Edit tour

Windows Analysis Report
P.O.exe

Overview

General Information

Sample name:	P.O.exe
Analysis ID:	1560083
MD5:	6802a38084da57589c5d743dcbf22a66
SHA1:	83ed1d10c94b42586916aa0e52f8fe980b408386
SHA256:	c6324c508e3f4ca77de6321a2ba98faec3cb40ab4b9d85a2eced9560f24f6eb9
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

P.O.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\P.O.exe" MD5: 6802A38084DA57589C5D743DCBF22A66)

P.O.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\P.O.exe" MD5: 6802A38084DA57589C5D743DCBF22A66)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: P.O.exe PID: 7424	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.P.O.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.P.O.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: P.O.exe

ReversingLabs: Detection: 36%

Yara detected FormBook

Source: Yara match	File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: P.O.exe

Joe Sandbox ML: detected

Source: P.O.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: P.O.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: P.O.exe, 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: P.O.exe, P.O.exe, 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp

Source: P.O.exe	String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: P.O.exe	String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: P.O.exe	String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_07737A50 NtUnmapViewOfSection,	0_2_07737A50
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_07737A48 NtUnmapViewOfSection,	0_2_07737A48
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0042CCB3 NtClose,	5_2_0042CCB3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F335C0 NtCreateMutant,LdrInitializeThunk,	5_2_00F335C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32B60 NtClose,LdrInitializeThunk,	5_2_00F32B60
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_00F32C70
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_00F32DF0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F33090 NtSetValueKey,	5_2_00F33090
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F33010 NtOpenDirectoryObject,	5_2_00F33010
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F34340 NtSetContextThread,	5_2_00F34340
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F34650 NtSuspendThread,	5_2_00F34650
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F339B0 NtGetContextThread,	5_2_00F339B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32AF0 NtWriteFile,	5_2_00F32AF0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32AD0 NtReadFile,	5_2_00F32AD0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32AB0 NtWaitForSingleObject,	5_2_00F32AB0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32BF0 NtAllocateVirtualMemory,	5_2_00F32BF0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32BE0 NtQueryValueKey,	5_2_00F32BE0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32BA0 NtEnumerateValueKey,	5_2_00F32BA0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32B80 NtQueryInformationFile,	5_2_00F32B80
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32CF0 NtOpenProcess,	5_2_00F32CF0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32CC0 NtQueryVirtualMemory,	5_2_00F32CC0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32CA0 NtQueryInformationToken,	5_2_00F32CA0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32C60 NtCreateKey,	5_2_00F32C60
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32C00 NtQueryInformationProcess,	5_2_00F32C00
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32DD0 NtDelayExecution,	5_2_00F32DD0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32DB0 NtEnumerateKey,	5_2_00F32DB0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F33D70 NtOpenThread,	5_2_00F33D70
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32D30 NtUnmapViewOfSection,	5_2_00F32D30
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32D10 NtMapViewOfSection,	5_2_00F32D10
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F33D10 NtOpenProcessToken,	5_2_00F33D10
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32D00 NtSetInformationFile,	5_2_00F32D00
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32EE0 NtQueueApcThread,	5_2_00F32EE0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32EA0 NtAdjustPrivilegesToken,	5_2_00F32EA0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32E80 NtReadVirtualMemory,	5_2_00F32E80
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32E30 NtWriteVirtualMemory,	5_2_00F32E30
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32FE0 NtCreateFile,	5_2_00F32FE0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32FB0 NtResumeThread,	5_2_00F32FB0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32FA0 NtQuerySection,	5_2_00F32FA0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32F90 NtProtectVirtualMemory,	5_2_00F32F90
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32F60 NtCreateProcessEx,	5_2_00F32F60
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F32F30 NtCreateSection,	5_2_00F32F30

Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_0144D51C	0_2_0144D51C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_0773AAD0	0_2_0773AAD0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_07735738	0_2_07735738
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_07734EC8	0_2_07734EC8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_07735B70	0_2_07735B70
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_07735300	0_2_07735300
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_077372B0	0_2_077372B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0042F253	5_2_0042F253
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_004022E0	5_2_004022E0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0041046B	5_2_0041046B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00410473	5_2_00410473
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_004025F0	5_2_004025F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00416DF3	5_2_00416DF3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00416DAC	5_2_00416DAC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0040E673	5_2_0040E673
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00410693	5_2_00410693
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00402F25	5_2_00402F25
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00402F30	5_2_00402F30
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0040E7C3	5_2_0040E7C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0040E7B7	5_2_0040E7B7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB70E9	5_2_00FB70E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBF0E0	5_2_00FBF0E0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAF0CC	5_2_00FAF0CC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB81CC	5_2_00FB81CC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0B1B0	5_2_00F0B1B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC01AA	5_2_00FC01AA
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FCB16B	5_2_00FCB16B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F3516C	5_2_00F3516C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F88158	5_2_00F88158
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9A118	5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF0100	5_2_00EF0100
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F802C0	5_2_00F802C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F052A0	5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E3F0	5_2_00F0E3F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC03E6	5_2_00FC03E6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F4739A	5_2_00F4739A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EED34C	5_2_00EED34C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBA352	5_2_00FBA352
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB132D	5_2_00FB132D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAE4F6	5_2_00FAE4F6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1460	5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB2446	5_2_00FB2446
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBF43F	5_2_00FBF43F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9D5B0	5_2_00F9D5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC0591	5_2_00FC0591
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB7571	5_2_00FB7571
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00535	5_2_00F00535
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1C6E0	5_2_00F1C6E0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB16CC	5_2_00FB16CC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFC7C0	5_2_00EFC7C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBF7B0	5_2_00FBF7B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00770	5_2_00F00770
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F24750	5_2_00F24750
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E8F0	5_2_00F2E8F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F038E0	5_2_00F038E0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE68B8	5_2_00EE68B8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F02840	5_2_00F02840
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0A840	5_2_00F0A840
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6D800	5_2_00F6D800
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F029A0	5_2_00F029A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FCA9A6	5_2_00FCA9A6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F16962	5_2_00F16962
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F09950	5_2_00F09950
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B950	5_2_00F1B950
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FADAC6	5_2_00FADAC6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F45AA0	5_2_00F45AA0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9DAAC	5_2_00F9DAAC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFEA80	5_2_00EFEA80
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F73A6C	5_2_00F73A6C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBFA49	5_2_00FBFA49
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB7A46	5_2_00FB7A46
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F75BF0	5_2_00F75BF0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F3DBF9	5_2_00F3DBF9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB6BD7	5_2_00FB6BD7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1FB80	5_2_00F1FB80
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBFB76	5_2_00FBFB76
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBAB40	5_2_00FBAB40
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBFCF2	5_2_00FBFCF2
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF0CF2	5_2_00EF0CF2
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0CB5	5_2_00FA0CB5
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F79C32	5_2_00F79C32
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00C00	5_2_00F00C00
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFADE0	5_2_00EFADE0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1FDC0	5_2_00F1FDC0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F18DBF	5_2_00F18DBF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB7D73	5_2_00FB7D73
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB1D5A	5_2_00FB1D5A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F03D40	5_2_00F03D40
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0AD00	5_2_00F0AD00
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBEEDB	5_2_00FBEEDB
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F09EB0	5_2_00F09EB0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F12E90	5_2_00F12E90
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBCE93	5_2_00FBCE93
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00E59	5_2_00F00E59
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBEE26	5_2_00FBEE26
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF2FC8	5_2_00EF2FC8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBFFB1	5_2_00FBFFB1
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7EFA0	5_2_00F7EFA0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01F92	5_2_00F01F92
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F74F40	5_2_00F74F40
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F20F30	5_2_00F20F30
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F42F28	5_2_00F42F28
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBFF09	5_2_00FBFF09

Source: C:\Users\user\Desktop\P.O.exe	Code function: String function: 00F7F290 appears 105 times
Source: C:\Users\user\Desktop\P.O.exe	Code function: String function: 00F47E54 appears 94 times
Source: C:\Users\user\Desktop\P.O.exe	Code function: String function: 00F35130 appears 36 times
Source: C:\Users\user\Desktop\P.O.exe	Code function: String function: 00F6EA12 appears 86 times
Source: C:\Users\user\Desktop\P.O.exe	Code function: String function: 00EEB970 appears 253 times

Source: P.O.exe, 00000000.00000002.1954637867.0000000007C30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs P.O.exe
Source: P.O.exe, 00000000.00000002.1948781389.000000000120E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs P.O.exe
Source: P.O.exe, 00000000.00000002.1952792955.0000000005640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs P.O.exe
Source: P.O.exe, 00000000.00000000.1703495934.0000000000B6C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeuWT.exe4 vs P.O.exe
Source: P.O.exe, 00000000.00000002.1949349380.0000000002F73000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs P.O.exe
Source: P.O.exe, 00000005.00000002.2356525474.0000000000FED000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs P.O.exe
Source: P.O.exe	Binary or memory string: OriginalFilenameeuWT.exe4 vs P.O.exe

Source: P.O.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: P.O.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, pXblAmimsnTC264Gfp.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, pXblAmimsnTC264Gfp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, pXblAmimsnTC264Gfp.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, pXblAmimsnTC264Gfp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\P.O.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P.O.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Mutant created: NULL

Source: P.O.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: P.O.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\P.O.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: P.O.exe, 00000000.00000000.1703383050.0000000000A72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);

Source: P.O.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\P.O.exe "C:\Users\user\Desktop\P.O.exe"
Source: C:\Users\user\Desktop\P.O.exe	Process created: C:\Users\user\Desktop\P.O.exe "C:\Users\user\Desktop\P.O.exe"
Source: C:\Users\user\Desktop\P.O.exe	Process created: C:\Users\user\Desktop\P.O.exe "C:\Users\user\Desktop\P.O.exe"	Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: P.O.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: P.O.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: P.O.exe, 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: P.O.exe, P.O.exe, 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: P.O.exe, InnerForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs	.Net Code: qZIrNlsV5j System.Reflection.Assembly.Load(byte[])
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs	.Net Code: qZIrNlsV5j System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_0144DB84 pushfd ; ret	0_2_0144DB89
Source: C:\Users\user\Desktop\P.O.exe	Code function: 0_2_077342A4 push ebx; ret	0_2_077342DA
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0040D8D0 pushad ; iretd	5_2_0040D8D1
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_004031B0 push eax; ret	5_2_004031B2
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0040D3DE pushad ; retf	5_2_0040D3DF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00414C77 push es; iretd	5_2_00414C79
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00415DE9 push ebp; iretd	5_2_00415E4B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_0040E61C push es; retf	5_2_0040E61D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00405F99 push edi; retf	5_2_00405F9A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF09AD push ecx; mov dword ptr [esp], ecx	5_2_00EF09B6

Source: P.O.exe

Static PE information: section name: .text entropy: 7.559514437779557

Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, N5GegfGQFfXMbcSkDs.cs	High entropy of concatenated method names: 'zZOXib27YE', 'Ii7X657CM6', 'ix2X2h7iP9', 'WaEXLQ5f5J', 'd1EXn76oBQ', 'I6SXKrI58F', 'tH7XmIhpAU', 'egFXf9p4WY', 'wnYXA1iaX9', 'x7OXy5Aj8T'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, z2a8i2ojUgvyJwRfCF.cs	High entropy of concatenated method names: 'xsnNQ8cQd', 'tp4OEgPKh', 'Hi6jUnuMO', 'g4NkWZNWY', 'ile6l3XSm', 'ta8CHk2Ku', 'Q1lAsilZQgZ2c2eWrG', 'AxAS1RJfkXm4Mdf1Zd', 'j73VXdI9JSLj1OT7Ok', 'nr1pKvyom'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, celYeqzM3KC4ypVT5Q.cs	High entropy of concatenated method names: 'Bw2cjkZQ6w', 'ypSciv2F5L', 'Jgec6Vu8cx', 'hVBc2nfu0N', 'bKOcLeHfGB', 'NK9cne54u2', 'dMycKfni3P', 'l8Cc9Gm0MK', 'MQocFRXEFu', 'Wglc7kays3'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, PL6oH92bSmQPe6LV7e.cs	High entropy of concatenated method names: 'O4A1MkUMJC', 'UTI1aGsmXG', 'iYk1wMh30Y', 'quV1Vr7oVR', 'dtu1D4GlSN', 'xWvwWB0Ra4', 'M2cwh8hwP5', 'ifewJC5qSo', 'QkPwSQlqa4', 'cRgwvgp56U'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, n1KClrJpONMWo6xxrk.cs	High entropy of concatenated method names: 'V1s3QtX2iw', 'Y0Z3805iAC', 'dyY335kWJR', 'Jl23PU7JgU', 'Y2f3xMecxL', 'jEH39GHMWA', 'Dispose', 'avapZQKGo7', 'yNupa6NKyt', 'CqNploCCWJ'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, GXJsgnaU8ZhvdK8JmB.cs	High entropy of concatenated method names: 'Dispose', 'zMW4vo6xxr', 'zJOoLjQaN1', 'hAXRTn1c9H', 'Cn54dtmNVt', 'RWY4zTfHf6', 'ProcessDialogKey', 'Lbsob0BWDx', 'laro4yhF1c', 'ahgoowT3BD'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, hT3BDndstDB0ojUCiK.cs	High entropy of concatenated method names: 'UDbclflIhB', 'Uybcw3qoAm', 'em2c1LF7pS', 'xIvcVFNLlE', 'd6gc3BcnQt', 'mbXcDTTiHt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, lckN0ishG93fnW4P4C.cs	High entropy of concatenated method names: 'oIvQA4howN', 'GyqQqgV2oa', 'GvcQsB4VYB', 'ejJQ0JmgNG', 'LMWQLVqNLa', 'sbPQt3pZoK', 'HvxQnpKuFo', 'FRgQKq60M4', 'ufPQEIUWsX', 'V6MQmkuEYJ'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, vdDBXrHFUq3rHX3VUZ.cs	High entropy of concatenated method names: 'k2PVFmN9Ad', 'DQcV75hrwI', 'RLmVNNZFUg', 'DSOVO1Uwgd', 'QYMVgSAoR9', 'GvFVjqplOe', 'Mv0VkOMHFv', 'DJ3VigJyZG', 'VSCV6ASkbI', 'lYmVC97XoG'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, Bn8Bcx4rjnO1EoGlhZG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UvMu3nxRdN', 'K6Bucbvsn5', 'jxZuPydBaM', 'JQluuqVeSp', 'HtwuxUJthQ', 'nJ0uBvk5OF', 'IbBu95p2x7'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, DvKkmjD3k46QOm7KdT.cs	High entropy of concatenated method names: 'tgJUMivVCn', 'CaVUZWNBxJ', 'FuaUagq9Ax', 'Y1wUlYfKlS', 'vmkUwE8ijn', 'jEtU1HRyRc', 'gBFUV0SZwm', 'GBsUDxNiDF', 'mvkUYnqrc3', 'u6JURSvq3B'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, pjCCI7LCB9GSLQmT8m.cs	High entropy of concatenated method names: 'rbXyEuwvTmtvBD1OwQl', 'Px2lqLwqsC2FkiIJhUl', 'pQB1pkKoZJ', 'dNW13vI0gQ', 'GGe1cnpfcO', 'NiAgkxwC1MlKE83IECd', 'tfVnyZwhAB0SbpZOUfi'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, wOjsFFr0eb67Ueyky9.cs	High entropy of concatenated method names: 'Il84VXblAm', 'Ksn4DTC264', 'M6v4RVnvEM', 'DgY4TleExR', 'pXr4QqGqL6', 'cH94IbSmQP', 'v83bVDPRM9v2Q5qhpM', 'Tt7bqfspR5tueGBwEc', 'bGB448ISnD', 'Gf34UYwj1w'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, YLmevh4bWI9hrnX9NGr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bxmcyCivYC', 'GKRcqb3Wey', 'I2OcGmwnI3', 'CPacsxYC6j', 'fTtc0H1MdR', 'hU2ceFWSHK', 'CG6c5aqoDY'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, A00TKdlh3bniX5QxRk.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zFyovkNUr8', 'Y3vodAiIFY', 'BhhozUy9RS', 'IxDUbAMUOC', 'xQBU4Pr5Ed', 'IgpUosh5yt', 'i6XUUisrph', 'XwIvbGcjUIsIt0OBFoF'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, Tniemf66vVnvEMigYl.cs	High entropy of concatenated method names: 'k5JlOGmpXM', 'f1JljXYZ38', 'AnGlipaQFc', 'ck3l68Uek1', 'm96lQVAes2', 'aV4lIkfLxW', 'lXEl8sDcIr', 'tcclpuUxF1', 'yCOl3vuyK3', 'QHqlceQ8CZ'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, rsrOF64oALLZOGUvSbn.cs	High entropy of concatenated method names: 'ToString', 'V0xPiASIJ1', 'Hw6P6pL3w1', 'BxkPCfuVDf', 'IPwP2dPXmm', 'He4PLjiGLj', 'oYoPtMKCct', 'qcUPn4nJ58', 'TS0tV8G27pK49f9hxB2', 'kiuG6wG5qyx3qWOiXRs'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, AjXsOrmdP6cL18GgmJ.cs	High entropy of concatenated method names: 'qaAVZltIvq', 'WJRVlrYuBE', 'irSV19JZjd', 'uIO1dqmsjK', 'Sca1zI97r8', 'Vg9VbGOEc8', 'frNV4kJ16k', 'ySOVoFh4Qd', 'pL6VUb5RF3', 'LSLVrK8Ee6'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, pXblAmimsnTC264Gfp.cs	High entropy of concatenated method names: 'v1JastbZM9', 'jCva0qQLBq', 'adiaedXoid', 'VWEa5m10Bd', 'B1maWDSXyk', 'q2bahMCKRR', 'uRkaJ5L8V3', 'a1maSrDa9F', 'Xd0avtgNJL', 'tc5admaFAs'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, IRKLfs44Q03G3eEvCFA.cs	High entropy of concatenated method names: 'dbvcdVQnCp', 'EfIczxDgfj', 'FugPbNuLjS', 'OwpP48GQ55', 'pZmPopINYm', 'Ma9PU0EYih', 'CVLPr5grfY', 'DasPMHxDpb', 'C3FPZiO5nJ', 'BnnPalYQFS'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, h5j0lWhqbryNj1r59W.cs	High entropy of concatenated method names: 'nmM8SBWEW5', 'm8C8dpXIP4', 'ODQpb3lx14', 'dEtp4cew06', 'hcI8yWN6bl', 'uJd8qIif5v', 'bd58GPwjhR', 'DTs8s5JppY', 'mkV80vt3PO', 'IbJ8eYPVfX'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, Q0BWDxvYaryhF1cbhg.cs	High entropy of concatenated method names: 'fSr32vpwF1', 'Nwo3LJ3rHT', 'EIt3tMJjgV', 'jOB3nFSnyv', 'vbC3KUg9QO', 't863ErsUDD', 'dZ63mwDfeI', 'k333fqZt3h', 'mZa3H09Diw', 'WcR3APFw25'
Source: 0.2.P.O.exe.41e4f00.0.raw.unpack, SExR6jCjVkYVOIXrqG.cs	High entropy of concatenated method names: 'z0bwgYnS7V', 'mnAwkN7wZ4', 'fuQlt2JI3x', 'Idjln5xB40', 'kYTlKIw917', 'eEDlEQ5XB7', 'OaFlmqAHeb', 'sIPlfSkDh2', 'SEDlHg18RN', 'gSKlA0p7wb'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, N5GegfGQFfXMbcSkDs.cs	High entropy of concatenated method names: 'zZOXib27YE', 'Ii7X657CM6', 'ix2X2h7iP9', 'WaEXLQ5f5J', 'd1EXn76oBQ', 'I6SXKrI58F', 'tH7XmIhpAU', 'egFXf9p4WY', 'wnYXA1iaX9', 'x7OXy5Aj8T'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, z2a8i2ojUgvyJwRfCF.cs	High entropy of concatenated method names: 'xsnNQ8cQd', 'tp4OEgPKh', 'Hi6jUnuMO', 'g4NkWZNWY', 'ile6l3XSm', 'ta8CHk2Ku', 'Q1lAsilZQgZ2c2eWrG', 'AxAS1RJfkXm4Mdf1Zd', 'j73VXdI9JSLj1OT7Ok', 'nr1pKvyom'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, celYeqzM3KC4ypVT5Q.cs	High entropy of concatenated method names: 'Bw2cjkZQ6w', 'ypSciv2F5L', 'Jgec6Vu8cx', 'hVBc2nfu0N', 'bKOcLeHfGB', 'NK9cne54u2', 'dMycKfni3P', 'l8Cc9Gm0MK', 'MQocFRXEFu', 'Wglc7kays3'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, PL6oH92bSmQPe6LV7e.cs	High entropy of concatenated method names: 'O4A1MkUMJC', 'UTI1aGsmXG', 'iYk1wMh30Y', 'quV1Vr7oVR', 'dtu1D4GlSN', 'xWvwWB0Ra4', 'M2cwh8hwP5', 'ifewJC5qSo', 'QkPwSQlqa4', 'cRgwvgp56U'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, n1KClrJpONMWo6xxrk.cs	High entropy of concatenated method names: 'V1s3QtX2iw', 'Y0Z3805iAC', 'dyY335kWJR', 'Jl23PU7JgU', 'Y2f3xMecxL', 'jEH39GHMWA', 'Dispose', 'avapZQKGo7', 'yNupa6NKyt', 'CqNploCCWJ'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, GXJsgnaU8ZhvdK8JmB.cs	High entropy of concatenated method names: 'Dispose', 'zMW4vo6xxr', 'zJOoLjQaN1', 'hAXRTn1c9H', 'Cn54dtmNVt', 'RWY4zTfHf6', 'ProcessDialogKey', 'Lbsob0BWDx', 'laro4yhF1c', 'ahgoowT3BD'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, hT3BDndstDB0ojUCiK.cs	High entropy of concatenated method names: 'UDbclflIhB', 'Uybcw3qoAm', 'em2c1LF7pS', 'xIvcVFNLlE', 'd6gc3BcnQt', 'mbXcDTTiHt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, lckN0ishG93fnW4P4C.cs	High entropy of concatenated method names: 'oIvQA4howN', 'GyqQqgV2oa', 'GvcQsB4VYB', 'ejJQ0JmgNG', 'LMWQLVqNLa', 'sbPQt3pZoK', 'HvxQnpKuFo', 'FRgQKq60M4', 'ufPQEIUWsX', 'V6MQmkuEYJ'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, vdDBXrHFUq3rHX3VUZ.cs	High entropy of concatenated method names: 'k2PVFmN9Ad', 'DQcV75hrwI', 'RLmVNNZFUg', 'DSOVO1Uwgd', 'QYMVgSAoR9', 'GvFVjqplOe', 'Mv0VkOMHFv', 'DJ3VigJyZG', 'VSCV6ASkbI', 'lYmVC97XoG'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, Bn8Bcx4rjnO1EoGlhZG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UvMu3nxRdN', 'K6Bucbvsn5', 'jxZuPydBaM', 'JQluuqVeSp', 'HtwuxUJthQ', 'nJ0uBvk5OF', 'IbBu95p2x7'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, DvKkmjD3k46QOm7KdT.cs	High entropy of concatenated method names: 'tgJUMivVCn', 'CaVUZWNBxJ', 'FuaUagq9Ax', 'Y1wUlYfKlS', 'vmkUwE8ijn', 'jEtU1HRyRc', 'gBFUV0SZwm', 'GBsUDxNiDF', 'mvkUYnqrc3', 'u6JURSvq3B'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, pjCCI7LCB9GSLQmT8m.cs	High entropy of concatenated method names: 'rbXyEuwvTmtvBD1OwQl', 'Px2lqLwqsC2FkiIJhUl', 'pQB1pkKoZJ', 'dNW13vI0gQ', 'GGe1cnpfcO', 'NiAgkxwC1MlKE83IECd', 'tfVnyZwhAB0SbpZOUfi'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, wOjsFFr0eb67Ueyky9.cs	High entropy of concatenated method names: 'Il84VXblAm', 'Ksn4DTC264', 'M6v4RVnvEM', 'DgY4TleExR', 'pXr4QqGqL6', 'cH94IbSmQP', 'v83bVDPRM9v2Q5qhpM', 'Tt7bqfspR5tueGBwEc', 'bGB448ISnD', 'Gf34UYwj1w'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, YLmevh4bWI9hrnX9NGr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bxmcyCivYC', 'GKRcqb3Wey', 'I2OcGmwnI3', 'CPacsxYC6j', 'fTtc0H1MdR', 'hU2ceFWSHK', 'CG6c5aqoDY'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, A00TKdlh3bniX5QxRk.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zFyovkNUr8', 'Y3vodAiIFY', 'BhhozUy9RS', 'IxDUbAMUOC', 'xQBU4Pr5Ed', 'IgpUosh5yt', 'i6XUUisrph', 'XwIvbGcjUIsIt0OBFoF'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, Tniemf66vVnvEMigYl.cs	High entropy of concatenated method names: 'k5JlOGmpXM', 'f1JljXYZ38', 'AnGlipaQFc', 'ck3l68Uek1', 'm96lQVAes2', 'aV4lIkfLxW', 'lXEl8sDcIr', 'tcclpuUxF1', 'yCOl3vuyK3', 'QHqlceQ8CZ'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, rsrOF64oALLZOGUvSbn.cs	High entropy of concatenated method names: 'ToString', 'V0xPiASIJ1', 'Hw6P6pL3w1', 'BxkPCfuVDf', 'IPwP2dPXmm', 'He4PLjiGLj', 'oYoPtMKCct', 'qcUPn4nJ58', 'TS0tV8G27pK49f9hxB2', 'kiuG6wG5qyx3qWOiXRs'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, AjXsOrmdP6cL18GgmJ.cs	High entropy of concatenated method names: 'qaAVZltIvq', 'WJRVlrYuBE', 'irSV19JZjd', 'uIO1dqmsjK', 'Sca1zI97r8', 'Vg9VbGOEc8', 'frNV4kJ16k', 'ySOVoFh4Qd', 'pL6VUb5RF3', 'LSLVrK8Ee6'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, pXblAmimsnTC264Gfp.cs	High entropy of concatenated method names: 'v1JastbZM9', 'jCva0qQLBq', 'adiaedXoid', 'VWEa5m10Bd', 'B1maWDSXyk', 'q2bahMCKRR', 'uRkaJ5L8V3', 'a1maSrDa9F', 'Xd0avtgNJL', 'tc5admaFAs'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, IRKLfs44Q03G3eEvCFA.cs	High entropy of concatenated method names: 'dbvcdVQnCp', 'EfIczxDgfj', 'FugPbNuLjS', 'OwpP48GQ55', 'pZmPopINYm', 'Ma9PU0EYih', 'CVLPr5grfY', 'DasPMHxDpb', 'C3FPZiO5nJ', 'BnnPalYQFS'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, h5j0lWhqbryNj1r59W.cs	High entropy of concatenated method names: 'nmM8SBWEW5', 'm8C8dpXIP4', 'ODQpb3lx14', 'dEtp4cew06', 'hcI8yWN6bl', 'uJd8qIif5v', 'bd58GPwjhR', 'DTs8s5JppY', 'mkV80vt3PO', 'IbJ8eYPVfX'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, Q0BWDxvYaryhF1cbhg.cs	High entropy of concatenated method names: 'fSr32vpwF1', 'Nwo3LJ3rHT', 'EIt3tMJjgV', 'jOB3nFSnyv', 'vbC3KUg9QO', 't863ErsUDD', 'dZ63mwDfeI', 'k333fqZt3h', 'mZa3H09Diw', 'WcR3APFw25'
Source: 0.2.P.O.exe.7c30000.4.raw.unpack, SExR6jCjVkYVOIXrqG.cs	High entropy of concatenated method names: 'z0bwgYnS7V', 'mnAwkN7wZ4', 'fuQlt2JI3x', 'Idjln5xB40', 'kYTlKIw917', 'eEDlEQ5XB7', 'OaFlmqAHeb', 'sIPlfSkDh2', 'SEDlHg18RN', 'gSKlA0p7wb'

Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: P.O.exe PID: 7424, type: MEMORYSTR

Source: C:\Users\user\Desktop\P.O.exe	Memory allocated: 1400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Memory allocated: 7DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Memory allocated: 8DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Memory allocated: 8F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Memory allocated: 9F70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Code function: 5_2_00F6D1C0 rdtsc

5_2_00F6D1C0

Source: C:\Users\user\Desktop\P.O.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

API coverage: 0.7 %

Source: C:\Users\user\Desktop\P.O.exe TID: 7444	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe TID: 7952	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Code function: 5_2_00F6D1C0 rdtsc

5_2_00F6D1C0

Source: C:\Users\user\Desktop\P.O.exe

Code function: 5_2_00417D83 LdrLoadDll,

5_2_00417D83

Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F320F0 mov ecx, dword ptr fs:[00000030h]	5_2_00F320F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF80E9 mov eax, dword ptr fs:[00000030h]	5_2_00EF80E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEA0E3 mov ecx, dword ptr fs:[00000030h]	5_2_00EEA0E3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F150E4 mov eax, dword ptr fs:[00000030h]	5_2_00F150E4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F150E4 mov ecx, dword ptr fs:[00000030h]	5_2_00F150E4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F760E0 mov eax, dword ptr fs:[00000030h]	5_2_00F760E0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEC0F0 mov eax, dword ptr fs:[00000030h]	5_2_00EEC0F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC50D9 mov eax, dword ptr fs:[00000030h]	5_2_00FC50D9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F720DE mov eax, dword ptr fs:[00000030h]	5_2_00F720DE
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F190DB mov eax, dword ptr fs:[00000030h]	5_2_00F190DB
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov ecx, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov ecx, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov ecx, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov ecx, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F070C0 mov eax, dword ptr fs:[00000030h]	5_2_00F070C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6D0C0 mov eax, dword ptr fs:[00000030h]	5_2_00F6D0C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6D0C0 mov eax, dword ptr fs:[00000030h]	5_2_00F6D0C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB60B8 mov eax, dword ptr fs:[00000030h]	5_2_00FB60B8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB60B8 mov ecx, dword ptr fs:[00000030h]	5_2_00FB60B8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F880A8 mov eax, dword ptr fs:[00000030h]	5_2_00F880A8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1D090 mov eax, dword ptr fs:[00000030h]	5_2_00F1D090
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1D090 mov eax, dword ptr fs:[00000030h]	5_2_00F1D090
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EED08D mov eax, dword ptr fs:[00000030h]	5_2_00EED08D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF208A mov eax, dword ptr fs:[00000030h]	5_2_00EF208A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2909C mov eax, dword ptr fs:[00000030h]	5_2_00F2909C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7D080 mov eax, dword ptr fs:[00000030h]	5_2_00F7D080
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7D080 mov eax, dword ptr fs:[00000030h]	5_2_00F7D080
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF5096 mov eax, dword ptr fs:[00000030h]	5_2_00EF5096
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov ecx, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F01070 mov eax, dword ptr fs:[00000030h]	5_2_00F01070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1C073 mov eax, dword ptr fs:[00000030h]	5_2_00F1C073
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6D070 mov ecx, dword ptr fs:[00000030h]	5_2_00F6D070
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7106E mov eax, dword ptr fs:[00000030h]	5_2_00F7106E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC5060 mov eax, dword ptr fs:[00000030h]	5_2_00FC5060
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B052 mov eax, dword ptr fs:[00000030h]	5_2_00F1B052
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9705E mov ebx, dword ptr fs:[00000030h]	5_2_00F9705E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9705E mov eax, dword ptr fs:[00000030h]	5_2_00F9705E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76050 mov eax, dword ptr fs:[00000030h]	5_2_00F76050
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF2050 mov eax, dword ptr fs:[00000030h]	5_2_00EF2050
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB903E mov eax, dword ptr fs:[00000030h]	5_2_00FB903E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB903E mov eax, dword ptr fs:[00000030h]	5_2_00FB903E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB903E mov eax, dword ptr fs:[00000030h]	5_2_00FB903E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB903E mov eax, dword ptr fs:[00000030h]	5_2_00FB903E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEA020 mov eax, dword ptr fs:[00000030h]	5_2_00EEA020
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEC020 mov eax, dword ptr fs:[00000030h]	5_2_00EEC020
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E016 mov eax, dword ptr fs:[00000030h]	5_2_00F0E016
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E016 mov eax, dword ptr fs:[00000030h]	5_2_00F0E016
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E016 mov eax, dword ptr fs:[00000030h]	5_2_00F0E016
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E016 mov eax, dword ptr fs:[00000030h]	5_2_00F0E016
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F74000 mov ecx, dword ptr fs:[00000030h]	5_2_00F74000
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F971F9 mov esi, dword ptr fs:[00000030h]	5_2_00F971F9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF51ED mov eax, dword ptr fs:[00000030h]	5_2_00EF51ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F201F8 mov eax, dword ptr fs:[00000030h]	5_2_00F201F8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC61E5 mov eax, dword ptr fs:[00000030h]	5_2_00FC61E5
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F151EF mov eax, dword ptr fs:[00000030h]	5_2_00F151EF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2D1D0 mov eax, dword ptr fs:[00000030h]	5_2_00F2D1D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2D1D0 mov ecx, dword ptr fs:[00000030h]	5_2_00F2D1D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6E1D0 mov eax, dword ptr fs:[00000030h]	5_2_00F6E1D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6E1D0 mov eax, dword ptr fs:[00000030h]	5_2_00F6E1D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_00F6E1D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6E1D0 mov eax, dword ptr fs:[00000030h]	5_2_00F6E1D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6E1D0 mov eax, dword ptr fs:[00000030h]	5_2_00F6E1D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC51CB mov eax, dword ptr fs:[00000030h]	5_2_00FC51CB
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB61C3 mov eax, dword ptr fs:[00000030h]	5_2_00FB61C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB61C3 mov eax, dword ptr fs:[00000030h]	5_2_00FB61C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0B1B0 mov eax, dword ptr fs:[00000030h]	5_2_00F0B1B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA11A4 mov eax, dword ptr fs:[00000030h]	5_2_00FA11A4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA11A4 mov eax, dword ptr fs:[00000030h]	5_2_00FA11A4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA11A4 mov eax, dword ptr fs:[00000030h]	5_2_00FA11A4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA11A4 mov eax, dword ptr fs:[00000030h]	5_2_00FA11A4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F47190 mov eax, dword ptr fs:[00000030h]	5_2_00F47190
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7019F mov eax, dword ptr fs:[00000030h]	5_2_00F7019F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7019F mov eax, dword ptr fs:[00000030h]	5_2_00F7019F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7019F mov eax, dword ptr fs:[00000030h]	5_2_00F7019F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7019F mov eax, dword ptr fs:[00000030h]	5_2_00F7019F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAC188 mov eax, dword ptr fs:[00000030h]	5_2_00FAC188
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAC188 mov eax, dword ptr fs:[00000030h]	5_2_00FAC188
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F30185 mov eax, dword ptr fs:[00000030h]	5_2_00F30185
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEA197 mov eax, dword ptr fs:[00000030h]	5_2_00EEA197
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEA197 mov eax, dword ptr fs:[00000030h]	5_2_00EEA197
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEA197 mov eax, dword ptr fs:[00000030h]	5_2_00EEA197
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F89179 mov eax, dword ptr fs:[00000030h]	5_2_00F89179
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEF172 mov eax, dword ptr fs:[00000030h]	5_2_00EEF172
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F88158 mov eax, dword ptr fs:[00000030h]	5_2_00F88158
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9148 mov eax, dword ptr fs:[00000030h]	5_2_00EE9148
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9148 mov eax, dword ptr fs:[00000030h]	5_2_00EE9148
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9148 mov eax, dword ptr fs:[00000030h]	5_2_00EE9148
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9148 mov eax, dword ptr fs:[00000030h]	5_2_00EE9148
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC5152 mov eax, dword ptr fs:[00000030h]	5_2_00FC5152
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEC156 mov eax, dword ptr fs:[00000030h]	5_2_00EEC156
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F83140 mov eax, dword ptr fs:[00000030h]	5_2_00F83140
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F83140 mov eax, dword ptr fs:[00000030h]	5_2_00F83140
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F83140 mov eax, dword ptr fs:[00000030h]	5_2_00F83140
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF6154 mov eax, dword ptr fs:[00000030h]	5_2_00EF6154
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF6154 mov eax, dword ptr fs:[00000030h]	5_2_00EF6154
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h]	5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h]	5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F84144 mov ecx, dword ptr fs:[00000030h]	5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h]	5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F84144 mov eax, dword ptr fs:[00000030h]	5_2_00F84144
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF7152 mov eax, dword ptr fs:[00000030h]	5_2_00EF7152
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F20124 mov eax, dword ptr fs:[00000030h]	5_2_00F20124
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h]	5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h]	5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h]	5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB136 mov eax, dword ptr fs:[00000030h]	5_2_00EEB136
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1131 mov eax, dword ptr fs:[00000030h]	5_2_00EF1131
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1131 mov eax, dword ptr fs:[00000030h]	5_2_00EF1131
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9A118 mov ecx, dword ptr fs:[00000030h]	5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9A118 mov eax, dword ptr fs:[00000030h]	5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9A118 mov eax, dword ptr fs:[00000030h]	5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9A118 mov eax, dword ptr fs:[00000030h]	5_2_00F9A118
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB0115 mov eax, dword ptr fs:[00000030h]	5_2_00FB0115
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAF2F8 mov eax, dword ptr fs:[00000030h]	5_2_00FAF2F8
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE92FF mov eax, dword ptr fs:[00000030h]	5_2_00EE92FF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F002E1 mov eax, dword ptr fs:[00000030h]	5_2_00F002E1
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F002E1 mov eax, dword ptr fs:[00000030h]	5_2_00F002E1
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F002E1 mov eax, dword ptr fs:[00000030h]	5_2_00F002E1
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA12ED mov eax, dword ptr fs:[00000030h]	5_2_00FA12ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC52E2 mov eax, dword ptr fs:[00000030h]	5_2_00FC52E2
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F2D0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F2D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F2D0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F2D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF92C5 mov eax, dword ptr fs:[00000030h]	5_2_00EF92C5
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF92C5 mov eax, dword ptr fs:[00000030h]	5_2_00EF92C5
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h]	5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h]	5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h]	5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h]	5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA2C3 mov eax, dword ptr fs:[00000030h]	5_2_00EFA2C3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h]	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h]	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h]	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h]	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h]	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h]	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1B2C0 mov eax, dword ptr fs:[00000030h]	5_2_00F1B2C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB2D3 mov eax, dword ptr fs:[00000030h]	5_2_00EEB2D3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB2D3 mov eax, dword ptr fs:[00000030h]	5_2_00EEB2D3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB2D3 mov eax, dword ptr fs:[00000030h]	5_2_00EEB2D3
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F792BC mov eax, dword ptr fs:[00000030h]	5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F792BC mov eax, dword ptr fs:[00000030h]	5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F792BC mov ecx, dword ptr fs:[00000030h]	5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F792BC mov ecx, dword ptr fs:[00000030h]	5_2_00F792BC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F002A0 mov eax, dword ptr fs:[00000030h]	5_2_00F002A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F002A0 mov eax, dword ptr fs:[00000030h]	5_2_00F002A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h]	5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h]	5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h]	5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F052A0 mov eax, dword ptr fs:[00000030h]	5_2_00F052A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F872A0 mov eax, dword ptr fs:[00000030h]	5_2_00F872A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F872A0 mov eax, dword ptr fs:[00000030h]	5_2_00F872A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h]	5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F862A0 mov ecx, dword ptr fs:[00000030h]	5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h]	5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h]	5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h]	5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F862A0 mov eax, dword ptr fs:[00000030h]	5_2_00F862A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h]	5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h]	5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h]	5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB92A6 mov eax, dword ptr fs:[00000030h]	5_2_00FB92A6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2329E mov eax, dword ptr fs:[00000030h]	5_2_00F2329E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2329E mov eax, dword ptr fs:[00000030h]	5_2_00F2329E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F70283 mov eax, dword ptr fs:[00000030h]	5_2_00F70283
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F70283 mov eax, dword ptr fs:[00000030h]	5_2_00F70283
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F70283 mov eax, dword ptr fs:[00000030h]	5_2_00F70283
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E284 mov eax, dword ptr fs:[00000030h]	5_2_00F2E284
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E284 mov eax, dword ptr fs:[00000030h]	5_2_00F2E284
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC5283 mov eax, dword ptr fs:[00000030h]	5_2_00FC5283
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F31270 mov eax, dword ptr fs:[00000030h]	5_2_00F31270
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F31270 mov eax, dword ptr fs:[00000030h]	5_2_00F31270
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE826B mov eax, dword ptr fs:[00000030h]	5_2_00EE826B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F19274 mov eax, dword ptr fs:[00000030h]	5_2_00F19274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FA0274 mov eax, dword ptr fs:[00000030h]	5_2_00FA0274
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF4260 mov eax, dword ptr fs:[00000030h]	5_2_00EF4260
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF4260 mov eax, dword ptr fs:[00000030h]	5_2_00EF4260
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF4260 mov eax, dword ptr fs:[00000030h]	5_2_00EF4260
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBD26B mov eax, dword ptr fs:[00000030h]	5_2_00FBD26B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBD26B mov eax, dword ptr fs:[00000030h]	5_2_00FBD26B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAB256 mov eax, dword ptr fs:[00000030h]	5_2_00FAB256
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAB256 mov eax, dword ptr fs:[00000030h]	5_2_00FAB256
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9240 mov eax, dword ptr fs:[00000030h]	5_2_00EE9240
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9240 mov eax, dword ptr fs:[00000030h]	5_2_00EE9240
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F78243 mov eax, dword ptr fs:[00000030h]	5_2_00F78243
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F78243 mov ecx, dword ptr fs:[00000030h]	5_2_00F78243
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF6259 mov eax, dword ptr fs:[00000030h]	5_2_00EF6259
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEA250 mov eax, dword ptr fs:[00000030h]	5_2_00EEA250
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2724D mov eax, dword ptr fs:[00000030h]	5_2_00F2724D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE823B mov eax, dword ptr fs:[00000030h]	5_2_00EE823B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC5227 mov eax, dword ptr fs:[00000030h]	5_2_00FC5227
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F27208 mov eax, dword ptr fs:[00000030h]	5_2_00F27208
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F27208 mov eax, dword ptr fs:[00000030h]	5_2_00F27208
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC53FC mov eax, dword ptr fs:[00000030h]	5_2_00FC53FC
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E3F0 mov eax, dword ptr fs:[00000030h]	5_2_00F0E3F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E3F0 mov eax, dword ptr fs:[00000030h]	5_2_00F0E3F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0E3F0 mov eax, dword ptr fs:[00000030h]	5_2_00F0E3F0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F263FF mov eax, dword ptr fs:[00000030h]	5_2_00F263FF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F003E9 mov eax, dword ptr fs:[00000030h]	5_2_00F003E9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAF3E6 mov eax, dword ptr fs:[00000030h]	5_2_00FAF3E6
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAB3D0 mov ecx, dword ptr fs:[00000030h]	5_2_00FAB3D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h]	5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h]	5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h]	5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h]	5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h]	5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFA3C0 mov eax, dword ptr fs:[00000030h]	5_2_00EFA3C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h]	5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h]	5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h]	5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF83C0 mov eax, dword ptr fs:[00000030h]	5_2_00EF83C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAC3CD mov eax, dword ptr fs:[00000030h]	5_2_00FAC3CD
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F763C0 mov eax, dword ptr fs:[00000030h]	5_2_00F763C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F233A0 mov eax, dword ptr fs:[00000030h]	5_2_00F233A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F233A0 mov eax, dword ptr fs:[00000030h]	5_2_00F233A0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F133A5 mov eax, dword ptr fs:[00000030h]	5_2_00F133A5
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC539D mov eax, dword ptr fs:[00000030h]	5_2_00FC539D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEE388 mov eax, dword ptr fs:[00000030h]	5_2_00EEE388
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEE388 mov eax, dword ptr fs:[00000030h]	5_2_00EEE388
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEE388 mov eax, dword ptr fs:[00000030h]	5_2_00EEE388
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F4739A mov eax, dword ptr fs:[00000030h]	5_2_00F4739A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F4739A mov eax, dword ptr fs:[00000030h]	5_2_00F4739A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE8397 mov eax, dword ptr fs:[00000030h]	5_2_00EE8397
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE8397 mov eax, dword ptr fs:[00000030h]	5_2_00EE8397
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE8397 mov eax, dword ptr fs:[00000030h]	5_2_00EE8397
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1438F mov eax, dword ptr fs:[00000030h]	5_2_00F1438F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1438F mov eax, dword ptr fs:[00000030h]	5_2_00F1438F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F9437C mov eax, dword ptr fs:[00000030h]	5_2_00F9437C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAF367 mov eax, dword ptr fs:[00000030h]	5_2_00FAF367
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF7370 mov eax, dword ptr fs:[00000030h]	5_2_00EF7370
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF7370 mov eax, dword ptr fs:[00000030h]	5_2_00EF7370
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF7370 mov eax, dword ptr fs:[00000030h]	5_2_00EF7370
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EED34C mov eax, dword ptr fs:[00000030h]	5_2_00EED34C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EED34C mov eax, dword ptr fs:[00000030h]	5_2_00EED34C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FBA352 mov eax, dword ptr fs:[00000030h]	5_2_00FBA352
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h]	5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h]	5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h]	5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7035C mov ecx, dword ptr fs:[00000030h]	5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h]	5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7035C mov eax, dword ptr fs:[00000030h]	5_2_00F7035C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC5341 mov eax, dword ptr fs:[00000030h]	5_2_00FC5341
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9353 mov eax, dword ptr fs:[00000030h]	5_2_00EE9353
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE9353 mov eax, dword ptr fs:[00000030h]	5_2_00EE9353
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F72349 mov eax, dword ptr fs:[00000030h]	5_2_00F72349
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB132D mov eax, dword ptr fs:[00000030h]	5_2_00FB132D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FB132D mov eax, dword ptr fs:[00000030h]	5_2_00FB132D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F32A mov eax, dword ptr fs:[00000030h]	5_2_00F1F32A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE7330 mov eax, dword ptr fs:[00000030h]	5_2_00EE7330
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F10310 mov ecx, dword ptr fs:[00000030h]	5_2_00F10310
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2A30B mov eax, dword ptr fs:[00000030h]	5_2_00F2A30B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2A30B mov eax, dword ptr fs:[00000030h]	5_2_00F2A30B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2A30B mov eax, dword ptr fs:[00000030h]	5_2_00F2A30B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7930B mov eax, dword ptr fs:[00000030h]	5_2_00F7930B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7930B mov eax, dword ptr fs:[00000030h]	5_2_00F7930B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7930B mov eax, dword ptr fs:[00000030h]	5_2_00F7930B
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEC310 mov ecx, dword ptr fs:[00000030h]	5_2_00EEC310
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF04E5 mov ecx, dword ptr fs:[00000030h]	5_2_00EF04E5
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F994E0 mov eax, dword ptr fs:[00000030h]	5_2_00F994E0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC54DB mov eax, dword ptr fs:[00000030h]	5_2_00FC54DB
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F234B0 mov eax, dword ptr fs:[00000030h]	5_2_00F234B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F244B0 mov ecx, dword ptr fs:[00000030h]	5_2_00F244B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF64AB mov eax, dword ptr fs:[00000030h]	5_2_00EF64AB
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7A4B0 mov eax, dword ptr fs:[00000030h]	5_2_00F7A4B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF9486 mov eax, dword ptr fs:[00000030h]	5_2_00EF9486
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF9486 mov eax, dword ptr fs:[00000030h]	5_2_00EF9486
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB480 mov eax, dword ptr fs:[00000030h]	5_2_00EEB480
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1A470 mov eax, dword ptr fs:[00000030h]	5_2_00F1A470
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1A470 mov eax, dword ptr fs:[00000030h]	5_2_00F1A470
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1A470 mov eax, dword ptr fs:[00000030h]	5_2_00F1A470
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC547F mov eax, dword ptr fs:[00000030h]	5_2_00FC547F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h]	5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h]	5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h]	5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h]	5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF1460 mov eax, dword ptr fs:[00000030h]	5_2_00EF1460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h]	5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h]	5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h]	5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h]	5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h]	5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F0F460 mov eax, dword ptr fs:[00000030h]	5_2_00F0F460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7C460 mov ecx, dword ptr fs:[00000030h]	5_2_00F7C460
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAF453 mov eax, dword ptr fs:[00000030h]	5_2_00FAF453
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1245A mov eax, dword ptr fs:[00000030h]	5_2_00F1245A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h]	5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h]	5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h]	5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h]	5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h]	5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EFB440 mov eax, dword ptr fs:[00000030h]	5_2_00EFB440
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E443 mov eax, dword ptr fs:[00000030h]	5_2_00F2E443
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE645D mov eax, dword ptr fs:[00000030h]	5_2_00EE645D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2A430 mov eax, dword ptr fs:[00000030h]	5_2_00F2A430
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEC427 mov eax, dword ptr fs:[00000030h]	5_2_00EEC427
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEE420 mov eax, dword ptr fs:[00000030h]	5_2_00EEE420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEE420 mov eax, dword ptr fs:[00000030h]	5_2_00EEE420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEE420 mov eax, dword ptr fs:[00000030h]	5_2_00EEE420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76420 mov eax, dword ptr fs:[00000030h]	5_2_00F76420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76420 mov eax, dword ptr fs:[00000030h]	5_2_00F76420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76420 mov eax, dword ptr fs:[00000030h]	5_2_00F76420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76420 mov eax, dword ptr fs:[00000030h]	5_2_00F76420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76420 mov eax, dword ptr fs:[00000030h]	5_2_00F76420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76420 mov eax, dword ptr fs:[00000030h]	5_2_00F76420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F76420 mov eax, dword ptr fs:[00000030h]	5_2_00F76420
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F77410 mov eax, dword ptr fs:[00000030h]	5_2_00F77410
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F28402 mov eax, dword ptr fs:[00000030h]	5_2_00F28402
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F28402 mov eax, dword ptr fs:[00000030h]	5_2_00F28402
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F28402 mov eax, dword ptr fs:[00000030h]	5_2_00F28402
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1340D mov eax, dword ptr fs:[00000030h]	5_2_00F1340D
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115F4 mov eax, dword ptr fs:[00000030h]	5_2_00F115F4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115F4 mov eax, dword ptr fs:[00000030h]	5_2_00F115F4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115F4 mov eax, dword ptr fs:[00000030h]	5_2_00F115F4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115F4 mov eax, dword ptr fs:[00000030h]	5_2_00F115F4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115F4 mov eax, dword ptr fs:[00000030h]	5_2_00F115F4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115F4 mov eax, dword ptr fs:[00000030h]	5_2_00F115F4
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF25E0 mov eax, dword ptr fs:[00000030h]	5_2_00EF25E0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E5E7 mov eax, dword ptr fs:[00000030h]	5_2_00F1E5E7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2C5ED mov eax, dword ptr fs:[00000030h]	5_2_00F2C5ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2C5ED mov eax, dword ptr fs:[00000030h]	5_2_00F2C5ED
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2A5D0 mov eax, dword ptr fs:[00000030h]	5_2_00F2A5D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2A5D0 mov eax, dword ptr fs:[00000030h]	5_2_00F2A5D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6D5D0 mov eax, dword ptr fs:[00000030h]	5_2_00F6D5D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F6D5D0 mov ecx, dword ptr fs:[00000030h]	5_2_00F6D5D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F195DA mov eax, dword ptr fs:[00000030h]	5_2_00F195DA
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC35D7 mov eax, dword ptr fs:[00000030h]	5_2_00FC35D7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC35D7 mov eax, dword ptr fs:[00000030h]	5_2_00FC35D7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC35D7 mov eax, dword ptr fs:[00000030h]	5_2_00FC35D7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F255C0 mov eax, dword ptr fs:[00000030h]	5_2_00F255C0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC55C9 mov eax, dword ptr fs:[00000030h]	5_2_00FC55C9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E5CF mov eax, dword ptr fs:[00000030h]	5_2_00F2E5CF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E5CF mov eax, dword ptr fs:[00000030h]	5_2_00F2E5CF
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF65D0 mov eax, dword ptr fs:[00000030h]	5_2_00EF65D0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F145B1 mov eax, dword ptr fs:[00000030h]	5_2_00F145B1
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F145B1 mov eax, dword ptr fs:[00000030h]	5_2_00F145B1
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1F5B0 mov eax, dword ptr fs:[00000030h]	5_2_00F1F5B0
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F835BA mov eax, dword ptr fs:[00000030h]	5_2_00F835BA
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F835BA mov eax, dword ptr fs:[00000030h]	5_2_00F835BA
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F835BA mov eax, dword ptr fs:[00000030h]	5_2_00F835BA
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F835BA mov eax, dword ptr fs:[00000030h]	5_2_00F835BA
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FAF5BE mov eax, dword ptr fs:[00000030h]	5_2_00FAF5BE
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F705A7 mov eax, dword ptr fs:[00000030h]	5_2_00F705A7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F705A7 mov eax, dword ptr fs:[00000030h]	5_2_00F705A7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F705A7 mov eax, dword ptr fs:[00000030h]	5_2_00F705A7
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115A9 mov eax, dword ptr fs:[00000030h]	5_2_00F115A9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115A9 mov eax, dword ptr fs:[00000030h]	5_2_00F115A9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115A9 mov eax, dword ptr fs:[00000030h]	5_2_00F115A9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115A9 mov eax, dword ptr fs:[00000030h]	5_2_00F115A9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F115A9 mov eax, dword ptr fs:[00000030h]	5_2_00F115A9
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE758F mov eax, dword ptr fs:[00000030h]	5_2_00EE758F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE758F mov eax, dword ptr fs:[00000030h]	5_2_00EE758F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EE758F mov eax, dword ptr fs:[00000030h]	5_2_00EE758F
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7B594 mov eax, dword ptr fs:[00000030h]	5_2_00F7B594
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F7B594 mov eax, dword ptr fs:[00000030h]	5_2_00F7B594
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF2582 mov eax, dword ptr fs:[00000030h]	5_2_00EF2582
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF2582 mov ecx, dword ptr fs:[00000030h]	5_2_00EF2582
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2E59C mov eax, dword ptr fs:[00000030h]	5_2_00F2E59C
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F24588 mov eax, dword ptr fs:[00000030h]	5_2_00F24588
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2B570 mov eax, dword ptr fs:[00000030h]	5_2_00F2B570
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2B570 mov eax, dword ptr fs:[00000030h]	5_2_00F2B570
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EEB562 mov eax, dword ptr fs:[00000030h]	5_2_00EEB562
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2656A mov eax, dword ptr fs:[00000030h]	5_2_00F2656A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2656A mov eax, dword ptr fs:[00000030h]	5_2_00F2656A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2656A mov eax, dword ptr fs:[00000030h]	5_2_00F2656A
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF8550 mov eax, dword ptr fs:[00000030h]	5_2_00EF8550
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00EF8550 mov eax, dword ptr fs:[00000030h]	5_2_00EF8550
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2D530 mov eax, dword ptr fs:[00000030h]	5_2_00F2D530
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F2D530 mov eax, dword ptr fs:[00000030h]	5_2_00F2D530
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00535 mov eax, dword ptr fs:[00000030h]	5_2_00F00535
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00535 mov eax, dword ptr fs:[00000030h]	5_2_00F00535
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00535 mov eax, dword ptr fs:[00000030h]	5_2_00F00535
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00535 mov eax, dword ptr fs:[00000030h]	5_2_00F00535
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00535 mov eax, dword ptr fs:[00000030h]	5_2_00F00535
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F00535 mov eax, dword ptr fs:[00000030h]	5_2_00F00535
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00FC5537 mov eax, dword ptr fs:[00000030h]	5_2_00FC5537
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E53E mov eax, dword ptr fs:[00000030h]	5_2_00F1E53E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E53E mov eax, dword ptr fs:[00000030h]	5_2_00F1E53E
Source: C:\Users\user\Desktop\P.O.exe	Code function: 5_2_00F1E53E mov eax, dword ptr fs:[00000030h]	5_2_00F1E53E

Source: C:\Users\user\Desktop\P.O.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\P.O.exe

Memory written: C:\Users\user\Desktop\P.O.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Process created: C:\Users\user\Desktop\P.O.exe "C:\Users\user\Desktop\P.O.exe"

Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Users\user\Desktop\P.O.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P.O.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\P.O.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.P.O.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.P.O.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	2 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
P.O.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.BotX
P.O.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet2.xsdM	P.O.exe	false	high
http://www.tiro.com	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet.xsd	P.O.exe	false	high
http://www.sajatypeworks.com	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/ianiDataSet1.xsd	P.O.exe	false	high
http://www.founder.com.cn/cn	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	P.O.exe, 00000000.00000002.1953414669.0000000007052000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560083
Start date and time:	2024-11-21 11:37:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	P.O.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 39 Number of non-executed functions: 203
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: P.O.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P.O.exe.log

Download File

Process:	C:\Users\user\Desktop\P.O.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.5572076518938935
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	P.O.exe
File size:	1'029'120 bytes
MD5:	6802a38084da57589c5d743dcbf22a66
SHA1:	83ed1d10c94b42586916aa0e52f8fe980b408386
SHA256:	c6324c508e3f4ca77de6321a2ba98faec3cb40ab4b9d85a2eced9560f24f6eb9
SHA512:	d10850405e917d3e81f9a844a376594c303ac8756e626d880f4b22e8d71b7289fc594aa8193c38dc0ba6692d50f71bfdae199a643ec49b06438f14dfe5218744
SSDEEP:	24576:1rOrPQzqszxW7yp+p2++L/gCKw2Lb3tEF2ZgzaFeEZN:Tzq6W74+ojgCKfNEF+gz0D
TLSH:	0225B02077F8DE67E27A61F3DB84421197BAD185767BE3AA0CC560CE25D27321383927
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0......(........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	130b253d1931012d

Static PE Info

General

Entrypoint:	0x4fa82e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673EBFB4 [Thu Nov 21 05:05:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfa7dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfc000	0x2588	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x100000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf8834	0xf8a00	0dbbef3b57b3a8f7b6c07f621ab93613	False	0.7493155715811965	data	7.559514437779557	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xfc000	0x2588	0x2600	ba2eeab4f7432b876f0bb04b563f8c2b	False	0.875	data	7.577177546459968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x100000	0xc	0x200	31e52b28137a4fec5a722abcc967fb2f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xfc100	0x2016	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9504504504504504
RT_GROUP_ICON	0xfe128	0x14	data	1.05
RT_VERSION	0xfe14c	0x23c	data	0.46853146853146854
RT_MANIFEST	0xfe398	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: P.O.exePID: 7424, Parent PID: 2580

General

Target ID:	0
Start time:	05:38:39
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\P.O.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\P.O.exe"
Imagebase:	0xa70000
File size:	1'029'120 bytes
MD5 hash:	6802A38084DA57589C5D743DCBF22A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: P.O.exePID: 7948, Parent PID: 7424

General

Target ID:	5
Start time:	05:39:04
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\P.O.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\P.O.exe"
Imagebase:	0x400000
File size:	1'029'120 bytes
MD5 hash:	6802A38084DA57589C5D743DCBF22A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2357534519.0000000001210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: P.O.exePID: 7424, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	204
Total number of Limit Nodes:	6

Executed Functions

Function 07737A48 Relevance: 1.6, APIs: 1, Instructions: 53nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 07737AB5

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 1b54ed892d6debaef0a5dbde8d0108fbffceac42fd963e2dc4de89a03acb7f47
Instruction ID: ae365206352e150b59f6d27729f283d6f1544faa66fea6c3c3dc64eea990458d
Opcode Fuzzy Hash: 1b54ed892d6debaef0a5dbde8d0108fbffceac42fd963e2dc4de89a03acb7f47
Instruction Fuzzy Hash: AF1137B19002498FCB10DFA9C444BDEFFF5AF88324F24842AD559A7250C7799944CFA4

Function 07737A50 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 07737AB5

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 0a1df687a16f01e3e7db770d22f20800efda37e3c5b4165360e42408bf55a14e
Instruction ID: a0bf8358e9a2d9f737156ae52c77637c9e50d235b1551fdb4933a6a301159961
Opcode Fuzzy Hash: 0a1df687a16f01e3e7db770d22f20800efda37e3c5b4165360e42408bf55a14e
Instruction Fuzzy Hash: B41158B19002498FCB10DFAAC445BDEFFF4EB88324F20882AD459A7350CB75A944CFA4

Function 0773AAD0 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8da741f403603683f8b2ab00213aedd8c09e42e7dba800518fe3a2180413d49
Instruction ID: b7cbafaff628ab9be7065da30dda5e832e940c3ab2a59ddc06ea70011155ef57
Opcode Fuzzy Hash: d8da741f403603683f8b2ab00213aedd8c09e42e7dba800518fe3a2180413d49
Instruction Fuzzy Hash: B032BFB0B012058FDB19DB65C590BAEBBF6AF89340F25886DE046DB3A2DB35DD01CB51

Function 07737AFC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07737D3E

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 73de43c1f5efdbb31bf9ba20c351f1e9cb2183335b5938fdaadb7bad4714f955
Instruction ID: 93e1958d525474748f5978a4a45dbbb9595ccf27f31f1c78d5f680ebe31165b6
Opcode Fuzzy Hash: 73de43c1f5efdbb31bf9ba20c351f1e9cb2183335b5938fdaadb7bad4714f955
Instruction Fuzzy Hash: 69A18EB1D0021ACFDB14CF68C881BEDBBB2BF48354F1485A9E808A7251DB749985CF92

Function 07737B08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07737D3E

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 75195062e9dab90e27847908c65938c7d0e5591d15bd453ffcdaca1e720a4459
Instruction ID: 1bf44cbfbd954796a2e464216bcce2bde1e4f9dfc69acb76afa8719c97523726
Opcode Fuzzy Hash: 75195062e9dab90e27847908c65938c7d0e5591d15bd453ffcdaca1e720a4459
Instruction Fuzzy Hash: 6E916DB1D0031ADFDB14CF68C881BEDBBB6BF48354F1485A9E808A7251DB749985CF92

Function 0144AD08 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144AF5E

Memory Dump Source

Source File: 00000000.00000002.1949065234.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_P.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 04070e62dbf10efda4817b012032a679343c7962711948ba95dba8fb8ec2067d
Instruction ID: 76ed831408349b2eb0ffb2dae4580f7667be14c35d1a9c490d1a97f853f88fa8
Opcode Fuzzy Hash: 04070e62dbf10efda4817b012032a679343c7962711948ba95dba8fb8ec2067d
Instruction Fuzzy Hash: CD7125B0A40B058FE724DF2AD04175ABBF5BF48314F20892ED49AD7B60D775E84ACB90

Function 014444B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459A9

Memory Dump Source

Source File: 00000000.00000002.1949065234.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_P.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 155d7a20994a7583d651b3528cb078ea6a3a03ada72dc5c68da8c5248d32b93f
Instruction ID: cfbb3745137c5e327f289784ca72bde94b5e1eeaa468a572629f925f896ec1a7
Opcode Fuzzy Hash: 155d7a20994a7583d651b3528cb078ea6a3a03ada72dc5c68da8c5248d32b93f
Instruction Fuzzy Hash: A141C1B0D00719CFDF24DFA9C884B9EBBB5BF49304F24806AD418AB265DB756945CF90

Function 014458EC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459A9

Memory Dump Source

Source File: 00000000.00000002.1949065234.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_P.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 844c2439fd22588e78e3d4c398f0b242f48efd5100efee97e8e0f3cdc25672d2
Instruction ID: eaabd1225890cd9e83ee678be0b250cbd44667bfed460c90d8bf3b558446137b
Opcode Fuzzy Hash: 844c2439fd22588e78e3d4c398f0b242f48efd5100efee97e8e0f3cdc25672d2
Instruction Fuzzy Hash: 9541E0B0C00719CFDF24CFA9C8846DEBBB5BF49304F2480AAD418AB265DB756946CF90

Function 07737879 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07737910

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae7707a62c5efbc969e78a7d5bb58bca6a8fcf12b6e61101d9b16dfe385eba0d
Instruction ID: b9d9c3d19af9a3157a0cae1608e3e697b7093e45035200c12b44faeac761d9f8
Opcode Fuzzy Hash: ae7707a62c5efbc969e78a7d5bb58bca6a8fcf12b6e61101d9b16dfe385eba0d
Instruction Fuzzy Hash: A6215AB6900259DFCB10DFA9C881BDEBBF1FF48310F10842AE558A7251C7749944CFA4

Function 07737880 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07737910

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8d661301ea7ad8206a8baef2dce536af46fa48d50c7feaae396f69d29c021ed8
Instruction ID: fc03a037553751b93794dddbdfbf0e63cc23c8ac79769bd2fff53f9339df6e3c
Opcode Fuzzy Hash: 8d661301ea7ad8206a8baef2dce536af46fa48d50c7feaae396f69d29c021ed8
Instruction Fuzzy Hash: 062139B19003599FCB10DFA9C885BEEBBF5FF48310F10882AE958A7251C7789954CBA4

Function 07737969 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077379F0

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cf019dc5506425cdae8fe9e26540ca0d42eae416e289d373578452c35e7232b2
Instruction ID: 6799ba8e16dfc3d1aeb1c8bde4ff41800e236bdbf03d61d487cb396451678bf7
Opcode Fuzzy Hash: cf019dc5506425cdae8fe9e26540ca0d42eae416e289d373578452c35e7232b2
Instruction Fuzzy Hash: 1D2116B1900259DFCB10DFA9C880AEEBBF1FF48320F10842AE559A7250C7749944CBA4

Function 077376E0 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07737766

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f02b7b7d736234dfce8545e80df299377e1d484e0775377e63018f66f6713948
Instruction ID: e0c2fe5ecbdeba96f201e9f6c3c14fc44dde0ac1f21d035c23cfae23cf43458b
Opcode Fuzzy Hash: f02b7b7d736234dfce8545e80df299377e1d484e0775377e63018f66f6713948
Instruction Fuzzy Hash: AF2138B1D002098FDB14DFAAC4857EEBBF4EF88324F14C42AD559A7241C7789985CFA4

Function 0144D1DC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D5B6,?,?,?,?,?), ref: 0144D677

Memory Dump Source

Source File: 00000000.00000002.1949065234.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_P.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c11f0bff8d8d81f0d562e5599104bb768339a14fe5964a39f7becd8cab6d07eb
Instruction ID: c3dddce8d018c5c1a2fae63a277241233de5186e18dd08a13d25a267297239e4
Opcode Fuzzy Hash: c11f0bff8d8d81f0d562e5599104bb768339a14fe5964a39f7becd8cab6d07eb
Instruction Fuzzy Hash: A621E3B5D002489FDB10CF9AD584ADEBBF4EB48320F54841AE918A7320D374A950CFA5

Function 0144D5E8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D5B6,?,?,?,?,?), ref: 0144D677

Memory Dump Source

Source File: 00000000.00000002.1949065234.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_P.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3681652e27cb7a5274f12edd2f968bb582453d8570912ef42fec6ba848739787
Instruction ID: c8a0becd2bd3e60b9ea96dcfa7c6cde0db9f4c528bf2ce6118d166a199c1843d
Opcode Fuzzy Hash: 3681652e27cb7a5274f12edd2f968bb582453d8570912ef42fec6ba848739787
Instruction Fuzzy Hash: CC21F8B5D01249DFDB10CF9AD584ADEBBF5FB08310F14841AE958A3310C378A945CF64

Function 077376E8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07737766

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7f9a1924a2ba68f46f515a23e270cca0ff61ff64681f1d257b80c7a74ed70c8d
Instruction ID: fa8a71ab80d54f2c9560dd5cbd49ad93dc9a5e7432851203a98002db68fd85cf
Opcode Fuzzy Hash: 7f9a1924a2ba68f46f515a23e270cca0ff61ff64681f1d257b80c7a74ed70c8d
Instruction Fuzzy Hash: 722149B1D003098FDB14DFAAC4857EEBBF4EF48324F50842AD459A7241C7789944CFA4

Function 07737970 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077379F0

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a3088059fee6dbdaf33d95d7306a05c427ce85d5aa5f74d9b2a9a31962a9456b
Instruction ID: 10fb8d38ef846a82a2cf411dbd8f143855c6f86301b9f6365af56def4b1ddf38
Opcode Fuzzy Hash: a3088059fee6dbdaf33d95d7306a05c427ce85d5aa5f74d9b2a9a31962a9456b
Instruction Fuzzy Hash: 152128B19002599FCB10DFAAC881BEEFBF5FF48320F50842AE559A7251C7749944CBA5

Function 077377B8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0773782E

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 347854e4c9142727ffff49bb8563ed90549894a60e5a93e59aee61e8328c830c
Instruction ID: 3bb8e2c6e9855917fba18b3311fcbc4ef3c045501884c4d573071c18c7dd1b6c
Opcode Fuzzy Hash: 347854e4c9142727ffff49bb8563ed90549894a60e5a93e59aee61e8328c830c
Instruction Fuzzy Hash: 891197B2900249CFCB10CFA9C845BDEBFF1EF88324F24882AE559A7250C7759941CFA0

Function 077377C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0773782E

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ed4d6ea343b39be04642a412d88ff8b7a241aec4b42de22082cd65581ac08ae1
Instruction ID: 1af47b26a1d510bfa5e3d773e698e03ef342589f3dfe64f4c9c9260e31953fcb
Opcode Fuzzy Hash: ed4d6ea343b39be04642a412d88ff8b7a241aec4b42de22082cd65581ac08ae1
Instruction Fuzzy Hash: 041137B29002499FDB10DFAAC845BDEBFF5EF88324F108829E559A7250C775A944CFA4

Function 077371FA Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07737262

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 86ffe0fa91d09186b04ef08f2f930eb0796ee67ff77e04109efd9c4d33f9df2d
Instruction ID: 67ffa4b9056baefe98e3b81c28609f2e2b1d56155ab0bd3ec1871098f9eddf8a
Opcode Fuzzy Hash: 86ffe0fa91d09186b04ef08f2f930eb0796ee67ff77e04109efd9c4d33f9df2d
Instruction Fuzzy Hash: C41158B19002498FCB10DFA9C585BEEFFF4EF88324F24842AD459A7250C774A944CFA4

Function 07737200 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07737262

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3afee7198785e6b34f65ad5a4e2f99de2633ab5b2b1f7488056a4c856c2f5872
Instruction ID: ea74d11265717fa906daea1af38bcb1b580fd5c296cfee7f1432972b4415f9b5
Opcode Fuzzy Hash: 3afee7198785e6b34f65ad5a4e2f99de2633ab5b2b1f7488056a4c856c2f5872
Instruction Fuzzy Hash: 5C113AB19003498FDB14DFAAC4457DEFBF4EB88324F20842AD459A7250C775A944CF94

Function 077343C8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07739EC5

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8d65ae9fe131cf4b8c43ad65853b675985968bd9b9cbd794b17dc8f053a837c1
Instruction ID: c8e0bffdb54ff932f94186407dc6231f6f8a1bd74abe213d899628138e7e4128
Opcode Fuzzy Hash: 8d65ae9fe131cf4b8c43ad65853b675985968bd9b9cbd794b17dc8f053a837c1
Instruction Fuzzy Hash: 201103B6804349DFDB10DF9AC485BDEBBF8EB48324F10885AE558A7201C3B5A944CFA5

Function 0144AEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144AF5E

Memory Dump Source

Source File: 00000000.00000002.1949065234.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_P.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0d01d900a87ee3eaa4973fb04c41cd81c5082ca5274a19ad47a11a3037f1009a
Instruction ID: c8e13d07f00fa75968b5b3fd2d1f043f2a1b0964601eb7ac767ba861c07c53ed
Opcode Fuzzy Hash: 0d01d900a87ee3eaa4973fb04c41cd81c5082ca5274a19ad47a11a3037f1009a
Instruction Fuzzy Hash: 2611E0B6D002498FEB10CF9AC444ADEFBF4EB88324F24846AD959A7350C379A545CFA5

Function 07739E62 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07739EC5

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6153dde5165b0e26812438ed6232940b0f9c8be9ac7993b4d5f544978c00abee
Instruction ID: d3c80af7d8e125225541bbad6e8be27dffbee0927f635526935e8b0f8ec9ecfc
Opcode Fuzzy Hash: 6153dde5165b0e26812438ed6232940b0f9c8be9ac7993b4d5f544978c00abee
Instruction Fuzzy Hash: 6F1103B6900249DFDB10CF99C584BDEBFF4FB48324F14885AE558A7610C3B5A944CFA5

Function 0117D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1948617566.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3ae36980e532d2ef97fe60bf0dec0714b61e157b5163e77617e2604df822eb
Instruction ID: d187b21f943ef056c0266824652f43dada071955fc4e25a88604ca0f4c73e9fa
Opcode Fuzzy Hash: 3b3ae36980e532d2ef97fe60bf0dec0714b61e157b5163e77617e2604df822eb
Instruction Fuzzy Hash: 3E21D371644208DFDF09DF98E580B26BBB5FF84324F24C56DE9494B356C336D446CA62

Function 0117D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1948617566.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52e14104b2f5de31017a0ec613025f148f74b2b57df155f3709efd3170a7edb
Instruction ID: 74ddeea21b29ccdc29ee3c633c88ff866cf9656c44c7023947a2cc061818e77a
Opcode Fuzzy Hash: d52e14104b2f5de31017a0ec613025f148f74b2b57df155f3709efd3170a7edb
Instruction Fuzzy Hash: 48210071604208DFCF1ADF58E984B26BBB5EF88314F20C56DD80A4B356C33AD446CA62

Function 0117D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1948617566.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3405bb572ff0492d07265cced3d444e2f338e87f9e8f9637d989612aaacbc22b
Instruction ID: af3fa37d25840fc325edff0a7a46a104e6d391e524de78b1e5a1ec60984189a0
Opcode Fuzzy Hash: 3405bb572ff0492d07265cced3d444e2f338e87f9e8f9637d989612aaacbc22b
Instruction Fuzzy Hash: 0521DE355083848FCB07CF24D990B15BF71EF46214F28C1EAD8498F2A3C33A980ACB62

Function 0117D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1948617566.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_117d000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f854f79de10ebd8d6bd352dee163efa89ec0fe42016407f608099c9570fa5b2e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F411A975504284DFDB06CF54D5C4B15BFB1FB84224F28C6AAD8494B396C33AD40ACB62

Function 0116D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1948574729.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07efb1e4079997280b4bfed96226a9a8c79582802f6e24a8cb8ecb7ebb23ea4d
Instruction ID: b9321db908b9eb52e37f8f6701d0a750493a801fee703de399e7eefd30711b3d
Opcode Fuzzy Hash: 07efb1e4079997280b4bfed96226a9a8c79582802f6e24a8cb8ecb7ebb23ea4d
Instruction Fuzzy Hash: 6D01FC3120478099EB194B59ED84767FFDCEF41328F18C466ED484A246C37E9840C6B3

Function 0116D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1948574729.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2000bc30e052200e10b874ae80f156c04ee5cee7ee5f4dc67e1a58a324d35cf
Instruction ID: be1504248ccbbaf691ff1efe78618da14bdf0193d677cfe4f8ce50d9ef82c0c6
Opcode Fuzzy Hash: e2000bc30e052200e10b874ae80f156c04ee5cee7ee5f4dc67e1a58a324d35cf
Instruction Fuzzy Hash: A2F062725047849EEB158F1ADC84B62FFECEF51639F18C45AED484A286C37A9844CBB1

Non-executed Functions

Function 07735738 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942a1cb818f21c302cd2c6120e835f5c68b79c2de4c4e527e112f3c576c9361c
Instruction ID: b70579848b68b460219172d4378aa6ec58a03be9546ef08f7a9f85d8243344f4
Opcode Fuzzy Hash: 942a1cb818f21c302cd2c6120e835f5c68b79c2de4c4e527e112f3c576c9361c
Instruction Fuzzy Hash: 97E1EBB4E102198FCB14DFA9D5909AEFBF2FF89304F248169D418AB356DB31A941CF61

Function 07734EC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2df749dca10ca908c08ec990c2e5614f34a3e50af68f7e7be5b0f5839ec3c4b
Instruction ID: e08c4a2f44b229f75a8ea82bad67bf8c1d865776ba1476e6cdfce55f87541ce2
Opcode Fuzzy Hash: e2df749dca10ca908c08ec990c2e5614f34a3e50af68f7e7be5b0f5839ec3c4b
Instruction Fuzzy Hash: 37E10CB4E101598FCB14DFA9D5909AEFBF2FF89304F248169D418AB356DB31A941CFA0

Function 07735B70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81567bd24dd7ed1043d6b5075c68fab945c267cbfff18e7ef9a3756f2715edb7
Instruction ID: a13f5f4b2c5132d716535807bd57608355124710300819f422a6c1bae8ced381
Opcode Fuzzy Hash: 81567bd24dd7ed1043d6b5075c68fab945c267cbfff18e7ef9a3756f2715edb7
Instruction Fuzzy Hash: 00E1EBB4E102198FCB14DFA9D5909AEFBF2FF49304F248159E418AB356DB31A941CF61

Function 07735300 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf560edcefe1e12fb012fc6f5774a59c427163cc3346fb7f15d22bb25918373
Instruction ID: 2365f8798a41edd2d6048da6b64c1cdf11fb0c4437ddab307ab09d4d2734cc9f
Opcode Fuzzy Hash: faf560edcefe1e12fb012fc6f5774a59c427163cc3346fb7f15d22bb25918373
Instruction Fuzzy Hash: 84E11BB4E102198FCB14DFA9D5809AEFBF2FF89305F248169E414AB356DB31A941CF61

Function 077372B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1954521910.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cccd179a7f2f5d95ecfbc36e464ab55ad922d6b71614783ed6257a46d545fda
Instruction ID: 91baf6d80a3bff17ddd65a96b9a99a0d54d80b5bacf9b1babd1943c6ef8bac0e
Opcode Fuzzy Hash: 2cccd179a7f2f5d95ecfbc36e464ab55ad922d6b71614783ed6257a46d545fda
Instruction Fuzzy Hash: 65E1FDB4E101198FDB14DFA9D5909AEFBF2FF89304F248169E414AB356DB31A941CFA0

Function 0144D51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1949065234.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1440000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e8f2549091e46ca1b88302d85a0c5dc995c78ca77bf56254d49b2679fd4ffd
Instruction ID: aee735c83ed77ec36a5a084712051a062cbd4b2fc7e20ad75edf63a0e2ca4f44
Opcode Fuzzy Hash: 88e8f2549091e46ca1b88302d85a0c5dc995c78ca77bf56254d49b2679fd4ffd
Instruction Fuzzy Hash: 02A18132E0021ACFDF05DFB9D84059EBBB2FF95300B15856AE905AB365DB31D95ACB80

Analysis Process: P.O.exePID: 7948, Parent PID: 7424COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	5.7%
Signature Coverage:	3.8%
Total number of Nodes:	105
Total number of Limit Nodes:	8

Executed Functions

Function 00417D83 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417DF5

Memory Dump Source

Source File: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_P.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 68a1343607c5a450f7786a2c1a825d0cce543795bf5a9c2a52c786633a32a0ce
Instruction ID: 88b9ef28133dc456cab6c81c5f600716b01c30102915f9fd8f3ec612534eff34
Opcode Fuzzy Hash: 68a1343607c5a450f7786a2c1a825d0cce543795bf5a9c2a52c786633a32a0ce
Instruction Fuzzy Hash: 23011EB5E0020DABDF10DAE5DC42FEEB3789F54308F0081AAE90897241F635EB598B95

Function 0042CCB3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CCE7

Memory Dump Source

Source File: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_P.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 78e2a7f370486fb8e38ebc04d0bcf967f8016fa95c29a15494aeb31deec0d7bf
Instruction ID: d46bfabfc098e6d5a2aad821b6b2a61ea91c21e50ceafb7c4f345b9124cf626d
Opcode Fuzzy Hash: 78e2a7f370486fb8e38ebc04d0bcf967f8016fa95c29a15494aeb31deec0d7bf
Instruction Fuzzy Hash: 98E026366006043BC210FA6ADC01FD7776CDFC5B10F000819FA0867242C7B4B90087F4

Function 00F335C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F335CA

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed1956c65601f96db5258064b31b036b731f1e024c9f28277afd016011493f16
Instruction ID: e1c6726b86b1361385d6f08b8448a28496dc832eb9f07dc39866ae465ba5a3d0
Opcode Fuzzy Hash: ed1956c65601f96db5258064b31b036b731f1e024c9f28277afd016011493f16
Instruction Fuzzy Hash: BA90023160550412D2007158851470A140587D0341F65C422A4424568E8BD98A5275A2

Function 00F32B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F32B6A

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f755868a58f86b29f667b505b1b9f4ad80fe694af71207240f066c011ccfada
Instruction ID: 86f859567ef1d012b4d22827ad1c43b933d5b6230a29c34b0c61f96e36c906a9
Opcode Fuzzy Hash: 4f755868a58f86b29f667b505b1b9f4ad80fe694af71207240f066c011ccfada
Instruction Fuzzy Hash: 0B9002612024001342057158841461A440A87E0341B55C032E5014590EC96989927125

Function 00F32C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F32C7A

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7313bc79457b07c402406145406ee68052ea51ff23dd1d0bc1396eb13ee6e0d6
Instruction ID: 8cee8514115e88e8363d497a2db4f56588291b975e4be1698a3c9be1df67315f
Opcode Fuzzy Hash: 7313bc79457b07c402406145406ee68052ea51ff23dd1d0bc1396eb13ee6e0d6
Instruction Fuzzy Hash: 4890023120148812D2107158C40474E040587D0341F59C422A8424658E8AD989927121

Function 00F32DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F32DFA

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0be75895dc9f3639d8f5e075d061aa774cab187c3836658b5f267bbaa67ab6c6
Instruction ID: 0b48512abd3f542b2ed447acd996fa7dad60f1f3511864076cc315d77e78c4a6
Opcode Fuzzy Hash: 0be75895dc9f3639d8f5e075d061aa774cab187c3836658b5f267bbaa67ab6c6
Instruction Fuzzy Hash: 9890023120140423D2117158850470B040987D0381F95C423A4424558E9A9A8A53B121

Function 0042D003 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,D08CFFD5,00000007,00000000,00000004,00000000,004175E7,000000F4), ref: 0042D03F

Memory Dump Source

Source File: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_P.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 03c4c79e38dc09a6bc7d5db5b5ebb6e976b89401a2158c2de3acff6390cbe796
Instruction ID: 480c2476483c24a98dc1ccd4d3f8387b92b9bc50a10ea559d801330f157754dd
Opcode Fuzzy Hash: 03c4c79e38dc09a6bc7d5db5b5ebb6e976b89401a2158c2de3acff6390cbe796
Instruction Fuzzy Hash: CCE065B66046147FE710EFA9EC41E9B33ACEFC9710F00041AFA08A7241D778B9108AB9

Function 0042CFB3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EB4E,?,?,00000000,?,0041EB4E,?,?,?), ref: 0042CFEF

Memory Dump Source

Source File: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_P.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fc49648c11e90faf33731bc79bc8e8675936d387bbefc8f6442bf02281781b34
Instruction ID: dc73a00d5b2d417b2c46dafea40d9adc71060332ee157e8bfc2b2fc429177c5c
Opcode Fuzzy Hash: fc49648c11e90faf33731bc79bc8e8675936d387bbefc8f6442bf02281781b34
Instruction Fuzzy Hash: 2DE06DB66042047BD610EE59EC41E9B33ACDFC9710F000819F908A7241D675BA118BB9

Function 0042D053 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042D087

Memory Dump Source

Source File: 00000005.00000002.2355865186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_P.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 15264c56b12c26b86eb90c2dabc34e6d55a96133bf5bcb6f2ee9bafa70ba7c0d
Instruction ID: 7a9833e9e4d947a3999cb396ff3879e5195884ea37e196f788b44d0b0899353c
Opcode Fuzzy Hash: 15264c56b12c26b86eb90c2dabc34e6d55a96133bf5bcb6f2ee9bafa70ba7c0d
Instruction Fuzzy Hash: D2E04F722406147BC210FA5ADC02F9B775CDBC5715F10845AFA086B241D7B9791587A8

Function 00F32C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F32C24

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26291dc3da8559d73c7a8404b91881e88a7eccedc2c4b8bb62253aa2bb4c6543
Instruction ID: d3e89d63a878e8d56cc4d538646808484f246cf16c3fb5b308ad883256312f75
Opcode Fuzzy Hash: 26291dc3da8559d73c7a8404b91881e88a7eccedc2c4b8bb62253aa2bb4c6543
Instruction Fuzzy Hash: A2B04C719015C595DA51A760460861A79006790761F15C062D2020641B47689591F175

Non-executed Functions

Function 00F72349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

RaiseExceptionOnPossibleDeadlock, xrefs: 00F72579
ShutdownFlags, xrefs: 00F724A1
UseImpersonatedDeviceMap, xrefs: 00F7251C
CFGOptions, xrefs: 00F72967
UnloadEventTraceDepth, xrefs: 00F724C0
MaxDeadActivationContexts, xrefs: 00F72D82
GlobalFlag, xrefs: 00F72F3F, 00F73059
minkernel\ntdll\ldrinit.c, xrefs: 00F73187
GlobalFlag2, xrefs: 00F72FC0
DisableExceptionChainValidation, xrefs: 00F7275F
@, xrefs: 00F72B74
LdrpInitializeExecutionOptions, xrefs: 00F7317D
MaxLoaderThreads, xrefs: 00F724EC
Initializing the application verifier package failed with status 0x%08lx, xrefs: 00F73176
@, xrefs: 00F72942
FrontEndHeapDebugOptions, xrefs: 00F72489
MinimumStackCommitInBytes, xrefs: 00F72BB0
TracingFlags, xrefs: 00F72549
ExecuteOptions, xrefs: 00F725A0
DisableHeapLookaside, xrefs: 00F7246D

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: c7b4f3ef1d459cfff31da272d2c4839e9de1effbfbc3c86f22f03fedbe002373
Instruction ID: 5384a62fa6ba80dc9885c88ea86e4ab1b3eec024304f8c3d2bcd98bd1136e144
Opcode Fuzzy Hash: c7b4f3ef1d459cfff31da272d2c4839e9de1effbfbc3c86f22f03fedbe002373
Instruction Fuzzy Hash: 82929F71A04341ABE760CF24CC81B6BB7E8BB84764F14881EFA98D7291D774E944EB53

Function 00FA12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00FA16CD, 00FA16F9, 00FA1749, 00FA179B, 00FA17FC, 00FA1840, 00FA18D9
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 00FA186B
Heap block at %p is not last block in segment (%p), xrefs: 00FA17B7
Free Heap block %p modified at %p after it was freed, xrefs: 00FA171B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 00FA176D
Heap block at %p has incorrect segment offset (%x), xrefs: 00FA181A
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 00FA18A5
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 00FA18F8
HEAP: , xrefs: 00FA1706, 00FA1756, 00FA17A8, 00FA1809, 00FA184D, 00FA1895, 00FA18E6

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 8b48bb70399b0c4ff896813fd5aa374019dd177de3408897e9ebded68a60b07e
Instruction ID: 44c867c42e5ca260f2cf7843d44a4610c9459abcfe73d99ec22ce02858fe3bb6
Opcode Fuzzy Hash: 8b48bb70399b0c4ff896813fd5aa374019dd177de3408897e9ebded68a60b07e
Instruction Fuzzy Hash: FB12BEB1A00646DFD725CF29C441BB6BBF5FF0A720F1A8459E4869B682D734EC81EB50

Function 00EED34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 00EED3E9
@, xrefs: 00EED49D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 00EED3B6
PreferredUILanguages, xrefs: 00EED4B8, 00EED4C5
PreferredUILanguagesPending, xrefs: 00F4A8DE
@, xrefs: 00EED663
MachinePreferredUILanguages, xrefs: 00EED685
Control Panel\Desktop\MuiCached, xrefs: 00EED62B
Control Panel\Desktop, xrefs: 00EED45D

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 9ed2f79444413866936bdc17bfe6656b7e501b492c8facb9c7c1b1cb486d6829
Instruction ID: 450e62b1707c3f6dada15b3bf99e99df455c48eb820cab6dee70dc06bffbbad9
Opcode Fuzzy Hash: 9ed2f79444413866936bdc17bfe6656b7e501b492c8facb9c7c1b1cb486d6829
Instruction Fuzzy Hash: 4FB19D7190C3999FC721DF25C880B6BBBE8AB88754F01592EF889E7240D734DD48DB92

Function 00F89179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

%s\%u-%u-%u-%u, xrefs: 00F89422
%s\%ld\%s, xrefs: 00F8948D
Global\Session\%ld%s, xrefs: 00F894C5
\AppContainerNamedObjects, xrefs: 00F894AB, 00F894B9
BaseNamedObjects, xrefs: 00F89477, 00F8947C
AppContainerNamedObjects, xrefs: 00F8946E, 00F894D6
\Sessions, xrefs: 00F89488
\BaseNamedObjects, xrefs: 00F8949E

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: f36bac6540710d5e51971827f74214b55241d7eeacdaf6b58dceaa1ed2fefca1
Instruction ID: 12fedad961d8197a54e9f17e4a06ca219bf96de3961cf4ff8068744d45f3ff0e
Opcode Fuzzy Hash: f36bac6540710d5e51971827f74214b55241d7eeacdaf6b58dceaa1ed2fefca1
Instruction Fuzzy Hash: 90D1E37280C311AFD721EB54CC41BBFB7E8AF84724F084929FA84A7250E7B4DD45A792

Function 00FA0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00FA0399, 00FA04A8, 00FA05D0, 00FA0675, 00FA06CC
RtlReAllocateHeap, xrefs: 00FA02BF, 00FA0362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 00FA069F
About to reallocate block at %p to %Ix bytes, xrefs: 00FA03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 00FA04D3
Just reallocated block at %p to %Ix bytes, xrefs: 00FA05F1
HEAP: , xrefs: 00FA03A6, 00FA04B5, 00FA05DD, 00FA0682, 00FA06D9
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00FA06EA

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: b5b78379c1ed73a1cc0ac9cf231581821f9312257443c8f63ec2c9a22bb503f4
Instruction ID: b0a106d68125fb8dbc430283b633c9e9b9627eebd7aaaa137ea8e307fc22ef19
Opcode Fuzzy Hash: b5b78379c1ed73a1cc0ac9cf231581821f9312257443c8f63ec2c9a22bb503f4
Instruction Fuzzy Hash: E8D1E171900789DFCB15DF68E841AADBBF1FF4A714F088059E445AB362CB35E981EB50

Function 00EED08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 00EED0CF
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 00EED262
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 00EED146
@, xrefs: 00EED313
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 00EED2C3
@, xrefs: 00EED2AF
@, xrefs: 00EED0FD
Control Panel\Desktop\LanguageConfiguration, xrefs: 00EED196

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 17f619e0f4f8ab752ccd8049dc2c41b4d55093f082586b8eb97e7d3957d488b3
Instruction ID: d47c5af7c4949db7bfe82160410b1f831eb3cba3ec2ec118431d3085abd1c60a
Opcode Fuzzy Hash: 17f619e0f4f8ab752ccd8049dc2c41b4d55093f082586b8eb97e7d3957d488b3
Instruction Fuzzy Hash: C8A15DB19083499FD721DF25C841B9BBBE8BF88725F00492EF998A6241D778D908DB53

Function 00EEF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00F4DF57, 00F4E09B, 00F4E279, 00F4E391
(UCRBlock != NULL), xrefs: 00F4DF6F
(LONG)FreeEntry->Size > 1, xrefs: 00F4E291
((LONG)FreeEntry->Size > 1), xrefs: 00F4E0B3
(!TrailingUCR), xrefs: 00F4E3A9
HEAP: , xrefs: 00F4DF64, 00F4E0A8, 00F4E286, 00F4E39E

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: c0f5cee0dee43b9e5c61cca9bdb187fd2b610801bf03831342890e8fc9557e90
Instruction ID: 5b269488357fd04d1bea779453db3855bcd9523da22b8c3af630569d5666b466
Opcode Fuzzy Hash: c0f5cee0dee43b9e5c61cca9bdb187fd2b610801bf03831342890e8fc9557e90
Instruction Fuzzy Hash: 0642FD316087898FC715CF29C880B6ABBE5FF88314F14596DF8869B392D734D945EB12

Function 00F0B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

API set, xrefs: 00F583F4, 00F583F9
SxS, xrefs: 00F583ED
minkernel\ntdll\ldrutil.c, xrefs: 00F5840D, 00F584E1
DLL %wZ was redirected to %wZ by %s, xrefs: 00F583FC
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 00F584D0
LdrpPreprocessDllName, xrefs: 00F58403, 00F584D7

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: c6364e3843f96c271ef57a84dd0e78f8db10fb59a74adecfb4e9a82047f775fe
Instruction ID: b728545034302019fc67c1c6e9fbf19db8a4b9ae3518bb9e06ecfdc27d74b1c1
Opcode Fuzzy Hash: c6364e3843f96c271ef57a84dd0e78f8db10fb59a74adecfb4e9a82047f775fe
Instruction Fuzzy Hash: 33C15931E04215ABDB24CF64CC81BBEB7A5AF45710F244169ED42AB2D2EB78CD49F391

Function 00F263FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 00F640E9, 00F6414B, 00F6420F, 00F64269
_LdrpInitialize, xrefs: 00F640DF, 00F64141, 00F64205, 00F6425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 00F640D8
Process initialization failed with status 0x%08lx, xrefs: 00F6413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 00F641FE
Delaying execution failed with status 0x%08lx, xrefs: 00F64258

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 256dee39deba1018632739cd4ccf64498e1c3bf9d6b7d17f293dae9388da3000
Instruction ID: 35f9118281c063af5cd57ca773caebdfa790b1206408cb5d89100ab7c121f8e0
Opcode Fuzzy Hash: 256dee39deba1018632739cd4ccf64498e1c3bf9d6b7d17f293dae9388da3000
Instruction Fuzzy Hash: F2915971E00768DBDB25EF54EC99BAA37A0AF51B24F240129F900AB2D1D778A841F791

Function 00EE645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 00F49A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 00F499ED
minkernel\ntdll\ldrinit.c, xrefs: 00F49A11, 00F49A3A
apphelp.dll, xrefs: 00EE6496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 00F49A01
LdrpInitShimEngine, xrefs: 00F499F4, 00F49A07, 00F49A30

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 2777ee354ae99b50a8c7bbafa021192eabea887f868c40fe33a5794fe72923a3
Instruction ID: 8b4e784713349c15ea15e6cae9c5422b05a78d8d1ac4701e1f963681fc13c7ab
Opcode Fuzzy Hash: 2777ee354ae99b50a8c7bbafa021192eabea887f868c40fe33a5794fe72923a3
Instruction Fuzzy Hash: 5551C3713083489FD320DF24DC86FAB77E4EB84794F10191EF995AB2A1D674E904EB92

Function 00F1F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00F602E7
RTL: Re-Waiting, xrefs: 00F6031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00F602BD

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 908b719e6e5962778d163bcf42771a1cd99d3714c53276c3b23cac4d7c6f161d
Instruction ID: 4ca59709a3826c592b7d8d741033eddbedd8dbeed6c1567abe2eaa07814b3d2e
Opcode Fuzzy Hash: 908b719e6e5962778d163bcf42771a1cd99d3714c53276c3b23cac4d7c6f161d
Instruction Fuzzy Hash: 03E1C171A047419FD725CF28C885B6AB7E0FF85324F240A2DF4958B2E1DB74D989EB42

Function 00F151EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Allowed, xrefs: 00F1527B
Kernel-MUI-Language-Disallowed, xrefs: 00F15352
Kernel-MUI-Language-SKU, xrefs: 00F1542B
Kernel-MUI-Number-Allowed, xrefs: 00F15247
WindowsExcludedProcs, xrefs: 00F1522A

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 5b149e3b5e232ebc6986ca90e56854c0c1aa12d38c1a46243c3998fbec36c412
Instruction ID: 17954acf2fca053a6043ca9c7a0e514ccb7aebb027d79063a530a56c9002ef05
Opcode Fuzzy Hash: 5b149e3b5e232ebc6986ca90e56854c0c1aa12d38c1a46243c3998fbec36c412
Instruction Fuzzy Hash: E1F16B72D00A19EFCB11DF94C981AEEBBF9EF88B50F15006AE501F7251D7749E41ABA0

Function 00FA11A4 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00FA123D, 00FA12B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 00FA1261
This is located in the %s field of the heap header., xrefs: 00FA12D6
-, xrefs: 00FA1270
HEAP: , xrefs: 00FA124A, 00FA125D, 00FA125F, 00FA12C4

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$ -$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-3499080548
Opcode ID: a7fdd00401aedab43ff3fe9f799f6b30ff94796b7b3197ba89cc019be301216f
Instruction ID: 16e8ee90b97f75596ed4cda3176439857f38beb7177c7175c0a7f369046319a6
Opcode Fuzzy Hash: a7fdd00401aedab43ff3fe9f799f6b30ff94796b7b3197ba89cc019be301216f
Instruction Fuzzy Hash: C0310172240254EFD714DB98C882F67B7E8FF06760F2A0059F501EB2A2D776EC41EA64

Function 00F070C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00F07C6D, 00F08670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00F07C96, 00F08696
HEAP: , xrefs: 00F07C7C, 00F0867F

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 3ac07682279f1a12a86e2ade479f087f10b2e5aef490ee88e056bae25743f54b
Instruction ID: a0926ff03050ca89233a494c06132d2e9daac2ba1917fb8feec6a9bf0eb87f61
Opcode Fuzzy Hash: 3ac07682279f1a12a86e2ade479f087f10b2e5aef490ee88e056bae25743f54b
Instruction Fuzzy Hash: 85139F70E04655DFDB24CF68C8807A9BBF1BF59314F2481A9D885AB381DB34AD46EF90

Function 00F01070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00F55877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 00F5588F
@, xrefs: 00F55A53
HEAP: , xrefs: 00F55884

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: d71ef2804a931d655f6b041ff8c9b94da35a11ab8df456775d672dcc594d387d
Instruction ID: 5394370a65de986105e0b9e0f6a58e99f23bffec9c3599a008f8aa3b99bbfacc
Opcode Fuzzy Hash: d71ef2804a931d655f6b041ff8c9b94da35a11ab8df456775d672dcc594d387d
Instruction Fuzzy Hash: 6F928B71E01668CFEB24CF18CC90BA9B7B5BF44320F1581EAE949A7291D7349E84EF51

Function 00EFA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 00EFA3EF
LdrResFallbackLangList Exit, xrefs: 00EFA3FF
8, xrefs: 00EFA3E7
6, xrefs: 00EFA3F7

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 90279c44ce0c02f8e457b503d101836e14e226261f8fd337ab62ed071e5ca10b
Instruction ID: 65818473cf05bd8b73bc2a070949769203eab5590ee7e1ca675fd90e93d03eb0
Opcode Fuzzy Hash: 90279c44ce0c02f8e457b503d101836e14e226261f8fd337ab62ed071e5ca10b
Instruction Fuzzy Hash: 9DC1ADB050838ACFC711CF18C044BBAB7E4BF85714F08596AFA99AB251E774C949DB53

Function 00F28402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 00F28591
minkernel\ntdll\ldrinit.c, xrefs: 00F28421
LdrpInitializeProcess, xrefs: 00F28422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00F2855E

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: ce9fe75c03ca33e7be1149da1be610fa8c77fd5290781da18aacb3a953760423
Instruction ID: 2c7cbb502d8c7b54a4da4e240cdb79403f9b3335685775ff1557b5746a78263d
Opcode Fuzzy Hash: ce9fe75c03ca33e7be1149da1be610fa8c77fd5290781da18aacb3a953760423
Instruction Fuzzy Hash: BD91DD71509354AFD720EF20CC42FABB7E8BF847A4F44092EFA8496191E734D905EB62

Function 00EFB440 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Exit, xrefs: 00EFB477
\U, xrefs: 00EFB5E0
{, xrefs: 00F537B6
LdrpResGetResourceDirectory Enter, xrefs: 00EFB465

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$\U${
API String ID: 0-2509056319
Opcode ID: 730d447bac7a1f586d1e16ae5302fd12d03275b86b0b607c54736b548a3ba44e
Instruction ID: d8d91239767fe0c9e7de4a84860986e1301d4117325bd9fec685f7189c6633a6
Opcode Fuzzy Hash: 730d447bac7a1f586d1e16ae5302fd12d03275b86b0b607c54736b548a3ba44e
Instruction Fuzzy Hash: 0991DDB1E04209CBDB21CF58D940BFEB7B1EF04364F259195EA11BB290D7789E84DB90

Function 00EF64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00F51028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00F510AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00F5106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00F50FE5

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 7dd194260e11098022abd7b1acc025932cdaa7a02ba48fa819be67b78f49b52c
Instruction ID: 8c7b424c3842afb501d388f82763e5a0400b43a5b56c327abc1bdf8048b7df35
Opcode Fuzzy Hash: 7dd194260e11098022abd7b1acc025932cdaa7a02ba48fa819be67b78f49b52c
Instruction Fuzzy Hash: 8D71C1B19043489FCB20DF14C885BAB7FA8AF44764F101869FA48AB186D778D588DBD2

Function 00F1245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 00F5A9A2
TG, xrefs: 00F12462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00F5A992
LdrpDynamicShimModule, xrefs: 00F5A998

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TG$minkernel\ntdll\ldrinit.c
API String ID: 0-2078120800
Opcode ID: f61a651613a371c253eea8e0cf0350f7b108dc69637dfc7592943417b53946af
Instruction ID: 0f7ed32eeed840347d55e697ea1290e66b0c8aee30d3619f0603cce53661d263
Opcode Fuzzy Hash: f61a651613a371c253eea8e0cf0350f7b108dc69637dfc7592943417b53946af
Instruction Fuzzy Hash: E3317D72A00249EBCB20DF99DCC9EBA77B4FB84710F150159FA00AB251C7745E95F781

Function 00EE9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 00F4BAF7
HEAP[%wZ]: , xrefs: 00F4BAA0, 00F4BADD
VirtualProtect Failed 0x%p %x, xrefs: 00F4BABA
HEAP: , xrefs: 00F4BAAD, 00F4BAEA

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: a9480dd70e450ffec6baa41120d1eabd280a326090e9deadc0751b89b914853d
Instruction ID: 588ebf989f2c9904520bb79e1d404b5e9c5191c9808d6c1ac086eb345b6bcb47
Opcode Fuzzy Hash: a9480dd70e450ffec6baa41120d1eabd280a326090e9deadc0751b89b914853d
Instruction Fuzzy Hash: E931AF32A00259EFCB01DB5AC889FAABBF8EF45720F154055FD14BB292D774ED81DA60

Function 00F994E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

0, xrefs: 00F99BF6
, xrefs: 00F99B84
, xrefs: 00F99AD7

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: 99602cb587309dc599dc3c8c19c234d25b813ca940b81683e8e375068fa30297
Instruction ID: c847316c1fc6bca16319472003bb1a21ac98b0dd14392e281c9247b8fcf04f94
Opcode Fuzzy Hash: 99602cb587309dc599dc3c8c19c234d25b813ca940b81683e8e375068fa30297
Instruction Fuzzy Hash: FC3225B1A0C3818FE724CF68C884B5BBBE4BF88314F15492EF59987250D7B5E948DB52

Function 00EF1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00EF1712
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00EF1728
HEAP: , xrefs: 00EF1596

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: c0216c6d557deaf670a93199a615deb16345f14830a53d84801ab5f0396b99e9
Instruction ID: 984dd8e561f56c7938d44225b94541ef834e1d86b4beac8564907aac5505d648
Opcode Fuzzy Hash: c0216c6d557deaf670a93199a615deb16345f14830a53d84801ab5f0396b99e9
Instruction Fuzzy Hash: 77E1E230A0424DDBDB18CF28C451BBABBF1EF85314F1494ADEA96EB286D734E944DB50

Function 00EEA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 00F4C1E4
FilterFullPath, xrefs: 00F4C2E6
UseFilter, xrefs: 00EEA1C1

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 586e8fc64fd95613005f5c79e27acf3b2f4275be331c7b706b8841813fb812cb
Instruction ID: f55889c0ccecaa44ec3a36e6e5db07c4dd3fbc836bd47e2d2b15e6c1bd71990f
Opcode Fuzzy Hash: 586e8fc64fd95613005f5c79e27acf3b2f4275be331c7b706b8841813fb812cb
Instruction Fuzzy Hash: 5FA18D71D016299BDB71DF24DC88BEAB7B8EF48710F1041E9E908A7250D739AE84DF90

Function 00F77410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 00F775FC
Objects>%4u, xrefs: 00F775D5
Objects=%4u, xrefs: 00F775EA

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: e6c287d7b5386cc20841e1846092e851c328b679429871d660ca80825658e0cd
Instruction ID: 133814b6ca6e958fced398b0e9f7549ac4536f70dbf184284cd05ca6ca8f8152
Opcode Fuzzy Hash: e6c287d7b5386cc20841e1846092e851c328b679429871d660ca80825658e0cd
Instruction Fuzzy Hash: 05915AB0E147059FDB14DF68C880BADBBB1BF48314F24C16AE909AB391E7749842DF91

Function 00F2909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

&, xrefs: 00F65CF8
@, xrefs: 00F29148
%, xrefs: 00F65D3F

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 7a352b549b6f5c39713c992c45d16fd2f7f6ae385d2a1f85a97f293b90f8bbe1
Instruction ID: c77ea4bd7e037955848218ebf8fd225ea8d5a2b7045b6dbb5c20615ec7a59ad1
Opcode Fuzzy Hash: 7a352b549b6f5c39713c992c45d16fd2f7f6ae385d2a1f85a97f293b90f8bbe1
Instruction Fuzzy Hash: B371AB70A0C752EFC714DF20D980A2BBBE5BF85728F10891DF4AA97291C774D905EB92

Function 00F115F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 00F5A59A
LdrpCompleteMapModule, xrefs: 00F5A590
Could not validate the crypto signature for DLL %wZ, xrefs: 00F5A589

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: af413bf8f5125d0cd953a4f23a39c2fb3b0ba6416fc05a6a634f7d61021db60a
Instruction ID: 664e45fd02f9a425b7c2ab9509d8fc7928fd5de83648ecb8d2a4622647acbebf
Opcode Fuzzy Hash: af413bf8f5125d0cd953a4f23a39c2fb3b0ba6416fc05a6a634f7d61021db60a
Instruction Fuzzy Hash: 57510171A007449BDB21CB28CD44BAA77E8BF00764F1802A9FA519B6E2D775ED80EB41

Function 00EE758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00F4AFAB
Invalid address specified to %s( %p, %p ), xrefs: 00F4AFCB
HEAP: , xrefs: 00F4AFB8

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 7f56761aa41a47d9e3286f06c138e889709253a87ee367f28d364e3ab6cd5da3
Instruction ID: 73d30dcdfa6d5e0a190c1061df0e0e3483d87611e4fb3759714970444ddfe43b
Opcode Fuzzy Hash: 7f56761aa41a47d9e3286f06c138e889709253a87ee367f28d364e3ab6cd5da3
Instruction Fuzzy Hash: C54149706446C58FDF28CA1EC0807B57BE09F01328F1854ADD8C69B296D774DC8AE752

Function 00FAC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 00FAC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 00FAC1C5
PreferredUILanguages, xrefs: 00FAC212

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 69c860c075d7c40fcb70a391ef3fc908fae59816c13acd185528ded13c666f52
Instruction ID: 7bac70a32df105e17ebfa252c49be7eeb6610d4dbe7cf71e57e5feffbaaa459c
Opcode Fuzzy Hash: 69c860c075d7c40fcb70a391ef3fc908fae59816c13acd185528ded13c666f52
Instruction Fuzzy Hash: C2416BB2E00219EBDF11DAD8C891FEEB7F8AB55710F14406AEA05F7280D7749E44AB90

Function 00F84144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 00F84160
@, xrefs: 00F84225
LdrpResValidateFilePath Exit, xrefs: 00F84172

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: e6e7ed426df50063cd8c1a19feef2fe5a5d6b837ea3d2ae815ba96ca099f4f13
Instruction ID: e21a845e87c05956a87169e8d008bdfe522718761277dfb8a5520886a6c3a2da
Opcode Fuzzy Hash: e6e7ed426df50063cd8c1a19feef2fe5a5d6b837ea3d2ae815ba96ca099f4f13
Instruction Fuzzy Hash: 43410632D04659CBEB22EBA4CC45BEDBBB8FF55350F24045AE801EB781D738A941EB11

Function 00EFA2C3 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 00EFA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 00EFA309
PS, xrefs: 00EFA348

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: PS$RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-405261330
Opcode ID: 9626dc80f2801837dca2f328d291bb290da6e601ce330325c3cf552c70fb0349
Instruction ID: 78214a56922057dea613ec52c5fee4b3e2919733776ff91bd0f92901e8e4f30f
Opcode Fuzzy Hash: 9626dc80f2801837dca2f328d291bb290da6e601ce330325c3cf552c70fb0349
Instruction Fuzzy Hash: B741CC75A01648DBCB25CF59C840BBE77B4EF85314F2841A9EA08EB291E735DA00EB42

Function 00F233A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 00F629FE
Actx , xrefs: 00F233AC
RtlCreateActivationContext, xrefs: 00F629F9

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: fd714b87e42a7bac35bcd29815f5067147c91cc5226a00f978ca92a81b4c4c7b
Instruction ID: 28510532457932a0e611e4f2a7681d4aeccb989cfdea14a3e4de9abee3e2f9d2
Opcode Fuzzy Hash: fd714b87e42a7bac35bcd29815f5067147c91cc5226a00f978ca92a81b4c4c7b
Instruction Fuzzy Hash: 9A314232A007159FDB26EE58EC81F9673A4EB44720F148469FC049F286CB78EE41EB90

Function 00F7B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 00F7B632
@, xrefs: 00F7B670
GlobalFlag, xrefs: 00F7B68F

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: bd3f97e0425253e59b62e03cd71903d7a02e9912e604d2254300d3e0c16dfcfc
Instruction ID: 48b974398758f64385dda54a200e1032b085cc84c75e01c53b17935ee922e89a
Opcode Fuzzy Hash: bd3f97e0425253e59b62e03cd71903d7a02e9912e604d2254300d3e0c16dfcfc
Instruction Fuzzy Hash: 45315EB1E00219AFDB10EF94CC81BEEBBB8EF44754F0444AAE605B7291D7749E00DBA4

Function 00F31270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 00F312A5
BuildLabEx, xrefs: 00F3130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00F3127B

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: c36d32431295d529bcb821ba118c35e14f2ccf809eb675a28b01a9cea5c63c23
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: E431CD72900619ABDB11AF94CC41EAEBBBDFB84720F004021F914A72A0DB34DA05ABA0

Function 00F720DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 00F72104
Process initialization failed with status 0x%08lx, xrefs: 00F720F3
LdrpInitializationFailure, xrefs: 00F720FA

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 23be44aa8375e8701374795faa7daf61895c078462dc717b0ef33f0f600afeb7
Instruction ID: aa08b81e9c48c628701b3ec628fca4a2eb0b889edf9b284509a8759520aa9f8a
Opcode Fuzzy Hash: 23be44aa8375e8701374795faa7daf61895c078462dc717b0ef33f0f600afeb7
Instruction Fuzzy Hash: D5F02275A40348BBD724EB48DC57F9A3768EB80B64F40006AF6047B281D2F4AA01E682

Function 00F003E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00F54D8A

Strings

#%u, xrefs: 00F54D82

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: a31bcadc2986d141fa2043ac4a9dc85517a426e27eba3297a392f7bf372c38a2
Instruction ID: a8843b25db33c0d3cfd1af42e1943da91b3e2420fcd01dc197da79c7dd2299d0
Opcode Fuzzy Hash: a31bcadc2986d141fa2043ac4a9dc85517a426e27eba3297a392f7bf372c38a2
Instruction Fuzzy Hash: 61716E71A0014A9FCB01DFA8C985BAEB7F8FF08714F144065E905E7291EA38EE45EB60

Function 00F052A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 00F055A3
@, xrefs: 00F05445

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 84db72fdc1977575fa6ba2415f6614b5c1afb3d02c3d90762f172c000f25eddd
Instruction ID: 0b2633ee1e56e7827b94879b0839e185605c27601022aa6fa5edbf3af224bd81
Opcode Fuzzy Hash: 84db72fdc1977575fa6ba2415f6614b5c1afb3d02c3d90762f172c000f25eddd
Instruction Fuzzy Hash: AC329A759087118BCB248F18C894B3BB7E1AF84B61F54492EF9958B290E7B4DC84FF52

Function 00FBA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 00FBA551
`, xrefs: 00FBA44B

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: db6f3e3d2babdc151e01d44c881571ab696a919863e1906af90d37b96b16498e
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 21C102716083419BD724CF2AC841BABBBE6BFC4324F184A2DF595CA291D778D905EF42

Function 00EF04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 00EF0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00EF063D

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 2f7da1d3c4f3f7389998666640e59f8233518a13d2d69e5a0df82227c26bf1c4
Instruction ID: 8a9d6058c9b7c1124c3adc857c91c67760f15b3f835fcd6c9344af3d0dc9b04b
Opcode Fuzzy Hash: 2f7da1d3c4f3f7389998666640e59f8233518a13d2d69e5a0df82227c26bf1c4
Instruction Fuzzy Hash: 93519E7150474A8BC724EF64C5806B7B7E4AF88308F01983EEA9AD7642E774E945CF92

Function 00F835BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 00F835FE
LdrResGetRCConfig Enter, xrefs: 00F835EC

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 51a13f959f2ed5c9a24448feb864472ddb6f6cb2dc47e8b5b9097df361d1154c
Instruction ID: 8c576af4095dfe9d0d3eb9a0f51fada096916a3203b3955689b1f16b0d078ef9
Opcode Fuzzy Hash: 51a13f959f2ed5c9a24448feb864472ddb6f6cb2dc47e8b5b9097df361d1154c
Instruction Fuzzy Hash: 1231C132619745ABD311EB68D849F5AB7E4EF84B20F040869F854CB3E1EB34DA05EB52

Function 00F2329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 00F2330D
.Local\, xrefs: 00F232B5

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 71beaa335bf8bee437bf7229e59943f431139f23a2a66bae76cda4b78f89dc18
Instruction ID: 9e056de76c6bb238453949ff13a10730505302127aab0dd87127e8c603820a53
Opcode Fuzzy Hash: 71beaa335bf8bee437bf7229e59943f431139f23a2a66bae76cda4b78f89dc18
Instruction Fuzzy Hash: ED31A1B25087149FD310DF28D881A5BBBE8FB84764F40092EF99583250DB39DF04EB92

Function 00F234B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 00F62A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 00F62A95

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 0665dacfbd0ba59cfbfa598598647a8dc3105b354c0dfc7ddc89204b25949a75
Instruction ID: 719f010d23ffada8bdce1a78716bb830c4ec2c51da4be64f7fa41cfde9919633
Opcode Fuzzy Hash: 0665dacfbd0ba59cfbfa598598647a8dc3105b354c0dfc7ddc89204b25949a75
Instruction Fuzzy Hash: E611EC72B05225ABE725DA88DD41F6B76A9DB94B54F1480697904EB280E6BCCE00A690

Function 00F2A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 00F2A5E4
Threadpool!, xrefs: 00F2A5E9

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 5f7150037b03d568e75e36ceaa97321f12ec17fe81fbc2178803362698786bdf
Instruction ID: 0f51140023ad0b46bf30f01efde4eb24655fd4161870f73f23b7044832c77c4e
Opcode Fuzzy Hash: 5f7150037b03d568e75e36ceaa97321f12ec17fe81fbc2178803362698786bdf
Instruction Fuzzy Hash: 7801D1B2250744AFD321DF14DE46F167BE8E784B15F048979B558CB190E734E804EB46

Function 00EF7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec09e14378072302de71247daa87932b55b0f094ed8d51fb592c64a6ac0906d
Instruction ID: 8a32ef32539924221faef6575d9d9766a5d4cfbde50e8c9ac84a96e6c210d874
Opcode Fuzzy Hash: cec09e14378072302de71247daa87932b55b0f094ed8d51fb592c64a6ac0906d
Instruction Fuzzy Hash: 3CA18B71A08746CFC320CF28C480A2ABBE6BF98314F24496DF6C59B351E730E945DB92

Function 00F76420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 00F765C1

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8e2055ac96cf315b77c21ea30f952639b3bc1eb45e9f847e4906e2d7722dd7a6
Instruction ID: 69b10289262f438a266030fe2188dc4a56afe6355ea73cf01f01de39c18f4f00
Opcode Fuzzy Hash: 8e2055ac96cf315b77c21ea30f952639b3bc1eb45e9f847e4906e2d7722dd7a6
Instruction Fuzzy Hash: 5A916072900619AFDB21DB94CD85FEEB7B8EF08B50F144065F604EB191D774AD04EBA1

Function 00FAB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 00FAB28F

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 4d4a17fdbaecf74c324afa31a95f5f61abcaecc6fe0ee762398472df6e5beba3
Instruction ID: c4f45ea1f983370eb1b6cb5cbcbf5eabb375d11b346acb92ef5638fe883bd71f
Opcode Fuzzy Hash: 4d4a17fdbaecf74c324afa31a95f5f61abcaecc6fe0ee762398472df6e5beba3
Instruction Fuzzy Hash: 9641E2B6D0031AABCF11DA94CC50BEEB7B9AF46720F11016AE901FB291D774DE40E7A0

Function 00F9705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 00F970A4

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: ec58d47cc688221fd85730bd31fb9e030f3e56eee62d6fb195ea1a541d2bcebf
Instruction ID: 38bc5b04adef961035770c057426fe22d19ad817337be1b6d15d3242cefa4fe8
Opcode Fuzzy Hash: ec58d47cc688221fd85730bd31fb9e030f3e56eee62d6fb195ea1a541d2bcebf
Instruction Fuzzy Hash: 5A41367192538C47FB21BB64ECC6B693B90AB507B8F14012DED50DE0E2CBB85885F7A1

Function 00EF4260 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

%, xrefs: 00EF42EA

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: 45d3550bc6bbfb504985be49c8a22e46226cdb159931bfba460e3c2fa0fbb96b
Instruction ID: b8132e4288293e2b9c4c5cbe8d7207dec908505fd94353bb1b06061781bd087f
Opcode Fuzzy Hash: 45d3550bc6bbfb504985be49c8a22e46226cdb159931bfba460e3c2fa0fbb96b
Instruction Fuzzy Hash: 1241BD71200B499FC722CF24C886FE777E9BF49354F114429EA999B291CB74E844EB90

Function 00EF5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 00EF50BF

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: f72e051b6f16009e569f972aeb74810a8df9eed1652ab12ec94d7608889346aa
Instruction ID: 79510b54aac7686c9f9cdf29de4de39c308e538034b8451f9bec7830eb99e36d
Opcode Fuzzy Hash: f72e051b6f16009e569f972aeb74810a8df9eed1652ab12ec94d7608889346aa
Instruction Fuzzy Hash: 6E119633705E0A8BD7244D1D885077672D5EBB6328F34652AD752EB350DE71EC419380

Function 00F7106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 00F710F7

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: c0a9403ff58465fd9591fe9bef17325cea77ce997671f6a67327ef9b58139a15
Instruction ID: a8bd300eea0ba33d272b1119398b11554d7979436f59edb04b60be43a2e1788e
Opcode Fuzzy Hash: c0a9403ff58465fd9591fe9bef17325cea77ce997671f6a67327ef9b58139a15
Instruction Fuzzy Hash: B42157B19083889FC310DF1AC846A5BFBE8FBD5B10F404A1FB5949B250D7B0D808DB92

Function 00F4739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce32399f45956d6164934a58741128b2b082b9c389d67c16d8573ebec1f0cf31
Instruction ID: d65293b46073e0ffeed08e6cccfa162f67beade7f003e84e92cc58fc24f86f7a
Opcode Fuzzy Hash: ce32399f45956d6164934a58741128b2b082b9c389d67c16d8573ebec1f0cf31
Instruction Fuzzy Hash: 3C428071E047168FDB14DF59C8806BEBBB2FF88324B248559E856AB350D734ED41EB90

Function 00F1B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf77f5e3cef1353ad71e7957adb85c6c365af0bf81978cf1455a0759a0190c0
Instruction ID: ac1e3b82173037be8715ad49cb310cc74019d498e345389994343b1c80492abd
Opcode Fuzzy Hash: 3cf77f5e3cef1353ad71e7957adb85c6c365af0bf81978cf1455a0759a0190c0
Instruction Fuzzy Hash: 74329C72E00219DBCB14DFA8C891BEEBBB1FF54764F184029E805AB391E7359D51EB90

Function 00F88158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9209a610a873ec35a1103d8c7d5981ace1984b0cae46ef4f1ec6daa6b3b576
Instruction ID: ef1a71636cc581e367fe029243b3f49e1e416288391bbf080126b6da0f6024bf
Opcode Fuzzy Hash: 2d9209a610a873ec35a1103d8c7d5981ace1984b0cae46ef4f1ec6daa6b3b576
Instruction Fuzzy Hash: BA423775E002198FDB24DF69CC81BEDB7B5BF48750F588099E849AB242EB349D82DF50

Function 00F9A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142ca5d879aaf8dff8c49731f8e9eb5f647a4254576094fc1f5da84cd65598c0
Instruction ID: 4f81926cf450e8ad04002b3c101250d4380114a3b3a96ea332e3c74638c36b4b
Opcode Fuzzy Hash: 142ca5d879aaf8dff8c49731f8e9eb5f647a4254576094fc1f5da84cd65598c0
Instruction Fuzzy Hash: 4A22E271A046508BFF25CF29C095772B7F1AF44310F188499E8968F296E735D892FBE2

Function 00EF65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7805925c7734f4f5bf9a8773308553c2b0ba4465fca0bfdea9cb0116e61e0696
Instruction ID: 701d23277085ef168c86a931fbec5707144b4c58d7eee554d58368dae7e1201d
Opcode Fuzzy Hash: 7805925c7734f4f5bf9a8773308553c2b0ba4465fca0bfdea9cb0116e61e0696
Instruction Fuzzy Hash: 46E1AF71508345CFC714DF28C480A6ABBE0FF99318F15896EFA9997391DB31E905CB92

Function 00EE8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2aca56d39bb7e3c637e69c41d93cbe55a6ec3acbc6276a9f98d7293671da12
Instruction ID: 3883ded9a643d5bd549cb44d42bba575fdd4da0d65ea07f48498903538c2a9bd
Opcode Fuzzy Hash: ae2aca56d39bb7e3c637e69c41d93cbe55a6ec3acbc6276a9f98d7293671da12
Instruction Fuzzy Hash: 06D10371A0064A9BCB14DF66C981ABAB7E5FF44318F15462AFC1AEB2C1EB34DD40DB50

Function 00F78243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 0a82dc677210a0375e2e9e65c6db50928f75b3763c20b5d1712ebdab8dc6053a
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: AEB1D374A40604AFDF24CF94C948EABB7B5BF84354F10842AA90697391DE74ED07EB21

Function 00F0F460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb68c335238015c84682bd49cc3b5398e5eb07494a255cd2d560dead7968138
Instruction ID: 3199859afe22491b1eef7df63fc36c96f5b2ef92029a67989f4955db6bf0b0f2
Opcode Fuzzy Hash: 8eb68c335238015c84682bd49cc3b5398e5eb07494a255cd2d560dead7968138
Instruction Fuzzy Hash: 7BC1F072E012258BCB34CF18C890B7AB7A1FB94724F294169EC429F6E2D7358D45FB90

Function 00F00535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 3cb4ef09e1fdcf287e4091ffb7171245cc6d76b05a3a6e060cba324bb6c3d3c1
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 36B11631A00645AFDB21DB68CC51BBEB7F6AF44314F140165EA529B2C2DB34ED45FB90

Function 00F190DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8403fc2d53aff3372b7fe552b4de7f3c137f7fa5c43445dab71f457fe7dc6ef
Instruction ID: 8008b90a2c4cc0eaf5890735930f3f7264ec02a687aea705c2882223e95f32ed
Opcode Fuzzy Hash: f8403fc2d53aff3372b7fe552b4de7f3c137f7fa5c43445dab71f457fe7dc6ef
Instruction Fuzzy Hash: 4DA16D71901619AFEB22DF64CC82FAF77B9AF45760F050054FA00AB2A0D779DD51EBA0

Function 00EF83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b340fd1c7c8fad7d7ffd6bd4043637cd7ff9e8ecd054d67794e77b8743353cef
Instruction ID: 2a7545f28510077380eb1dde5d18277a0aea087004262114ee36a6b63b8e3a80
Opcode Fuzzy Hash: b340fd1c7c8fad7d7ffd6bd4043637cd7ff9e8ecd054d67794e77b8743353cef
Instruction Fuzzy Hash: DDC16870608385CFD764CF14C585BABB7E5BF88304F44492DEA899B291EB75E908CF92

Function 00EEC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbc556d43c9dd4206a1c40dddbae8d511cd4d12b74f07bbe253ed32021cf53e
Instruction ID: 3081dac602c6003367ecf052024098efeac08d8ec03ea72c45e47726a941d5fa
Opcode Fuzzy Hash: 8bbc556d43c9dd4206a1c40dddbae8d511cd4d12b74f07bbe253ed32021cf53e
Instruction Fuzzy Hash: 37B18270A002A98BDB24CF55C890BA9B3F1EF44714F1095E9D84AE7281EB74ADC6DF21

Function 00F1E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b03009a3bfb9f6a6196b80d7ad2ccc53c181a09e5e49b1ebc3423c8bf41cb2
Instruction ID: beb50353da86bd45949f142a6a0c9faf44d2c79a8f8c2b73a710abc57f46af84
Opcode Fuzzy Hash: 60b03009a3bfb9f6a6196b80d7ad2ccc53c181a09e5e49b1ebc3423c8bf41cb2
Instruction Fuzzy Hash: C6A11731E00659AFEB21DB58CC48FEDB7A4AF00724F150175EE10AB2D1D7789D88EB91

Function 00F30185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4338403494aa223de7670bbbacfab3abfa53a8ad63268d770560835b5d6e5dc8
Instruction ID: 3a9af79515c12b2533fdaf38cd9aaf907a8438a84d2e3ec384522ad7d998ab55
Opcode Fuzzy Hash: 4338403494aa223de7670bbbacfab3abfa53a8ad63268d770560835b5d6e5dc8
Instruction Fuzzy Hash: 70A1D471B0071A9FDB24CF65C9A1BAAB3B5FF54334F14402AEA0597282DF78E911EB50

Function 00F760E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916ade2d68782b75450bb8538743b6cad0cf27914f66532769b988dfc8ed802c
Instruction ID: 7042f9ceb273c2c53ffaacefac78898698db6cda324f3d26968e6cd0decf8639
Opcode Fuzzy Hash: 916ade2d68782b75450bb8538743b6cad0cf27914f66532769b988dfc8ed802c
Instruction Fuzzy Hash: 5291A071D00619AFDF15CF68DC84BAEBBB5AB48710F15816AE518EB341D738ED00EBA1

Function 00F0E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7edaf88c00e27e1f68ee553fd6e7b4fffc381488c79a68528c93733c4f4adb
Instruction ID: 284e18fe91cb1692090bb2774aee9d992bf27804f860b18f458d7b7230c50f4d
Opcode Fuzzy Hash: ad7edaf88c00e27e1f68ee553fd6e7b4fffc381488c79a68528c93733c4f4adb
Instruction Fuzzy Hash: BF913536E00615CBDB28DB18C880B7EB7A1EF94725F184869ED05DB2C1E638DD05FBA1

Function 00EF1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3918a1d2d384c146e9f177ea6bca4a54f5359d0329ac59d4abe950e8684638de
Instruction ID: 07ac0901b28b9e2d296a644cc4879be278c0fa44ebd3cdf3a4dbd1e32388d052
Opcode Fuzzy Hash: 3918a1d2d384c146e9f177ea6bca4a54f5359d0329ac59d4abe950e8684638de
Instruction Fuzzy Hash: 97B11275A093408FD354CF28C980A6AFBF1BB88314F18496EF999D7362D734E945DB42

Function 00EF9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aaea08823702d48448ef12b793bf89564a73b963cdf456893bff6231580e415
Instruction ID: b306fe00da6ff04859f78ba58aa0624aa471c0e966bc13d5e1122129b277c0c2
Opcode Fuzzy Hash: 4aaea08823702d48448ef12b793bf89564a73b963cdf456893bff6231580e415
Instruction Fuzzy Hash: 33B17274A00249CFCF26CF28D4807B977B0BB48318F24555EDA65AB2A3D735DC46DBA0

Function 00F1D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 7731cd46c2f4f2b347fc82956459d7cda0dce874707f3c40469d1e160c2ba5db
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: C281BE72E001199BEF18CF68C8817EDB7B2FB84311F26816ADD15B7340D6359E89EB91

Function 00F2E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1935aee768b9ab7e302ff8c6edbc65bf44c6180f2b5cf1ddb7f6cdc12e7c0470
Instruction ID: 16bca7642efe7a316c26127e3cf7e7bbb58a1968a5ef4c6c32d0f18da0a369f7
Opcode Fuzzy Hash: 1935aee768b9ab7e302ff8c6edbc65bf44c6180f2b5cf1ddb7f6cdc12e7c0470
Instruction Fuzzy Hash: 95817E71A00619EFDB25CFA5D880BEEBBF9FF48350F204429E556A7250DB70AC45EB60

Function 00F862A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f29f5c5b905cd57d07ecd584bc0c46b12af23a25044565f3d27d69e67cb961
Instruction ID: 3d307bf2e8843f6dd9d21ca9b6a9b03d7440696e969758ad15c523cf446859b9
Opcode Fuzzy Hash: 88f29f5c5b905cd57d07ecd584bc0c46b12af23a25044565f3d27d69e67cb961
Instruction Fuzzy Hash: 4B71D132600B01AFEB31EF14CC45FAAB7A5EF44720F244928E656DB2E1D775E944EB50

Function 00F7035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: a9997bce2e75161f4e6e5d81182b5f737620bd3ee9fc5ea26f817d479e4a74f3
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 55718E71E00609EFCB10DFA9C945E9EBBB8FF48710F14856AE509E7291DB34EA01DB50

Function 00FB132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10cffbd53be7de798eaf55841a1b48c74069e5900dfcbb6559b2bdc43398d173
Instruction ID: b0f6ab6fce736533c9fd80532402fbd5a973122585bbba3b1e9e2cd86d74b351
Opcode Fuzzy Hash: 10cffbd53be7de798eaf55841a1b48c74069e5900dfcbb6559b2bdc43398d173
Instruction Fuzzy Hash: CA815A75A00249DFCB09CF59C490AAEB7F1BF88310F1581A9E859AB355D734EA41DFA0

Function 00FB903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcb3067c06e5e53c740e12a713f57f69f3273f81288bd1a798476d830bfe045
Instruction ID: 455a2f209806b67266d6a2e4645ca161e9ca293624451e695f24223e75035c37
Opcode Fuzzy Hash: ddcb3067c06e5e53c740e12a713f57f69f3273f81288bd1a798476d830bfe045
Instruction Fuzzy Hash: 0D61F171A04616AFC315DF66CC84BEBBBA8FF88750F008229F95987241DB74E901EF90

Function 00FB92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aadd02331178ab77f6163e689c898e5e835c15afb8a0dc40100386c5c9e49fe
Instruction ID: 4c435b9dc0298eae6a5564bff6eaed6077934644424f100ebcf7ce6dc29fed58
Opcode Fuzzy Hash: 6aadd02331178ab77f6163e689c898e5e835c15afb8a0dc40100386c5c9e49fe
Instruction Fuzzy Hash: F561073160C7418BD311CF66C895BAAB7E4BF80314F18446CE9858B292D7B5E806EF81

Function 00EEB2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072947e7aed55e78f5c04c2d10423f84f5228036de17aa6fd117742f7e34e5cf
Instruction ID: cadeaa223e72375e18325d3ed33a6d3679b0dd5bacfc60db596da0ee0c4703d3
Opcode Fuzzy Hash: 072947e7aed55e78f5c04c2d10423f84f5228036de17aa6fd117742f7e34e5cf
Instruction Fuzzy Hash: 8D415A31600A44DFC7269F16DC82B2BB7A9FF40724F115039F919EB291E774DC00ABA0

Function 00F6D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: 7e7a30564b9c3743781be6c782963ac7c7963fbcb8d45957d1ec3674f7ce5927
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: EF51F2B2F002129BCB10AF64CC41A7B77E6EF94754F040429F944C7251EA39CD56F7A2

Function 00F2B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af694ac0e454b3c5c2a4e0e5054735c94e639584d8aded83d96edcd24966c72
Instruction ID: 52aa365ce14b8fa22b962c1a0c0590ab5965d25e961d8e75f9d8af0a09dc29f3
Opcode Fuzzy Hash: 3af694ac0e454b3c5c2a4e0e5054735c94e639584d8aded83d96edcd24966c72
Instruction Fuzzy Hash: 5451C3B15043549FD720EF24CC82F6A77A8EB84728F10062DF91197292D738E841EBA2

Function 00F195DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e3d2dd2ffb6875b57020c7ba472a91c210f2b2f7899fd6c732aa4811246ebf
Instruction ID: ed56f11e44d9a04981e313c5061681d5a9f73627346e8461650132040541bd3b
Opcode Fuzzy Hash: a6e3d2dd2ffb6875b57020c7ba472a91c210f2b2f7899fd6c732aa4811246ebf
Instruction Fuzzy Hash: 49519D71901208AFEB219FA5CC91BEDBBB8FF01350F20412AE990A7191DBB59D85FF50

Function 00EF7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f1365a42f70561c35e58d50960772b254db0abe7592d2cf336ef833bdf815b
Instruction ID: dab73dd25468ee059856d4a88981b2554a5ba53b4d90d71d8ba5e479f398e808
Opcode Fuzzy Hash: 08f1365a42f70561c35e58d50960772b254db0abe7592d2cf336ef833bdf815b
Instruction Fuzzy Hash: BC512531E05609EFEB15DF68D844BBDB7B4FF18315F104169EA42A3290DB74AD09EB80

Function 00F2E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c400a8168bddc7a4162f2fcf77087f012045cd8e6ca630199dc949b9f65824
Instruction ID: ba430802822359666c31d07248c27afb2b63d5932dad53ab2854345f2e21a770
Opcode Fuzzy Hash: 91c400a8168bddc7a4162f2fcf77087f012045cd8e6ca630199dc949b9f65824
Instruction Fuzzy Hash: FD514672600A15AFDB21EF64D981EAAB3EDFF04794F60042AE542D7261D738EE40EB50

Function 00F145B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 859bf2b8fbc8f51efba5e8e3a6269785884810e0410987dfff482738090ed8fd
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 3251A271E0021AAFCF15DF94C841BFEBBB5AF85754F144069E901AB280D734EE84DBA4

Function 00FBD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: c6190c680354c6b7ebd276f3e5cbe346dc40427252830b3e1e6a1d7545a025c5
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: CA5169726083429FC710CF69C881B9ABBE9FBC8354F08892DF89487281E734E905DF52

Function 00EF51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90d7bd68dd661567cdb4af5dd2341a2469b26a015dbf168615c2065bdad1f17
Instruction ID: b6800581cf6116b0c1eccf5e1fb4b6b250064d052fdf3f8df96aabc4fae46e0c
Opcode Fuzzy Hash: b90d7bd68dd661567cdb4af5dd2341a2469b26a015dbf168615c2065bdad1f17
Instruction Fuzzy Hash: 0B519032A02A1DDBEF119BA8C841BFD77B0BF28794F141119EB01F7251D774AD409B51

Function 00F83140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6276922de736b718b7439e273fc2646eed7dcb02025342ed73eb135a5a1c78ff
Instruction ID: 829c772fb6df4460246bbd9bd6e12b990aa77ccb0341c10a8007f5bb9b9cb846
Opcode Fuzzy Hash: 6276922de736b718b7439e273fc2646eed7dcb02025342ed73eb135a5a1c78ff
Instruction Fuzzy Hash: B251E272A04311DFD711EF14C841BAAB7E4FF88B24F118529F8949B2A0D374EE44EB92

Function 00F2A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb8396577e72786d11585c15c748bda26204a8b261b8c5a513ccfc92e2702d8
Instruction ID: 92c3e1a87ae93640d531ad47afdf68c7c4d570977335dcb510058c60a75ee770
Opcode Fuzzy Hash: 6eb8396577e72786d11585c15c748bda26204a8b261b8c5a513ccfc92e2702d8
Instruction Fuzzy Hash: 5241E372A44295ABCF14EF64FCC2B6A3765AB14714F05002DFA02DF251D7F69C00B6A1

Function 00FC35D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: c5ec04730dd0946c50ccb3e2ca4857a92f9b232be172297c7801dc5ce10f6404
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 8A516AB1600606EFCB15CF14CA81F56BBB5FF45354B15C0AAE8089F262E771EA46EF90

Function 00F201F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103ce00eb77bcefe9e4051e7ed501f7d9612fd560a331172a0eed13e16382602
Instruction ID: 4132e72c92983622704fae4740b44303edd39d2f9140989f05fe1e5b3be4a692
Opcode Fuzzy Hash: 103ce00eb77bcefe9e4051e7ed501f7d9612fd560a331172a0eed13e16382602
Instruction Fuzzy Hash: A0419036D00225DBCB14DF94D840AEEB7B4BF48710F25815AE815F7282DB399D41EBA4

Function 00F6D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 81e542f16fe6f23f155657866699a5121a2ef1893311fc25149e9c6d1e48bec7
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 86511771E00206DFCB18CF68C591AAABBF1FB48314B14856ED819E7345E734EA90DF90

Function 00EF6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e3c1e5ddce5d8dbb294cb669a9000c77e43cbbc36d485eeaae9758f2c97015
Instruction ID: 071107bd49bac6ba57fb7124b9d13788e0e5b87e98f590fff78f764327b8e33e
Opcode Fuzzy Hash: 53e3c1e5ddce5d8dbb294cb669a9000c77e43cbbc36d485eeaae9758f2c97015
Instruction Fuzzy Hash: 2251F97090015EDBEB25CB64CC05BF9B7B1EF15318F1482A5E629A72D2DB389D81EF80

Function 00EEB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5d13cd5c835edd7c8a42b6c605ab3794312fb8ac13b5fc180eaaa4dfad12ee
Instruction ID: 5696787fad5dd1b2f07e93cd39af1680669f8510e8b6201b8cea046719bbbc86
Opcode Fuzzy Hash: 7f5d13cd5c835edd7c8a42b6c605ab3794312fb8ac13b5fc180eaaa4dfad12ee
Instruction Fuzzy Hash: A741E170601659EFC721AF65CC81B6BBBE8EF14794F005429EA11EB2A1D774DC40EB90

Function 00F1A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260b3e075e2c167e0ea6ce0ed819027b763df93f7cb43083a2ed9ccbc230f993
Instruction ID: 7dc0d75ee3f302f0830cafa64e1d420400c4bf1492da527507ff65b5767c5281
Opcode Fuzzy Hash: 260b3e075e2c167e0ea6ce0ed819027b763df93f7cb43083a2ed9ccbc230f993
Instruction Fuzzy Hash: 0C41D032A45648CFCF14DF68D8907ED77B2FB04724F180159D411AB2A1DB34AE84FBA5

Function 00EEA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 5d0fa3c5f34cce65ef9cdfe59dd5b6799338071863b1e0dd2cf2ac0874a862fa
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: BA414031E04259DBDB10DE9688407BA7B71EB50734F19807EEC49AB241D731ED40F791

Function 00F705A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504fd615377686909efa967a6bb03a626e7c2d299952eee455fe4922f381d562
Instruction ID: e0618543c3c72a1987e6c93557fefeb4a37c6bac7c077c887d092131d03f7db7
Opcode Fuzzy Hash: 504fd615377686909efa967a6bb03a626e7c2d299952eee455fe4922f381d562
Instruction Fuzzy Hash: 4F41C272A04645DFC320DF68DC51A6AB3E9AFC8710F04462AF89897680EB34ED14D7A6

Function 00F002E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 942e1d2f1307b9b8fb743ee87355b1d75257d3dea1df8d6f2b229693c9a4c35e
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 98314A32A05644AFDB229B68CC44BEABBE9EF04350F0441A5F855D7392C674D884EB64

Function 00F19274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de133d882d22cc12dfad6ac2dc72bc9aeec44ca273ff48b25d8e5526735e854c
Instruction ID: 47157232cdb44b41f1c7b4d0e363202180a6e6d6619d703558bc5fdbe1019b0d
Opcode Fuzzy Hash: de133d882d22cc12dfad6ac2dc72bc9aeec44ca273ff48b25d8e5526735e854c
Instruction Fuzzy Hash: 2B31A072A04628AFDB358B24CC50BDAB7B9AF85760F100199B55CA7280DB709E84EF91

Function 00F150E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: ac2c7b09740c326a0b3c4173eca4bf1802e00e8b9b8ee03ec122741b5fa62a45
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: EF31D432A08641EBD722DA18C8007A7B6E5ABC5B64F188529F8859B291D3B4CC85F792

Function 00EEB480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462f86d37e35c462047e1ae00655847868db3e4f02f460ac54894fa5ba6722b1
Instruction ID: a0220fcf10266ded78904dc92006a90a26680f32c0c613b20e167df445cb181b
Opcode Fuzzy Hash: 462f86d37e35c462047e1ae00655847868db3e4f02f460ac54894fa5ba6722b1
Instruction Fuzzy Hash: 21315372500648AFC721DF14C880A6B77AAFF84364F144269FC54AF2A2D731ED46CBE0

Function 00FB61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4995b08e636ddb2ce099e6ce9cea1d48fb69c1121a996238ac918925d53734b
Instruction ID: c312c1b72ff41b630d8e33bce0e7df9e99bdb5a66ffc61f26b808555ff8dccdc
Opcode Fuzzy Hash: c4995b08e636ddb2ce099e6ce9cea1d48fb69c1121a996238ac918925d53734b
Instruction Fuzzy Hash: A531E176E00219ABEB15DF99CC41FAEB7B5EB48B50F454168F900EB280D774ED00DBA4

Function 00FB60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9690cbe12873c84039f1e488ce7f782c5d23e22d92a2deb3c128db1f248c6a58
Instruction ID: d56deb6896da355098f5c98a1f265e207d649f2c8d86d6c148a8998e511e398e
Opcode Fuzzy Hash: 9690cbe12873c84039f1e488ce7f782c5d23e22d92a2deb3c128db1f248c6a58
Instruction Fuzzy Hash: 9031F472A00605AFDB12EF9ECC41BAEB7A9AF44B54F100069F505DB382DA38DD00BF90

Function 00EF8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032efe2e2758b3096bc23aa15d377b38133e60d3475f33cd79ba90a696c07cf0
Instruction ID: db74d6c1ed8983208d3e80aa50d4b6bb04161d2293b3f41845c77b4ab7e2532d
Opcode Fuzzy Hash: 032efe2e2758b3096bc23aa15d377b38133e60d3475f33cd79ba90a696c07cf0
Instruction Fuzzy Hash: 1D319A72A0A3018FD760CF19C940B2AB7E4FB88714F154A6DFA84A7391D770EC48DB91

Function 00F47190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 93f9e35998c81a21c19e4c5de18de34989efb2a676bf1b0e5db618c8cb2e4665
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 76316775A08346CFC710CF18C480956BBF5FF99320B2986A9E9589B325E730EE06DF91

Function 00EF92C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 4a9d0fb79e7d358de4b17729440a62708cf182876dbaeda861e7a9ae8d434517
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 9E319EB26082498FC701DF18D840A5ABBE9FF89350F000569FD91973A2D734DD14DBA2

Function 00F1438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc34ebca1da96639e90ff39f0c10b134d08be2e976708ce3e2b0405ff5c5947
Instruction ID: d253d85fcc7278f2810146c0e934d611fcf1f2a5f519fca6c13b81859663e431
Opcode Fuzzy Hash: 0cc34ebca1da96639e90ff39f0c10b134d08be2e976708ce3e2b0405ff5c5947
Instruction Fuzzy Hash: BB31C232B006059FC710DFA9CD81BAEB7F9AF84744F10852AE945D7291E734EA85EB90

Function 00EEC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31ad30c52bf5f0a9fdabb530e3ad0e2e7dc0922c90100c8ecdd9785175406e5
Instruction ID: 9b684cd664891110eda73adc63dfc33a8a597249d00bb98e6e16fb6efef4e1ce
Opcode Fuzzy Hash: a31ad30c52bf5f0a9fdabb530e3ad0e2e7dc0922c90100c8ecdd9785175406e5
Instruction Fuzzy Hash: 01310B729002148BC721AF14CC42B797BB4BF51364F5481A9ED459F383DA38DD86EB90

Function 00FAC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: ae129e6cf1820d1ac195a20e4ebd0e88fd25e8a6e3ddb3b5f06abc6442c6390e
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 50212B76600655A6CB14EB95CC11ABAB7B4EF45710F40801AFD95CB691EA3CDD40E3E4

Function 00EEE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c219b8cbdfd0f1ff935e9efe2c6e25ab9cc185dc91c66aec59867ec8a1b815
Instruction ID: 571c59f7b102fa0b92a76563c2f2dfee97148e2580b880ee51110327b8862284
Opcode Fuzzy Hash: 63c219b8cbdfd0f1ff935e9efe2c6e25ab9cc185dc91c66aec59867ec8a1b815
Instruction Fuzzy Hash: C131DC32A0156C9BDB319A15CC42BEAB7B9AB05744F0100A1F695BB2D0D6B4AE849EA0

Function 00F244B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21175288ea421d4a49d358ea7f4f35639f9727bdf4d2fd0816cf43b4d95ca180
Instruction ID: 43e1ef31a624d01f47fd9fb9d23def2b57711643f553b6f8082e6d6c39fba474
Opcode Fuzzy Hash: 21175288ea421d4a49d358ea7f4f35639f9727bdf4d2fd0816cf43b4d95ca180
Instruction Fuzzy Hash: C421D272A047559BCB22DF18D882B6BB7E4FF88760F044519FC949B241D774ED00EBA2

Function 00F24588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 1bef4536e09c5dc82ef1bf404cfac12d0c40e925b76e763982f1b28828d78494
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 0E217172A00618EBCB15CFA8D980A8EBBB5FF49714F108065ED259B241D6B5EE059B90

Function 00EEE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 65f376060ad961ca6d5a1eef3f398f64513a8392e9a1a56d4739cd4a3b285216
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 63318731600648EFDB21CB69C884F6AB7B9EF85354F2045A9E952DB381E734EE02DB50

Function 00F2D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6f041d0072275199d02bb0a3ac14b05670a1e4ad098195db134b428e44bc9b
Instruction ID: 9f336c1c0a955634759d119e4754410f2a41f8b63b35ab2c5720358a92846728
Opcode Fuzzy Hash: 3e6f041d0072275199d02bb0a3ac14b05670a1e4ad098195db134b428e44bc9b
Instruction Fuzzy Hash: 232105729042549BC720EB64DD45B1B77E8AB547A4F00082AF908DB2D2EB38DD00F7A2

Function 00F1F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 22ddd17a8ed744c2b91b428477cfaf599be78e438d5749e5667c547f09455f9f
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 0821CF722006009FC719CF15C841BAABBE9EF95364F15817DE11ACB2A1EB70EC45DB94

Function 00F7019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8de8eb9099c20c6e5816d822efa4bb5424111370a3f26917c4b7768716f4e1
Instruction ID: 900424bdc6f2e2c550e6d88a5af246fbb70847fe4d3ee1cc904d34fed2cc356d
Opcode Fuzzy Hash: 4c8de8eb9099c20c6e5816d822efa4bb5424111370a3f26917c4b7768716f4e1
Instruction Fuzzy Hash: EA21BF72A00644EFC715DB68CC44F6AB7A8FF48750F14406AF904D76A1DA38ED00EB54

Function 00F971F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c446b4487c8cd7aeb294484160b6d9f8334219f2fe0c20da3e52f0ff7532d2af
Instruction ID: aabc24eaf104c441fa0edc671e2afbf92c2958f17e3c59bebbb06ca1792c4cad
Opcode Fuzzy Hash: c446b4487c8cd7aeb294484160b6d9f8334219f2fe0c20da3e52f0ff7532d2af
Instruction Fuzzy Hash: 4B214B31A287408BEB20FF258841B2BB7D9AFD1720F14496CF8A683141CB70AC45AF91

Function 00F70283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab55304ff49743a8b9c5e05c3e6edb18aa1d2952222de5316b4c2684b159eea9
Instruction ID: c1e9472565c2b0b811b6a5505c0b9c809ee0b2a981151ed555272150beefa4ab
Opcode Fuzzy Hash: ab55304ff49743a8b9c5e05c3e6edb18aa1d2952222de5316b4c2684b159eea9
Instruction Fuzzy Hash: 4321C172904345DBC711DF69C848F6BB7DCAF90350F088466B888C7252DB38DA44E6A2

Function 00F6D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: d62b4be078a56160277ee558604d8ac0b7e3af56f13a1ea8f589c21d5139afe9
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: C521D472B44704ABD3219F18CC42B5BBBA4FF89720F10022EF945973A1D374DD00A7A9

Function 00F2A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8053e67ee88006eaa9eefd292902939b9f175a6b9a08320c8bfd02a90e7d6292
Instruction ID: 5ab79b1907e4d3d8283cf5f86384e2c1fd508c8697b30a6cf7e379b300d38064
Opcode Fuzzy Hash: 8053e67ee88006eaa9eefd292902939b9f175a6b9a08320c8bfd02a90e7d6292
Instruction Fuzzy Hash: 0F21AC36600A509FC724DF29CC01B46B3F5AF08B44F248468A449CB762E335ED42EB94

Function 00F880A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 3c7ae94152d67a554f0ce57ecbc0e0a3d2e0e9ed0b1f50f893ede8b8b8360dc0
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: BB218172900609EFDF21AF54CC44BDEBBBAEF44350F204455F941A7251DB74DD52AB50

Function 00F115A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: d067bd81d057d8da7b0ed0232c0f946542ea88b913405324afe07691bcd03030
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: CF213832A01685CFD712CB99C944B6177EAFF40360F1D00A1EE058B2A2E778CC51F752

Function 00F20124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 4736ef9ec23feb15819238278b68fb1d0aef2787fd2e6bfa3b3dab93b614121f
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 8E11C473601614BFD7229F54EC82F9ABBB8EF80764F200029FA049F191DAB1ED54EB50

Function 00EF80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308446ec9f34207b48cb34041d63e5b2014888f1194cedef53b1846b1f14daf9
Instruction ID: 684aa0b28b1e0dd9ee487248b50df1b6cf69d56a975d0353ce81f4f6a86db6eb
Opcode Fuzzy Hash: 308446ec9f34207b48cb34041d63e5b2014888f1194cedef53b1846b1f14daf9
Instruction Fuzzy Hash: 13216F75A01209DFCB14CF58C681ABEBBB5FB89718F24426DD205AB350DB71AE06DBD0

Function 00F7D080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbe29364cfd9de88cbe914f195105263231397afa7a77619b07f8af73cc2f73
Instruction ID: 1dd22341f6deb61031254e517d650d1dfcf8c5dd5ef8b03d9c7eea7def945196
Opcode Fuzzy Hash: 5dbe29364cfd9de88cbe914f195105263231397afa7a77619b07f8af73cc2f73
Instruction Fuzzy Hash: 7F1129311402809BC732AB24DC45F2677B9DF81774F548439F9088B2D2DA38DC41F7A5

Function 00EE9240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824b873e20e1344503a98ad7487a32ec76b8004dd9c6d29f637ada8efefb3f41
Instruction ID: 82a548ade34a62fc72438ee92aecc104ee825f97e06da386eea1061cbf5b91aa
Opcode Fuzzy Hash: 824b873e20e1344503a98ad7487a32ec76b8004dd9c6d29f637ada8efefb3f41
Instruction Fuzzy Hash: 8611E67A020289EAD7259F51EC85A7237E9EBA8B94F104025E800DF272D338DE01FB54

Function 00F1B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a793d28b9555a1a9cd191c4b7c8cb689e892c5dfc50b0470117fa0439977cc7e
Instruction ID: 78d09b666b92805d8a237288beff10273248d80254885ed48958358534b74880
Opcode Fuzzy Hash: a793d28b9555a1a9cd191c4b7c8cb689e892c5dfc50b0470117fa0439977cc7e
Instruction Fuzzy Hash: 3901F972B00340EBD710AB6A9C85FAB77E8DF88724F040069F605C3241DB78E941A621

Function 00EE7330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b24e77508f5fcfea32b2ffe185742df26c042632f679c8d266ed354978792d1
Instruction ID: dc96484089cad491f2c157dc3fd05625faa35fd72e5785dd0d605be8b0c5f092
Opcode Fuzzy Hash: 8b24e77508f5fcfea32b2ffe185742df26c042632f679c8d266ed354978792d1
Instruction Fuzzy Hash: 4611AC71604648AFD721CF6AC842BAB77E8FB44358F015829E9C5DB211E779EC00ABB0

Function 00F1E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 2bd03bf911393a6868fe7bbe19ced144b864bd0d443b0b677b551c2d1a11a1f6
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 6511E572A02AC59BD7229729CD44B653798AB10769F1D00F0EE41C7682E32CCC8AF251

Function 00F1F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b80a114a3d5ecfbb24c3e1ddf30769a799e4ac8627b4833dc1910221e1a3cf3
Instruction ID: b8c03651a23e52c4766e5d4ae46edc20dc1fecc4040edd91e365fb27ca2a0d43
Opcode Fuzzy Hash: 1b80a114a3d5ecfbb24c3e1ddf30769a799e4ac8627b4833dc1910221e1a3cf3
Instruction Fuzzy Hash: EA11C272A01648ABC720DF69CC85BAEB7A8EF44710F240076E501EB292DA39ED41E750

Function 00F872A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: df4433cdf52332cb79821c00c694438bd9a0c8c4cbab8bb1076a33ef6df7eeb6
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 6501DE72140609BFE711BF16CC81FA2F76EFF903A0F500529F200525A1C725ECA0EBA0

Function 00EEA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 203a956f03cf89ef6e05f85f934d429e2c0587921405b43dbe92edb6c0ee837b
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 7C012631405B599BCB308F16D840A727BA4EF59B64704893DFD95BB2A0D735E800DB61

Function 00F6E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638aee2bc7140a62d6c75ad1fbd50476c3b51979358ec42dad025558f8e8d448
Instruction ID: 2ef0e998ad62119e1c8fb7678dd7ea684763706bcbddac7c8335db9ad6694a18
Opcode Fuzzy Hash: 638aee2bc7140a62d6c75ad1fbd50476c3b51979358ec42dad025558f8e8d448
Instruction Fuzzy Hash: 9A11ED36641240EFCB15EF18CD91F16BBB9FF48B94F200065FA059B2A2C235ED01EA90

Function 00EF6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025ce0c7a1082ce211493c67053f09fc577d09c4b572a3763810f05f4a6d6e6d
Instruction ID: 832600c3c35eee261ba23d47352dac735d037713dcc424a8192399dbbb29ea5e
Opcode Fuzzy Hash: 025ce0c7a1082ce211493c67053f09fc577d09c4b572a3763810f05f4a6d6e6d
Instruction Fuzzy Hash: DE117C7054122CABEB65EB64CD42FE9B3B4BF44724F5041D4B318AA0E1DB749E81EF84

Function 00EF208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 246ce96752aa7ee3d6501d33096e25ec2d5607629ae2228d6f2c5febd20195f1
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 2101F133A001148BDF108E69D880BA27B6ABFD4710F5554ADEF059F286EF719C81E7A0

Function 00F76050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0a78fe4b7c960b5a1f7dfec0793e732f558dbcf221a26ee39f693359fd0ce3
Instruction ID: 9f9131f468b13face1dd9dc7c257fe5c1662e57ac799916faa41b69f11205b22
Opcode Fuzzy Hash: 3d0a78fe4b7c960b5a1f7dfec0793e732f558dbcf221a26ee39f693359fd0ce3
Instruction Fuzzy Hash: BD11177390011DABCB11DB94CC85EEFBB7CEF48358F044166E906E7211EA34AA15DBE1

Function 00F320F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e128f3abf966e3b5cb69310c2538bc084781e02e5f4e54bb699c079f3ce07c
Instruction ID: 0b44c925cf523a6a4d60f4f38935834582caa411f14c7ea88c0c722c15cbd156
Opcode Fuzzy Hash: 75e128f3abf966e3b5cb69310c2538bc084781e02e5f4e54bb699c079f3ce07c
Instruction Fuzzy Hash: A8116D31A0120CAFCB04EF64DD51FAE7BB5EB44750F104059F9059B291D635EE11EB91

Function 00EEC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: b5223bd76e4928d56f28672db0ef2c02cf5d6cbec58009532e19ab42bfdaecc8
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 3201F532100B48DFDB329666C900FA777E9FFC4314F14881DE9468B540DE74E802EB50

Function 00F2E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2850ed0c145cb92029404e92bf056a99f701121f8d79a04496a9d529b3cab920
Instruction ID: 4fc5b2fa8c38f7aed2c9cde60e40601887da21dfb202b57cfac5728186ed566b
Opcode Fuzzy Hash: 2850ed0c145cb92029404e92bf056a99f701121f8d79a04496a9d529b3cab920
Instruction Fuzzy Hash: 6501DF72600A44BBC351AB29CD85E57B7ACEF847A4B040629B108C36A2DB78EC01E6F0

Function 00EE9353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 53f91728b4aa1f05a387836aaeb7f5ad8526157aad9dba263bbd82d84db6e544
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 7A118B32800B419FD7319E16D880B26B3E4FF80766F158868E4896A4A7C378E881DB10

Function 00F7C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997607aa6336fc654d8c8a92dc9652f9ad03e857fd1695ff6164c7b291244b4d
Instruction ID: df38b8a7e3546cd9001d69f693fcc73a0f406dbf90384e012c7e7bd043799a6d
Opcode Fuzzy Hash: 997607aa6336fc654d8c8a92dc9652f9ad03e857fd1695ff6164c7b291244b4d
Instruction Fuzzy Hash: 97115B71A0120CEBCB05EF64C851EAE7BB5EB48350F00805AB90597390DA38EE11EB91

Function 00F2D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 9f9a481803bd06ee6e04d001ff7bf0bf01e1a970c392f5de637ecdb57c5ff7a5
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 7001F272A01624DBDB21DA54F805F6973A9EB84B34F20821AFE158B2C1DB78ED41E791

Function 00F133A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 0e59bacf9dfe195699956edc679a695bc31b53003e19b88c519f12676f1c2634
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: FD01D136700115EBCB12DAAADC01EDB7AACAF84B50B140429B915D7160EA31EE82E760

Function 00FAF453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9ef9fdf0cd7a0c1280b291dd4e62a68bd48713b734b8b75639b2e16a82f390
Instruction ID: ff3610d1d5ebe6e425011bbad7ba6307666f4b7e736e448aa597dee4e20bb3e5
Opcode Fuzzy Hash: 9c9ef9fdf0cd7a0c1280b291dd4e62a68bd48713b734b8b75639b2e16a82f390
Instruction Fuzzy Hash: 44017571A11258AFCB14EFA9D842FAFBBB8EF45710F504066B900EB381D678EE05D794

Function 00FAF5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8b0a50df095f268211671d24a45f7b6503b95ffd5b6beb746dfcc806c86c0b
Instruction ID: 1ae019464d57e0898acb48237b72270f9cc1c9153be9d2c762220be3cfdf4cb9
Opcode Fuzzy Hash: ec8b0a50df095f268211671d24a45f7b6503b95ffd5b6beb746dfcc806c86c0b
Instruction Fuzzy Hash: A7017571E01248AFCB04DFA9D842FAEBBB8EF45710F004066B900EB391D678EE05DB94

Function 00F0E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ddd24c3728d040bed86f7c83ba4ebd84d5d885b669e53a99a3e871588c1e16bf
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: C8017CB27045849FD3228B1DC948F377BDCEF55760F0908A2F905CB6E1D6A8DC40E621

Function 00EE826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef3180e16d3f3063113bbd4ec33bee843f4b3d0ff94e0933de839b2b30dd2bb
Instruction ID: df75449c32b13901f092fefe003dd0767b5f0e24a7ba4cf1a036d6ae838b41af
Opcode Fuzzy Hash: 2ef3180e16d3f3063113bbd4ec33bee843f4b3d0ff94e0933de839b2b30dd2bb
Instruction Fuzzy Hash: 3301F73170054CDFC704DB6ADD059AF77A8EF84714B15506AAA09BB651EE20ED01D291

Function 00FAF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f391dc3983d74b14f411d7cbb120e47e7bca0c393ef4216398a8cc9538e69100
Instruction ID: 4f6f502939813b47fad53052b03c9b9668d961cb1ca38ee63723a97972d8a135
Opcode Fuzzy Hash: f391dc3983d74b14f411d7cbb120e47e7bca0c393ef4216398a8cc9538e69100
Instruction Fuzzy Hash: 3B018471A01358ABDB14EBA5DC46FAF7BB8EF44710F004066B500EB281D6B8DA05D794

Function 00EF2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f454bd69de5b650558a183e0f5cfd853c8dc1deeacab347160a33ab512e32719
Instruction ID: 217f51e2416f4c886a508828b2c4df5fb4377ce65785bb51289516f8b5b0e3dc
Opcode Fuzzy Hash: f454bd69de5b650558a183e0f5cfd853c8dc1deeacab347160a33ab512e32719
Instruction Fuzzy Hash: AEF0F432A41A24B7C731DF56CC40F57BAADEB84BA0F108028B705A7640CA74ED01EAA0

Function 00FC50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762efb01b7e9e2c7859395977e3402f25e35243022c2297a07f19bda78d8cf4b
Instruction ID: dea23b9425a7e6529464eb125de0b889103a9e93103ca05e4733282a8db1d6d4
Opcode Fuzzy Hash: 762efb01b7e9e2c7859395977e3402f25e35243022c2297a07f19bda78d8cf4b
Instruction Fuzzy Hash: 39015AB1A0120DABCB00DFA9D946AAEB7B8EF48710F10405AF500E7281D638AA019BA0

Function 00F1C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 3f00ce02b841f2ecdcc31376c89386200a21457bf7eafb5578aa158a691d0b67
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 25F0AFB2A00A14ABD324CF4DDC41E57F7EADFC4B90F048168A545C7220EA71DD04DB90

Function 00FC5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514c44187e7584b83bb9f7571de6ce0fd3395d0007b58dd3140a3eece2274631
Instruction ID: ec2a473f275c51846cd7a17f4adcb7bbeb602b712e09b38ef1df3e59fa4f9ee1
Opcode Fuzzy Hash: 514c44187e7584b83bb9f7571de6ce0fd3395d0007b58dd3140a3eece2274631
Instruction Fuzzy Hash: 14012171A1125D9FCB04DFA9D942EEEB7B8EF48754F10405AF501E7351D638EA019BA0

Function 00FC5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f192852cd2e2ad8175fdb91b75c8b0b68d40eada12cf07cf70d7bf6edc3e3b1
Instruction ID: cc0fd199f33aa188bc1315d87a02e7e7eda18119072012bd843d21625fec2288
Opcode Fuzzy Hash: 2f192852cd2e2ad8175fdb91b75c8b0b68d40eada12cf07cf70d7bf6edc3e3b1
Instruction Fuzzy Hash: A5012171A1124D9FDB04DFA9D945EDEB7B8EF48714F14405AF500E7351D738EA019BA0

Function 00EEC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 198eac38042f40fd4c2792ef0439b1402a79a837a5ff0b9c4a2db7bcfbdf82f9
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 33F0F633244EB69BD732165B4840B6BB6D99FC1BA8F3A9075F109FB244CA648C03B6D1

Function 00FC5537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0be0aafe3ac42e1e8efd70a86aea7ea00e62ac1e41ba175409daad960c7c567
Instruction ID: 96aa177012b247873d3d80bfd3d6eb7db1bd33bdaeb865f54e3b9c34d83f512e
Opcode Fuzzy Hash: e0be0aafe3ac42e1e8efd70a86aea7ea00e62ac1e41ba175409daad960c7c567
Instruction Fuzzy Hash: B4111E70A1124ADFDB04DFA9D941BAEB7F4BF08704F14426AE504EB382D638E941DB50

Function 00FC61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cea50e3f32dae70d99e7e90809969804c1c896af21be6c915ca47a142fb017
Instruction ID: 9820b122bf03cccc536f3d1f4c1552afc2db47047571f37710ae3695b99acb6d
Opcode Fuzzy Hash: 44cea50e3f32dae70d99e7e90809969804c1c896af21be6c915ca47a142fb017
Instruction Fuzzy Hash: F1014F71A0125D9FCB04DFA9D946FEEB7B8AF48314F14406AF501EB290D778EA01DB94

Function 00FAF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09556ebd02df16e7f5870ff7127e40c71b15bc18618073fd3d9a3047d05272dc
Instruction ID: 48ab64cd819deb926adef419fa3fc8c1907f3bd5803b7e86dbdaed28ac76687b
Opcode Fuzzy Hash: 09556ebd02df16e7f5870ff7127e40c71b15bc18618073fd3d9a3047d05272dc
Instruction Fuzzy Hash: 8AF0A472A11348ABDB04DBB9C806AAEB7B8EF44710F008066F501EB291DA78EA059750

Function 00F763C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 3a0f81263bd53c6b65fd2ff82c7965263ba2b275d558f2926f6b054e29cff243
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 93F01D7220001DBFEF019F94DD81DAF7BBDEB49398B108125FA15E2161D635DE21ABA0

Function 00F2724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 2a2fb96b4c571c0ae2a00e2ada90125bd28ba027f10e4517837337e352cce27e
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: AEF0F672E05365EBEB10E7A89941FABB7A8AF80720F188155FD019B1C1D634ED40EA50

Function 00F7A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a36c8a4c2f93453c209f6efbcb5a28854920c7c3768d2978422eb342d51e12
Instruction ID: 27ae12a1c33b768e53e2dd9f75370dcbe140777ff0293f4a5352c59429df7151
Opcode Fuzzy Hash: 41a36c8a4c2f93453c209f6efbcb5a28854920c7c3768d2978422eb342d51e12
Instruction Fuzzy Hash: 84019A36500149ABCF129F84DC40EDE3F66FB4C764F0A8116FE1866260C236D970EF82

Function 00EEC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc0a95ab80ddcb2acb58b75835af98b618da03a9e6f2a715bede9cb5c4658bc
Instruction ID: b22e959778bdc126c3f81aa5ed0219aa7f15dc5450c9fdfb166c2b91cbfbd954
Opcode Fuzzy Hash: 8bc0a95ab80ddcb2acb58b75835af98b618da03a9e6f2a715bede9cb5c4658bc
Instruction Fuzzy Hash: 49F02B713052855BE314951A8D02F7232B5D7C0754F35A07DEB09AB2C2E971DC038794

Function 00FC53FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef8f4448680cd90ae602b279d8762e8abf7d97c91a9db538b4ab86a0dc03a0c
Instruction ID: 53a490c18b4966cf9dd23b710933f7c0012bacf50288905d0083cc2494e524ae
Opcode Fuzzy Hash: 5ef8f4448680cd90ae602b279d8762e8abf7d97c91a9db538b4ab86a0dc03a0c
Instruction Fuzzy Hash: 38011E70E0120A9FDB08DFA9D556F9EB7F4FF08300F148169A519EB381D634AA409B90

Function 00F2656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d75e4d7f3a568420916d739ec4c790104c812cc249a5dcfcfd6f3c7025503e
Instruction ID: 2d68aabff4d145d6ad5fc284758205c5651c858d14279898b682e3de77a3292e
Opcode Fuzzy Hash: 16d75e4d7f3a568420916d739ec4c790104c812cc249a5dcfcfd6f3c7025503e
Instruction Fuzzy Hash: B201A471605AC4DBE332AB28DD4AF2537A8AB40B14F5C0190B901CB6E2D728E841B510

Function 00F9437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: bbda6720897f570c50bf68c4f3db5c67fbd21008e240f3bfed2a20c4d90ce489
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 94F0E931B41D1247EF75EA3A9820F2AB2559FE0F21B05052CAC45CB680DF50EC02B790

Function 00EE92FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e500866cd8195e81c173c029760340a18a447eb08bc64573cc7631b15862b8
Instruction ID: 3934a2dfacae143e710682ed0327476fb7849403bf2b23d222162e1dc95383c7
Opcode Fuzzy Hash: 32e500866cd8195e81c173c029760340a18a447eb08bc64573cc7631b15862b8
Instruction Fuzzy Hash: 43F0F032100788ABD7319B0ADC05F9ABBEDEF84704F08011CB542A3192C6A0A904C660

Function 00FAF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff98ce9c8d2989dc054a8e6f282c5aaeb2521302cd4817b29b648d60e40150e
Instruction ID: c5e3b96bfb310dfd364db37da93681529f42b5261f933269f3aaad3aa7d8ec32
Opcode Fuzzy Hash: dff98ce9c8d2989dc054a8e6f282c5aaeb2521302cd4817b29b648d60e40150e
Instruction Fuzzy Hash: 75F04FB1E0124CAFCB04EFA9D946A9EB7F4EF08300F504069B945EB392D678EA01DB54

Function 00FC55C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88593334818841cb328e27b826e89b3fe00c7bfdd142667917540478c6d0e9f
Instruction ID: d96c43b67c71b38b31170f94f6d3896ed8aaf3801cef52cfe2882a0ef4588c59
Opcode Fuzzy Hash: d88593334818841cb328e27b826e89b3fe00c7bfdd142667917540478c6d0e9f
Instruction Fuzzy Hash: 49F01974A01249AFCB04EFA8DA46A9EB7B4AB18700F504459B845EB281D678EA00EB54

Function 00FB0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d31a75e3e73d181244f838e41c00b9e0b9a072d40211cb2a737009f3e3b4a5d
Instruction ID: 87e2cd57be397ee1d316bc8494f6b2fa1e5a008a970548e9713a53d7f2124cb4
Opcode Fuzzy Hash: 0d31a75e3e73d181244f838e41c00b9e0b9a072d40211cb2a737009f3e3b4a5d
Instruction Fuzzy Hash: CBF027A68156CC0ACB266B2D7C952DA3B659752334F091085D4B19B213C9788D83FA20

Function 00FC52E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5750f699ec4ea8560a168760845eff818f66dd5b4b43d4d0b5d7ebc214b73f6f
Instruction ID: c2457919e9aa4a6ea2e39be0b73f16f67d7543d11e2076c232e50b1774e7ecd5
Opcode Fuzzy Hash: 5750f699ec4ea8560a168760845eff818f66dd5b4b43d4d0b5d7ebc214b73f6f
Instruction Fuzzy Hash: B3F0E970A1068D9FCB04EFB5DA42F6E73B4EF14704F004058B401EB2C1DA78E900E714

Function 00FC5283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24deb2fb8fbc22392338386b0a32bebe59743252e5007772ba0733c4c632852b
Instruction ID: 22676348a545e794b11cdb57bb51baaa7f63cf639d7e11a6a446e26663c34f61
Opcode Fuzzy Hash: 24deb2fb8fbc22392338386b0a32bebe59743252e5007772ba0733c4c632852b
Instruction Fuzzy Hash: 2EF0B470A116499FD704EBA4D902FAE73F4AF04700F004458B441EB281EA38E900A750

Function 00FC539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3357cfccefacd76027c94287ae1eda2a1da6426c7dd79afb4f83fafb444a8ec
Instruction ID: cc1ef2da7dbb00e1c0eea1d6004f9d153e97f015f05321b7770685fd9acf160d
Opcode Fuzzy Hash: b3357cfccefacd76027c94287ae1eda2a1da6426c7dd79afb4f83fafb444a8ec
Instruction Fuzzy Hash: C0F0E970A1064D9FC708EFB8D946F5EB7B4EF04704F108058F501EB281DA78E901EB14

Function 00F2C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96d46a28f2662560c4dfb73cfdaf3c2f8a14ea8668ccae8bcab703c61cc7719
Instruction ID: 108409ccc3ff554d5a8be4ed9fbea3de3074dfc4be368bef57cf38fc6b909a38
Opcode Fuzzy Hash: e96d46a28f2662560c4dfb73cfdaf3c2f8a14ea8668ccae8bcab703c61cc7719
Instruction Fuzzy Hash: 51F052728412718FC3229718E108B19BBD4AB00FB0F089425D40E83202C3A8CC80EAE0

Function 00F6D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 538ad470b66b9e832042812a42724cadb142e0d2741bedb878adf3eb6e215061
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: E2F02B3360461477C230AA0D8C05F5BFBACDBD5B70F10431ABA249B1D1DA74EA01E7D6

Function 00FC51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a930eeb73672046ad79e7a81b1e435f2c1aee3172c119e20e786abd7ffa8e5
Instruction ID: 1a3faea4528e042f1a5930aabf9978d365abcbb7751c2eef78d0da5e68406d66
Opcode Fuzzy Hash: 55a930eeb73672046ad79e7a81b1e435f2c1aee3172c119e20e786abd7ffa8e5
Instruction Fuzzy Hash: 43F082B0A1124DABDB04EBA8DA07FAE77F8AF44704F140059B941EB2D1EA78E900E754

Function 00FC5227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee951354b1749a8d84463187517d196cb69d20b2471b6e0e6ebae00bcfc80cbd
Instruction ID: 1eebf6946ccbd22ef53fa4ee0c169503645497a59b9923bb68b42dbccdab654c
Opcode Fuzzy Hash: ee951354b1749a8d84463187517d196cb69d20b2471b6e0e6ebae00bcfc80cbd
Instruction Fuzzy Hash: 5EF08270A15249ABDB04EBA8DA46FAE73F8AF04704F540058B901EB2D1EA78E900A754

Function 00F27208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79af7ce3dc6102cf714b04afeae79d234e2266ed005baffdd3568136f927e3c
Instruction ID: 2431a933f5d99480cb3257b23a9c64098f2009db16a368b38cd3d3c9c6708e9d
Opcode Fuzzy Hash: c79af7ce3dc6102cf714b04afeae79d234e2266ed005baffdd3568136f927e3c
Instruction Fuzzy Hash: 3EF02072D117949FD722F318C184F22B3D8AB01B34F0D9165E80A8B502C378EC80E350

Function 00FC5341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8305e737c7490042ab48dd68f8946d37ea98d204fd55db6f599b7c93d00f29cc
Instruction ID: 5a875a12370af823cdc7acb691496a46b9232de58818fb67f5e11ccdeb779ee2
Opcode Fuzzy Hash: 8305e737c7490042ab48dd68f8946d37ea98d204fd55db6f599b7c93d00f29cc
Instruction Fuzzy Hash: 6BF08270A01649ABCB04DBA9DA46E9E77B8AF09794F500059B501EB2D1EA78E900A714

Function 00FC54DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687e31ba245a7a446c35227c1333adcec72b83be9a4be1a2754727ac23995853
Instruction ID: b29ef7ffbc27eda23a1bfdc5b6e7756cae5c361ef401c58490b6824d9c0eaf77
Opcode Fuzzy Hash: 687e31ba245a7a446c35227c1333adcec72b83be9a4be1a2754727ac23995853
Instruction Fuzzy Hash: 1DF08270A1124DAFDB04EBA9D957F9E77B8AF08708F140458B501EB2C1EA38ED00A714

Function 00FC547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea002a1d2750fdbd8701f9cad3253da6b50564d75c2a5ad3e6b2a7772997fa0
Instruction ID: 443d5775c0eb47f909433774943d0b257f3136e1627e2e5f2d468280abc63c8f
Opcode Fuzzy Hash: 7ea002a1d2750fdbd8701f9cad3253da6b50564d75c2a5ad3e6b2a7772997fa0
Instruction Fuzzy Hash: C8F08270A01649ABDB08DBA9DA57F9E77B8AF08704F100058F501EB3C1EA38E940A754

Function 00F255C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: cef590638aec6896c0d918e0bcb121d084c326a5042456c1aae23cd621442c1e
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 15E02233501A24ABC3211A06EC02F12FBA9FFA0BB0F288229F058575D08B74FD11FAD4

Function 00EF25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a79b5de0cce7820704c2957f59b7f3b202688259d3d9da868924c15c84c72d5
Instruction ID: 104fb08d9f9c369fc0d8e94345a8f217253fb6a8ba5ac64eaf0e18b617a791d5
Opcode Fuzzy Hash: 8a79b5de0cce7820704c2957f59b7f3b202688259d3d9da868924c15c84c72d5
Instruction Fuzzy Hash: 47E092721009989BC711BB29DD02F9BB7DAEB90374F014519B215AB1E1CB34A910D784

Function 00F74000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: e94c8fa15f301042a36d1c6f4a8916c2f2f97ec28745ac3b9808c186ed77fe1d
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 0CE0C2347003058FD715CF19C040B6677B6BFD5B20F28C069A9488F205EB32E842DB41

Function 00EE823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 5ced327428a3ad81746865d4e08ae0bd430995a94f1801ee9ea149b195dec638
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 36E0CD31440954DFD7312F12DD01F51B7A5FF98B20F205819F145250B58B749C81FB44

Function 00FAB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: df4e5461475fe203f1a10d89ccf0461d7ed290eb842c190facf8038181745f51
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 10E0CD31244614B7DB225E40CC01F657B95EB507A0F204031FA086A691C6759D51F6D4

Function 00EF2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6062959fcc0733883eba05940c764aac3b318c0a113711c2820c339341ebbb8
Instruction ID: 04fb70f1b9ebeb52fa61903cd6148f8920c6e666a0ffbc085465ddca07601b47
Opcode Fuzzy Hash: a6062959fcc0733883eba05940c764aac3b318c0a113711c2820c339341ebbb8
Instruction Fuzzy Hash: A0E08C322004986BC611FB5DED42E5A73DEEBA43A0F014125B250AB2E1CA64AD00D794

Function 00F792BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c12b5716507eec6457da3605e8a0efb6d7ea458f25b09ecb53f568c20f509b2
Instruction ID: de4e86e94f89d3210fc79daf43aa9f998f3934d105cf23c64981a75978b0a639
Opcode Fuzzy Hash: 5c12b5716507eec6457da3605e8a0efb6d7ea458f25b09ecb53f568c20f509b2
Instruction Fuzzy Hash: ACF06534205B84CFE31ADF08C1E1B2133BAFB85B00F504069C44A8FBA2C33AAD42EA40

Function 00EEB562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 11443a464a3bbdd2d9a6fe0dd6892fc434415cb5d253886760555f0b439c7895
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 9CD05B31161660AFD7316F15FD06F477AB6AF80B10F0505147041764F18765ED44D6D0

Function 00F2E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 3f2ddfed7f93349b4ed45623a87c2590fb74d59b558015be0c642c9dce54af10
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: F3D0A7325045106BD7319A1CFC00FC373DCAB48720F050459B004C7050C364AC41D644

Function 00EEA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: c13c882861eec0d352a81e7bc94ff5e141d5b70d6cb14147fbea5082e19dbef7
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 7DD022322130B093CB2856526C00FA3B9099F80B98F1E003C340AF3800C0088C42E2E0

Function 00F002A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 83e317ae927b382da9e2e8eedd2ff44f483c0294446c72765425b88544352ca4
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: D0D0C935612E80CFC71BCB0CC5A8B1573A4BB84B44F8104A0E401CBB61DA2CED84EA00

Function 00F7930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 55038590e9c7608210bed378f4c3b3024e4cd9086c8d3dbb6439de0e95c37e0b
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 04D05E35945AC4CFE727CB08C165B507BF8F705B50F854099E0464BBA2C3BC9D84CB01

Function 00F10310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 2a9e774bd9ff6e734f05936db1bdb46467750230a40e341ef67a0b8011a4d7cd
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: A3D01236100248EFCB01DF41C890D9A773AFBC8710F108019FD190B6118A75EDA2DA50

Function 00F1340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 1c21957e4c720a75916d0e3c819a8d9c143ae0de2329e240e4eb6b82679d988f
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: E5C08C705419806AFB2B9700ED01B283A94AB0072AF84019CBA40794E2C36E9E42A218

Function 00F32890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00F3293C
___swprintf_l.LIBCMT ref: 00F3295E
___swprintf_l.LIBCMT ref: 00F329A3
___swprintf_l.LIBCMT ref: 00F6A52E

Strings

:%u.%u.%u.%u, xrefs: 00F6A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 00F6A54E
::%hs%u.%u.%u.%u, xrefs: 00F6A527
ffff:, xrefs: 00F6A504

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 98253da2fe1a6659041eb9ee05c5b29f28bda1bd0020fa7fe2f20a7d05b9e0eb
Instruction ID: 04ba52fce632128fa2400b94eed0c698efdd83195fe27645b22069a3429d8603
Opcode Fuzzy Hash: 98253da2fe1a6659041eb9ee05c5b29f28bda1bd0020fa7fe2f20a7d05b9e0eb
Instruction Fuzzy Hash: 4B51EBB6E00256BFDB50DF588C90A7EF7B8BB48310F14816AE465E7641D734DE40BBA0

Function 00F27630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 00F64787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00F646FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00F64742
Execute=1, xrefs: 00F64713
ExecuteOptions, xrefs: 00F646A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00F64655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00F64725

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 5ddbbc8e69c351273b3a23c5f099a31b5408a0d47411f54057fcb699c3d5f2d2
Instruction ID: 5afd712a0a90d71dfa3801ad1d7ac2b39cebcdbf24c318e4981d5ad4b1120436
Opcode Fuzzy Hash: 5ddbbc8e69c351273b3a23c5f099a31b5408a0d47411f54057fcb699c3d5f2d2
Instruction Fuzzy Hash: 47510931A043297ADF10FBA4EC8AFAE77A8EF14310F1400E9E505AB291D771AE45EF51

Function 00F3B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00F3B6BF

Strings

0, xrefs: 00F3B695
0, xrefs: 00F3B66F
-, xrefs: 00F3B650
+, xrefs: 00F3B65A

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 046017d3c5f601e3d961a1f1dbfd5d105ca2c5692045f71e64ad60850e7e6f13
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: E3819270E052499EDF248F68C8727FEBBB5EF85330F18425AEA51A7292C7349C41EB51

Function 00F2BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00F67B7F
RTL: Resource at %p, xrefs: 00F67B8E
RTL: Re-Waiting, xrefs: 00F67BAC

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 7a458c89550c1e32649225de9a457dfb84de23ebf11b97a3cc2c181a04de15e2
Instruction ID: 627e488719ac0f71ef35bdeb0f392ea82dcd14d9e0b8ee3259c2758c82fb3320
Opcode Fuzzy Hash: 7a458c89550c1e32649225de9a457dfb84de23ebf11b97a3cc2c181a04de15e2
Instruction Fuzzy Hash: 0B41E3317047129FC720DE25DD41B6AB7E5EF88720F100A2DF85ADB281DB71E805AB91

Function 00F2B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00F67294
RTL: Resource at %p, xrefs: 00F672A3
RTL: Re-Waiting, xrefs: 00F672C1

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 12811d0b565291e589318557bdb26f60e05516700af17985daeae0e2f85df2b7
Instruction ID: 010fe567b438cfb00f9094a5fc3551a3cb99d110447d9764e3d8e6e82ac18519
Opcode Fuzzy Hash: 12811d0b565291e589318557bdb26f60e05516700af17985daeae0e2f85df2b7
Instruction Fuzzy Hash: 6941F232A04312ABD720EE25CC42F6AB7A5FB44724F140619FC55AB281DB25F846EBD1

Function 00F37D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00F37E8B

Strings

+, xrefs: 00F37DE8
-, xrefs: 00F37DDD

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: c3a2ba049ef5628db9e29942068bbd49d85c070b05b54aa02c526fab82d80444
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: E59194F1E083169BDF34EE69C8816BEB7A5BF44370F24451AE865E72C0DB349D81A760

Function 00EF9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 00EF9175
$, xrefs: 00EF9191

Memory Dump Source

Source File: 00000005.00000002.2356525474.0000000000EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ec0000_P.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 43cf04af8bb5b0b4e897f5025c09b2657b749b53440a6c2c0ba1b8de5f813d46
Instruction ID: 706bdfb92e1075cb9da9d8b591cebae7d4bcfdbce181a176545ca394d5d83acd
Opcode Fuzzy Hash: 43cf04af8bb5b0b4e897f5025c09b2657b749b53440a6c2c0ba1b8de5f813d46
Instruction Fuzzy Hash: A4812971D0126D9BDB35CF54CC45BEAB7B8AB08710F0441EAAA49B7281E7709E84DFA0

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P.O.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P.O.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: P.O.exePID: 7424, Parent PID: 2580

Windows Analysis Report
P.O.exe

Function 07737AFC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 07737B08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0144AD08 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 014444B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 014458EC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 07737879 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 07737880 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07737969 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 077376E0 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 0144D1DC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0144D5E8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 077376E8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 00417D83 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042CCB3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 00F335C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 00F32B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE