BAE82DC2040DB7055548741

Function 00007FFB4AE228DD Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4392a6871514d2538dae4a9fd3a04cee62410f2863b4df3be9dd0c82b3d4cd72
Instruction ID: 930498ec339cdbd6d7efc55fe36f6c6d45d6f6cf2020034274183fbc6f5fdebf
Opcode Fuzzy Hash: 4392a6871514d2538dae4a9fd3a04cee62410f2863b4df3be9dd0c82b3d4cd72
Instruction Fuzzy Hash: CCF0827198C5094FE751FF34C4655B937E8FF19300B2645F2C018CB063DA28E4408701

Function 00007FFB4AE2B7DA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae2a000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eef5ef9e596776417021a11458bc8643fbb0d931efec7be87eff3a0db37cb0a
Instruction ID: 3c97097c26e9c9fa98c3595e254272407136b4d5f80f9ba044d40fa6a6b08559
Opcode Fuzzy Hash: 4eef5ef9e596776417021a11458bc8643fbb0d931efec7be87eff3a0db37cb0a
Instruction Fuzzy Hash: 48F0F87194894E8FDB88FF68D4655BE77A4FF28300B2004BED42ED7191DE32A5408741

Function 00007FFB4AE224C9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b55e66e19a971ca5e3dd832291280b26cf1d7e2605a12df051562b269c9d8e
Instruction ID: bb8e542cea817801141bdf12b3d063e5b8018f77ae82fbd85ceebec54961b9f6
Opcode Fuzzy Hash: 08b55e66e19a971ca5e3dd832291280b26cf1d7e2605a12df051562b269c9d8e
Instruction Fuzzy Hash: F2F0177294D519CFEB20FF20CC64BE973B4FB58300F2406EAC01EDB292CB782A448A41

Function 00007FFB4AE2287C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1801fcaade3fe485be632e2d7c3fbe2e1b7034f14159b844702bf52c2b776cdd
Instruction ID: b20a8199878b7250b2ebe9fd0fb259006a68af080e6021c57b5c2a516f95d195
Opcode Fuzzy Hash: 1801fcaade3fe485be632e2d7c3fbe2e1b7034f14159b844702bf52c2b776cdd
Instruction Fuzzy Hash: 58F0A0B184D68E8AEB5DBF34C5251F97AA4FF19300F2008BEE829C51C2DF38D4548642

Function 00007FFB4AE2280C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afcf41cf5dfd3211163220d793980657ef77c140a0618136606e5b94bcb35d6
Instruction ID: 49a276ab11104708af4cd269bde6363c79d9a6ea6bebdc0b13d077b4f9e6dfaf
Opcode Fuzzy Hash: 8afcf41cf5dfd3211163220d793980657ef77c140a0618136606e5b94bcb35d6
Instruction Fuzzy Hash: EFF0A7B184D68E8AEB5DBF34C5651B93694FF18304F6048BDE81DC50C2DF749554C641

Function 00007FFB4AE228EC Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6111a2fe9eb7310a08e1c8a7a089df3f945d5fa25e8fec4718a411329562df
Instruction ID: f1acdd8e8a97ee284f19fa0045b1f2cb6c6b0d216a5d3a90bf55d96d126727a0
Opcode Fuzzy Hash: 3b6111a2fe9eb7310a08e1c8a7a089df3f945d5fa25e8fec4718a411329562df
Instruction Fuzzy Hash: A1E065B2CDD54E4AE7557F34C9641B57AA8FF19304F3419B5E82CC5082EE6491548642

Function 00007FFB4AE21D0D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ddd3388fcb5e691d2a7c4579a05ceba84e0160995c9a8b4401cf166c91aaa7
Instruction ID: 92e1dcbfea21b4f299dcccd954dcf2e33fcffb1a0bb0c64a878ace811089a914
Opcode Fuzzy Hash: 89ddd3388fcb5e691d2a7c4579a05ceba84e0160995c9a8b4401cf166c91aaa7
Instruction Fuzzy Hash: 44E0923154E28ACFCB59EE60D4715AA3761FF5A300B6100EED00ACB182CA27E940C741

Function 00007FFB4AE227F9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5227e6334aa36409ad50dc753c09025130e9ab5dd4ec8907c424c36b39798c5b
Instruction ID: df38b056ebdec462db665b7baa604a1a28c59548bbfc8d7efa92cdf9c6056335
Opcode Fuzzy Hash: 5227e6334aa36409ad50dc753c09025130e9ab5dd4ec8907c424c36b39798c5b
Instruction Fuzzy Hash: C3E08C7144E3C58FCB1AAF30C8210A83B35BF5A300B5608EBD409CE0D3C62DD818C312

Function 00007FFB4AE2286D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0888ce13a90b99d01ee52dfee86d409a2b1af0f84f6f7142a5f2b35b49804477
Instruction ID: 94059b89ecd22bd8b50a74757548879f5a3e5fd2063b64cffeceb11a9eba342b
Opcode Fuzzy Hash: 0888ce13a90b99d01ee52dfee86d409a2b1af0f84f6f7142a5f2b35b49804477
Instruction Fuzzy Hash: D0D05E7284E2468BDB1D6F20C4211F93361BF59300F6504BAE819CA5D6DB2DE8118702

Function 00007FFB4AE20CA9 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1560230555.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffb4ae20000_rxlSpmEkQUyDvxlFic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e46365e64b659dbab50e0a90ea5822e3dd4f5bce9b69969af2e84195c2ddb38
Instruction ID: c443b8343fdd5f1d2494bae4abe030988d118f8e2987e3f24921aa334d70ce5a
Opcode Fuzzy Hash: 2e46365e64b659dbab50e0a90ea5822e3dd4f5bce9b69969af2e84195c2ddb38
Instruction Fuzzy Hash: 45B009D78CE40681F4A0BD70C2220BC001C2F5E354F75A4B4E43E005C30C0839442063

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ym9pCkdQCN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\Office16\24fab4fe41bce1

C:\Program Files (x86)\Microsoft Office\Office16\rxlSpmEkQUyDvxlFic.exe

C:\Program Files (x86)\Reference Assemblies\886983d96e3d3e

C:\Program Files (x86)\Reference Assemblies\csrss.exe

C:\Program Files (x86)\Windows Media Player\Network Sharing\24fab4fe41bce1

C:\Program Files (x86)\Windows Media Player\Network Sharing\rxlSpmEkQUyDvxlFic.exe

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\24fab4fe41bce1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\rxlSpmEkQUyDvxlFic.exe

C:\Program Files\Windows Mail\22eafd247d37c3

C:\Program Files\Windows Mail\TextInputHost.exe

C:\Program Files\Windows Portable Devices\24fab4fe41bce1

C:\Program Files\Windows Portable Devices\rxlSpmEkQUyDvxlFic.exe

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\24fab4fe41bce1

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rxlSpmEkQUyDvxlFic.exe

C:\Recovery\24fab4fe41bce1

C:\Recovery\rxlSpmEkQUyDvxlFic.exe

Windows Analysis Report
Ym9pCkdQCN.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre