Edit tour

Windows Analysis Report
c62q1qZ8kX.exe

Overview

General Information

Sample name:	c62q1qZ8kX.exe renamed because original name is a hash value
Original sample name:	11DA048860021B6C22E171032E48B023.exe
Analysis ID:	1562033
MD5:	11da048860021b6c22e171032e48b023
SHA1:	b3b636a8bd17223454b4522fdbdb4863e0c4a565
SHA256:	c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates processes via WMI

Drops PE files to the user root directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

c62q1qZ8kX.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\c62q1qZ8kX.exe" MD5: 11DA048860021B6C22E171032E48B023)

wscript.exe (PID: 6432 cmdline: "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 1856 cmdline: C:\Windows\system32\cmd.exe /c ""C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chainMonitor.exe (PID: 6192 cmdline: "C:\blockrefSessionBrokerDll\chainMonitor.exe" MD5: F6B809FA6BD0E72435FAB78E9744CCD7)

schtasks.exe (PID: 2304 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6484 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6840 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6188 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 5 /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7156 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7132 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 11 /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6404 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6532 cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4420 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6384 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5076 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6504 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6400 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2300 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6560 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7076 cmdline: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6232 cmdline: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6264 cmdline: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5356 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6356 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6360 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6456 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6508 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6400 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7128 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6264 cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6356 cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6456 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\mmeUVmNHPOdst.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6776 cmdline: schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Public\Pictures\mmeUVmNHPOdst.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

fontdrvhost.exe (PID: 3592 cmdline: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe" MD5: F6B809FA6BD0E72435FAB78E9744CCD7)

fontdrvhost.exe (PID: 4444 cmdline: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe" MD5: F6B809FA6BD0E72435FAB78E9744CCD7)

mmeUVmNHPOdst.exe (PID: 2148 cmdline: "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe" MD5: F6B809FA6BD0E72435FAB78E9744CCD7)

mmeUVmNHPOdst.exe (PID: 6556 cmdline: "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe" MD5: F6B809FA6BD0E72435FAB78E9744CCD7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"J\":\",\",\"C\":\"_\",\"y\":\"-\",\"6\":\"<\",\"i\":\"%\",\"d\":\"&\",\"M\":\"~\",\"1\":\"`\",\"A\":\"*\",\"o\":\";\",\"T\":\" \",\"G\":\"$\",\"L\":\">\",\"9\":\".\",\"P\":\"|\",\"V\":\")\",\"n\":\"(\",\"B\":\"!\",\"4\":\"^\",\"I\":\"#\",\"z\":\"@\"}", "PCRT": "{\"=\":\"@\",\"w\":\"!\",\"S\":\"_\",\"c\":\">\",\"I\":\"#\",\"6\":\"$\",\"X\":\",\",\"0\":\"-\",\"i\":\")\",\"x\":\"|\",\"j\":\";\",\"M\":\"^\",\"p\":\"~\",\"b\":\"<\",\"l\":\" \",\"y\":\"%\",\"Q\":\".\",\"D\":\"&\",\"f\":\"(\",\"e\":\"*\"}", "TAG": "", "MUTEX": "DCR_MUTEX-TXFV1PVhEzKnX0qsW6HH", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000022.00000002.1884618745.00000000032F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.1884278845.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.1884618745.00000000032B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.1884618745.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1801910999.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001C.00000002.1879455048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1801910999.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.1884278845.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.1884137133.0000000003231000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: chainMonitor.exe PID: 6192	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 3592	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 4444	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: mmeUVmNHPOdst.exe PID: 2148	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: mmeUVmNHPOdst.exe PID: 6556	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe", CommandLine: "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe, NewProcessName: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe, OriginalFileName: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe", ProcessId: 2148, ProcessName: mmeUVmNHPOdst.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\blockrefSessionBrokerDll\chainMonitor.exe, ProcessId: 6192, TargetFilename: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /f, CommandLine: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\blockrefSessionBrokerDll\chainMonitor.exe", ParentImage: C:\blockrefSessionBrokerDll\chainMonitor.exe, ParentProcessId: 6192, ParentProcessName: chainMonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /f, ProcessId: 6456, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\c62q1qZ8kX.exe", ParentImage: C:\Users\user\Desktop\c62q1qZ8kX.exe, ParentProcessId: 7132, ParentProcessName: c62q1qZ8kX.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe" , ProcessId: 6432, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /f, CommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\blockrefSessionBrokerDll\chainMonitor.exe", ParentImage: C:\blockrefSessionBrokerDll\chainMonitor.exe, ParentProcessId: 6192, ParentProcessName: chainMonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /f, ProcessId: 6400, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T05:52:21.563959+0100	2034194	1	A Network Trojan was detected	192.168.2.4	49730	141.8.192.138	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: c62q1qZ8kX.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\7-Zip\Lang\TextInputHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\blockrefSessionBrokerDll\5sVJrvWE.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\nfAOklRSeu.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000004.00000002.1801910999.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"J\":\",\",\"C\":\"_\",\"y\":\"-\",\"6\":\"<\",\"i\":\"%\",\"d\":\"&\",\"M\":\"~\",\"1\":\"`\",\"A\":\"*\",\"o\":\";\",\"T\":\" \",\"G\":\"$\",\"L\":\">\",\"9\":\".\",\"P\":\"|\",\"V\":\")\",\"n\":\"(\",\"B\":\"!\",\"4\":\"^\",\"I\":\"#\",\"z\":\"@\"}", "PCRT": "{\"=\":\"@\",\"w\":\"!\",\"S\":\"_\",\"c\":\">\",\"I\":\"#\",\"6\":\"$\",\"X\":\",\",\"0\":\"-\",\"i\":\")\",\"x\":\"|\",\"j\":\";\",\"M\":\"^\",\"p\":\"~\",\"b\":\"<\",\"l\":\" \",\"y\":\"%\",\"Q\":\".\",\"D\":\"&\",\"f\":\"(\",\"e\":\"*\"}", "TAG": "", "MUTEX": "DCR_MUTEX-TXFV1PVhEzKnX0qsW6HH", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	Virustotal: Detection: 76%	Perma Link
Source: C:\Program Files\7-Zip\Lang\TextInputHost.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\7-Zip\Lang\TextInputHost.exe	Virustotal: Detection: 76%	Perma Link
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Virustotal: Detection: 76%	Perma Link
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\mmeUVmNHPOdst.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\mmeUVmNHPOdst.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Public\Pictures\mmeUVmNHPOdst.exe	ReversingLabs: Detection: 78%
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: c62q1qZ8kX.exe

Virustotal: Detection: 58%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Lang\TextInputHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: c62q1qZ8kX.exe

Joe Sandbox ML: detected

Source: c62q1qZ8kX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\1824f7f43360d2	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows NT\Accessories\en-GB\088424020bedd6	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\7-Zip\Lang\TextInputHost.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\7-Zip\Lang\22eafd247d37c3	Jump to behavior

Source: c62q1qZ8kX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: c62q1qZ8kX.exe

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_001DA5F4
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_001EB8E0

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49730 -> 141.8.192.138:80

Source: chainMonitor.exe, 00000004.00000002.1801910999.0000000003396000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001D718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_001D718C

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001D857B	0_2_001D857B
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001FD00E	0_2_001FD00E
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001D407E	0_2_001D407E
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001E70BF	0_2_001E70BF
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_00201194	0_2_00201194
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001D3281	0_2_001D3281
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DE2A0	0_2_001DE2A0
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001F02F6	0_2_001F02F6
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001E6646	0_2_001E6646
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001F070E	0_2_001F070E
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001F473A	0_2_001F473A
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001E37C1	0_2_001E37C1
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001D27E8	0_2_001D27E8
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DE8A0	0_2_001DE8A0
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DF968	0_2_001DF968
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001F4969	0_2_001F4969
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001E3A3C	0_2_001E3A3C
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001E6A7B	0_2_001E6A7B
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001F0B43	0_2_001F0B43
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001FCB60	0_2_001FCB60
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001E5C77	0_2_001E5C77
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DED14	0_2_001DED14
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001E3D6D	0_2_001E3D6D
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EFDFA	0_2_001EFDFA
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DBE13	0_2_001DBE13
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DDE6C	0_2_001DDE6C
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001D5F3C	0_2_001D5F3C
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001F0F78	0_2_001F0F78
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Code function: 4_2_00007FFD9BAA3595	4_2_00007FFD9BAA3595
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BA93595	28_2_00007FFD9BA93595
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA5DE1	28_2_00007FFD9BAA5DE1
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA6C40	28_2_00007FFD9BAA6C40
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA3748	28_2_00007FFD9BAA3748
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA4D2D	28_2_00007FFD9BAA4D2D
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA7521	28_2_00007FFD9BAA7521
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA4409	28_2_00007FFD9BAA4409
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA235D	28_2_00007FFD9BAA235D
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA1CE9	28_2_00007FFD9BAA1CE9
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA3740	28_2_00007FFD9BAA3740
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 28_2_00007FFD9BAA42A1	28_2_00007FFD9BAA42A1
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Code function: 30_2_00007FFD9BAB3595	30_2_00007FFD9BAB3595
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Code function: 33_2_00007FFD9BAA3595	33_2_00007FFD9BAA3595
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Code function: 33_2_00007FFD9BAAA7ED	33_2_00007FFD9BAAA7ED
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Code function: 33_2_00007FFD9BAAA215	33_2_00007FFD9BAAA215
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Code function: 33_2_00007FFD9BAAADC0	33_2_00007FFD9BAAADC0
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Code function: 33_2_00007FFD9BAAE270	33_2_00007FFD9BAAE270
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Code function: 34_2_00007FFD9BAB3595	34_2_00007FFD9BAB3595

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: String function: 001EE360 appears 52 times
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: String function: 001EE28C appears 35 times
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: String function: 001EED00 appears 31 times

Source: chainMonitor.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Idle.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mmeUVmNHPOdst.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: c62q1qZ8kX.exe, 00000000.00000002.1680635152.000000000268A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs c62q1qZ8kX.exe
Source: c62q1qZ8kX.exe, 00000000.00000002.1680635152.000000000268A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs c62q1qZ8kX.exe
Source: c62q1qZ8kX.exe, 00000000.00000003.1677692227.0000000004BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs c62q1qZ8kX.exe
Source: c62q1qZ8kX.exe, 00000000.00000003.1677175661.0000000004BDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs c62q1qZ8kX.exe
Source: c62q1qZ8kX.exe, 00000000.00000003.1676268067.0000000004AC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs c62q1qZ8kX.exe
Source: c62q1qZ8kX.exe, 00000000.00000003.1679937411.0000000002688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs c62q1qZ8kX.exe
Source: c62q1qZ8kX.exe, 00000000.00000003.1679937411.0000000002688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs c62q1qZ8kX.exe
Source: c62q1qZ8kX.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs c62q1qZ8kX.exe

Source: c62q1qZ8kX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Segm1DSJ7h057T1iACN.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Segm1DSJ7h057T1iACN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Segm1DSJ7h057T1iACN.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Segm1DSJ7h057T1iACN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ud7MQOusfFuoOVGUMvR.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ud7MQOusfFuoOVGUMvR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ud7MQOusfFuoOVGUMvR.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ud7MQOusfFuoOVGUMvR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@39/28@0/0

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001D6EC9 GetLastError,FormatMessageW,

0_2_001D6EC9

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001E9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_001E9E1C

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe

Jump to behavior

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

File created: C:\Users\Default\mmeUVmNHPOdst.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Mutant created: NULL
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\0e074db691fec0439ad17dd4b802ed6965179822

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

File created: C:\Users\user\AppData\Local\Temp\QiyHNrWFuo

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat" "

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Command line argument: sfxname	0_2_001ED5D4
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Command line argument: sfxstime	0_2_001ED5D4
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Command line argument: STARTDLG	0_2_001ED5D4
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Command line argument: xj"	0_2_001ED5D4

Source: c62q1qZ8kX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: c62q1qZ8kX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c62q1qZ8kX.exe

Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

File read: C:\Users\user\Desktop\c62q1qZ8kX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\c62q1qZ8kX.exe "C:\Users\user\Desktop\c62q1qZ8kX.exe"
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\blockrefSessionBrokerDll\chainMonitor.exe "C:\blockrefSessionBrokerDll\chainMonitor.exe"
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 5 /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 11 /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe"
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /f
Source: unknown	Process created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe"
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe"
Source: unknown	Process created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe"
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe'" /f
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Public\Pictures\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\blockrefSessionBrokerDll\chainMonitor.exe "C:\blockrefSessionBrokerDll\chainMonitor.exe"	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: apphelp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: version.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: sspicli.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: version.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows Defender\en-US\1824f7f43360d2	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\Windows NT\Accessories\en-GB\088424020bedd6	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\7-Zip\Lang\TextInputHost.exe	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Directory created: C:\Program Files\7-Zip\Lang\22eafd247d37c3	Jump to behavior

Source: c62q1qZ8kX.exe

Static file information: File size 1164947 > 1048576

Source: c62q1qZ8kX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c62q1qZ8kX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c62q1qZ8kX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c62q1qZ8kX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c62q1qZ8kX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c62q1qZ8kX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: c62q1qZ8kX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: c62q1qZ8kX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: c62q1qZ8kX.exe

Source: c62q1qZ8kX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c62q1qZ8kX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c62q1qZ8kX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c62q1qZ8kX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c62q1qZ8kX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	.Net Code: d5IWvFCcLT System.AppDomain.Load(byte[])
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	.Net Code: d5IWvFCcLT System.Reflection.Assembly.Load(byte[])
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	.Net Code: d5IWvFCcLT
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	.Net Code: d5IWvFCcLT System.AppDomain.Load(byte[])
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	.Net Code: d5IWvFCcLT System.Reflection.Assembly.Load(byte[])
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	.Net Code: d5IWvFCcLT

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

File created: C:\blockrefSessionBrokerDll\__tmp_rar_sfx_access_check_7165656

Jump to behavior

Source: c62q1qZ8kX.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EE28C push eax; ret		0_2_001EE2AA
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EED46 push ecx; ret		0_2_001EED59

Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, BTavBvZDvmurUhMi5F7.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'wp6BfUqTI6', 'zo3B9YiqJL', 'KlPBQKbYTG', 'E34Bt7j1WE', 'GrmBdKs7OU', 'FRT7mNHtHwihyhnEsUe', 'sbaAbAHF8owbFL0DEb2', 'o6Cmc4HYbdchUv191Bu'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, csrKF2khS3vcSG1HyBI.cs	High entropy of concatenated method names: 'IHawXFlbBh', 'uxnwfFIBLy', 'zyAw9yiJpl', 'rIOwQIWhQ2', 'poPwtZjRpL', 'rGqcpyKO3uUN6Au4TNT', 'aHWa6BKHu8DkX7K2G1a', 'YKqNUPKo7KabMXVGYna', 'GxNA5aKkTi6gjnRyj9O', 'JgS9uhKp7S4iIeXebeg'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, TsxT3wSA4edic4MpVbD.cs	High entropy of concatenated method names: 'rMJnttQwDo', 'QPKavdBD50vFp6n0lde', 'AVdOpPBmV36ZGJ8F7GI', 'KhJEsSB7Q1JuvgaOOH3', 'aTfxxdBQ3kWOtC8e6CB', '_1fi', 'VeKERUP6CY', '_676', 'IG9', 'mdP'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, QIkeeSSo7FXvZXWrQt2.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, UCDXlWuB4cY04NkWXax.cs	High entropy of concatenated method names: 'sg9', 't6XLjeKUq2', 'h59F8RIO3y', 'aJBLua2I5k', 'Agfo7c4cykyjSc5FHZm', 'BKEdDP4rxwV96i65Nbg', 'GHUarV4eyHW0k2c61o7', 'Mg8Z604qUdj2JNqqqS9', 'nbZCAf4d9MKH4dl01LL', 'NLp3pI4XWPSEdDB7HIe'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, FQxKiiSZuR0tn16ZFuO.cs	High entropy of concatenated method names: 'MlFmqXivQk', 'WGAmFUPXgX', '_8r1', 'pMWmOiL0nr', 'Y3SmVwhtNJ', 'VQMmD26yEf', 'WdwmIP3UNp', 't5uQ733i793n3gBeXti', 'tp2XfF38SteJL4KmjDA', 'X6UvqQ3HeOVwZCYtQRV'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, w4jW4UKo0cmtiwx7McF.cs	High entropy of concatenated method names: 'DmgPoQrFAP', 'X58P4XrweD', 'B7DPmIGQi0', 'HOJPYhnYo4', 'o02PE5gKSj', 'SeWPnLhRSm', 'DQIP584Fof', 'PKaPGqvWcW', 'TL2PPPTr6c', 'NH9PLSQVra'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, BDfUN7K1bvsaaXFoxr.cs	High entropy of concatenated method names: 'nBLwlNh2H', 'n6fDQ7vjDQASJfLIQ6', 'QUFmEmmsXr9oqifSwv', 'aeQr3Ulg1nwyYvr1Ha', 'fNTPNGLCqkJ6FOt5NB', 'IXpW1bRDrqZd5DA8gT', 'LyFuw36YB', 'q7iWJDcUg', 'xBhpiyAyv', 'z5vBev06d'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, UwMgdPNgU2TVr434b3G.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'SRmIIkal5MDTOmIJEsb', 'uheTw5avP0gSn5XiPbr', 'jydrRBaLlqJrP1QALWV', 'awBu8ZaRLF4AP4ABkgQ', 'LohTUsaT4b3o3M75wWU', 'dpby8WayK4Xkd5YnN49'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, OBsje040EP5O1RPNAg.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'PVl0QXaku', 'ff4iMxIRrJuqtBZjQ88', 'rJudlKITM4tDNbrNfRD', 'ohAjmTIymdNhvUgI3Fx', 'lJmTCxIwm7rnislcIeB', 'bINPogIUE3rZ5ply3kP'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, VETkIyugvG7tashH2yt.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'vypOV5GGKn', 'dPmLIn6ifZ', 'RuyODmdDPA', 'QvELwVYyWt', 'mRlKd96whSUZQ8nsQon', 'sVi9a86U2kj7gLJmZWI', 'N9ZRQ76TccbqZ9caR3B'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, X7JJXbVBX4lMrZWYHK.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'QwfXuJnG9oQZkFb7XZ5', 'I8yCU8nJWaxiuBR3Pys', 'UnKHcUnhOu5PntneQ6Z', 'L7Df4KnVnIse1KYu4U0', 'ODdOeanW7kSS4qeSL9L', 'NLTHysnS6BW4BQSqmGw'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, HF3FNqNoIxVl2jpJCq1.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'YOrC6GsdHQbvvVooSA9', 'rh6oafscjdYY290GYy2', 'w8tRYtsrIxJCkijGDf5', 'iQuaXVseJ0CDadEe1tc', 'PrQ6s9sXf8FrnZDLYUP', 'VyGJXLsMExkmdcqVkta'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, epTJSnNr49vpMXjSlGQ.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'hHaDY3YU2eAgMIlKEDs', 'nQ9CJdY3LXwmnFGwJrQ', 'MqTjPrYZw0UvNv2OHTs', 'lX8wqIYP67aMxKdtP7k', 'hhZQK6YB5373Ojhx0ic', 'DTvcx2YgyTvLmyU7eAr'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, UkAHs583MevrOqSRRCc.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, IFvd5oNdLpyxbKcB1pE.cs	High entropy of concatenated method names: 'C7Yujp449l', 'mPiuu1O1I7', 'hGruWr3qwp', 'wbrIJeFXmcIg8A3nbTe', 'O9jvZHFMMs9tVcwy65l', 'KnFs4BFr1hpJtKGA5ET', 'IuvFGxFe4Y7UwIxWfPr', 'ENQOmiFGsQlPhX2qVMq', 'bTxrndFJMVnMJyofOwa', 'n7G1iKFhiNrocCm12jX'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, i0BuNNNDDFP3K8Ni1NQ.cs	High entropy of concatenated method names: 'Vcej8uvjla', 'ON8sHvFykj1UO4VTF7X', 'gtJSF9Fw59Z0B7yJCE1', 'VYCRfZFRIVqBjEvauKQ', 'aUQjQsFTmPiTvtLfin2', 'jWFRBqFUiDYd3aP97C1', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, FQjXyPz9Orn3S3diLe.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'WSc3QQAflcQM1UEVrvA', 'DQrSxfA9YfxTwF0cajo', 'w4j8BPAnIsmjWiImEBn', 'tkk4koAAVPKJRhYP6xE', 'SNFu8nAYgcJtq3W821b', 'YnsJZkAsg38vbqRa8y1'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, vsrAdokbaUoHX8JihTh.cs	High entropy of concatenated method names: 'Bu4IpewkXC', 'aZtIBtiusZ', 'zbxITSyB0H', 'gsx5olC87yxy1qmjyXY', 'EtxB3fCHYTFerLf0hSd', 'kpbIOwCEl8cyRERtXfI', 'e4v7LsCiOJrfAxqwwDN', 'AeWC6DCopBE0dB0tuAi', 'OofJ8WCOjFkavnV7wDd', 'sY3hZgCkXIAhvFIdJjW'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, GhDVPEZJqpqVVwYHpXA.cs	High entropy of concatenated method names: 'mBTu4lihVM', 'f9dumlse5U', 'cyvuYRTwOy', 'pnZ5gh2vmlOdqexBHxN', 'do4jse2LqBUyF5PAwH7', 'JWTlbU2RleCf23Gj1qt', 'ssIEIV2TnylCWm5YQkw', 'UcjI3w2yP3jUbcbFkMA', 'xIlD4Q2wYQNBlRlnW8y', 'gfHhW92mEwsSOeMeXb5'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, k4XrHWNyNXenptXaN47.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'z48vDqsxXVSiPj75o9P', 'snB0ifsjBmesxARvKEo', 'YkZ5oUsChC7tREjesKy', 'M2shwCsKAmdAQyS9nME', 'dSUHh3s73f5T2UlmRai', 'dfORWksQ4Po41jO0YUF'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Dh3q7cZ7Xoo8FypSYf8.cs	High entropy of concatenated method names: 'mESb4k55XQ', 'SnJQ8yoeIeBTf6d76oe', 'a81kbLocpfIdI9bJN2A', 'gVcOl5orrA2btLdmVLI', 'fvVWfpoXfLbplDIpRYZ', 'BqV7kOoM8wmAfBqKMaA', 'musbC4XweJ', 'ya7bSrDEBo', 'K93bhqKxaj', 'xaqbg79g1r'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, cyrkmmuUFiGbPEF8SYk.cs	High entropy of concatenated method names: '_269', '_5E7', 'VrxLv1XNwA', 'Mz8', 'vhOL2k1rif', 'bvR95c6XCNakaD2Qflq', 'MDOG4E6M8ZmF5EiQegr', 'ztfb5K6G8LxF2R7tWJs', 'ABfqQs6JQp7IhWfR0v9', 'TmXgDK6h8EQl7MicCHb'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, gsDr7SZ0a8AnosWRimK.cs	High entropy of concatenated method names: 'dN3WzOi1ll', 'Rm9pcXYS6C', 'DQgpjOgYL7', 'rQ8pu0paDN', 'Dn6pWwtT8h', 'Mb9pp88tot', 'Wl3pBXBDXP', 'nB4pT6hThp', 'p3Fpb5onIw', 'HWPpq2tqxF'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, gjnVTHkxLgcLlRdDRgV.cs	High entropy of concatenated method names: 'HsRIXLnLfr', 'mRgIfnwxvk', 'kuXI9HijPu', 'JieIQKS4YJ', 'AMpItDknV5', 'raFjGvCRlNsigjJuvVM', 'xfecpdCT6mmmjR0k4fx', 'fxB2K9CvqPbOcLerUvk', 'wm2010CLeRLAJ7gW5HP', 'BmpOyICyOKITe5jP851'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, LaknZHNPUClv6xhofOG.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'mWUPNbap1BGfs4A1scY', 'v1RGn2abn4oQsJhHbti', 'PZpUAJa4qfWNpOh7acs', 'q0DBC6a6POf9oMhY2lw', 'IUp8gnaxGC90RTt2gQh', 'P7Dq2QajyEFLflrZegM'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, emLg1tSysdBJhDx9lSx.cs	High entropy of concatenated method names: 'pcrmhKEUtX', 'FlsmgWLuNF', 'yjVm1biy0O', 'ox4mAeLlsf', 'YhsmNW1xTZ', 'HXxCS73Vtbi9EaNHeXF', 'rpyARn3W4FymbsaTuOY', 'AnSZmi3SaJOEjZoCDD2', 'Dbm9ny3z0APxqBfYVJO', 'hfrMISZ0HX12ua35EKr'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, h4C07Au2E78ko2wna6x.cs	High entropy of concatenated method names: 'UovqHxqnno', 'PWJqxEh66p', 'PipqiiLG1S', 'HhGqKG65bd', 'lsDqeavaGd', 'vFu2eSbAFMamvNH5lx0', 'NpOaD4bY214dk0VX402', 'ijC5gEb9PmFQaj0WmVM', 'dv5ho5bnhNTPNhq45sP', 'BiBLtKbsMVYsO8UToOJ'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, E4oTU8N24Zr0WjmmnfZ.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'jm1HYFs0xvLFxej8o1r', 'Qtf2Ids10OXMEStfo9L', 'vwbBqqsIc4jHG0kiphd', 'HhM6CfsfpGavhl58gPM', 'ayafv3s9hVqwW7cpYo0', 'lfZKxZsnQev4m5mXdMc'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ud7MQOusfFuoOVGUMvR.cs	High entropy of concatenated method names: 'RiUFyOWcvl', 'SLdF2G11Jr', 'j9vFly8Cvb', 'uCNrAUbBM0FlndtuggU', 'dtHPvmbZV9rCX6oMkH2', 'CRVAdAbPldOTRnAMotK', 'ewmcSEbgeDxZtJZBj3J', 'dmyFTvw19P', 'vniFbwClXd', 'zhFFqTjZOD'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, mysax8Nih7hUd4iacMp.cs	High entropy of concatenated method names: 'B3EjZNE8NX', 'nSFGMZFIKaJv3TF52Fe', 'hiV5aPFfUOyl7lNKaCo', 'T03MdQF02KWqRDCwQxc', 'UbnZXxF1kEykJ1LDx9L', 'oY5Y2GF9iDdfctjS4Qv', 'KPolZmFn8HTWecqI2cf', 'i7KXWuFAva1Y6B6fapo', 'SDPjMUHyhd', 'HOvUwqFtES0c5ljvmHm'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, cbfMJCNeDbJcqw4KK0S.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'gZa5X4tTNxLZguHU6QA', 'HaDB9JtyBa9IBKPo4iC', 'jOknkmtwaI9hWqh70hy', 'KrCqQOtUAAjUpAioaRm', 'Cct0d4t3RyhJt09ls5S', 'frITO1tZfx3UIxuFFek'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, BP4EbNSer7F6RARQFrM.cs	High entropy of concatenated method names: 'poaYF5jflh', 'l4tYOsO07T', 'FZnYV2AIcE', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'B9UYDE5pqS'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, rpt6FckHXG23v1Rimkf.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, zxkIne86jJJ1hV0uPkt.cs	High entropy of concatenated method names: 'q7g4cXBh3j', 'KaAIHXyVuSHMaje118v', 'A6ElWmyJ0Vtd7pZMSTb', 'PYO7QPyhWO9FhnhwlH6', 'jVWaPlyWxHiu6rdywMe', 'F6QLyZySH3Y6nMGBexx', 'KhsduuyzgCWupbEukZC'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, lhVRifuc20vGWpEldjr.cs	High entropy of concatenated method names: 'Cg5FLtnvgM', 'B0sFXbTbZd', 'Jt9iCn4oxvaVnHhpNPq', 'a1PIZF4OF5CZfCNLRD2', 'N8yF1D489s20Qk1ujUS', 'zOHFXN4HbBwxdDwGXKe', 'Y0gb544ksItDBrdBYmc', 'kqhIJf4pYu0Z5JT6WG2'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, dE2andYyANyRAhgSO8.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'X4P4ukIaiu34XlXn6mM', 'FNI519I2mHXEH5wlo9D', 'yFPQdBIN9fExRNjJnv0', 'gUOMvvI5UPuOc9dhKIe', 'gL9F1xIuxIcXTCGtdmU', 'QSnI79IEp87eYFsDkyO'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, KkqCKm879bITXNNigiM.cs	High entropy of concatenated method names: 'i7X4Ei4XpQ', 'WGB4nd2tJF', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'GKE45gK3vP', '_5f9', 'A6Y'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, LkqhlxuzEAlC71GncAd.cs	High entropy of concatenated method names: 'uxmOE5PYcc', 'KhKOn2tKwj', 'rxUO5ZSuJQ', 'IOYUIixZ6I1Z2YUSwe5', 'bpo7olxPEbIqEp7nnrF', 'N9uNUvxUJVVUIX0suIL', 'GVUnLOx3pJFyVIjPFfh', 'XIWn6dxBV11DUCvhmGr', 'j0FC7cxgX3XZJ3rqpDC', 'u6pUArxqSNJOmtMed3s'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Ky9i8j8ho0Bi6mjp1Dv.cs	High entropy of concatenated method names: 'OAyodTXLQG', 'QlTokHgKvH', 'ya9oJ1qSd4', 'lVVortAfwe', 'TOGo0OVnvA', 'KXwsfuy7NmbW20AS2lL', 'TgBK8MyCvRPsQskpiDK', 'TV2sYeyKsJpgJRc0WFi', 'jAeeXPyQa0rfy3yFrlS', 'ekFtFRyDM6sfb2SUQZM'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, QyHaKbZlLH2Wansrc8i.cs	High entropy of concatenated method names: 'ORNTq6kvwk', 'mpxTFJObxi', 'mUKu9JHJBXLH2N5ur8u', 'oTt0t9HhciEYEoG5YoI', 'pel5fEHMngoZfXYJ5cy', 'NCpQhUHG5Mo45WR93Dy', 'iDhTlPXZ7s', 'CA6fFMo07WLP878eLEI', 'xqwIeIo1ZHKlCMmFUrg', 'eeZgZdHSK426Cy7jXbI'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, cWL8lWkU6QgWMnFxUot.cs	High entropy of concatenated method names: 'htjv8Cc2f9', 'lKAvfdXhaX', 'yo0v9gxd2s', 'brFvQgjpO3', 'RjAvtlOwwp', 'eYtvdgqamD', 'G1Kvk6wt9H', 'sCpvJ4bII2', 'VD4vrsGLhb', 'toav0xDvLf'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, nTHZRfuX6WsHwyPbkjk.cs	High entropy of concatenated method names: 'yu9qXCVPa6', 'CVnqfLJKuW', 'sLPq927PDe', 'AuxvbApuHYGnWvmUmiW', 'CvhvXGpNWW9WiyXyPOF', 'C9ByH5p5UGyc7yA4RaR', 'EcyMTbpEPt1XdfHiLb2', 'JTEqyxptCN', 'yj1q20eucE', 'A9eql1wFEh'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, x7OqLNgIQYhd2LOAe9.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'kq3gdEnEYqkiF2KJKJo', 'mXJhDVniI5J4pBNIlPo', 'jq6Pccn8I1Z4yRNv3Yu', 'tLhSCgnHIocxMFJFirE', 'wE5QvEnoUBxGHr3gWT1', 'JefSQtnOMHPBld0T0QZ'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ITweK3ukUMqUJMmCggr.cs	High entropy of concatenated method names: 'YnLbrWplwZ', 'h38b0JY6WX', 'aubbsYHPDB', 'CBZbZ68hU3', 'TFnbUvxJlV', 'okKbMcHt5U', 'dSLnWeOQb4Fk5MC6cc9', 'Lu0g8JOKbn5UdDoyqFD', 'Vjg1j4O7T99VMbQUlXC', 'hpK1XEOD01Q62XLevCc'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ioEvwZFbttBQc45dkP.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'wSlZMXIWe7HZVr8tmVH', 'jtUWyKISP9Ug2Yy5sDX', 'L0P7HiIz7HD6cpwfcSD', 'oY6P5Yf09Ea5rBH93Lm', 'URUUENf17eQIpFp9b6J', 'efLKq1fI1okV5gjTgXG'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, HOCYtPNw5puUyVBU8kF.cs	High entropy of concatenated method names: 'W78uSUHh6M', 'f71XdY2AucZIKAJPKUQ', 'TYsulv2YURe28dEPErT', 'ImLKcX29K2nC6F3vTKU', 'nhaZ7O2niAV3vCkf3Hc', 'i9L01g2sYIcs294ckWp', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, L1d70Fur44t99Okv5Am.cs	High entropy of concatenated method names: 'TTYq0BKiHs', 'AL0qsw1j0A', 'iBKqZXmOvt', 'OqRqUcVBFo', 'dhHbvypLW79VvEUQejN', 'x6heJ9pReMicmnUgQCF', 'CaDvqLpTBcCyrmFOxcR', 'jauchJpluLOy5O9xNWC', 'qpIjLepvRg6fcXecWiG', 'FSkLJkpyJlpqTPKxaty'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, VYPOAE8jSuxkkDEhjaP.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 's0r4N9L7X1', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, CoyjF5uwyE4VG5snr6S.cs	High entropy of concatenated method names: 'vr8achxybhpYNDsIk05', 'ysnpJsxw7pXd8YspY9p', 'tEj2PnxRxTemWnSFy15', 'VveuP9xTj8ILEuDLL23', 'IWF', 'j72', 'X1kOlkoayX', 'RJ9OaZV8VS', 'j4z', 'OjMOC6IVXQ'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ACQ6lKBc4lxqGVer53.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'BQZaEL9aOmelQwOheAE', 'mMlqmC92W2BJl2i3oQO', 'ua2m5T9N03MsU9fpCpG', 'pmdBYr9581oJNpvsyVk', 'tdG9ML9uT7JFZCqI0j6', 'oR1R1y9Egx1SFX8nlcT'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, JjIZs0DPNgnARjdkqs.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'ct2NWcfTgGt4ORZPTO7', 'FODWtIfyndJDSt5LPGf', 'Nlqujjfwn4linhZXr13', 'V3hwIgfUBoC1n1LF8WG', 'EwPnbdf3EWu6aUyAsVs', 'loT8JhfZq4lgJRhnprj'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, UrajRjwWtor5KKr6oZ.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'kd0p7Xngy4xc613d4j5', 'tY92tPnqa9bMdQMQq7r', 'C53qHond3ea8iSgJUYv', 'W8bAGtncq5HbIDIoWqY', 'Dq6xd7nrc0hk5w6ebnu', 'aAjb1wneCUN7DBCkBed'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, pV9c13v8XUsaBdn405.cs	High entropy of concatenated method names: 'OiRoqUEY3', 'dPm4n6ifZ', 'QvEmVYyWt', 'VrxY1XNwA', 'RD9EdAeV7', 'vhOnk1rif', 'gm15DwrEw', 'uSB4l01sc0Ch093DZiL', 'r7ul8Z1tqKWgTFCQ6tf', 'hH9LjO1Fc1ubZEntViY'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ohhLC5NsmiVVavt9LQk.cs	High entropy of concatenated method names: 'hFCj5Nn6GZ', 'gtJxjbsHRmA7aoLCXok', 'p37qBIsoWc3vWDW4EjT', 'rgwkOysis8jtwt7u1Vc', 'FAat99s81eOniDRUHgI', 'kcpCfSsOKhJEbrajssa', 'Gme9p4skkAlsN1bQGqe', 'A7UOebspHIUwfKsZhm0', 'EIo488sbAfecjxUwSOa', 'f28'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, mwqinnNuQiLMS9mjPUw.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'inFCcgADPrrUKNn8HLr', 'jaEKcCAmBcJ0txPedSk', 'qc6RF1Alv7cnNMKsFTp', 'C9ckMsAvNNNWyutY1BT', 'b6eh76ALXDTP0Opcphb', 'DPwviFARkcSAC9YHDku'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, UM4LuJkwA3XtCUVatCj.cs	High entropy of concatenated method names: 'lmty4Pc2mX', 'zg5yYSqIHI', 'ArByw505MV', 'QIfyvjgT0R', 'MD2yy6RC6K', 'C9ny2g0uGY', 'IUOylfwyV3', 'OmXya9Nvdt', 'rNwyCrTuBj', 'LMBySFaB0S'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, lpcMosZ6u1U0Ynh7NCs.cs	High entropy of concatenated method names: 'PSqB5loZPa', 'gvU2v88WaYNBwrVCmXB', 'M56ynt8S799SkDK8vJ6', 'rxfV5j8hEwp7qmJMLiw', 't0MyXt8VRnE4s2KQIoN', 'WGJAXI8zriDE9qb3n1y', 'qTtDXPH0avX1fBp9kbR', 'mnHxlxH1kx973mpGT3s', 'OqOuqfHIriHgaXsrybp', 'm0qSrhHftVT9YD1poDr'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ydmouJ8ij20jc5Bn0Cn.cs	High entropy of concatenated method names: 'TDDoMjMcNp', 'a5Ao3MwGWX', 'GFto6DyU3r', 'LGd2GLy3YNToAP5vuCO', 'hfKjG2yw144Bbu01n7u', 'RJ3jpmyUVB76fjQpxnv', 'Im3fapyZakmRcZBEeUV', 'lHVEHByPtlNrPOtOAHW', 'KFbxdcyBY0EPnyNrPoV', 'pSpwMUygqmisF0fLx0O'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, dc6xslNHWa1GnniWTsY.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'VDRJcJYYW9HWaqIuZGt', 'FO04GNYsIoHUDrWJ8Ys', 'Wxjw0DYtSmysrlbkwTU', 'tO7tJEYFUtMEt6Oi10X', 'GatbR6YakvxT7o8CL8c', 'JcA85YY2xXosokqHL5Y'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, fk2gUpSSR2s6eG0LHHo.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, t2eSrNNNgqHXkQsJFXy.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'SDFKIJAOrVMUNbGTZef', 'ETX6IFAkkiVbZl3IFKX', 'Xh3xeVAp7wuPnIryr0T', 'JOrMMDAbRBIWFcciLAM', 'Ue7ckoA4T0xPst3YQg7', 'kXGD3fA6EiJ0wvYhb02'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, bf2YQfN9fNHIn69PRkc.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'w8G6jhsRrahXhpqKZr7', 'IjmNLosTZeFXTQxdAdO', 'BrCLHbsyoSk8mmA7GWB', 'edpBmdsw7X9v88B9PXL', 'AUyT8bsUEwAS61OmWjq', 'YZNqcWs3ATWrGwl0eaj'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	High entropy of concatenated method names: 'PCaWLydNhN', 'OWuWXCRPj5', 'CwMWfYq3nF', 'nvXW9WQBO7', 'zcHWQaP0Rh', 'EVXWtd6amQ', 'DsSWdmAov0', 'eErx9g5x8NnUcCLdQpv', 'h4W9R954EWKdvYoxUt7', 'HDlyd15689gMi7gCBoR'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, nUm2qtNKyxVEmrB0iG2.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'pW6kNHAJy0nWl91eFtb', 'Owrwp8AhNAP8c6L2rOC', 'UygNTjAVwULOaRHbEfc', 'sh7cErAWCxKBWI4UEPB', 'tsbDLZASkD2SfEWjf02', 'pJChsNAzNyCm6RUKbnm'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, clJaP6N7W7JsEcrC24c.cs	High entropy of concatenated method names: 'kSEuA8hYt9', 'FHQuNESlai', 's7wuoep3Bk', 'HDwymo2aMCH6pQyZwSA', 'QKRMFX2tf86kgk0F8lR', 'gy8M7U2FjIOlihussor', 'yj2yCf22DSHKk7Qx12Z', 'R7QV2K2N4LpSpGrguMr', 'Uf4KgG25Ixbju6UEyLR', 'okH6662uHQC3Alfjsr8'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, xNjZupNtJqn3lKVKe1e.cs	High entropy of concatenated method names: 'W7IuV53vPS', 'X5DuDBI4Ss', 'peYiyUa2ww1B8U3cGuR', 'oHFsf5aF1ak7PZaNHZO', 'xbGZJpaakxaMtrSMJri', 'lnChu4aNBdQmAAyXKPE', 'CiQ8EWa5GMKGe4hWPD5', 'eb53BsauhHBUKOrGIYc', 'rS2INvaE4JYHe6sOv9K', 'lDQ8WNaijZZaWbxiWZC'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, IBUAZhkphp374UBLOov.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, XswEw8Zby6v73LbvGGB.cs	High entropy of concatenated method names: 'TJkW8fd8EP', 'yZYW7vxYZx', 'rKDIZluOjAjHgy4biSP', 'YIWKjrukHiv2gJKJyoX', 'MDvKA7upZDekqvP0qYN', 'KgI8xbubmL0GIpjaEpD', 'PmuRsgu4LNVdeu2QnYJ', 'eTYQFGu6sHrk41xY5m9', 'SsaiGDux7wvIhYXDxug', 'tEUuFZujm5mV35WaFVP'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, eOGGSEZEbT1IHKSepkV.cs	High entropy of concatenated method names: 'UiQpwJHIrv', 'QTjpvltQS8', 'cmjORcExjOpu9AfRY0Y', 'eQV8XJEj3HMavVmAUmZ', 'tQEj4kE4f6Zdxh6WjRT', 'bips9RE6tDg4kgXVWHB', 'sj6IqGECD0nKkxoMePm', 'BfEt7AEK8MXqykhvwUn', 'bT6rKDE7xqXUHgKgOuf', 'btWePhEQLgEMabKuBWi'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, fl4uPe8CyOOZH6FMDT2.cs	High entropy of concatenated method names: 'OdloHro1w6', 'sArox2LolJ', 's5Yoi1mG3X', 'kXSoKJkZUb', 'Iyfoeu6mVh', 'V3Vo8UapLp', 'xGVN8ayc0NpBJvto4UL', 'TCv1j4yqnkm7lLCnK0o', 'hlq7UOydeZMxB2hI4h6', 'VAD4FYyrJXYLp7wOqNU'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Ebw2DvN6Ts1IFR4XO7r.cs	High entropy of concatenated method names: 'LT2jxBjY9l', 'gSsQAaFxFxPcWijGAIN', 'g1Cr1rFjsrg7j7Luk2o', 'GyrWQNF4Fv3pXRCMSPi', 'GhVAv3F6XRPUeqMpDUX', 'SaIePQFCQ3L05LjQrgG', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, eWfce3uy46HsE5iGM3t.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'wcftKQ45emAGskcNWak', 'BJc37C4uxGQJxLL8VKd', 'iFy9Lx4EcF8tbgl2Col', 'sI49B54io6k7a0KWfrO'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, hXVLLCuabIYtdNAkTl3.cs	High entropy of concatenated method names: '_223', 'rQHywepHOR33qUgcVn2', 'LVnPDBpoxsJlTO9MJ4A', 'G1hY3mpO8pIWSSKJbyk', 'tI3ZRApkH4jMoY83w5X', 'pCgWSIppy7e2oUN4pRf', 'SNpNPYpbTqmZH4TuJ5r', 'k3BeIwp4w0CdmHLRaAg', 'CRgNmnp6RK6fOgf66TU', 'IWipVXpxMNOKvYlW6ov'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, EJg1c4uNLWX6qHnWDeU.cs	High entropy of concatenated method names: 'NFDb5gBMTM', 'Ce9bGNcHoJ', 'JMEbPXy0kZ', 'tMEbLRKnJ8', 'CxbBl9ozlybIko4o1GE', 'AjqvhCoWbRJ2QNVT6dW', 'vuaAvIoSFI6hXIuVrfF', 'hcPiWBO0Zp5rcVMarMr', 'MXiQA0O1uT1v9BWnoLk', 'yBO7m0OIuaVIcFdpWpl'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Segm1DSJ7h057T1iACN.cs	High entropy of concatenated method names: 'aFb4ZGFU8i', 'K294UB3UiB', 'TG54MHXd5C', 'KpX43OJl3c', 'Rhi46L7oLF', 'MUw4RCfeN6', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, zg6p92kWoFRGbT09bL3.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vWnvyvCg5a', 'l7Gv2bRqxv', 'r8j', 'LS1', '_55S'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, or1ZTaZZo7kGg6Gp9CI.cs	High entropy of concatenated method names: 'AxNuMmTCAc', 'lNCu3fn0CI', 'QQIu6a11S9', 'xG1uRc9QFd', 'SiGuHRa6B0', 'rJ1ux0LgZ5', 'rC1mijNHDDQR45CQc5p', 'XC2TgiNowP50qfZP5B7', 'mpMB1WNikYvS60BFyUA', 'EvPJq7N8E0eJ3KsNKVc'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, vZB1GE8qyJpocdawATL.cs	High entropy of concatenated method names: 'qeh4pWhchs', 'B2n4BfpvZ3', 'yex4TawG6n', 'U0S4b8bXE0', 'GuC4qADPld', 'ynm4FVaBCN', 'wLd4OxLt63', 'Kqf4V9cfp8', 'VO24DSbxwQ', 'eWp4I4rfmr'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, cge3SyShgmbSaYPUfXr.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, nsaDQdUwQPeLfNfew4.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'MhagLln7FP1BA8Uc3TS', 'u6HD3anQromPbyaGpcU', 'ajAjUonD3XTSZ7DO2WO', 'xKYuKHnmpJ5rYfNZ1L9', 'N4SOCWnlViHefm7DCah', 'Kkv909nvMZQKULhqX9G'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Ix8C8L8HdOGgxm8fo2s.cs	High entropy of concatenated method names: 'beyoh0EFLO', 'Ijiogt0RKp', 'Mc3i7gTGegbJ6sHb7qX', 'QU8PbGTJCoaFTXHwC4D', 'FlC1XrThr93ZcV3YgTd', 'J7veOETVdKoeE7pRHAs', 'WOmafVTWABAOXqsLTRM', 'hbGWfuTS6ZDCOaD7Woo', 'aHZUNbTzK4AP2suCZ45', 'VBTRJBy0KPYRDdE8J0E'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, PMRD0Zka2PVyKSXLcWO.cs	High entropy of concatenated method names: 'EbZD9lJ68s', 'TMJDQKDWEZ', 'dohDt0E3b5', 'j87DdFg5NA', 'LoLDk7GPgf', 'n0Hm7LjSLA2YsRbB7og', 'xwE9WojzE6GbopyLOBg', 'ge0eLAjVIGNwqUIRMt0', 'G2GprojW5xnrFXYsPq0', 'zIXXbMC0Xk51awegpng'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, h0He62kvIIiMjGBFDGb.cs	High entropy of concatenated method names: 'fJ3p6wCgvZy02tv5v2D', 'hJeK8mCqiYHX4GT1iOj', 'Qk9UjACdP8EYnJKAh17', 'guKLomCPGaH5ju3FtNU', 'vLoHIsCBVwCXwSVv5mk'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, FhawSoNaGDD5xFYr4dn.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'KsCjOeYK0uJEZCmYDjg', 'GjTYtrY7Rij6FHqb2b2', 'feETlmYQ5Gnit8N7U5n', 'dWw26VYDCmfoPLTGmYT', 'dWDfvDYmyEEEHgH0W7h', 'Ws39kxYlDYEC7AOaJHt'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	High entropy of concatenated method names: 'C1PoZeqC0qCB5WY3uYy', 'MfoMASqKDPgtJklBReA', 'soSfrCqx3Ob7yS0MUQn', 'ovfAJ3qjyQpalE2gSAS', 'iT0Pvt69jD', 'aJdCCSqDS87mXt7quW0', 'P1ObEoqmPNvtaPsogTI', 'fyLvxEqlH5tg7AR9Iiw', 'Axm1M6qvnAtXlOyJfk3', 'MKMmZhqLeYZviSQdhav'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, XiVHBOKpTsyO0RJSoDM.cs	High entropy of concatenated method names: 'vZpPHLsswkXOn', 'F6MAOnqExSmcXTtPnEj', 'SaGTZqqibCgXNavTOfn', 'KSdb4aq8fCDaaZh8tYh', 'QrGOXcqH2qLUDURqIOb', 'l89u9PqoxkXjncofy0n', 'siqEFeq57ZppCLomiO7', 'FAQ0qmqudJi36H3QnyR', 'lBKh1RqO8mwkKsxoW7J', 'jHLaREqkxiueL3dHBM2'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, wXj5tDZeTROgyIw8Wj7.cs	High entropy of concatenated method names: 'Rqdp8tamWQ', 'Kc4p7XlVZT', 'sJSpzCnab6', 'ccMBco74Yp', 'RIRBjD2yHA', 'upuBuu0wMy', 'RmbBW81syI', 'tHaBpx0T45', 'ydKBBpBgJp', 'u7LdYbiJ6qtyuqdcMsu'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, liHH7yNUcqjjbA2TRM8.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'H3tXA5arvFUSeVRmPV3', 'N3JStOaeowXZo4sK6Kh', 'Gd2GlqaXxsuqBkDcawh', 'odc8oOaMCOGvF8IT9Vf', 'cYSZOpaG4AfBgreshto', 'hfI97maJvnNIaLubRiu'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, KVX6N0NTilAdDyuH8NM.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'bIyP1fYMm3axh6Xl2M5', 'wqV81OYGx1bwAcJ8MZQ', 'vH2ECUYJHlirnLxIrr7', 'xU49wqYh7c72wHWDfeN', 'GA9Br2YVAC0yENLjPSr', 'HO0aVGYW5aqSipN5iIm'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, PDnesVnvSO9iDM9Zjw.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'kKZPiv9HIsbUN5O72Kd', 'bOw4QX9oV3LjmL8UVVv', 'a1QkiS9OGZ8yn3cFJun', 'zxDdA69k5qR4lpgGadt', 's2JhnP9pvZpsfp83tvk', 'E7mWOr9bagGxwt9Jaie'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, w15WUwLeQ0wKR3imis.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'XyhkMftUe', 'JaBk1qIOcgicyDS7r0P', 'DfJD3vIk3J52ZiSCNtf', 'zSpedgIpb91qlVeWpmG', 'ifkNydIbhxld5AXDFMj', 'bdolMxI4QRS809M4AiN'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, BH0XUkutAY872hob19q.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'ENyLbwrsXZ', 'w4XOprgjCU', 'maGLq5bDiH', 'AC35GY65bJLi3BvUAOd', 'ousesR6ufngrtFNnAGf', 'jbGoYb6EbaOicajFQFs', 'rwNbkD6iCFKROjFxxPS', 'V2p1SN68Hg7SZUyFaF2'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, BgeFqCkVuNgJJ9V1jjj.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, vW90CPk8I6bgVlYefD8.cs	High entropy of concatenated method names: 'IqcDlQVuZC', 'AtLY49joMxVwmKqZNdP', 'OUJDiGjORcJRxfbFC3G', 'yBQqT9j8w5gYgdaSKIZ', 'PxuBefjHpSv377JM5t2', 'r3tOGXduva', 'j99OP8mNwI', 'dVuOLNGaPC', 'c3KOXkbdqZ', 'FE0Ofh1LBD'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, q5vwrDIrTL77p3cqbs.cs	High entropy of concatenated method names: 'Nhefn0pDs', 'HOq9ZvleL', 'LakQtC7ZE', 'Ta09lb1wlG661HQZdXc', 'UToRYU1Tj9LffyjABK5', 'LLODuJ1yNJC3nQ58Foj', 'sOvMQp1UryfJMYqQgwe', 'UUpgCj13PbiUJhWd7G6', 'ucOPA21Z6QuBgJ3tVOG', 'jXnSof1P0gEXHmK86yI'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, LbHd3dS9u0hlFuDwrHn.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'PDjmoatwQQ', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, M7T7yjNpIgyA1rJ8w6R.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'ILGcLjYOLLxYVt6p34M', 'tjim0NYk2HhOpnMr2bY', 'cdgx6lYpsKttevXM0l8', 'XSbUOoYb5Aia581weY5', 'OXUdoJY445tbCUP1iJk', 'kECdygY6bR4TxkBf6MP'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, bNj6eUPbclWJLKvWx8.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'MiRU7EnAFuYbGIww300', 'RY315snYnPi62f1IMpj', 'X0viuJnsNwRsggEaZEw', 'tIpD22ntD4tisyg7dXw', 'UAKUsJnFaqHUxCA1X0L', 'EuxFlvnaoT1RDUVhbXA'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, lTkOEi8u7TmEhYYYXUn.cs	High entropy of concatenated method names: 'Butcocv4grNrRNSpZGk', 'kv25SVv6XZhN4LgY9JZ', 'WQ8KE8vpmMpt3v5Csfr', 'AptlvbvboSIOrOFwbkt', 'MqshobqkU3', 'KomSaAvC0R1WEuanGp6', 'AWsxiMvKYyk8tPfJKxF', 'vr18I6vxxfv3ZoH1ULm', 'dpqULHvjHpqTV6SQCr7', 'VXxJISv7WnloKFb0R2A'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, rnbstSkcHs1Jkow974I.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'sOZwcuhJVj', '_3il', 'PnWwjkP8AA', 'IMxwulZGfV', '_78N', 'z3K'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, D2akdWk0HUpbspsiXcs.cs	High entropy of concatenated method names: '_7zt', 'NwaISkOJnT', 'GWFIhxncPr', 'b4bIgRXbqN', 'ekDI1pD7kG', 'N6EIA7Xo1H', 'DcxINtQ4L6', 'x0soVfC4C6HAxxr6jis', 'S10aDLC6gEJXNqaL1Uc', 'r4njfCCprjiUSIGBZCt'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, u8QwAQNhoIFqWUeGUoq.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'EtqZAOsSYYROSUDmDFT', 'rWaIGEszevQPeFscSCn', 'KY8VFQt0NHDJWJNYqWn', 'TByIDVt1NZ9xS4FmYBo', 'Dc7xp3tI23FDLGTcnJY', 'tlG9wDtfZK8JyFhSMQr'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Wq9urVtVi019PaNmS5.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'Wlkici9BidNaUHm8QXK', 'VZ0Tvx9gcmROGFQ45iG', 'ovPmSn9qsLnqSwuGvs4', 'WIpENp9dpXkGkqKXXIP', 'ky4rJl9c3homMP8WA1V', 'nStaAX9rAaRfXlTg2cJ'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ioigxVN8TNnxGU2EiPN.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'K9hW4fAqnO9sZnr4m6q', 'KQe3BYAdwZ5reVvVZR7', 'HTNNrOAcdMkKP9YVFBn', 'Yf4Fd8Ark65fgBqKZMC', 'F2PSN0AebeqdopY1PO5', 'eih42fAX8ZPFUAhRYJc'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, xQYJ1MuP4VWG5qY6oGW.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'RgyLOiKtk2', '_168', 'bi8wRP6jyXYkkNwLDat', 'CEnGP46Co0EVBrrCPEk', 'YZA3NS6KrJTP5IPZnaE', 'JhqceV67uIXWkbrSFiJ', 'FQIILS6QwdQYu18oYGx'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, fYgsDNunHfG8dWY7sx9.cs	High entropy of concatenated method names: '_5u9', 'sdyLpcIkJB', 'P5AOcHlRLC', 'eVyLBWhiYF', 'EVD63I4Vtn8siwft6MF', 'pweGSe4WMw9GVFFMG13', 'VmMsfM4SjuDsbtaQUb0', 'nE2kgy4JYDmgVQPRSQF', 'k4U7cM4hiTPvTa8HPDy', 'lCkPpn4zGEEQV0fu7ER'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, vFc2NbSWgcDAEfPGw0r.cs	High entropy of concatenated method names: 'XU05AxXanE', '_1kO', '_9v4', '_294', 'Isv5NstKc0', 'euj', 'HWo5olJNYG', 'DIv542otcT', 'o87', 'hqI5m12rcN'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, e7qXoLZraLdlSx0bfJy.cs	High entropy of concatenated method names: 'MZSWKse2mL', 'F5KhRSufpqxfZ0Oo9uP', 'GWdp3yu9j3tDMu1IZ8B', 'X4g5Itu1PXnUeIfkcka', 'fZcNc3uI8l9sdYOgZsl', 'cb7e7UunVD5EyJNWRUq', 'WcSrfxuApUSGtYWvDFX', 'fPmuRfuYux6u1JflMUd', 'gysrDyusyNHx8gkNX0x', 'pHVN9rutjS1FWUdeoRV'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, KfLtnaZv23eIIYbvUHq.cs	High entropy of concatenated method names: 'TUUpgoBNlR', 'joHp1g2XPC', 'gEcpAlFIga', 'QLjpNxbbwq', 'Rf6pot3UK3', 'Qj68Toi04SRpAYZArtA', 'FbEDXGi12mw9URibI3c', 'UQrDBkESFcLVKm0HNGf', 'CiO7RrEzuKvg66dqM2h', 'ACkW2MiIAVKCbfQTSMq'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, Y3D0b0uTvQv7DhMAmZN.cs	High entropy of concatenated method names: 'fGFq3UjQ4E', 'y9kq6NMm5r', 'UWIqRi2CsR', 'R4MQ3LpqM9PELWfnNDo', 'pnbiwnpdc9hDSWonjMi', 'lDqQLkpcxS4dhWSQvTd', 'brtDHcprKZYvWHr33m6', 'TgVbJZpeWjXecw0wRwg', 'cee17IpXNZiFZg6hlhB', 'NvIYFLpMNymBLq7YByA'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, StBSLES40vH4latTFen.cs	High entropy of concatenated method names: 'aJsxD3B93gpRJMROnY9', 'e10vJfBnvicj0HdxaUS', 'MwiEdCBIFgv6hsNv1pr', 'HNnU8fBfHtLEjrKFUXU', 'BLiYfZilxk', 'WM4', '_499', 'LpdY9B3HrM', 'GpxYQgfcxg', 'qyAYtiX4bA'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, q19di7SLKcyasLtZRZg.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'o6QY4FoQ5i', 'YrVYmoYyCX', 'lECYYaue5w', 'Ja3YEauafL', 'UaRYnCMRIM', 'xfLY5E15Ol', 'gcy5W6PytU1l7t0YqK9'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, ONcMMsl4eyKUDOhuV2.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'lxq98BfhW5phSFWUTie', 'PrNofsfVjld0F45XEgw', 'VQjYp0fW5sjjBaaHkX0', 'CpnDISfSuXj3TFvQIMH', 'rNED0dfz0kQ1Yet0HNh', 'xlw3fL903mOIRH4R81C'
Source: 0.3.c62q1qZ8kX.exe.4b0f542.0.raw.unpack, xjm59PSnyhiAsLMBQfr.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'xV35FbRL8e', 'ARu5Or1bZ2', 'iEK5VeO8uX', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, BTavBvZDvmurUhMi5F7.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'wp6BfUqTI6', 'zo3B9YiqJL', 'KlPBQKbYTG', 'E34Bt7j1WE', 'GrmBdKs7OU', 'FRT7mNHtHwihyhnEsUe', 'sbaAbAHF8owbFL0DEb2', 'o6Cmc4HYbdchUv191Bu'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, csrKF2khS3vcSG1HyBI.cs	High entropy of concatenated method names: 'IHawXFlbBh', 'uxnwfFIBLy', 'zyAw9yiJpl', 'rIOwQIWhQ2', 'poPwtZjRpL', 'rGqcpyKO3uUN6Au4TNT', 'aHWa6BKHu8DkX7K2G1a', 'YKqNUPKo7KabMXVGYna', 'GxNA5aKkTi6gjnRyj9O', 'JgS9uhKp7S4iIeXebeg'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, TsxT3wSA4edic4MpVbD.cs	High entropy of concatenated method names: 'rMJnttQwDo', 'QPKavdBD50vFp6n0lde', 'AVdOpPBmV36ZGJ8F7GI', 'KhJEsSB7Q1JuvgaOOH3', 'aTfxxdBQ3kWOtC8e6CB', '_1fi', 'VeKERUP6CY', '_676', 'IG9', 'mdP'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, QIkeeSSo7FXvZXWrQt2.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, UCDXlWuB4cY04NkWXax.cs	High entropy of concatenated method names: 'sg9', 't6XLjeKUq2', 'h59F8RIO3y', 'aJBLua2I5k', 'Agfo7c4cykyjSc5FHZm', 'BKEdDP4rxwV96i65Nbg', 'GHUarV4eyHW0k2c61o7', 'Mg8Z604qUdj2JNqqqS9', 'nbZCAf4d9MKH4dl01LL', 'NLp3pI4XWPSEdDB7HIe'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, FQxKiiSZuR0tn16ZFuO.cs	High entropy of concatenated method names: 'MlFmqXivQk', 'WGAmFUPXgX', '_8r1', 'pMWmOiL0nr', 'Y3SmVwhtNJ', 'VQMmD26yEf', 'WdwmIP3UNp', 't5uQ733i793n3gBeXti', 'tp2XfF38SteJL4KmjDA', 'X6UvqQ3HeOVwZCYtQRV'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, w4jW4UKo0cmtiwx7McF.cs	High entropy of concatenated method names: 'DmgPoQrFAP', 'X58P4XrweD', 'B7DPmIGQi0', 'HOJPYhnYo4', 'o02PE5gKSj', 'SeWPnLhRSm', 'DQIP584Fof', 'PKaPGqvWcW', 'TL2PPPTr6c', 'NH9PLSQVra'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, BDfUN7K1bvsaaXFoxr.cs	High entropy of concatenated method names: 'nBLwlNh2H', 'n6fDQ7vjDQASJfLIQ6', 'QUFmEmmsXr9oqifSwv', 'aeQr3Ulg1nwyYvr1Ha', 'fNTPNGLCqkJ6FOt5NB', 'IXpW1bRDrqZd5DA8gT', 'LyFuw36YB', 'q7iWJDcUg', 'xBhpiyAyv', 'z5vBev06d'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, UwMgdPNgU2TVr434b3G.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'SRmIIkal5MDTOmIJEsb', 'uheTw5avP0gSn5XiPbr', 'jydrRBaLlqJrP1QALWV', 'awBu8ZaRLF4AP4ABkgQ', 'LohTUsaT4b3o3M75wWU', 'dpby8WayK4Xkd5YnN49'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, OBsje040EP5O1RPNAg.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'PVl0QXaku', 'ff4iMxIRrJuqtBZjQ88', 'rJudlKITM4tDNbrNfRD', 'ohAjmTIymdNhvUgI3Fx', 'lJmTCxIwm7rnislcIeB', 'bINPogIUE3rZ5ply3kP'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, VETkIyugvG7tashH2yt.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'vypOV5GGKn', 'dPmLIn6ifZ', 'RuyODmdDPA', 'QvELwVYyWt', 'mRlKd96whSUZQ8nsQon', 'sVi9a86U2kj7gLJmZWI', 'N9ZRQ76TccbqZ9caR3B'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, X7JJXbVBX4lMrZWYHK.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'QwfXuJnG9oQZkFb7XZ5', 'I8yCU8nJWaxiuBR3Pys', 'UnKHcUnhOu5PntneQ6Z', 'L7Df4KnVnIse1KYu4U0', 'ODdOeanW7kSS4qeSL9L', 'NLTHysnS6BW4BQSqmGw'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, HF3FNqNoIxVl2jpJCq1.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'YOrC6GsdHQbvvVooSA9', 'rh6oafscjdYY290GYy2', 'w8tRYtsrIxJCkijGDf5', 'iQuaXVseJ0CDadEe1tc', 'PrQ6s9sXf8FrnZDLYUP', 'VyGJXLsMExkmdcqVkta'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, epTJSnNr49vpMXjSlGQ.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'hHaDY3YU2eAgMIlKEDs', 'nQ9CJdY3LXwmnFGwJrQ', 'MqTjPrYZw0UvNv2OHTs', 'lX8wqIYP67aMxKdtP7k', 'hhZQK6YB5373Ojhx0ic', 'DTvcx2YgyTvLmyU7eAr'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, UkAHs583MevrOqSRRCc.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, IFvd5oNdLpyxbKcB1pE.cs	High entropy of concatenated method names: 'C7Yujp449l', 'mPiuu1O1I7', 'hGruWr3qwp', 'wbrIJeFXmcIg8A3nbTe', 'O9jvZHFMMs9tVcwy65l', 'KnFs4BFr1hpJtKGA5ET', 'IuvFGxFe4Y7UwIxWfPr', 'ENQOmiFGsQlPhX2qVMq', 'bTxrndFJMVnMJyofOwa', 'n7G1iKFhiNrocCm12jX'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, i0BuNNNDDFP3K8Ni1NQ.cs	High entropy of concatenated method names: 'Vcej8uvjla', 'ON8sHvFykj1UO4VTF7X', 'gtJSF9Fw59Z0B7yJCE1', 'VYCRfZFRIVqBjEvauKQ', 'aUQjQsFTmPiTvtLfin2', 'jWFRBqFUiDYd3aP97C1', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, FQjXyPz9Orn3S3diLe.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'WSc3QQAflcQM1UEVrvA', 'DQrSxfA9YfxTwF0cajo', 'w4j8BPAnIsmjWiImEBn', 'tkk4koAAVPKJRhYP6xE', 'SNFu8nAYgcJtq3W821b', 'YnsJZkAsg38vbqRa8y1'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, vsrAdokbaUoHX8JihTh.cs	High entropy of concatenated method names: 'Bu4IpewkXC', 'aZtIBtiusZ', 'zbxITSyB0H', 'gsx5olC87yxy1qmjyXY', 'EtxB3fCHYTFerLf0hSd', 'kpbIOwCEl8cyRERtXfI', 'e4v7LsCiOJrfAxqwwDN', 'AeWC6DCopBE0dB0tuAi', 'OofJ8WCOjFkavnV7wDd', 'sY3hZgCkXIAhvFIdJjW'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, GhDVPEZJqpqVVwYHpXA.cs	High entropy of concatenated method names: 'mBTu4lihVM', 'f9dumlse5U', 'cyvuYRTwOy', 'pnZ5gh2vmlOdqexBHxN', 'do4jse2LqBUyF5PAwH7', 'JWTlbU2RleCf23Gj1qt', 'ssIEIV2TnylCWm5YQkw', 'UcjI3w2yP3jUbcbFkMA', 'xIlD4Q2wYQNBlRlnW8y', 'gfHhW92mEwsSOeMeXb5'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, k4XrHWNyNXenptXaN47.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'z48vDqsxXVSiPj75o9P', 'snB0ifsjBmesxARvKEo', 'YkZ5oUsChC7tREjesKy', 'M2shwCsKAmdAQyS9nME', 'dSUHh3s73f5T2UlmRai', 'dfORWksQ4Po41jO0YUF'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Dh3q7cZ7Xoo8FypSYf8.cs	High entropy of concatenated method names: 'mESb4k55XQ', 'SnJQ8yoeIeBTf6d76oe', 'a81kbLocpfIdI9bJN2A', 'gVcOl5orrA2btLdmVLI', 'fvVWfpoXfLbplDIpRYZ', 'BqV7kOoM8wmAfBqKMaA', 'musbC4XweJ', 'ya7bSrDEBo', 'K93bhqKxaj', 'xaqbg79g1r'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, cyrkmmuUFiGbPEF8SYk.cs	High entropy of concatenated method names: '_269', '_5E7', 'VrxLv1XNwA', 'Mz8', 'vhOL2k1rif', 'bvR95c6XCNakaD2Qflq', 'MDOG4E6M8ZmF5EiQegr', 'ztfb5K6G8LxF2R7tWJs', 'ABfqQs6JQp7IhWfR0v9', 'TmXgDK6h8EQl7MicCHb'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, gsDr7SZ0a8AnosWRimK.cs	High entropy of concatenated method names: 'dN3WzOi1ll', 'Rm9pcXYS6C', 'DQgpjOgYL7', 'rQ8pu0paDN', 'Dn6pWwtT8h', 'Mb9pp88tot', 'Wl3pBXBDXP', 'nB4pT6hThp', 'p3Fpb5onIw', 'HWPpq2tqxF'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, gjnVTHkxLgcLlRdDRgV.cs	High entropy of concatenated method names: 'HsRIXLnLfr', 'mRgIfnwxvk', 'kuXI9HijPu', 'JieIQKS4YJ', 'AMpItDknV5', 'raFjGvCRlNsigjJuvVM', 'xfecpdCT6mmmjR0k4fx', 'fxB2K9CvqPbOcLerUvk', 'wm2010CLeRLAJ7gW5HP', 'BmpOyICyOKITe5jP851'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, LaknZHNPUClv6xhofOG.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'mWUPNbap1BGfs4A1scY', 'v1RGn2abn4oQsJhHbti', 'PZpUAJa4qfWNpOh7acs', 'q0DBC6a6POf9oMhY2lw', 'IUp8gnaxGC90RTt2gQh', 'P7Dq2QajyEFLflrZegM'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, emLg1tSysdBJhDx9lSx.cs	High entropy of concatenated method names: 'pcrmhKEUtX', 'FlsmgWLuNF', 'yjVm1biy0O', 'ox4mAeLlsf', 'YhsmNW1xTZ', 'HXxCS73Vtbi9EaNHeXF', 'rpyARn3W4FymbsaTuOY', 'AnSZmi3SaJOEjZoCDD2', 'Dbm9ny3z0APxqBfYVJO', 'hfrMISZ0HX12ua35EKr'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, h4C07Au2E78ko2wna6x.cs	High entropy of concatenated method names: 'UovqHxqnno', 'PWJqxEh66p', 'PipqiiLG1S', 'HhGqKG65bd', 'lsDqeavaGd', 'vFu2eSbAFMamvNH5lx0', 'NpOaD4bY214dk0VX402', 'ijC5gEb9PmFQaj0WmVM', 'dv5ho5bnhNTPNhq45sP', 'BiBLtKbsMVYsO8UToOJ'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, E4oTU8N24Zr0WjmmnfZ.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'jm1HYFs0xvLFxej8o1r', 'Qtf2Ids10OXMEStfo9L', 'vwbBqqsIc4jHG0kiphd', 'HhM6CfsfpGavhl58gPM', 'ayafv3s9hVqwW7cpYo0', 'lfZKxZsnQev4m5mXdMc'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ud7MQOusfFuoOVGUMvR.cs	High entropy of concatenated method names: 'RiUFyOWcvl', 'SLdF2G11Jr', 'j9vFly8Cvb', 'uCNrAUbBM0FlndtuggU', 'dtHPvmbZV9rCX6oMkH2', 'CRVAdAbPldOTRnAMotK', 'ewmcSEbgeDxZtJZBj3J', 'dmyFTvw19P', 'vniFbwClXd', 'zhFFqTjZOD'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, mysax8Nih7hUd4iacMp.cs	High entropy of concatenated method names: 'B3EjZNE8NX', 'nSFGMZFIKaJv3TF52Fe', 'hiV5aPFfUOyl7lNKaCo', 'T03MdQF02KWqRDCwQxc', 'UbnZXxF1kEykJ1LDx9L', 'oY5Y2GF9iDdfctjS4Qv', 'KPolZmFn8HTWecqI2cf', 'i7KXWuFAva1Y6B6fapo', 'SDPjMUHyhd', 'HOvUwqFtES0c5ljvmHm'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, cbfMJCNeDbJcqw4KK0S.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'gZa5X4tTNxLZguHU6QA', 'HaDB9JtyBa9IBKPo4iC', 'jOknkmtwaI9hWqh70hy', 'KrCqQOtUAAjUpAioaRm', 'Cct0d4t3RyhJt09ls5S', 'frITO1tZfx3UIxuFFek'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, BP4EbNSer7F6RARQFrM.cs	High entropy of concatenated method names: 'poaYF5jflh', 'l4tYOsO07T', 'FZnYV2AIcE', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'B9UYDE5pqS'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, rpt6FckHXG23v1Rimkf.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, zxkIne86jJJ1hV0uPkt.cs	High entropy of concatenated method names: 'q7g4cXBh3j', 'KaAIHXyVuSHMaje118v', 'A6ElWmyJ0Vtd7pZMSTb', 'PYO7QPyhWO9FhnhwlH6', 'jVWaPlyWxHiu6rdywMe', 'F6QLyZySH3Y6nMGBexx', 'KhsduuyzgCWupbEukZC'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, lhVRifuc20vGWpEldjr.cs	High entropy of concatenated method names: 'Cg5FLtnvgM', 'B0sFXbTbZd', 'Jt9iCn4oxvaVnHhpNPq', 'a1PIZF4OF5CZfCNLRD2', 'N8yF1D489s20Qk1ujUS', 'zOHFXN4HbBwxdDwGXKe', 'Y0gb544ksItDBrdBYmc', 'kqhIJf4pYu0Z5JT6WG2'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, dE2andYyANyRAhgSO8.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'X4P4ukIaiu34XlXn6mM', 'FNI519I2mHXEH5wlo9D', 'yFPQdBIN9fExRNjJnv0', 'gUOMvvI5UPuOc9dhKIe', 'gL9F1xIuxIcXTCGtdmU', 'QSnI79IEp87eYFsDkyO'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, KkqCKm879bITXNNigiM.cs	High entropy of concatenated method names: 'i7X4Ei4XpQ', 'WGB4nd2tJF', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'GKE45gK3vP', '_5f9', 'A6Y'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, LkqhlxuzEAlC71GncAd.cs	High entropy of concatenated method names: 'uxmOE5PYcc', 'KhKOn2tKwj', 'rxUO5ZSuJQ', 'IOYUIixZ6I1Z2YUSwe5', 'bpo7olxPEbIqEp7nnrF', 'N9uNUvxUJVVUIX0suIL', 'GVUnLOx3pJFyVIjPFfh', 'XIWn6dxBV11DUCvhmGr', 'j0FC7cxgX3XZJ3rqpDC', 'u6pUArxqSNJOmtMed3s'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Ky9i8j8ho0Bi6mjp1Dv.cs	High entropy of concatenated method names: 'OAyodTXLQG', 'QlTokHgKvH', 'ya9oJ1qSd4', 'lVVortAfwe', 'TOGo0OVnvA', 'KXwsfuy7NmbW20AS2lL', 'TgBK8MyCvRPsQskpiDK', 'TV2sYeyKsJpgJRc0WFi', 'jAeeXPyQa0rfy3yFrlS', 'ekFtFRyDM6sfb2SUQZM'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, QyHaKbZlLH2Wansrc8i.cs	High entropy of concatenated method names: 'ORNTq6kvwk', 'mpxTFJObxi', 'mUKu9JHJBXLH2N5ur8u', 'oTt0t9HhciEYEoG5YoI', 'pel5fEHMngoZfXYJ5cy', 'NCpQhUHG5Mo45WR93Dy', 'iDhTlPXZ7s', 'CA6fFMo07WLP878eLEI', 'xqwIeIo1ZHKlCMmFUrg', 'eeZgZdHSK426Cy7jXbI'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, cWL8lWkU6QgWMnFxUot.cs	High entropy of concatenated method names: 'htjv8Cc2f9', 'lKAvfdXhaX', 'yo0v9gxd2s', 'brFvQgjpO3', 'RjAvtlOwwp', 'eYtvdgqamD', 'G1Kvk6wt9H', 'sCpvJ4bII2', 'VD4vrsGLhb', 'toav0xDvLf'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, nTHZRfuX6WsHwyPbkjk.cs	High entropy of concatenated method names: 'yu9qXCVPa6', 'CVnqfLJKuW', 'sLPq927PDe', 'AuxvbApuHYGnWvmUmiW', 'CvhvXGpNWW9WiyXyPOF', 'C9ByH5p5UGyc7yA4RaR', 'EcyMTbpEPt1XdfHiLb2', 'JTEqyxptCN', 'yj1q20eucE', 'A9eql1wFEh'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, x7OqLNgIQYhd2LOAe9.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'kq3gdEnEYqkiF2KJKJo', 'mXJhDVniI5J4pBNIlPo', 'jq6Pccn8I1Z4yRNv3Yu', 'tLhSCgnHIocxMFJFirE', 'wE5QvEnoUBxGHr3gWT1', 'JefSQtnOMHPBld0T0QZ'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ITweK3ukUMqUJMmCggr.cs	High entropy of concatenated method names: 'YnLbrWplwZ', 'h38b0JY6WX', 'aubbsYHPDB', 'CBZbZ68hU3', 'TFnbUvxJlV', 'okKbMcHt5U', 'dSLnWeOQb4Fk5MC6cc9', 'Lu0g8JOKbn5UdDoyqFD', 'Vjg1j4O7T99VMbQUlXC', 'hpK1XEOD01Q62XLevCc'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ioEvwZFbttBQc45dkP.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'wSlZMXIWe7HZVr8tmVH', 'jtUWyKISP9Ug2Yy5sDX', 'L0P7HiIz7HD6cpwfcSD', 'oY6P5Yf09Ea5rBH93Lm', 'URUUENf17eQIpFp9b6J', 'efLKq1fI1okV5gjTgXG'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, HOCYtPNw5puUyVBU8kF.cs	High entropy of concatenated method names: 'W78uSUHh6M', 'f71XdY2AucZIKAJPKUQ', 'TYsulv2YURe28dEPErT', 'ImLKcX29K2nC6F3vTKU', 'nhaZ7O2niAV3vCkf3Hc', 'i9L01g2sYIcs294ckWp', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, L1d70Fur44t99Okv5Am.cs	High entropy of concatenated method names: 'TTYq0BKiHs', 'AL0qsw1j0A', 'iBKqZXmOvt', 'OqRqUcVBFo', 'dhHbvypLW79VvEUQejN', 'x6heJ9pReMicmnUgQCF', 'CaDvqLpTBcCyrmFOxcR', 'jauchJpluLOy5O9xNWC', 'qpIjLepvRg6fcXecWiG', 'FSkLJkpyJlpqTPKxaty'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, VYPOAE8jSuxkkDEhjaP.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 's0r4N9L7X1', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, CoyjF5uwyE4VG5snr6S.cs	High entropy of concatenated method names: 'vr8achxybhpYNDsIk05', 'ysnpJsxw7pXd8YspY9p', 'tEj2PnxRxTemWnSFy15', 'VveuP9xTj8ILEuDLL23', 'IWF', 'j72', 'X1kOlkoayX', 'RJ9OaZV8VS', 'j4z', 'OjMOC6IVXQ'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ACQ6lKBc4lxqGVer53.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'BQZaEL9aOmelQwOheAE', 'mMlqmC92W2BJl2i3oQO', 'ua2m5T9N03MsU9fpCpG', 'pmdBYr9581oJNpvsyVk', 'tdG9ML9uT7JFZCqI0j6', 'oR1R1y9Egx1SFX8nlcT'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, JjIZs0DPNgnARjdkqs.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'ct2NWcfTgGt4ORZPTO7', 'FODWtIfyndJDSt5LPGf', 'Nlqujjfwn4linhZXr13', 'V3hwIgfUBoC1n1LF8WG', 'EwPnbdf3EWu6aUyAsVs', 'loT8JhfZq4lgJRhnprj'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, UrajRjwWtor5KKr6oZ.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'kd0p7Xngy4xc613d4j5', 'tY92tPnqa9bMdQMQq7r', 'C53qHond3ea8iSgJUYv', 'W8bAGtncq5HbIDIoWqY', 'Dq6xd7nrc0hk5w6ebnu', 'aAjb1wneCUN7DBCkBed'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, pV9c13v8XUsaBdn405.cs	High entropy of concatenated method names: 'OiRoqUEY3', 'dPm4n6ifZ', 'QvEmVYyWt', 'VrxY1XNwA', 'RD9EdAeV7', 'vhOnk1rif', 'gm15DwrEw', 'uSB4l01sc0Ch093DZiL', 'r7ul8Z1tqKWgTFCQ6tf', 'hH9LjO1Fc1ubZEntViY'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ohhLC5NsmiVVavt9LQk.cs	High entropy of concatenated method names: 'hFCj5Nn6GZ', 'gtJxjbsHRmA7aoLCXok', 'p37qBIsoWc3vWDW4EjT', 'rgwkOysis8jtwt7u1Vc', 'FAat99s81eOniDRUHgI', 'kcpCfSsOKhJEbrajssa', 'Gme9p4skkAlsN1bQGqe', 'A7UOebspHIUwfKsZhm0', 'EIo488sbAfecjxUwSOa', 'f28'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, mwqinnNuQiLMS9mjPUw.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'inFCcgADPrrUKNn8HLr', 'jaEKcCAmBcJ0txPedSk', 'qc6RF1Alv7cnNMKsFTp', 'C9ckMsAvNNNWyutY1BT', 'b6eh76ALXDTP0Opcphb', 'DPwviFARkcSAC9YHDku'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, UM4LuJkwA3XtCUVatCj.cs	High entropy of concatenated method names: 'lmty4Pc2mX', 'zg5yYSqIHI', 'ArByw505MV', 'QIfyvjgT0R', 'MD2yy6RC6K', 'C9ny2g0uGY', 'IUOylfwyV3', 'OmXya9Nvdt', 'rNwyCrTuBj', 'LMBySFaB0S'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, lpcMosZ6u1U0Ynh7NCs.cs	High entropy of concatenated method names: 'PSqB5loZPa', 'gvU2v88WaYNBwrVCmXB', 'M56ynt8S799SkDK8vJ6', 'rxfV5j8hEwp7qmJMLiw', 't0MyXt8VRnE4s2KQIoN', 'WGJAXI8zriDE9qb3n1y', 'qTtDXPH0avX1fBp9kbR', 'mnHxlxH1kx973mpGT3s', 'OqOuqfHIriHgaXsrybp', 'm0qSrhHftVT9YD1poDr'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ydmouJ8ij20jc5Bn0Cn.cs	High entropy of concatenated method names: 'TDDoMjMcNp', 'a5Ao3MwGWX', 'GFto6DyU3r', 'LGd2GLy3YNToAP5vuCO', 'hfKjG2yw144Bbu01n7u', 'RJ3jpmyUVB76fjQpxnv', 'Im3fapyZakmRcZBEeUV', 'lHVEHByPtlNrPOtOAHW', 'KFbxdcyBY0EPnyNrPoV', 'pSpwMUygqmisF0fLx0O'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, dc6xslNHWa1GnniWTsY.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'VDRJcJYYW9HWaqIuZGt', 'FO04GNYsIoHUDrWJ8Ys', 'Wxjw0DYtSmysrlbkwTU', 'tO7tJEYFUtMEt6Oi10X', 'GatbR6YakvxT7o8CL8c', 'JcA85YY2xXosokqHL5Y'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, fk2gUpSSR2s6eG0LHHo.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, t2eSrNNNgqHXkQsJFXy.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'SDFKIJAOrVMUNbGTZef', 'ETX6IFAkkiVbZl3IFKX', 'Xh3xeVAp7wuPnIryr0T', 'JOrMMDAbRBIWFcciLAM', 'Ue7ckoA4T0xPst3YQg7', 'kXGD3fA6EiJ0wvYhb02'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, bf2YQfN9fNHIn69PRkc.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'w8G6jhsRrahXhpqKZr7', 'IjmNLosTZeFXTQxdAdO', 'BrCLHbsyoSk8mmA7GWB', 'edpBmdsw7X9v88B9PXL', 'AUyT8bsUEwAS61OmWjq', 'YZNqcWs3ATWrGwl0eaj'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Ah49hCZH3dw5D4YGQl4.cs	High entropy of concatenated method names: 'PCaWLydNhN', 'OWuWXCRPj5', 'CwMWfYq3nF', 'nvXW9WQBO7', 'zcHWQaP0Rh', 'EVXWtd6amQ', 'DsSWdmAov0', 'eErx9g5x8NnUcCLdQpv', 'h4W9R954EWKdvYoxUt7', 'HDlyd15689gMi7gCBoR'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, nUm2qtNKyxVEmrB0iG2.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'pW6kNHAJy0nWl91eFtb', 'Owrwp8AhNAP8c6L2rOC', 'UygNTjAVwULOaRHbEfc', 'sh7cErAWCxKBWI4UEPB', 'tsbDLZASkD2SfEWjf02', 'pJChsNAzNyCm6RUKbnm'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, clJaP6N7W7JsEcrC24c.cs	High entropy of concatenated method names: 'kSEuA8hYt9', 'FHQuNESlai', 's7wuoep3Bk', 'HDwymo2aMCH6pQyZwSA', 'QKRMFX2tf86kgk0F8lR', 'gy8M7U2FjIOlihussor', 'yj2yCf22DSHKk7Qx12Z', 'R7QV2K2N4LpSpGrguMr', 'Uf4KgG25Ixbju6UEyLR', 'okH6662uHQC3Alfjsr8'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, xNjZupNtJqn3lKVKe1e.cs	High entropy of concatenated method names: 'W7IuV53vPS', 'X5DuDBI4Ss', 'peYiyUa2ww1B8U3cGuR', 'oHFsf5aF1ak7PZaNHZO', 'xbGZJpaakxaMtrSMJri', 'lnChu4aNBdQmAAyXKPE', 'CiQ8EWa5GMKGe4hWPD5', 'eb53BsauhHBUKOrGIYc', 'rS2INvaE4JYHe6sOv9K', 'lDQ8WNaijZZaWbxiWZC'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, IBUAZhkphp374UBLOov.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, XswEw8Zby6v73LbvGGB.cs	High entropy of concatenated method names: 'TJkW8fd8EP', 'yZYW7vxYZx', 'rKDIZluOjAjHgy4biSP', 'YIWKjrukHiv2gJKJyoX', 'MDvKA7upZDekqvP0qYN', 'KgI8xbubmL0GIpjaEpD', 'PmuRsgu4LNVdeu2QnYJ', 'eTYQFGu6sHrk41xY5m9', 'SsaiGDux7wvIhYXDxug', 'tEUuFZujm5mV35WaFVP'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, eOGGSEZEbT1IHKSepkV.cs	High entropy of concatenated method names: 'UiQpwJHIrv', 'QTjpvltQS8', 'cmjORcExjOpu9AfRY0Y', 'eQV8XJEj3HMavVmAUmZ', 'tQEj4kE4f6Zdxh6WjRT', 'bips9RE6tDg4kgXVWHB', 'sj6IqGECD0nKkxoMePm', 'BfEt7AEK8MXqykhvwUn', 'bT6rKDE7xqXUHgKgOuf', 'btWePhEQLgEMabKuBWi'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, fl4uPe8CyOOZH6FMDT2.cs	High entropy of concatenated method names: 'OdloHro1w6', 'sArox2LolJ', 's5Yoi1mG3X', 'kXSoKJkZUb', 'Iyfoeu6mVh', 'V3Vo8UapLp', 'xGVN8ayc0NpBJvto4UL', 'TCv1j4yqnkm7lLCnK0o', 'hlq7UOydeZMxB2hI4h6', 'VAD4FYyrJXYLp7wOqNU'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Ebw2DvN6Ts1IFR4XO7r.cs	High entropy of concatenated method names: 'LT2jxBjY9l', 'gSsQAaFxFxPcWijGAIN', 'g1Cr1rFjsrg7j7Luk2o', 'GyrWQNF4Fv3pXRCMSPi', 'GhVAv3F6XRPUeqMpDUX', 'SaIePQFCQ3L05LjQrgG', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, eWfce3uy46HsE5iGM3t.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'wcftKQ45emAGskcNWak', 'BJc37C4uxGQJxLL8VKd', 'iFy9Lx4EcF8tbgl2Col', 'sI49B54io6k7a0KWfrO'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, hXVLLCuabIYtdNAkTl3.cs	High entropy of concatenated method names: '_223', 'rQHywepHOR33qUgcVn2', 'LVnPDBpoxsJlTO9MJ4A', 'G1hY3mpO8pIWSSKJbyk', 'tI3ZRApkH4jMoY83w5X', 'pCgWSIppy7e2oUN4pRf', 'SNpNPYpbTqmZH4TuJ5r', 'k3BeIwp4w0CdmHLRaAg', 'CRgNmnp6RK6fOgf66TU', 'IWipVXpxMNOKvYlW6ov'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, EJg1c4uNLWX6qHnWDeU.cs	High entropy of concatenated method names: 'NFDb5gBMTM', 'Ce9bGNcHoJ', 'JMEbPXy0kZ', 'tMEbLRKnJ8', 'CxbBl9ozlybIko4o1GE', 'AjqvhCoWbRJ2QNVT6dW', 'vuaAvIoSFI6hXIuVrfF', 'hcPiWBO0Zp5rcVMarMr', 'MXiQA0O1uT1v9BWnoLk', 'yBO7m0OIuaVIcFdpWpl'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Segm1DSJ7h057T1iACN.cs	High entropy of concatenated method names: 'aFb4ZGFU8i', 'K294UB3UiB', 'TG54MHXd5C', 'KpX43OJl3c', 'Rhi46L7oLF', 'MUw4RCfeN6', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, zg6p92kWoFRGbT09bL3.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vWnvyvCg5a', 'l7Gv2bRqxv', 'r8j', 'LS1', '_55S'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, or1ZTaZZo7kGg6Gp9CI.cs	High entropy of concatenated method names: 'AxNuMmTCAc', 'lNCu3fn0CI', 'QQIu6a11S9', 'xG1uRc9QFd', 'SiGuHRa6B0', 'rJ1ux0LgZ5', 'rC1mijNHDDQR45CQc5p', 'XC2TgiNowP50qfZP5B7', 'mpMB1WNikYvS60BFyUA', 'EvPJq7N8E0eJ3KsNKVc'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, vZB1GE8qyJpocdawATL.cs	High entropy of concatenated method names: 'qeh4pWhchs', 'B2n4BfpvZ3', 'yex4TawG6n', 'U0S4b8bXE0', 'GuC4qADPld', 'ynm4FVaBCN', 'wLd4OxLt63', 'Kqf4V9cfp8', 'VO24DSbxwQ', 'eWp4I4rfmr'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, cge3SyShgmbSaYPUfXr.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, nsaDQdUwQPeLfNfew4.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'MhagLln7FP1BA8Uc3TS', 'u6HD3anQromPbyaGpcU', 'ajAjUonD3XTSZ7DO2WO', 'xKYuKHnmpJ5rYfNZ1L9', 'N4SOCWnlViHefm7DCah', 'Kkv909nvMZQKULhqX9G'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Ix8C8L8HdOGgxm8fo2s.cs	High entropy of concatenated method names: 'beyoh0EFLO', 'Ijiogt0RKp', 'Mc3i7gTGegbJ6sHb7qX', 'QU8PbGTJCoaFTXHwC4D', 'FlC1XrThr93ZcV3YgTd', 'J7veOETVdKoeE7pRHAs', 'WOmafVTWABAOXqsLTRM', 'hbGWfuTS6ZDCOaD7Woo', 'aHZUNbTzK4AP2suCZ45', 'VBTRJBy0KPYRDdE8J0E'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, PMRD0Zka2PVyKSXLcWO.cs	High entropy of concatenated method names: 'EbZD9lJ68s', 'TMJDQKDWEZ', 'dohDt0E3b5', 'j87DdFg5NA', 'LoLDk7GPgf', 'n0Hm7LjSLA2YsRbB7og', 'xwE9WojzE6GbopyLOBg', 'ge0eLAjVIGNwqUIRMt0', 'G2GprojW5xnrFXYsPq0', 'zIXXbMC0Xk51awegpng'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, h0He62kvIIiMjGBFDGb.cs	High entropy of concatenated method names: 'fJ3p6wCgvZy02tv5v2D', 'hJeK8mCqiYHX4GT1iOj', 'Qk9UjACdP8EYnJKAh17', 'guKLomCPGaH5ju3FtNU', 'vLoHIsCBVwCXwSVv5mk'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, FhawSoNaGDD5xFYr4dn.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'KsCjOeYK0uJEZCmYDjg', 'GjTYtrY7Rij6FHqb2b2', 'feETlmYQ5Gnit8N7U5n', 'dWw26VYDCmfoPLTGmYT', 'dWDfvDYmyEEEHgH0W7h', 'Ws39kxYlDYEC7AOaJHt'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, L2YDcmKRhuRvjZdhj5X.cs	High entropy of concatenated method names: 'C1PoZeqC0qCB5WY3uYy', 'MfoMASqKDPgtJklBReA', 'soSfrCqx3Ob7yS0MUQn', 'ovfAJ3qjyQpalE2gSAS', 'iT0Pvt69jD', 'aJdCCSqDS87mXt7quW0', 'P1ObEoqmPNvtaPsogTI', 'fyLvxEqlH5tg7AR9Iiw', 'Axm1M6qvnAtXlOyJfk3', 'MKMmZhqLeYZviSQdhav'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, XiVHBOKpTsyO0RJSoDM.cs	High entropy of concatenated method names: 'vZpPHLsswkXOn', 'F6MAOnqExSmcXTtPnEj', 'SaGTZqqibCgXNavTOfn', 'KSdb4aq8fCDaaZh8tYh', 'QrGOXcqH2qLUDURqIOb', 'l89u9PqoxkXjncofy0n', 'siqEFeq57ZppCLomiO7', 'FAQ0qmqudJi36H3QnyR', 'lBKh1RqO8mwkKsxoW7J', 'jHLaREqkxiueL3dHBM2'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, wXj5tDZeTROgyIw8Wj7.cs	High entropy of concatenated method names: 'Rqdp8tamWQ', 'Kc4p7XlVZT', 'sJSpzCnab6', 'ccMBco74Yp', 'RIRBjD2yHA', 'upuBuu0wMy', 'RmbBW81syI', 'tHaBpx0T45', 'ydKBBpBgJp', 'u7LdYbiJ6qtyuqdcMsu'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, liHH7yNUcqjjbA2TRM8.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'H3tXA5arvFUSeVRmPV3', 'N3JStOaeowXZo4sK6Kh', 'Gd2GlqaXxsuqBkDcawh', 'odc8oOaMCOGvF8IT9Vf', 'cYSZOpaG4AfBgreshto', 'hfI97maJvnNIaLubRiu'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, KVX6N0NTilAdDyuH8NM.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'bIyP1fYMm3axh6Xl2M5', 'wqV81OYGx1bwAcJ8MZQ', 'vH2ECUYJHlirnLxIrr7', 'xU49wqYh7c72wHWDfeN', 'GA9Br2YVAC0yENLjPSr', 'HO0aVGYW5aqSipN5iIm'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, PDnesVnvSO9iDM9Zjw.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'kKZPiv9HIsbUN5O72Kd', 'bOw4QX9oV3LjmL8UVVv', 'a1QkiS9OGZ8yn3cFJun', 'zxDdA69k5qR4lpgGadt', 's2JhnP9pvZpsfp83tvk', 'E7mWOr9bagGxwt9Jaie'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, w15WUwLeQ0wKR3imis.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'XyhkMftUe', 'JaBk1qIOcgicyDS7r0P', 'DfJD3vIk3J52ZiSCNtf', 'zSpedgIpb91qlVeWpmG', 'ifkNydIbhxld5AXDFMj', 'bdolMxI4QRS809M4AiN'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, BH0XUkutAY872hob19q.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'ENyLbwrsXZ', 'w4XOprgjCU', 'maGLq5bDiH', 'AC35GY65bJLi3BvUAOd', 'ousesR6ufngrtFNnAGf', 'jbGoYb6EbaOicajFQFs', 'rwNbkD6iCFKROjFxxPS', 'V2p1SN68Hg7SZUyFaF2'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, BgeFqCkVuNgJJ9V1jjj.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, vW90CPk8I6bgVlYefD8.cs	High entropy of concatenated method names: 'IqcDlQVuZC', 'AtLY49joMxVwmKqZNdP', 'OUJDiGjORcJRxfbFC3G', 'yBQqT9j8w5gYgdaSKIZ', 'PxuBefjHpSv377JM5t2', 'r3tOGXduva', 'j99OP8mNwI', 'dVuOLNGaPC', 'c3KOXkbdqZ', 'FE0Ofh1LBD'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, q5vwrDIrTL77p3cqbs.cs	High entropy of concatenated method names: 'Nhefn0pDs', 'HOq9ZvleL', 'LakQtC7ZE', 'Ta09lb1wlG661HQZdXc', 'UToRYU1Tj9LffyjABK5', 'LLODuJ1yNJC3nQ58Foj', 'sOvMQp1UryfJMYqQgwe', 'UUpgCj13PbiUJhWd7G6', 'ucOPA21Z6QuBgJ3tVOG', 'jXnSof1P0gEXHmK86yI'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, LbHd3dS9u0hlFuDwrHn.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'PDjmoatwQQ', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, M7T7yjNpIgyA1rJ8w6R.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'ILGcLjYOLLxYVt6p34M', 'tjim0NYk2HhOpnMr2bY', 'cdgx6lYpsKttevXM0l8', 'XSbUOoYb5Aia581weY5', 'OXUdoJY445tbCUP1iJk', 'kECdygY6bR4TxkBf6MP'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, bNj6eUPbclWJLKvWx8.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'MiRU7EnAFuYbGIww300', 'RY315snYnPi62f1IMpj', 'X0viuJnsNwRsggEaZEw', 'tIpD22ntD4tisyg7dXw', 'UAKUsJnFaqHUxCA1X0L', 'EuxFlvnaoT1RDUVhbXA'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, lTkOEi8u7TmEhYYYXUn.cs	High entropy of concatenated method names: 'Butcocv4grNrRNSpZGk', 'kv25SVv6XZhN4LgY9JZ', 'WQ8KE8vpmMpt3v5Csfr', 'AptlvbvboSIOrOFwbkt', 'MqshobqkU3', 'KomSaAvC0R1WEuanGp6', 'AWsxiMvKYyk8tPfJKxF', 'vr18I6vxxfv3ZoH1ULm', 'dpqULHvjHpqTV6SQCr7', 'VXxJISv7WnloKFb0R2A'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, rnbstSkcHs1Jkow974I.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'sOZwcuhJVj', '_3il', 'PnWwjkP8AA', 'IMxwulZGfV', '_78N', 'z3K'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, D2akdWk0HUpbspsiXcs.cs	High entropy of concatenated method names: '_7zt', 'NwaISkOJnT', 'GWFIhxncPr', 'b4bIgRXbqN', 'ekDI1pD7kG', 'N6EIA7Xo1H', 'DcxINtQ4L6', 'x0soVfC4C6HAxxr6jis', 'S10aDLC6gEJXNqaL1Uc', 'r4njfCCprjiUSIGBZCt'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, u8QwAQNhoIFqWUeGUoq.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'EtqZAOsSYYROSUDmDFT', 'rWaIGEszevQPeFscSCn', 'KY8VFQt0NHDJWJNYqWn', 'TByIDVt1NZ9xS4FmYBo', 'Dc7xp3tI23FDLGTcnJY', 'tlG9wDtfZK8JyFhSMQr'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Wq9urVtVi019PaNmS5.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'Wlkici9BidNaUHm8QXK', 'VZ0Tvx9gcmROGFQ45iG', 'ovPmSn9qsLnqSwuGvs4', 'WIpENp9dpXkGkqKXXIP', 'ky4rJl9c3homMP8WA1V', 'nStaAX9rAaRfXlTg2cJ'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ioigxVN8TNnxGU2EiPN.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'K9hW4fAqnO9sZnr4m6q', 'KQe3BYAdwZ5reVvVZR7', 'HTNNrOAcdMkKP9YVFBn', 'Yf4Fd8Ark65fgBqKZMC', 'F2PSN0AebeqdopY1PO5', 'eih42fAX8ZPFUAhRYJc'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, xQYJ1MuP4VWG5qY6oGW.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'RgyLOiKtk2', '_168', 'bi8wRP6jyXYkkNwLDat', 'CEnGP46Co0EVBrrCPEk', 'YZA3NS6KrJTP5IPZnaE', 'JhqceV67uIXWkbrSFiJ', 'FQIILS6QwdQYu18oYGx'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, fYgsDNunHfG8dWY7sx9.cs	High entropy of concatenated method names: '_5u9', 'sdyLpcIkJB', 'P5AOcHlRLC', 'eVyLBWhiYF', 'EVD63I4Vtn8siwft6MF', 'pweGSe4WMw9GVFFMG13', 'VmMsfM4SjuDsbtaQUb0', 'nE2kgy4JYDmgVQPRSQF', 'k4U7cM4hiTPvTa8HPDy', 'lCkPpn4zGEEQV0fu7ER'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, vFc2NbSWgcDAEfPGw0r.cs	High entropy of concatenated method names: 'XU05AxXanE', '_1kO', '_9v4', '_294', 'Isv5NstKc0', 'euj', 'HWo5olJNYG', 'DIv542otcT', 'o87', 'hqI5m12rcN'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, e7qXoLZraLdlSx0bfJy.cs	High entropy of concatenated method names: 'MZSWKse2mL', 'F5KhRSufpqxfZ0Oo9uP', 'GWdp3yu9j3tDMu1IZ8B', 'X4g5Itu1PXnUeIfkcka', 'fZcNc3uI8l9sdYOgZsl', 'cb7e7UunVD5EyJNWRUq', 'WcSrfxuApUSGtYWvDFX', 'fPmuRfuYux6u1JflMUd', 'gysrDyusyNHx8gkNX0x', 'pHVN9rutjS1FWUdeoRV'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, KfLtnaZv23eIIYbvUHq.cs	High entropy of concatenated method names: 'TUUpgoBNlR', 'joHp1g2XPC', 'gEcpAlFIga', 'QLjpNxbbwq', 'Rf6pot3UK3', 'Qj68Toi04SRpAYZArtA', 'FbEDXGi12mw9URibI3c', 'UQrDBkESFcLVKm0HNGf', 'CiO7RrEzuKvg66dqM2h', 'ACkW2MiIAVKCbfQTSMq'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, Y3D0b0uTvQv7DhMAmZN.cs	High entropy of concatenated method names: 'fGFq3UjQ4E', 'y9kq6NMm5r', 'UWIqRi2CsR', 'R4MQ3LpqM9PELWfnNDo', 'pnbiwnpdc9hDSWonjMi', 'lDqQLkpcxS4dhWSQvTd', 'brtDHcprKZYvWHr33m6', 'TgVbJZpeWjXecw0wRwg', 'cee17IpXNZiFZg6hlhB', 'NvIYFLpMNymBLq7YByA'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, StBSLES40vH4latTFen.cs	High entropy of concatenated method names: 'aJsxD3B93gpRJMROnY9', 'e10vJfBnvicj0HdxaUS', 'MwiEdCBIFgv6hsNv1pr', 'HNnU8fBfHtLEjrKFUXU', 'BLiYfZilxk', 'WM4', '_499', 'LpdY9B3HrM', 'GpxYQgfcxg', 'qyAYtiX4bA'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, q19di7SLKcyasLtZRZg.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'o6QY4FoQ5i', 'YrVYmoYyCX', 'lECYYaue5w', 'Ja3YEauafL', 'UaRYnCMRIM', 'xfLY5E15Ol', 'gcy5W6PytU1l7t0YqK9'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, ONcMMsl4eyKUDOhuV2.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'lxq98BfhW5phSFWUTie', 'PrNofsfVjld0F45XEgw', 'VQjYp0fW5sjjBaaHkX0', 'CpnDISfSuXj3TFvQIMH', 'rNED0dfz0kQ1Yet0HNh', 'xlw3fL903mOIRH4R81C'
Source: 0.3.c62q1qZ8kX.exe.4c2c542.1.raw.unpack, xjm59PSnyhiAsLMBQfr.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'xV35FbRL8e', 'ARu5Or1bZ2', 'iEK5VeO8uX', 'EC9', '_74a', '_8pl', '_27D', '_524'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Users\Default\mmeUVmNHPOdst.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Recovery\mmeUVmNHPOdst.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Program Files\7-Zip\Lang\TextInputHost.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	File created: C:\blockrefSessionBrokerDll\chainMonitor.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Users\Public\Pictures\mmeUVmNHPOdst.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Jump to dropped file
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Jump to dropped file

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

File created: C:\Users\Default\mmeUVmNHPOdst.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

File created: C:\Users\Default\mmeUVmNHPOdst.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /f

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Memory allocated: 1AFC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Memory allocated: 1AE30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Memory allocated: 1630000 memory reserve \| memory write watch
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Memory allocated: 1B230000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Memory allocated: 1B2B0000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Memory allocated: 1640000 memory reserve \| memory write watch
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Window / User API: threadDelayed 1888	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Window / User API: threadDelayed 365
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Window / User API: threadDelayed 365
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Window / User API: threadDelayed 365

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe

Jump to dropped file

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe TID: 6820	Thread sleep count: 1888 > 30	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe TID: 3384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe TID: 6896	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe TID: 5308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe TID: 7316	Thread sleep count: 365 > 30
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe TID: 7176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe TID: 7404	Thread sleep count: 365 > 30
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe TID: 7268	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe TID: 7460	Thread sleep count: 365 > 30
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe TID: 7180	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_001DA5F4
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_001EB8E0

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001EDD72 VirtualQuery,GetSystemInfo,

0_2_001EDD72

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Thread delayed: delay time: 922337203685477

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: c62q1qZ8kX.exe, 00000000.00000003.1679882118.00000000026E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: c62q1qZ8kX.exe, mmeUVmNHPOdst.exe0.4.dr, mmeUVmNHPOdst.exe.4.dr, mmeUVmNHPOdst.exe2.4.dr, fontdrvhost.exe.4.dr, mmeUVmNHPOdst.exe3.4.dr, TextInputHost.exe.4.dr, WmiPrvSE.exe.4.dr, chainMonitor.exe.0.dr, Idle.exe.4.dr, mmeUVmNHPOdst.exe1.4.dr, conhost.exe.4.dr	Binary or memory string: rlcSOw8JW2XqemuVKQL

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

API call chain: ExitProcess graph end node

graph_0-23658

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001F866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001F866F

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001F753D mov eax, dword ptr fs:[00000030h]

0_2_001F753D

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001FB710 GetProcessHeap,

0_2_001FB710

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process token adjusted: Debug
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EF063 SetUnhandledExceptionFilter,	0_2_001EF063
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001EF22B
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001F866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001F866F
Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Code function: 0_2_001EEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001EEF05

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\blockrefSessionBrokerDll\chainMonitor.exe "C:\blockrefSessionBrokerDll\chainMonitor.exe"	Jump to behavior
Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001EED5B cpuid

0_2_001EED5B

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_001EA63C

Source: C:\blockrefSessionBrokerDll\chainMonitor.exe	Queries volume information: C:\blockrefSessionBrokerDll\chainMonitor.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Queries volume information: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Queries volume information: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe VolumeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe VolumeInformation
Source: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe VolumeInformation

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001ED5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_001ED5D4

Source: C:\Users\user\Desktop\c62q1qZ8kX.exe

Code function: 0_2_001DACF5 GetVersionExW,

0_2_001DACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000022.00000002.1884618745.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1884278845.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1884618745.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1884618745.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1801910999.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1879455048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1801910999.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1884278845.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1884137133.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chainMonitor.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 4444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmeUVmNHPOdst.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmeUVmNHPOdst.exe PID: 6556, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000022.00000002.1884618745.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1884278845.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1884618745.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1884618745.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1801910999.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1879455048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1801910999.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1884278845.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1884137133.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chainMonitor.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 4444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmeUVmNHPOdst.exe PID: 2148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmeUVmNHPOdst.exe PID: 6556, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	113 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
c62q1qZ8kX.exe	59%	Virustotal		Browse
c62q1qZ8kX.exe	100%	Avira	VBS/Runner.VPG
c62q1qZ8kX.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\7-Zip\Lang\TextInputHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\blockrefSessionBrokerDll\5sVJrvWE.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323984
C:\blockrefSessionBrokerDll\chainMonitor.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe	100%	Avira	TR/Dropper.Gen
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\nfAOklRSeu.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Joe Sandbox ML
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Lang\TextInputHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\blockrefSessionBrokerDll\chainMonitor.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	100%	Joe Sandbox ML
C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe	76%	Virustotal		Browse
C:\Program Files\7-Zip\Lang\TextInputHost.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\7-Zip\Lang\TextInputHost.exe	76%	Virustotal		Browse
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	76%	Virustotal		Browse
C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\mmeUVmNHPOdst.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\mmeUVmNHPOdst.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Public\Pictures\mmeUVmNHPOdst.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\blockrefSessionBrokerDll\chainMonitor.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	chainMonitor.exe, 00000004.00000002.1801910999.0000000003396000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562033
Start date and time:	2024-11-25 05:51:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c62q1qZ8kX.exe renamed because original name is a hash value
Original Sample Name:	11DA048860021B6C22E171032E48B023.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@39/28@0/0
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Successful, ratio: 71% Number of executed functions: 360 Number of non-executed functions: 107
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, conhost.exe, TextInputHost.exe
Excluded domains from analysis (whitelisted): a1053620.xsph.ru, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target chainMonitor.exe, PID 6192 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 3592 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 4444 because it is empty
Execution Graph export aborted for target mmeUVmNHPOdst.exe, PID 2148 because it is empty
Execution Graph export aborted for target mmeUVmNHPOdst.exe, PID 6556 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:52:16	Task Scheduler	Run new task: conhost path: "C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe"
04:52:16	Task Scheduler	Run new task: conhostc path: "C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe"
04:52:16	Task Scheduler	Run new task: fontdrvhost path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe"
04:52:16	Task Scheduler	Run new task: fontdrvhostf path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe"
04:52:16	Task Scheduler	Run new task: mmeUVmNHPOdst path: "C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe"
04:52:16	Task Scheduler	Run new task: mmeUVmNHPOdstm path: "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe"
04:52:16	Task Scheduler	Run new task: TextInputHost path: "C:\Program Files\7-Zip\Lang\TextInputHost.exe"
04:52:16	Task Scheduler	Run new task: TextInputHostT path: "C:\Program Files\7-Zip\Lang\TextInputHost.exe"
04:52:19	Task Scheduler	Run new task: Idle path: "C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe"
04:52:19	Task Scheduler	Run new task: IdleI path: "C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe"
04:52:19	Task Scheduler	Run new task: WmiPrvSE path: "C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe"
04:52:19	Task Scheduler	Run new task: WmiPrvSEW path: "C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\Java\jre-1.8\lib\applet\24dbde2999530e

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	180
Entropy (8bit):	5.7409532916271315
Encrypted:	false
SSDEEP:	3:WuiXZww6HAUkP44QiC/JpdpB/CJ3PXUjeN9FOoH2jXTqtG2jVOq6wguxn:Wui+nHJXX/JbpJK3/UOF6oGaVOJwln
MD5:	4822D6359C0504E5016C604B4ED1F142
SHA1:	B5CEE90B4CAD269A88FF609E36AE6B42A3F23273
SHA-256:	89B6D05E2709AF387E262BE347D4FEAA50677D6ED1019C5E72CEB549B8611F58
SHA-512:	94BE7023F11B3CF6278516D4DC07075DA8924460E938D37D6A36F2CC217F90920FC894C6F33481AD7B9865811C9F7283B2D8C80A1C7B37B275708911D3A0D858
Malicious:	false
Preview:	s4KcP2Sa8KilC3BUiQPQaoNmUC9bPupHeeTXKEDqjsqixfELWWnwmuuDqhHN20LOeaGhjoKeNjqs7ozy8yE2H3ftuPqm6zxshcEWZglsMJjCECFBrTPEwSGk5XxT7hhXv7KfkcZbMVp8TdpsJo4mkt6OVdbCtRuplMQG1kbP4x1amIRcrEKT

C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 76%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft OneDrive\setup\logs\6ccacd8608530f

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.14693314801683788
Encrypted:	false
SSDEEP:	24:bp8Tv06Xfg0AqSa08/KNmBmZ2gtzMPCechk8Sgwj7Dn:ybBX0RaF/KIBmZjtzF/hCgwj7
MD5:	C2B428243D89BAE93D4D63857B6AF12B
SHA1:	F56D0B1A4E71F26CE73CE6C54891C68C030976CA
SHA-256:	B646989B74689737BFFBCDCF4EFBD21BB48B52EA2AE0B7943B3DD9199B5CC001
SHA-512:	8F3802BBD56EC464E70D9D428263FF8F05434A2732CA7EC38A020C50DD9F3EDD49F8C74F2739591D104D827821C8C8074FD604A1B1B431C4DE368D237F72F8F3
Malicious:	false
Preview:	NlQI2sp8o7Zg2tMir7roKc1ve0xQ9D2IBtmS4VVuc8UXs2IQLNo0IyguufnB5Z9kEReIH4nWl7LLIeClsgEvZB9MN1iZrTzD9uSaY9IRkSPLnUmPcCTYUNLDSR5PVOpRIIMXLmNsXxLGwyj2PS7pAaswjPIGE35Vm7DeIOEzylAgBEQdsDADQARrZay6eHoe20ezvEuAOH0YZLve8oXA22EmpVFrZHVq7foKkbsnT9yJJ3SNpT7ztnm9v1JZ9ClGvKb3hk4g5ur3D5cwC1CFJg6T3oZsSSoRYsX9bZqEZb396t5zYXWI9f6PNH92KMOnGaeVhdUnL8qsm6XKsjT55gR3vIvTZx3MNQ3fOkS5Ct6ByNmQuyKl3TrkIljZsAOYEefWD26IRY2MjQEhfejkmST3jTWmA2MBei6UsQN12BUfaeA2gC3NanvwLlxtfTIYL1sATuzPQsrl8xcESeG899k0xKJGdeWj35Ujw9iwNn6s6KxXIsaANKZMQ1NIlswwVIrCd3ST6TuVC14nWw8uDWVtgHT4wZLe1JXxcv3PaHE3ZDKY6kwzuBt8x7gVjXggIQe2eHKl2sU5ScUc748MnWuzaYAeOhpCkhvIjR4zZK6BrxqUnEYoZU3wfocFHpWVCRVuqL2qAIwcZsImrp1KJAnQo8n5zystxl8Zc6obLroQhaWwgzXbxML.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	851968
Entropy (8bit):	6.059509469218102
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	67C628F5E4AD720822BD25865F0D1015
SHA1:	6E8ECC563B4C69AAFF803B3C56D77C2E38A117E3
SHA-256:	754E654B04029867090D8DD9D6AA650284F8C854A15111C820B4B71365175D52
SHA-512:	50ACA0454350941DA8D2C47DD656942D73AF02DACA57F8366AC840C44F85E62C760134CA0AE651C4490C72AB5EC2C4774C890DA2FEBF53437FEEC5F625316DFB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Lang\22eafd247d37c3

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	211
Entropy (8bit):	5.675798157024419
Encrypted:	false
SSDEEP:	3:f4WTggEgskiEtiAa6V/HXn575uGf3k8yKjq4IxrLyB/lBkpocCoKAPcZpTayqCPn:gWsgEg1Ha43F57vk54q12KC5AkTTTNn
MD5:	E91F684824F03C66E65C78463C51BD04
SHA1:	5FE0587B8DABB4D072011004F126236952A0D090
SHA-256:	3E6450614A338875FAC394B5DE0DB69F3A5662EC5B38DFF7DF48A3F6009DDA73
SHA-512:	F42B8043A791C96C84F7219B416F5106BF8DD4FDA652EA217CC78401149318CF44A9FEB2FCB423D9B77C99961F7564DCE1D9D778CFCCA16E71E1DB7EB715176D
Malicious:	false
Preview:	A3KzHMi9mbIRYc6UssqbGsoXw9ks9YLE44Sdb9WoZdNTjAq4T9tSANGROwDHmz9OPEWeKd2tWBCmeVxvSpZ9p3DrxAOo6OBjd9DfoMu0HA59Kew39Rz7aAiWAoqJONwH9cIfRSHF5i1p7EhTNVppZEJdare9glm3Ny9rWRmqJtC1I3Y6HX53hGr5ToFjyIjU68bIEz66s9fpBRUgTi1

C:\Program Files\7-Zip\Lang\TextInputHost.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 76%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with very long lines (565), with no line terminators
Category:	dropped
Size (bytes):	565
Entropy (8bit):	5.840878319506011
Encrypted:	false
SSDEEP:	12:0EzIHbeJdHwqdcVEAbdSfgUrfRXDj8eF8nwriR1uLoLgqa1Nn:/E7eJBwqdcV3SoyvZriR1uLo2Hn
MD5:	F8E92F97122CED54963F1381E5005FE6
SHA1:	86FB3E1F0A6BA1F391D4B685001B7285ED86516F
SHA-256:	881DE1A264EA8D7CDCD189C60C6EE8272A7523C754637111F33D75A9AC2B6A3B
SHA-512:	9A80623697829DB279ACC8F6242078FD368A7968ECB512B43C804146A3412D92485D7B04E43601C195C892DF4EC02ACAEF436BAE355CD8E6DD4058C654791E3C
Malicious:	false
Preview:	ZyHAYV0WPUmNQgbVK78S8ijPaYdGpWUk50nGAKgs9kmTcaFZybRvkok0O2jA1tq3ACRZ3VVAbQSY6Qw9SESOFi9QQw2Hkf0P4tSaIqfdGQUUWM48FkswacycDAJGcNa5ZCdM7W1mjzHyNo4E23CAxDyb50WHgYA20Z5TsrBtsGNlU9OYGEOjLaHVNCRG9tFKzO8ytlWL2SRr0NG5m8BbKaraRjFpZ4t9ADvFBapfsCr2IafA5WeBrn9YhigJfqv7iRqwbA3LSgsHtyR1EFuDZsSWEWid3g9CRuT1tti4cSsK41psQoFa5rh09UsEcaSwhq08eZIVgzlHAHbMq0MPaiGjMd2YAdcBA5nOAqN0ft4FGaz12fXlOCV9kRwBhuUDXjGEeNLAnVtroAcvoAgfF0x8koot4MTvZ1shUvXpUX82SoUjyAWgNz7gvIezibFbC8RxS5b2n1Lr25p5TF53zwhj3MvLRhG2ShzUXhR2ie3WoPn0digdgMlQar3GKQlGuSZVFUivxCUU2K5ni5ssAmWF5j3poLsS3xmV0RuIAvqd1RXQwPhPh

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79% Antivirus: Virustotal, Detection: 76%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender\en-US\1824f7f43360d2

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	5.6478904605873055
Encrypted:	false
SSDEEP:	3:EX4oxp8frHfVMVLXJXptzMfnrghtmK4ODDj:BfTiVZBM874ODf
MD5:	55609D3CB4E4B9F9490FEE9DBDB8C06A
SHA1:	07533B99CEA252EB6E4BAFF7C6A3DD8419FBDAD8
SHA-256:	E056ADB5C05C4838E5F6C7964DD46C35BA2394485AEBB2842FF52026B9AD3CA8
SHA-512:	34FA84BBA67FA9233C2D13A03BC8D638CB843CCD2865C65060273E9FD0F50DD45C4FD2740ACFB997D3B1F5FBA63D98A336E5C8BDD941A565B9C5609C6A6EF283
Malicious:	false
Preview:	mUBbFijxQKkrP63OoLn2YndvAsdZg1OqHoDIzzSrMcRE7KzMDFwUyAs90QaXFKQY53kl2uYy36p6VYxz2RVbE42G5ESjY4mCM2JEkNTTr8a1UwnbdlexzzUAA

C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows NT\Accessories\en-GB\088424020bedd6

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.783896601928897
Encrypted:	false
SSDEEP:	3:GfRMMvhtSUwe9/uPQnbzWKI8m0K1uXVxAKZqj8Vbx1CLdEOQMyVVBbWOjT6VtPkG:GrUu/AQnby/aPF6IVV5W+SPJW9LRdVQL
MD5:	21C3E433D81E45CF15EBAA8BF32FAB27
SHA1:	3CCC6599A0DC160246C7EBF3DE7EDF8E1D36306E
SHA-256:	31EEBCFA5A3F03A781049F37755C8E1A9FEA449757F9CD1EE8E329FF4C3B78B2
SHA-512:	CC13B928F075B824FF5BE44604DB03E225FB0EE7380058EAB77DE7A780A8AFD6EA45E5E29756A6E3A0B7C9652EE200C6CA8CE35725FE2E75DD3F5684B8A5E8BB
Malicious:	false
Preview:	o8CtGeAwJa0FxZyMWiJDHhe12ibhrCKMuWzzxFNg9rgXltljfaX4FpHGdK1hCcEGQnVbj9ZQVmDZBGQI71CQoPHEOsVmOpdgmZH7XJ9fAGjdlrFW3skKaybAgRN0owCpJhxl9Svx2hPipncgn8sfESGx7GbG6I1ND3UE4eXl7xS2j3V2yrNpEhk0a9n21o0upBevTYmIkHiRANOEviSP4LJgSdn40fuS6iMhZjiZFEE68T0MvjGSWlzd17

C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\1824f7f43360d2

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with very long lines (952), with no line terminators
Category:	dropped
Size (bytes):	952
Entropy (8bit):	5.907308514382015
Encrypted:	false
SSDEEP:	24:QXSbigG15FKfQ8vL0qEqMREjnBxFtto5+QCob6IeFqhG:McEYfQ8T0kMRoDto5+YWlt
MD5:	B18B9AC9D857340ACC4FE02C9096DDDB
SHA1:	D58BEAF47C18A2A54DAAF052723AA2AF39FA6727
SHA-256:	30410F01A5B5CCB761A763763ED2B935C100CE2C39B5592B06B7DE9AC30ED03E
SHA-512:	C98193DA861E734E6E56F7919324F0F5AD6F4ACF010A3295D4291647EC9B866635832517EA192CF80D47C09F2CE07FFAEA0DAD5CB73936C18FCFDD085A1D5D31
Malicious:	false
Preview:	z0xC4LsO0LBwfPbQm4CM0a6x8HVtmNalvOch2ZlUDLoavfENd9dokhGY39Dwz9lmvaBRx4XMTsJpwgCcDIPntvANHDo2VyeEjBpUexZjlQV2YamX7ltrt739ZyJtQe1fNEFv0r8QtpCcaHzrbR5uExUlIq4qnpTGZzpTV0gPnd7D5aiS8cS8iGaaudnJxSmDW5CkcfVkuqHlzQqrImrKXUhTZPj1NXcU03r9X7zdGrO19ykdx5BKkbqCYtLN6eXXOwu6jqUKwOEpGpTkoFDRVRtYNplnvmgmT1mMEo4Gl0XWXA6sZki1aFB7CWs4EqYKrcWOCHgAL6qf3XAMt3OLDpLOzpJr59C5bMo5orpSEiqdZfDpVgLLbNHCQIYX7yFL4uDqsFiBO5Hf8ryTmeWYy0dNFlpgSRUPceiocW6Q8J6fGmDiTFvdbqWDR0lGaBt6l1CdIK1PhGap47HdiGNNg1xwIeWlv0z6ZA4OkkaINf5VPrJTsIiUygZtDPVoxQerQeP3C238qE9A5cgaUD2mRfH2kLLUOvV7BOEvbQR0PknugZxlt4TuX1ZuWWT1rit4tC9rYu9EwCXr1XWLXjkTckkKzTZE6ZJq0tBeZGM85O8Vdr28AHeH8abIcz2FV4HW2r0IW1vRXmXOmPqHaaEz5CsaS2BkOHmBGlcw1umIVNtVCNgNIuo40Sbz9Zzd0KDP9WHAw3Ppx5dsSWYFWycdcrLyKmxb4JSKJdVpFfbPf9H4ythmBuGCsjxRLT0JGyunnSiyBs91XN8dkQ9aFKaKCQckqDewoRIrOdRfLslSvPpflTr5TZE5XklW08I7ONMFEQOH8dPWjHYxk68WWicOMMTo24pMknEhDjbUFj60KrWQLxv49vkpv7327kODyCw5C1tBenRwmlEezCcEIuNzDYwGpjXeV2CH5aNUEuZWdxDJ2ZC5IK5Dz62o

C:\Recovery\mmeUVmNHPOdst.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\1824f7f43360d2

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with very long lines (914), with no line terminators
Category:	dropped
Size (bytes):	914
Entropy (8bit):	5.908668874648046
Encrypted:	false
SSDEEP:	24:5C5dK1Rrb8grryABFMiWzuTLWuNpdrXgTG59csZLvF/It+Um:5Cyogb2iW4p9ifsZyts
MD5:	367C51187A4F5FC99B1FEEC32F493437
SHA1:	E83CFE72976D85E786246CA47A8E737D64973C59
SHA-256:	83ADF6D294946F13F467AE9B83550600A661229541DC5DF184997F8BC5C34172
SHA-512:	2F8E48FC17EB92DD5FA8CE2049D593729F4DC47FAC8D6A582BC61CABAE0C88216329BE8921DDF45910DD1801EEBD76D7D4B23E21D0701AE70F8AAC79AC4FAD0C
Malicious:	false
Preview:	uYrGEA3xgQSfwyRFOJURfMZVhuqRWrI7b4Ni9pvzHaIrHmNKbXmlr5Zi8WiUTlazIUE2ksFjXfKEEsN4gg08EhQfepjnGbffASixiUksSDNMvUdPInxxvbvkEiX4Ibc69oEvJZWM5HqBTDtJMUfdortih8t97pj1lRNGQrFsRl1nvuRAzNsy69SR4fOLqWOQhzZC0m3eOwLCzGxxqsKt7u4m95Mvd4C4WlF6UOKMUOkKxPbyrae7MeSx4xD4aIAUtRqOA1dci8ZsKuyteXDDZFs1SSBgLQvMOQafjNy07CYNFjmJ8TaCE64oiy5rz6QSMNe3USKQjMGWqfwtq2h1zsHRVw7vSGBAwGA1FszqJJd20i7DBMB7ZYceFNiiVY8cLGkje4n7C1spPPaxy3uGFEkYogv1KRUvLBqu8YjGiE4hqwP0wuuco2XHfL47Iwwvh7eNiqzZTnhBJCs2R5Fag1GTnjOwdl7vRIAsRBRF5UIAUV7cdCqNrWOp0Kk9cC6sqvtBC9kPn9eMtG9RlwSb4tE53V2GbRn2YaUim5aebajr1C5uLSXpuex6rxIqHdyWVlyTvbppWx9eKXD1aH5J37I3mX1zxtX8mNVPNm8umsT6fTwTtRQAipcXd4qYj02maB26BxnxIKgLoMYTlhFgdXZ6v7wS5kKw0rfdazS5oc1XIQtRgWxCuVIDl5LEBU2iAtV7q43vPJ2BfBxeOfwjwHBeic1foN4UjSXZ4vkldCxldHhjIqzfhSv2r1ZODYHBPibMoYjc5KFuUaBb4RW7XZwRgfrDWViF4vW4pU5tGXjWMBhQz8UvBJnzwKpIqgFjmAziEGvjWn0AzZEf8aOYBwEuIgIfowCkRAuML8LsMuZXSnAWGKKQSrhz6Eai8P5jkQsyo2U9OfLRXqcffv

C:\Users\Default\AppData\Local\Microsoft\Windows\History\1824f7f43360d2

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with very long lines (566), with no line terminators
Category:	dropped
Size (bytes):	566
Entropy (8bit):	5.88232739066755
Encrypted:	false
SSDEEP:	12:EDCfzsdjCrUbTRkNHNNlqPyCL/6uBxeUrGez2u7g:Emo1FTOBl4/6uBxeUrHSu7g
MD5:	2598EF8257908DC8B687EC93C554C83A
SHA1:	FA116964C6EA857F01EC4284BC07527985D7AA82
SHA-256:	A8E5FAF18DCA56B3FB5DF7DDB6DE17617619F2FE5AC54E85D611A0B80CB7CBF1
SHA-512:	650F4390EADC5972F17BA7FFBC75500BD72F329E86848201FBBEAC83993FA8646AC758A724FA35C170F2055D0D6FF227DB3DFDEA8224FFD483236E959DE68505
Malicious:	false
Preview:	1jMpsw2gmNM9UoHbCqZOF4aVNhF6zlwKPINkG7MAKeU64CCExJ8qr8d6J1cKr5rAbBtLbhVFdZDlkdbLfBJpnFdQpQbPeBSOxTf2S0nQy3MS42WpaRpqwBXVidgKFFkbGzyQ8i2pX21u3KVx4wyNWmcv6KTzUcKsSuLFEFq1Y9S3JnbXHsPTRWFeWCTyODV5sJbI9PtzF6zWTjmTs5rlM0a6prtBv2mUoXKALSY19aOUhsKxZAFTVts1sfdRgrDMTer6YlHZh0lvmGY7h6lvxT85oSRqzHUSXCACANYy2qvfI6PmGgukFRY9fwSFUbkafTYjFW6Uhx3HidwrDpkSWuMFnBhN5TdaFVAyiqgukaDRYRbC9kCo0RDuGS6EzsZNTcBMc8JWI0s6r4rVjeNUQzkySQrPtc51Bz85QPkBbpf9iGDMlkeUfE7e2N3MQ3nq51526vFU4L2lUkPLMfoJ8kV62dDCVXviCzErLLPzeKaTMVJS8r9uPdsVf89csD8gaUiffhABPyoxKCugUvEnYBTiHtLMLwHbM331xowaq8eaz4KdOdI78U

C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\mmeUVmNHPOdst.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Pictures\1824f7f43360d2

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with very long lines (818), with no line terminators
Category:	dropped
Size (bytes):	818
Entropy (8bit):	5.903646347789358
Encrypted:	false
SSDEEP:	24:HBeVyz2oxY6MY0LlBOZputrPravXf38fIqy5pqVv:HBAY6JlPQ38fIqycv
MD5:	DDC05FF815904435579C25908433159B
SHA1:	7E5E9A6B91B30CB9B348331E00B1159AC1FB7DF5
SHA-256:	854052CC2CAAFCD1CB903B45E79CC27591F7ED5A6BBFFB94D9A64814AEFA7939
SHA-512:	A43A694030F713DFF9461912ED2B59CAC5BB40BB42ECFCA0B82EFC3BEAEA2D8ED601DB63F9A6A31324A54C3BEC0F33B7AA6ADCB5D77A47CEF57E68E2DC1A2D67
Malicious:	false
Preview:	5YeJ9GWH7CbkguSceSVV4YN3nn5bpTDBrb82V0yOVHMdwxqVZem7AV4gLlgWK5bn8a2EwZHneG9wMtGz6jBKqGBVhbqtUbDZpifW4mi9X8d3WHUbfqZl3Q61YhhVtXTCCjGnOt4UACxsnH8ZGOOnBcfYln7XFNPApa0wBqNvwFk1dOORiHOeIpAkDrCkvhPwwwCMQMYZAd162o5WZpy79v19aQsTon9PzxErLBBWtydpyDsYwqKFsRxB5Dw9dFvXdmGEkNKYocOLRLKWiUg7c3hhADvIOC3nCGMM6nyifwbPDmtu2ZaJjx5jFjEgcCJmjkIL98Z5f7cpbReXTBPyltEOKmHXiRGcmzqcehv4AfnmVPHxEqNbxUAzg3AW1BWN09DmlB3wQUyFFc35eTT1EppSy06kgYD8JavVMfMDxaLcf5tE9F2hseILUuxuFTP1R06prit8GPEneMw3H2kbgfPoRjAbsc8eLTLp8DWbV3bdZfrI83nMsxVvlRYHhSQoRkcKBH4DfJFnEwOw22cyzvvX8ZErpP4DmwLzDgG19jrisrryCmPozcygyEMlDNXQPCARkZsVvlzPEMpQrPoDAPOK8pA8UfxvMbTqraOn342NmjclZ63yiUP9x0T5YuBQxDDm39iRBBJFWAhYNZjXl9M1LU20GSOJ2lZjgzsaXlwhKKnxS4s9Knpx0LbjGrLswANuk82YqJ99NpqBqEiLjO8P6lsVXJTpaEvK62MUCUTBnqkLea2BJ9IhB7y8PhAhzUiI4gEy2OJP57lPBh06RRgb5NJ9DNEfTvLTHbR8WDJ503mDWi

C:\Users\Public\Pictures\mmeUVmNHPOdst.exe

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainMonitor.exe.log

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Download File

Process:	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmeUVmNHPOdst.exe.log

Download File

Process:	C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\QiyHNrWFuo

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.1834651896016455
Encrypted:	false
SSDEEP:	3:6+MEAc1D:NMQ
MD5:	D585A0DEC592309CEF7D6321B02A0C65
SHA1:	DC8516CCA0F073EE81446F06A47AD016BFAC72D1
SHA-256:	0677D889E3C48613ABA718497AE51F9994DE7EF1E32975F2E10AD4AAC9EB9265
SHA-512:	2306FC7E87633CB48AD48916D309DD339196E2558EB341F7CF78A20BE9359053EBB689F8ACD84FC1245CAB29D9DB5E674DC7607DB54AD20E94940C69EDE3D0E5
Malicious:	false
Preview:	Kn6JvRIjP2kNIlkCkFmePVyPf

C:\Users\user\AppData\Local\Temp\nfAOklRSeu.bat

Download File

Process:	C:\blockrefSessionBrokerDll\chainMonitor.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	243
Entropy (8bit):	5.026693025606782
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DE1WD5J23k6dkZKNKOZG1wkn23f1kjPn:OTg9YDEoMUhZ2f6n
MD5:	E7D09EE311D7CCF2EC8A6951581F7CBA
SHA1:	E1B2332395AFEDA14BD8E9B7E659DAE811FDDC72
SHA-256:	3F91A8D214396DFEBD584D0EA94E5AB1582FD5769E182B9F820EFD44911DD08C
SHA-512:	9D4B4B822CB176D4F905CC7E8B534C52FF6C98E28A333EC10985A94970EF3251BF8E7D4469CACF3E9562DCA0469A8D873143783169E48241C4ED1FEE1D286B43
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\nfAOklRSeu.bat"

C:\blockrefSessionBrokerDll\5sVJrvWE.vbe

Download File

Process:	C:\Users\user\Desktop\c62q1qZ8kX.exe
File Type:	data
Category:	dropped
Size (bytes):	229
Entropy (8bit):	5.8208040513409705
Encrypted:	false
SSDEEP:	6:GbvwqK+NkLzWbHhE18nZNDd3RL1wQJRXu8OdnojlztHhbWwVs:GKMCzWLy14d3XBJYihzBNWwK
MD5:	7533C94864B144AA157DBD00F03E9871
SHA1:	807BAD6D8CB143E2FAC7EC32A6E07A4016AF308D
SHA-256:	1DCEABAD90F9B4E74E59D62EEBBC86662708D2C28761074E8B4FD73AA73F60AA
SHA-512:	3D536E931DADB7D6EFC079FC9FF336EE4F2C7A291FCD1DF7139C565E74D73E4C12745B886DBB746F060CD46C36CB3D774BC2B9F3A5407A737CB94AC44ED70F8C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^zAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v%T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ4sKm0D+6?.d/bWUAMWVnMfV^&Lgkqg\^b;0aMWE[5:CqXtwj.P8wR4COr~~!B~6lsk+CUIAAA==^#~@.

C:\blockrefSessionBrokerDll\chainMonitor.exe

Download File

Process:	C:\Users\user\Desktop\c62q1qZ8kX.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.079346881696685
Encrypted:	false
SSDEEP:	12288:D0OPXYnImrdBcepsmMLWpFMKZsNqBOAROfIJZ0S/J:DI7rd5XFM2cxARnZ0S/J
MD5:	F6B809FA6BD0E72435FAB78E9744CCD7
SHA1:	52749158484CF20A6511FCD36FDA0E8100EBE316
SHA-256:	AF8A81F4387BA5EBE96F5111D56B65585C194602E5BD147997EAB1B6E28AE7B2
SHA-512:	12C63EDCD1F347B519DA80C814FCF3640294FDBD2482A7BE4DA4D20F8F5D785D2E97F784DF39AD28B317D2DB3CC43D904C5584FC9EEA2C1F1DF01B999362ADF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat

Download File

Process:	C:\Users\user\Desktop\c62q1qZ8kX.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.3173892722447516
Encrypted:	false
SSDEEP:	3:I5pKulLLFAxJ3GL0s4i:IpFyZGL0Li
MD5:	6F0B3744C91BC8641C6CEF0AE9BE66B5
SHA1:	5E45AEF1422D839F27A9E73B395C58EEAB7AE476
SHA-256:	6442DE1CDF0BF9500DE8B74C00506A7D84193B3780F9242F55497335526AAD5C
SHA-512:	97089E966A4969391AA2FA10D0693C103A16EEA70BFBC01481ECDA46AE6953E3A25ABF3034500E275CC60E0E8DE6F95435B2BA2C9DF2CDA5BF58685AF4CBA8E0
Malicious:	false
Preview:	"C:\blockrefSessionBrokerDll\chainMonitor.exe"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.371970204419641
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c62q1qZ8kX.exe
File size:	1'164'947 bytes
MD5:	11da048860021b6c22e171032e48b023
SHA1:	b3b636a8bd17223454b4522fdbdb4863e0c4a565
SHA256:	c0d51cad38cd578ac0f62737185d0e15184843b8a118bb978d11d9e86998eef3
SHA512:	09b8bc3f1fa034d28a14e0fc5e44722ee84cfd9b32dc7887674100d967b3c9232d7ae42156c8d45050ea781ba87a3ee29a54bfc04bef98c6e5f6d9123444509f
SSDEEP:	24576:U2G/nvxW3Ww0tpI7rd5XFM2cxARnZ0S/J1:UbA30pILXZjv
TLSH:	25454A057E48CE12F0181637C2FF450847B4AC516AA6E72B7EBA376E55123A37C1DACB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F1B3CB1E6B9h
jmp 00007F1B3CB1E0CDh
cmp ecx, dword ptr [0043E668h]
jne 00007F1B3CB1E245h
ret
jmp 00007F1B3CB1E83Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1B3CB10FD7h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F1B3CB213DDh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F1B3CB10F6Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F1B3CB20AF2h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F1B3CB1E1E4h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F1B3CB20AD5h
int3
jmp 00007F1B3CB22B23h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdfd0	0xe000	f6c0f34fae6331b50a7ad2efc4bfefdb	False	0.6370326450892857	data	6.6367506404157535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x64198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x67400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aeb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6f588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6f358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6f498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6eef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6ec98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6ff68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x70150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x70320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x704d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x70620	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70a68	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x70bd0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x70d28	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70e38	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70ef8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6ec30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x6f810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	23:52:05
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\c62q1qZ8kX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\c62q1qZ8kX.exe"
Imagebase:	0x1d0000
File size:	1'164'947 bytes
MD5 hash:	11DA048860021B6C22E171032E48B023
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:52:05
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\blockrefSessionBrokerDll\5sVJrvWE.vbe"
Imagebase:	0xd80000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:52:13
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\blockrefSessionBrokerDll\jNiINMcACfpGfudqTH4IxZpVWTbF.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:52:13
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:52:14
Start date:	24/11/2024
Path:	C:\blockrefSessionBrokerDll\chainMonitor.exe
Wow64 process (32bit):	false
Commandline:	"C:\blockrefSessionBrokerDll\chainMonitor.exe"
Imagebase:	0xd30000
File size:	847'872 bytes
MD5 hash:	F6B809FA6BD0E72435FAB78E9744CCD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1801910999.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1801910999.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 5 /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 11 /tr "'C:\Recovery\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:52:15
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\java\jre-1.8\lib\applet\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff70f330000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe"
Imagebase:	0xba0000
File size:	847'872 bytes
MD5 hash:	F6B809FA6BD0E72435FAB78E9744CCD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001C.00000002.1879455048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs Detection: 76%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe"
Imagebase:	0xe30000
File size:	847'872 bytes
MD5 hash:	F6B809FA6BD0E72435FAB78E9744CCD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.1884137133.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe"
Imagebase:	0xfa0000
File size:	847'872 bytes
MD5 hash:	F6B809FA6BD0E72435FAB78E9744CCD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.1884278845.00000000032F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.1884278845.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Users\Default\AppData\Local\Microsoft\Windows\History\mmeUVmNHPOdst.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default User\AppData\Local\Application Data\History\mmeUVmNHPOdst.exe"
Imagebase:	0xe50000
File size:	847'872 bytes
MD5 hash:	F6B809FA6BD0E72435FAB78E9744CCD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1884618745.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1884618745.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.1884618745.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	23:52:16
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft onedrive\setup\logs\Idle.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	23:52:17
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdstm" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\mmeUVmNHPOdst.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	23:52:17
Start date:	24/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "mmeUVmNHPOdst" /sc ONLOGON /tr "'C:\Users\Public\Pictures\mmeUVmNHPOdst.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1498
Total number of Limit Nodes:	26

Executed Functions

Function 001ED5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 001E00E4
Part of subcall function 001E00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001E00F6
Part of subcall function 001E00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001E0127

Part of subcall function 001E9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 001E9DAC

Part of subcall function 001EA335: OleInitialize.OLE32(00000000), ref: 001EA34E
Part of subcall function 001EA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001EA385
Part of subcall function 001EA335: SHGetMalloc.SHELL32(00218430), ref: 001EA38F

Part of subcall function 001E13B3: GetCPInfo.KERNEL32(00000000,?), ref: 001E13C4
Part of subcall function 001E13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 001E13D8

GetCommandLineW.KERNEL32 ref: 001ED61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 001ED643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 001ED654
UnmapViewOfFile.KERNEL32(00000000), ref: 001ED68E

Part of subcall function 001ED287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 001ED29D
Part of subcall function 001ED287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001ED2D9

CloseHandle.KERNEL32(00000000), ref: 001ED697
GetModuleFileNameW.KERNEL32(00000000,0022DC90,00000800), ref: 001ED6B2
SetEnvironmentVariableW.KERNEL32(sfxname,0022DC90), ref: 001ED6BE
GetLocalTime.KERNEL32(?), ref: 001ED6C9
_swprintf.LIBCMT ref: 001ED708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 001ED71A
GetModuleHandleW.KERNEL32(00000000), ref: 001ED721
LoadIconW.USER32(00000000,00000064), ref: 001ED738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 001ED789
Sleep.KERNEL32(?), ref: 001ED7B7
DeleteObject.GDI32 ref: 001ED7F0
DeleteObject.GDI32(?), ref: 001ED800
CloseHandle.KERNEL32 ref: 001ED843

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 001ED6F9
sfxstime, xrefs: 001ED715
C:\Users\user\Desktop, xrefs: 001ED5E9
winrarsfxmappingfile.tmp, xrefs: 001ED637
xj", xrefs: 001ED7CB
sfxname, xrefs: 001ED6B9
STARTDLG, xrefs: 001ED77E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj"
API String ID: 788466649-3421357007
Opcode ID: 763e273817e1e421b0d273a39238159da8d5b43bdb5ad7bfa33339af97f5cd06
Instruction ID: 9250131dd5d7ff32441a5b4d3f5a931d844af33112e6b897b63bc5c26f0fa9dc
Opcode Fuzzy Hash: 763e273817e1e421b0d273a39238159da8d5b43bdb5ad7bfa33339af97f5cd06
Instruction Fuzzy Hash: 7261F671900791BFD320AFA2FC8DF6F77ACAB69744F004429F549922A2DF748944C762

Function 001E9E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(001EAE4D,PNG,?,?,?,001EAE4D,00000066), ref: 001E9E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,001EAE4D,00000066), ref: 001E9E46
LoadResource.KERNEL32(00000000,?,?,?,001EAE4D,00000066), ref: 001E9E59
LockResource.KERNEL32(00000000,?,?,?,001EAE4D,00000066), ref: 001E9E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,001EAE4D,00000066), ref: 001E9E82
GlobalLock.KERNEL32(00000000), ref: 001E9E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 001E9EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 001E9EFC
GlobalUnlock.KERNEL32(00000000), ref: 001E9F1B
GlobalFree.KERNEL32(00000000), ref: 001E9F22

Strings

PNG, xrefs: 001E9E1F

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 3cffc9804983e1c6706e576206f7ae4f7d725a9765c2cd294e2ced96c3fa1939
Instruction ID: bc99dd906f1fdf0c973f735d0ff79c995096d0878d6e8eed00b0b6ee450fa7d6
Opcode Fuzzy Hash: 3cffc9804983e1c6706e576206f7ae4f7d725a9765c2cd294e2ced96c3fa1939
Instruction Fuzzy Hash: 48316F71204B46AFC7119F62EC4C96FBFADFF89751B044518F946D2261EB72DC108BA1

Function 001DA5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,001DA4EF,000000FF,?,?), ref: 001DA628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,001DA4EF,000000FF,?,?), ref: 001DA65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,001DA4EF,000000FF,?,?), ref: 001DA66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,001DA4EF,000000FF,?,?), ref: 001DA692
GetLastError.KERNEL32(?,?,?,?,001DA4EF,000000FF,?,?), ref: 001DA69E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 31929ca665347c3f664ff592db6efb18a8373972661dacf6ec912122560e0aa1
Instruction ID: 074a913934f3dcb898e6eb0ae9aeab1ed971ffa54e92331af876a09301215cf4
Opcode Fuzzy Hash: 31929ca665347c3f664ff592db6efb18a8373972661dacf6ec912122560e0aa1
Instruction Fuzzy Hash: 98416072505781EFC324EF78C884ADAF7E8BF58340F050A2AF599D3241D774A9548B92

Function 001F753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,001F7513,00000000,0020BAD8,0000000C,001F766A,00000000,00000002,00000000), ref: 001F755E
TerminateProcess.KERNEL32(00000000,?,001F7513,00000000,0020BAD8,0000000C,001F766A,00000000,00000002,00000000), ref: 001F7565
ExitProcess.KERNEL32 ref: 001F7577

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fac224761f553d53c9c97584fcd6889ef4a87e2d08d0b97c1d7ea7dd94c2d1f6
Instruction ID: 7ccf1a44bfccee170d84bd623089ff7326085aea59021a2d0fbc99579d6a469a
Opcode Fuzzy Hash: fac224761f553d53c9c97584fcd6889ef4a87e2d08d0b97c1d7ea7dd94c2d1f6
Instruction Fuzzy Hash: 3AE0B671005A48ABDF11EF64ED0DA697B6AEF54782F108414FA098A272CB35DE42DA90

Function 001D857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D8580
_memcmp.LIBVCRUNTIME ref: 001D8A08

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: a5a891fdd8e9cc826e875ca619deb7ade061a83bbd26c205b95857cf1e6144db
Instruction ID: 3fee89e0151147b414e7a559b67b0e708c1e3445ac91e6a277d7d436e0ce58e8
Opcode Fuzzy Hash: a5a891fdd8e9cc826e875ca619deb7ade061a83bbd26c205b95857cf1e6144db
Instruction Fuzzy Hash: FD820A71904285AEDF25DF74C895BFEB7B9AF15300F0841BBE8599B382DB315A48CB60

Function 001EAEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001EAEE5

Part of subcall function 001D130B: GetDlgItem.USER32(00000000,00003021), ref: 001D134F
Part of subcall function 001D130B: SetWindowTextW.USER32(00000000,002035B4), ref: 001D1365

Strings

C:\Users\user\Desktop, xrefs: 001EB2DF
-el -s2 "-d%s" "-sp%s", xrefs: 001EB281
winrarsfxmappingfile.tmp, xrefs: 001EB2BC
"%s"%s, xrefs: 001EB423
@, xrefs: 001EB2A7
__tmp_rar_sfx_access_check_%u, xrefs: 001EB1CB
<, xrefs: 001EB29A
STARTDLG, xrefs: 001EAF04
LICENSEDLG, xrefs: 001EB771

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-8108337
Opcode ID: 590a3e412959c11d35049b766e956d762ea02621a3bb06bcaee514aa0612d8f2
Instruction ID: fae76fa02e37d1fd484655a4af141c36345f2dddc5a1aea03496abe0899e408f
Opcode Fuzzy Hash: 590a3e412959c11d35049b766e956d762ea02621a3bb06bcaee514aa0612d8f2
Instruction Fuzzy Hash: 0A42E070948694BEEB21ABA1ACCEFEF7BBCAB21700F404055F645A61D2CF745948CB61

Function 001E00CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 001E00E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001E00F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001E0127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001E03D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001E03F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 001E0402
ReadFile.KERNEL32(00000000,?,00007FFE,00203BA4,00000000), ref: 001E0421
CloseHandle.KERNEL32(00000000), ref: 001E0479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001E048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 001E04E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 001E0510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 001E054A

Part of subcall function 001E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001E00A0
Part of subcall function 001E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001DEB86,Crypt32.dll,00000000,001DEC0A,?,?,001DEBEC,?,?,?), ref: 001E00C2

_swprintf.LIBCMT ref: 001E05BE
_swprintf.LIBCMT ref: 001E060A

Part of subcall function 001D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D401D

AllocConsole.KERNEL32 ref: 001E0612
GetCurrentProcessId.KERNEL32 ref: 001E061C
AttachConsole.KERNEL32(00000000), ref: 001E0623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 001E0649
WriteConsoleW.KERNEL32(00000000), ref: 001E0650
Sleep.KERNEL32(00002710), ref: 001E065B
FreeConsole.KERNEL32 ref: 001E0661
ExitProcess.KERNEL32 ref: 001E0669

Strings

`= , xrefs: 001E01FC
? , xrefs: 001E02AA
> , xrefs: 001E0289
SetDllDirectoryW, xrefs: 001E00F0
T; , xrefs: 001E0154
< , xrefs: 001E018C
4= , xrefs: 001E01EC
0A , xrefs: 001E0391
dwmapi.dll, xrefs: 001E0581
(> , xrefs: 001E023C
? , xrefs: 001E0302
SetDefaultDllDirectories, xrefs: 001E0121
X> , xrefs: 001E0252
l< , xrefs: 001E055C
p@ , xrefs: 001E0344
T? , xrefs: 001E02C0
@@ , xrefs: 001E032E
\A , xrefs: 001E03A7
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 001E05F8
uxtheme.dll, xrefs: 001E058B
<? , xrefs: 001E02B5
P< , xrefs: 001E019C
kernel32, xrefs: 001E00DD
DA , xrefs: 001E039C
p? , xrefs: 001E02CB
p> , xrefs: 001E025D
D= , xrefs: 001E01F4
X@ , xrefs: 001E0339
8< , xrefs: 001E0194
|< , xrefs: 001E01AC
x= , xrefs: 001E0204
@> , xrefs: 001E0247
DXGIDebug.dll, xrefs: 001E0169, 001E04D3
(@ , xrefs: 001E0323

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: < $ ? $(> $(@ $0A $4= $8< $<? $@> $@@ $D= $DA $DXGIDebug.dll$P< $Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T; $T? $X> $X@ $\A $`= $dwmapi.dll$kernel32$l< $p> $p? $p@ $uxtheme.dll$x= $|< $> $?
API String ID: 1201351596-768046499
Opcode ID: 5ea681f017f43dc4547350e6da5eb7e3b987a562a410cc78d970fc3babd3c075
Instruction ID: 0bb2544224fb71d73182680aefa4ec8c038b008a8f5d1bd520905a1c6d89f0c6
Opcode Fuzzy Hash: 5ea681f017f43dc4547350e6da5eb7e3b987a562a410cc78d970fc3babd3c075
Instruction Fuzzy Hash: 72D183B10187849BD321EF51D84DB9FBAEDBF89704F00491DF689962C2DBB086588B62

Function 001EBDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 001EBDFA

Part of subcall function 001EAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 001EAAFE

SetWindowTextW.USER32(?,?), ref: 001EC127
_wcsrchr.LIBVCRUNTIME ref: 001EC2B1
GetDlgItem.USER32(?,00000066), ref: 001EC2EC
SetWindowTextW.USER32(00000000,?), ref: 001EC2FC
SendMessageW.USER32(00000000,00000143,00000000,0021A472), ref: 001EC30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001EC335

Strings

ProgramFilesDir, xrefs: 001EC1FB
Software\Microsoft\Windows\CurrentVersion, xrefs: 001EC1D0
<br>, xrefs: 001EC08A
%s.%d.tmp, xrefs: 001EBFF6

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 093affa4729bff42c370e32d91685827a0a1c2118d1f9d840cf7dd315359bed0
Instruction ID: 563a9a480e13d86d0106b487df1fc420a48b1424d3051544c35dc6dfdd065507
Opcode Fuzzy Hash: 093affa4729bff42c370e32d91685827a0a1c2118d1f9d840cf7dd315359bed0
Instruction Fuzzy Hash: 8EE19276D04659AADF25DBA1EC89DEF737CAF58310F0040A6F609E3191EB709B858F90

Function 001DD341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 001DD346
_wcschr.LIBVCRUNTIME ref: 001DD367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,001DD328,?), ref: 001DD382
__fprintf_l.LIBCMT ref: 001DD873

Part of subcall function 001E137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001DB652,00000000,?,?,?,0001043C), ref: 001E1396

Strings

a, xrefs: 001DD4EF
*messages***, xrefs: 001DD4D3
RTL, xrefs: 001DD838
R, xrefs: 001DD4E5
*messages***, xrefs: 001DD49A
@%s:, xrefs: 001DD85D, 001DD869
, xrefs: 001DD67A
$9 , xrefs: 001DD6AF
$%s:, xrefs: 001DD856
,, xrefs: 001DD8AE

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9 $*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-731868787
Opcode ID: 58d41431d0ec8bdd7a115989572ad648b8896df1800083a8163da2363de9cb09
Instruction ID: 4d3f557395355b0b84703066bfa87c36e5332414ca6dde68e5eaca154ac38d72
Opcode Fuzzy Hash: 58d41431d0ec8bdd7a115989572ad648b8896df1800083a8163da2363de9cb09
Instruction Fuzzy Hash: 4612C371900219AACF24DFA4EC91BEEB7B5FF14304F10456BF606A7391EB719A41CB60

Function 001ECB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001EAC85
Part of subcall function 001EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001EAC96
Part of subcall function 001EAC74: IsDialogMessageW.USER32(0001043C,?), ref: 001EACAA
Part of subcall function 001EAC74: TranslateMessage.USER32(?), ref: 001EACB8
Part of subcall function 001EAC74: DispatchMessageW.USER32(?), ref: 001EACC2

GetDlgItem.USER32(00000068,0022ECB0), ref: 001ECB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,001EA632,00000001,?,?,001EAECB,00204F88,0022ECB0), ref: 001ECB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001ECBA1
SendMessageW.USER32(00000000,000000C2,00000000,002035B4), ref: 001ECBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001ECBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 001ECBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001ECC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 001ECC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001ECC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001ECC67
SendMessageW.USER32(00000000,000000C2,00000000,0020431C), ref: 001ECC76

Strings

\, xrefs: 001ECBCF

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 0835579afe8eff188c7e439b383aa3f2eacd4a7688ae15acec95772fdae6c73b
Instruction ID: 001ecca2ef6ea979bf3a571ed37cea34b21fdcc2f53f4d44254ee620ff740d68
Opcode Fuzzy Hash: 0835579afe8eff188c7e439b383aa3f2eacd4a7688ae15acec95772fdae6c73b
Instruction Fuzzy Hash: 2D319C71185742FBE301DF20AC4EFAF7EACEBA6704F000508F691961A1DB65590DCBB6

Function 001ECE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 001ECF54
ShowWindow.USER32(?,00000000), ref: 001ECF93
GetExitCodeProcess.KERNEL32(?,?), ref: 001ECFCF
CloseHandle.KERNEL32(?), ref: 001ECFF5
ShowWindow.USER32(?,00000001), ref: 001ED084

Part of subcall function 001E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,001DBB05,00000000,.exe,?,?,00000800,?,?,001E85DF,?), ref: 001E17C2

Strings

, xrefs: 001ECEA2
.inf, xrefs: 001ECF10
.exe, xrefs: 001ECFFF

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 8a4d985f3a0225debb7e365c8d9eefcf93c2987dccdc6f50c321d5ea5b8f426b
Instruction ID: 18585bc78ba7105d146d80a24a822206515be7f6f611797e4824ca01ab72d733
Opcode Fuzzy Hash: 8a4d985f3a0225debb7e365c8d9eefcf93c2987dccdc6f50c321d5ea5b8f426b
Instruction Fuzzy Hash: 72610871404BC1AADB31DF66E8146AFBBF5AF91300F08481EF5C597251D7B1898ACB92

Function 001FA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001F4E35,001F4E35,?,?,?,001FA2A9,00000001,00000001,3FE85006), ref: 001FA0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001FA2A9,00000001,00000001,3FE85006,?,?,?), ref: 001FA138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001FA232
__freea.LIBCMT ref: 001FA23F

Part of subcall function 001F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001FC13D,00000000,?,001F67E2,?,00000008,?,001F89AD,?,?,?), ref: 001F854A

__freea.LIBCMT ref: 001FA248
__freea.LIBCMT ref: 001FA26D

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a93defe03a6ebdafcd76b91237210bcee0d26704d9a6f7eaead1ed18ce7ea769
Instruction ID: f2e987fc6d74d959dc3872810a13a9f476c1abe5f7a1d5e5a7f3d7ee3cf81a7e
Opcode Fuzzy Hash: a93defe03a6ebdafcd76b91237210bcee0d26704d9a6f7eaead1ed18ce7ea769
Instruction Fuzzy Hash: 7651D2F271021AAFEB258F64CC41EBB77A9EF54750F954228FE08D6141DB39DC40C6A2

Function 001EA335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001E00A0
Part of subcall function 001E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001DEB86,Crypt32.dll,00000000,001DEC0A,?,?,001DEBEC,?,?,?), ref: 001E00C2

OleInitialize.OLE32(00000000), ref: 001EA34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001EA385
SHGetMalloc.SHELL32(00218430), ref: 001EA38F

Strings

riched20.dll, xrefs: 001EA33D
3Ro, xrefs: 001EA366

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 55de0de69925b332f3022c8dac7525b23eb46b90ce165090d61f80db39b29bb3
Instruction ID: 4e1b781b8a506e8b842f8d08ad37d6b44257525b89c2f239068a2326959d101f
Opcode Fuzzy Hash: 55de0de69925b332f3022c8dac7525b23eb46b90ce165090d61f80db39b29bb3
Instruction Fuzzy Hash: C1F0F4B1D00209ABC710AF99D9499EFFBFCEF65701F004156E954E2241DBB456498BA1

Function 001D99B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,001D78AD,?,00000005,?,00000011), ref: 001D9A4C
GetLastError.KERNEL32(?,?,001D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001D9A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,001D78AD,?,00000005,?), ref: 001D9A8E
GetLastError.KERNEL32(?,?,001D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001D9A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,001D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001D9ADB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: a29174358d05ebd7825ac08f478a00c61701695948d6cca40bee12dd563a1de5
Instruction ID: c0c43cb4e89dc61b048d3dbe568ba047aaf065bb46a55dffc0464eb4864cff06
Opcode Fuzzy Hash: a29174358d05ebd7825ac08f478a00c61701695948d6cca40bee12dd563a1de5
Instruction Fuzzy Hash: 4B4133725447466FE320DB24DC09BDABBD4BB05324F10071AF9E4972D1E7B5A988CB91

Function 001EAC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001EAC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001EAC96
IsDialogMessageW.USER32(0001043C,?), ref: 001EACAA
TranslateMessage.USER32(?), ref: 001EACB8
DispatchMessageW.USER32(?), ref: 001EACC2

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: fd3a91b8634fda2b8ec3de89499799029b18a699e4464827226d0c2c403821c8
Instruction ID: df5f6ef0e0c7b73c2abd0a0115f730ceff0ff852d0263e977b1e03535d45705a
Opcode Fuzzy Hash: fd3a91b8634fda2b8ec3de89499799029b18a699e4464827226d0c2c403821c8
Instruction Fuzzy Hash: F1F01D71901129EBCB249BE2AC4CDEF7F6CEE152517404415F405D3110EB24E409C7B1

Function 001EA2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 001EA2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 001EA315

Part of subcall function 001E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,001DBB05,00000000,.exe,?,?,00000800,?,?,001E85DF,?), ref: 001E17C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 001EA305

Strings

EDIT, xrefs: 001EA2E9, 001EA2F4, 001EA301

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: f84d29d286c4ceb62954bc8eb4bbe8ebfe820907bf81e0b35bb8eaa7e3e865fc
Instruction ID: ff2e4884c47ac26ca2070f0ae09f8b7c03a166668761a12dad3b0f84584b4cd7
Opcode Fuzzy Hash: f84d29d286c4ceb62954bc8eb4bbe8ebfe820907bf81e0b35bb8eaa7e3e865fc
Instruction Fuzzy Hash: 89F02732A41A28B7E7306A65AC09FDF73ACAF56F00F440052BE04F3180D760AD49C6F6

Function 001ED287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 001ED29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001ED2D9

Strings

sfxpar, xrefs: 001ED2D4
sfxcmd, xrefs: 001ED298

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: bd5f284f5763bd73d4d68bf5635899fbce43fec48aa407b9100413ab772a8ff5
Instruction ID: a7582024ffb40ef0bbe14ed11dcfb448d8daa4cc2c35cb787b11a81679acd96c
Opcode Fuzzy Hash: bd5f284f5763bd73d4d68bf5635899fbce43fec48aa407b9100413ab772a8ff5
Instruction Fuzzy Hash: 03F0A772811739E6D7206FD5AC09EBEB79DAF1D741B004016FD8956242D760CD50DAF1

Function 001D984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001D985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 001D9876
GetLastError.KERNEL32 ref: 001D98A8
GetLastError.KERNEL32 ref: 001D98C7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 2a99b46eb4a3762495b33d5107c3f872caf33df46af841b8d7b91bccdca06126
Instruction ID: ffba51440297b8f1d148090911f73ee3bc7942e62d976897a0484cfebd59f76a
Opcode Fuzzy Hash: 2a99b46eb4a3762495b33d5107c3f872caf33df46af841b8d7b91bccdca06126
Instruction Fuzzy Hash: 89118E3090020CEFDB249B55D808A7A77ADFB16B31F10C52BF86A86790D7759E40AF51

Function 001FA4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001F3713,00000000,00000000,?,001FA49B,001F3713,00000000,00000000,00000000,?,001FA698,00000006,FlsSetValue), ref: 001FA526
GetLastError.KERNEL32(?,001FA49B,001F3713,00000000,00000000,00000000,?,001FA698,00000006,FlsSetValue,00207348,00207350,00000000,00000364,?,001F9077), ref: 001FA532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001FA49B,001F3713,00000000,00000000,00000000,?,001FA698,00000006,FlsSetValue,00207348,00207350,00000000), ref: 001FA540

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cde9f59d356fe0e4b606d2b804b113b54d762d8401b6c3667e5c0796d1a8cf9c
Instruction ID: 729d5653f51ecb63a306fc476cf4a864abae917ad75092cc63bce0bbec04f633
Opcode Fuzzy Hash: cde9f59d356fe0e4b606d2b804b113b54d762d8401b6c3667e5c0796d1a8cf9c
Instruction Fuzzy Hash: 1E01FCB671132AABC7218B68BC48A76779CAF45BA17510520FA0ED7251D735D900C6E1

Function 001FB188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 001F8FA5: GetLastError.KERNEL32(?,00210EE8,001F3E14,00210EE8,?,?,001F3713,00000050,?,00210EE8,00000200), ref: 001F8FA9
Part of subcall function 001F8FA5: _free.LIBCMT ref: 001F8FDC
Part of subcall function 001F8FA5: SetLastError.KERNEL32(00000000,?,00210EE8,00000200), ref: 001F901D
Part of subcall function 001F8FA5: _abort.LIBCMT ref: 001F9023

Part of subcall function 001FB2AE: _abort.LIBCMT ref: 001FB2E0
Part of subcall function 001FB2AE: _free.LIBCMT ref: 001FB314

Part of subcall function 001FAF1B: GetOEMCP.KERNEL32(00000000,?,?,001FB1A5,?), ref: 001FAF46

_free.LIBCMT ref: 001FB200
_free.LIBCMT ref: 001FB236

Strings

, xrefs: 001FB22A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-771276903
Opcode ID: a17118522f3e3726117761dba8286f33821f01a8b4cdfade66eb2f204cd08fe4
Instruction ID: f4cd4a2523ec0e41599bfcbfbbbfa2b703412fe9b08bf433658c739e4438998d
Opcode Fuzzy Hash: a17118522f3e3726117761dba8286f33821f01a8b4cdfade66eb2f204cd08fe4
Instruction Fuzzy Hash: 3531D93190820CAFDB10EFA9D885B7DB7F5EF55320F254099F6149B291DB716D41CB50

Function 001D9F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,001DCC94,00000001,?,?,?,00000000,001E4ECD,?,?,?), ref: 001D9F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,001E4ECD,?,?,?,?,?,001E4972,?), ref: 001D9F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,001DCC94,00000001,?,?), ref: 001D9FB8

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: cea05fb7a6cf57289b3bc2deef39ed33abd7406d7577e8f26f6f4a1ca758b63e
Instruction ID: 79850ee74ff86313ee45bb6f47e19f3407b52c868f6c634b8faa2e6472e1de4e
Opcode Fuzzy Hash: cea05fb7a6cf57289b3bc2deef39ed33abd7406d7577e8f26f6f4a1ca758b63e
Instruction Fuzzy Hash: AF31E0712083059BDF24DF24D848B6ABFA9EF90710F04465AF945DB381CB74ED48CBA2

Function 001DA207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,001DA113,?,00000001,00000000,?,?), ref: 001DA22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,001DA113,?,00000001,00000000,?,?), ref: 001DA261
GetLastError.KERNEL32(?,?,?,?,001DA113,?,00000001,00000000,?,?), ref: 001DA27E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 198ee0ce48ebfe30eadee02a6de6ce55bd7a589512ec25b2f29f0234737a3c76
Instruction ID: 50949d4d01a2877ef1d9975ef090e594b60dbaf841a6ccc9ad83316724bcbe6f
Opcode Fuzzy Hash: 198ee0ce48ebfe30eadee02a6de6ce55bd7a589512ec25b2f29f0234737a3c76
Instruction Fuzzy Hash: BF01D831181214A6DF32EBB65C49BEE374CAF16791F844457F801D5251DB66CA41C6B3

Function 001FAFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 001FB019

Strings

, xrefs: 001FB05E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 1b4afbf43f9741ffe66dbec709ef878a0d86aff663f49b4629666e6095bd94cd
Instruction ID: df9716fccc84c1c68954ec78da215dfc8a46481fb9825fa9402829e43519f475
Opcode Fuzzy Hash: 1b4afbf43f9741ffe66dbec709ef878a0d86aff663f49b4629666e6095bd94cd
Instruction Fuzzy Hash: B94126B050C38C9ADF258A24DCD4AFBBBBEDB55304F2404ECE69A87142D7359A45CF60

Function 001FA72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 001FA79D

Strings

LCMapStringEx, xrefs: 001FA73D, 001FA747

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 1ba34f439c54f57a94047b87a20a046d7127b1c0cb51a553318238816df9f342
Instruction ID: 7f4e19e9e7cacbdbef9661e894e6c0ba722d3ba1334bd87f80978b9812fa30e6
Opcode Fuzzy Hash: 1ba34f439c54f57a94047b87a20a046d7127b1c0cb51a553318238816df9f342
Instruction Fuzzy Hash: E901447250020CBBCF12AFA0EC06DEE3F66EF18760F454254FE1826161CB369A31EB91

Function 001FA6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,001F9D2F), ref: 001FA715

Strings

InitializeCriticalSectionEx, xrefs: 001FA6E5

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: e45b41d63fffc0a6625cb4fbb4d9c9236a482e382fe0e611250902a9168b5670
Instruction ID: 185700a828f5d70e52474ed3512c4e744e4ea3cebc668a3617f882792e33df0b
Opcode Fuzzy Hash: e45b41d63fffc0a6625cb4fbb4d9c9236a482e382fe0e611250902a9168b5670
Instruction Fuzzy Hash: 7FF02470A4431CBBCB006F10DC09CAE7F65EF05720B408154FD0816262CB325E20EB90

Function 001FA56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 001FA5AE

Strings

FlsAlloc, xrefs: 001FA58A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 9ffd869feaafffca45b91d5c8ddbd10cb5ecefbb2df9a46cfec4ff08d3d153d4
Instruction ID: 4da79007df6b1a374d36f33769353ff43acfb2afe56274bb3c5c5cdd6d8fdeb5
Opcode Fuzzy Hash: 9ffd869feaafffca45b91d5c8ddbd10cb5ecefbb2df9a46cfec4ff08d3d153d4
Instruction Fuzzy Hash: CBE0ABB0B5533C6FD314AB60AC0ACBEBB98CF66710B810154FC0817282CF751E109AD6

Function 001F329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 001F32AF

Strings

FlsAlloc, xrefs: 001F329E, 001F32A8

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: d6f5d1019d4402062140ff219a309161eaa97558102bfd5da8a92caaa0297cf8
Instruction ID: b439e31c01fe57c27302922b522460268b016a93bd7445b3996f3d21ea7a2497
Opcode Fuzzy Hash: d6f5d1019d4402062140ff219a309161eaa97558102bfd5da8a92caaa0297cf8
Instruction Fuzzy Hash: 37D05B31781B796AD71132D56C039BFBE4C8702FF5F450252FF0C5A5C3966649604DD5

Function 001EE1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EE20B

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Strings

3Ro, xrefs: 001EE1F9, 001EE205

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 8782d90b5d5a7dc33bc38252f303055974878786da1ad2610b36f750ed7bb153
Instruction ID: cb7c6283e864534f4d1a96bfaad4efe8c8812877b8981a3534f67f09d1b6838b
Opcode Fuzzy Hash: 8782d90b5d5a7dc33bc38252f303055974878786da1ad2610b36f750ed7bb153
Instruction Fuzzy Hash: 8DB012E127E542BC330C5102BE06C3E031CC4D1B50370C01AB305D40C19780DC1E4032

Function 001FB350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 001FAF1B: GetOEMCP.KERNEL32(00000000,?,?,001FB1A5,?), ref: 001FAF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,001FB1EA,?,00000000), ref: 001FB3C4
GetCPInfo.KERNEL32(00000000,001FB1EA,?,?,?,001FB1EA,?,00000000), ref: 001FB3D7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f4b7aef2093a9706fe7a07ed457ac68ef7bdb3605755cdbec1e20aa836bf7529
Instruction ID: 3606a0b4e15f1841f969edb10375e4c9d60a8f3a69f191b439972e39c5b38dc5
Opcode Fuzzy Hash: f4b7aef2093a9706fe7a07ed457ac68ef7bdb3605755cdbec1e20aa836bf7529
Instruction Fuzzy Hash: F75157B0A0830D9EDB24DF35C8D06BABBE5EF51310F18846ED2878B253D7399942CB90

Function 001D1385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D1385

Part of subcall function 001D6057: __EH_prolog.LIBCMT ref: 001D605C

Part of subcall function 001DC827: __EH_prolog.LIBCMT ref: 001DC82C
Part of subcall function 001DC827: new.LIBCMT ref: 001DC86F
Part of subcall function 001DC827: new.LIBCMT ref: 001DC893

new.LIBCMT ref: 001D13FE

Part of subcall function 001DB07D: __EH_prolog.LIBCMT ref: 001DB082

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ba36ebfcc2eb4f4d654d054ac6d446b6e46409030a8cbd53b1da2db7e80ec5a7
Instruction ID: 09aa26c5bdb7644a82a44d1cd0b2d2e3bbfa9a563fd21b4105194438d41e4816
Opcode Fuzzy Hash: ba36ebfcc2eb4f4d654d054ac6d446b6e46409030a8cbd53b1da2db7e80ec5a7
Instruction Fuzzy Hash: 324116B0905B40AED724DF7984859E7FBE5FF28300F504A2ED6EE83282DB326554CB11

Function 001D1380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D1385

Part of subcall function 001D6057: __EH_prolog.LIBCMT ref: 001D605C

Part of subcall function 001DC827: __EH_prolog.LIBCMT ref: 001DC82C
Part of subcall function 001DC827: new.LIBCMT ref: 001DC86F
Part of subcall function 001DC827: new.LIBCMT ref: 001DC893

new.LIBCMT ref: 001D13FE

Part of subcall function 001DB07D: __EH_prolog.LIBCMT ref: 001DB082

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7d257c746bd926a7491de3dbb0c2d9423b29d215f91c4843401a097ddb8e7297
Instruction ID: 99fcd0b90925e1b400a29c5c28c6d7835c128700fa3fd4f0c6c18bd126f00ad3
Opcode Fuzzy Hash: 7d257c746bd926a7491de3dbb0c2d9423b29d215f91c4843401a097ddb8e7297
Instruction Fuzzy Hash: 104115B0905B40AEE724DF7984859E7FBE5FF29300F504A2ED6EE83282DB326554CB15

Function 001D971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,001D9EDC,?,?,001D7867), ref: 001D97A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,001D9EDC,?,?,001D7867), ref: 001D97DB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 82f603a816a20a824556b65cc72f14692657afaf4222f497778d8df473d9f390
Instruction ID: d66647332583515a11205ed6307e54d71b6ebfd88a69616d8a4266482c017d79
Opcode Fuzzy Hash: 82f603a816a20a824556b65cc72f14692657afaf4222f497778d8df473d9f390
Instruction Fuzzy Hash: BE21F6B1514749AFD7308F64C885BA777E8EB49764F00492EF5E682291C374AC458F61

Function 001D9D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001D7547,?,?,?,?), ref: 001D9D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 001D9E2C

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 56ff42577362588aeb93a2b03d662e9161d3869ddfd5b1ec4f718e23faac859b
Instruction ID: f1b23cf43bbff6186ca072facb2f9df7e8b1238a5803cac9f9c4179f9da295f7
Opcode Fuzzy Hash: 56ff42577362588aeb93a2b03d662e9161d3869ddfd5b1ec4f718e23faac859b
Instruction Fuzzy Hash: 0821D631158786ABC715DE65C451AABBBE5AF55704F04081EF4D187241D329DA0CDB61

Function 001FA458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 001FA4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 001FA4C5

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8292739308ad11921e13b8ae6709a812dd3c20e7d03216dab045a4071a593da2
Instruction ID: 78552a868fd60969e7c33f02018293fa30ff37e2515a8252c9932d79c1e57435
Opcode Fuzzy Hash: 8292739308ad11921e13b8ae6709a812dd3c20e7d03216dab045a4071a593da2
Instruction Fuzzy Hash: 041127B36016288BDF25DE28FC4887A73999F8032075F4120EF19AB245DB78DC41C6D2

Function 001D9B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,001D9B35,?,?,00000000,?,?,001D8D9C,?), ref: 001D9BC0
GetLastError.KERNEL32 ref: 001D9BCD

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b5fa9869388136ef28248fb4166602c851817f99a1394f2203613d9fc2c2880f
Instruction ID: 525b6712a16e30282f5a37fdfd4805fcb32c2b5e664e2e57c9c8e1dedbc1d692
Opcode Fuzzy Hash: b5fa9869388136ef28248fb4166602c851817f99a1394f2203613d9fc2c2880f
Instruction Fuzzy Hash: 1901A1322043159B8B08CE69BC94D7FB399AFC5722B16462FE91787391CB759C059A21

Function 001D9E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 001D9E76
GetLastError.KERNEL32 ref: 001D9E82

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cba57e570ba86fbbf271687d01eab0e2f79bb03f7b19567f652930be724353ff
Instruction ID: 6e985985a0253088d1cc579fa4519dca4eb83fb0ec1f440d7e8ee7ba85db0749
Opcode Fuzzy Hash: cba57e570ba86fbbf271687d01eab0e2f79bb03f7b19567f652930be724353ff
Instruction Fuzzy Hash: 43015E717057006BEB34DF29DC89B6BB7D99B88319F144A3FB156C2790DB75EC888610

Function 001F8606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001F8627

Part of subcall function 001F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001FC13D,00000000,?,001F67E2,?,00000008,?,001F89AD,?,?,?), ref: 001F854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00210F50,001DCE57,?,?,?,?,?,?), ref: 001F8663

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 5b4172d4abf51f7a439a36aa74f08dad575a6bcb6f18af41510cf53ebc88da71
Instruction ID: c4092f9450de701ecd1421636e2a45396382e5d9b8226292c0e6fb53f047a3d4
Opcode Fuzzy Hash: 5b4172d4abf51f7a439a36aa74f08dad575a6bcb6f18af41510cf53ebc88da71
Instruction Fuzzy Hash: E1F0B43220551DAADB212B25AC05F7F376DEFE2BB0F254125FB14DA2A1DF30CC0195A5

Function 001E0908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 001E0915
GetProcessAffinityMask.KERNEL32(00000000), ref: 001E091C

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 6775f1ccbda1e32c72849435433ebd34ac6dde02062de6286fe4e106d6157990
Instruction ID: 02437a6a7bac7bebfee3bd805ed0bd664d381efa7a21d44fd7c5f268f77d753a
Opcode Fuzzy Hash: 6775f1ccbda1e32c72849435433ebd34ac6dde02062de6286fe4e106d6157990
Instruction Fuzzy Hash: 79E09B32A11545ABBF0ACEA5AC044FF739EDB0C3187114179E80ED3103F774DD418660

Function 001DA444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001DA27A,?,?,?,001DA113,?,00000001,00000000,?,?), ref: 001DA458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001DA27A,?,?,?,001DA113,?,00000001,00000000,?,?), ref: 001DA489

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: db90cfc35719f9541872fec2028075d45d7f849e1db6637b246b930a5e0e0f1a
Instruction ID: 903605fb12c98f5c7befd414521bff3cbf8ee505bd4a559f07a505ad30a1ec3e
Opcode Fuzzy Hash: db90cfc35719f9541872fec2028075d45d7f849e1db6637b246b930a5e0e0f1a
Instruction Fuzzy Hash: FDF0A03124120DBBDF01AF60DC45FDA376DBF04381F488056BC8886261DB72CAA8AA50

Function 001ED573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001ED5A1
SetDlgItemTextW.USER32(00000065,?), ref: 001ED5B8

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: f98b0c1e3ca2b2e5923ab952983036aaf97589f96f4cb359c32f2a8829680a67
Instruction ID: b3c1b36f96fdf8d3dbed8218e35107b3ed04eb92d54c6eb7876fad654953ebd2
Opcode Fuzzy Hash: f98b0c1e3ca2b2e5923ab952983036aaf97589f96f4cb359c32f2a8829680a67
Instruction Fuzzy Hash: 63F0E5715007887BEB11ABB1AC0BFEE3BADAB14745F040596B604931A2DF716A608B62

Function 001DA12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,001D984C,?,?,001D9688,?,?,?,?,00201FA1,000000FF), ref: 001DA13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,001D984C,?,?,001D9688,?,?,?,?,00201FA1,000000FF), ref: 001DA16C

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 02f06675c802ea8b69f7b04ba643ccaf9ac46b5e1a9acc70d2234b25f7f4dd95
Instruction ID: b2b7d34f70b83fc364b3f5542149ea33db4f5cc5f432fb6714115a2dd3bbad64
Opcode Fuzzy Hash: 02f06675c802ea8b69f7b04ba643ccaf9ac46b5e1a9acc70d2234b25f7f4dd95
Instruction Fuzzy Hash: 31E09235641209ABDB11EF60EC45FE9779CBF08381F884066B888C3161DB61DD94EA90

Function 001EA39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00201FA1,000000FF), ref: 001EA3D1
CoUninitialize.COMBASE(?,?,?,?,00201FA1,000000FF), ref: 001EA3D6

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 1e361e05956f8101eb59bd1ee0659161b71bf1a77c0945f0bb8c2f619b7038f2
Instruction ID: 99ee65adeb681ec90ba29ac53637537d1af184a27eec83fda96780a052905a85
Opcode Fuzzy Hash: 1e361e05956f8101eb59bd1ee0659161b71bf1a77c0945f0bb8c2f619b7038f2
Instruction Fuzzy Hash: 89F0A032518655DFC700DB4CEC09B09FBACFB49B20F00436AF409837A1CB346C10CA80

Function 001DA194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,001DA189,?,001D76B2,?,?,?,?), ref: 001DA1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,001DA189,?,001D76B2,?,?,?,?), ref: 001DA1D1

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6551126faddf01468dd0347a5e6196ff77b249d43ef20ba47d092a02acf82efa
Instruction ID: 2457b7e6f86881ad038af5dce083c002b7822986a5d6b51289697e2ecd139e8f
Opcode Fuzzy Hash: 6551126faddf01468dd0347a5e6196ff77b249d43ef20ba47d092a02acf82efa
Instruction Fuzzy Hash: 4EE092365002289BDB20FB68DC09BD9B79CAB183E1F0042A2FD45E3291DB70DD449AE0

Function 001E0085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001E00A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001DEB86,Crypt32.dll,00000000,001DEC0A,?,?,001DEBEC,?,?,?), ref: 001E00C2

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: a1616fee1281bccfa8987bf7e433abdcb624e36ad3b388059dc0079a330b66c7
Instruction ID: 059546ae6f5e6a3f7a5860ac037b7603530a99e9828bb07c5bfedddaac76a07b
Opcode Fuzzy Hash: a1616fee1281bccfa8987bf7e433abdcb624e36ad3b388059dc0079a330b66c7
Instruction Fuzzy Hash: 29E09B7550165C56CB21D695AC08FDA775CFF0C381F040055F504D3104D7709A40CBA0

Function 001E9B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001E9B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 001E9B37

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: d31b14643c2ac05b6445eb8041f711ec6ee977152303df3a53310b8932dc6f8a
Instruction ID: 7a71f8be9abbce4c0aad521c3600218ba78069467ac18cb65589a200d863d465
Opcode Fuzzy Hash: d31b14643c2ac05b6445eb8041f711ec6ee977152303df3a53310b8932dc6f8a
Instruction Fuzzy Hash: E0E0ED71911619EBCB10DF99D501A9DB7ECEB08721F10805BED9593301E7B16E149B91

Function 001F215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 001F329A: try_get_function.LIBVCRUNTIME ref: 001F32AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001F217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 001F2185

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: bfa5087132783d26b00b944a150b3d59fa602284f0bb1dc92427e4c0bcf822a8
Instruction ID: 428229a3719ae290f6ade92844e5699d16498e196c2afa2caed8737e2b418176
Opcode Fuzzy Hash: bfa5087132783d26b00b944a150b3d59fa602284f0bb1dc92427e4c0bcf822a8
Instruction Fuzzy Hash: 1BD0223920C30E24BE0CA7B07C420F82348A872BB03F00B46F730CA0D2EF718044B419

Function 001EDC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 001EDC73
DloadProtectSection.DELAYIMP ref: 001EDC8F

Part of subcall function 001EDE67: DloadObtainSection.DELAYIMP ref: 001EDE77

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 239346367de1145e2b627456b9efa278d428b306ef04b687e81ef76eff76037b
Instruction ID: 5209b505aef0cae761a6d7d91c81dd30a3f4c8426e2c9b1015fdf6f1aba2d7b6
Opcode Fuzzy Hash: 239346367de1145e2b627456b9efa278d428b306ef04b687e81ef76eff76037b
Instruction Fuzzy Hash: 02D01270100BD04EC215EB66BDDE75D32B0B714B85FB81A06F106C74E1DFF44491C626

Function 001D12E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 001D12FB
ShowWindow.USER32(00000000), ref: 001D1302

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: fab1b5abe33b2b97fc1c2c5709074457abc6405161f626400be8c6db6b194fb0
Instruction ID: fa94457020664b308581cf7ceabbc9e348ac12b2e981554e2c897878fb07c1c6
Opcode Fuzzy Hash: fab1b5abe33b2b97fc1c2c5709074457abc6405161f626400be8c6db6b194fb0
Instruction Fuzzy Hash: 79C01232058200FECB010BB0ED0DD2FBBA8ABA4212F05C908B6E9C0061C238C018DB11

Function 001D19A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D19AB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b68582b6415dac7bb0863b2efaeda98d43bf8dd26767591ac51a7d51559a293d
Instruction ID: 9723bb60cde894e71523c8569b018672289bb051bac0a3264510d094fa6b4d67
Opcode Fuzzy Hash: b68582b6415dac7bb0863b2efaeda98d43bf8dd26767591ac51a7d51559a293d
Instruction Fuzzy Hash: 2FC19030A04294BFEF15CF68C498BA97BA5AF1A314F1840BBEC45DB386DB359D44CB61

Function 001D3B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D3B42

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6dda19acf6427346cb69687f4fc8e4711bae5ffa2df44f637427d97c341f4097
Instruction ID: f2f0cd601284c684b0d8c28070b53b663f5d8a8aba75bdb4a33d7204e334fdaf
Opcode Fuzzy Hash: 6dda19acf6427346cb69687f4fc8e4711bae5ffa2df44f637427d97c341f4097
Instruction Fuzzy Hash: 4571BD71104F44AEDB25DB70CC91AEBB7E9AF24301F84496FE5AB47242DB316A48CF52

Function 001D837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D8384

Part of subcall function 001D1380: __EH_prolog.LIBCMT ref: 001D1385
Part of subcall function 001D1380: new.LIBCMT ref: 001D13FE

Part of subcall function 001D19A6: __EH_prolog.LIBCMT ref: 001D19AB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cc43e8264622850e267c2e3654dd32d83da1904746650fc8ff1a7489cb388450
Instruction ID: da7c8cc97265323713ec221640dde4980e0cce34c1278e17b1703a19230d8a73
Opcode Fuzzy Hash: cc43e8264622850e267c2e3654dd32d83da1904746650fc8ff1a7489cb388450
Instruction Fuzzy Hash: 5241B371940655AADF24EB60CC55BEAB3A8AF60304F0540EBE58AA3293DF745FC8DF50

Function 001D1E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D1E05

Part of subcall function 001D3B3D: __EH_prolog.LIBCMT ref: 001D3B42

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1a597e7f4c1aec59dcb266e374ab77a169831c68cad3827d50eac5b0185af66b
Instruction ID: 88201425d816160e6dba08e00d0c81278c2511f68b60002f6040d652cce1e05a
Opcode Fuzzy Hash: 1a597e7f4c1aec59dcb266e374ab77a169831c68cad3827d50eac5b0185af66b
Instruction Fuzzy Hash: 93213772944248AFCB15EF99D9419EEFBF6BF68300B10016EE845A7351CB325E10CB60

Function 001EA7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001EA7C8

Part of subcall function 001D1380: __EH_prolog.LIBCMT ref: 001D1385
Part of subcall function 001D1380: new.LIBCMT ref: 001D13FE

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8a50c9bc198fb34117a00ac21acbc9e00cd0761eafc033967386fba67da6d097
Instruction ID: 2b42956f4293e28e1769ef0ca65e735d4c69336efb2194df2be0395b017b2341
Opcode Fuzzy Hash: 8a50c9bc198fb34117a00ac21acbc9e00cd0761eafc033967386fba67da6d097
Instruction Fuzzy Hash: 30216B71C04689AACF15DF95C9529EEBBB4AF29300F4004AEE809A3242DB356E06CB61

Function 001D92E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D92EB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7cacb3d17e3043f0b1dfae2654f22ac1d6e2c1ce87f02017f989134cc6150a1e
Instruction ID: 762483c1af2ed373481f5115b844143e207d1e3a278a1eb2ef12f3df98a6cb6d
Opcode Fuzzy Hash: 7cacb3d17e3043f0b1dfae2654f22ac1d6e2c1ce87f02017f989134cc6150a1e
Instruction Fuzzy Hash: 6F118E73A10929ABCF22AEA8CC919EEB736BF98750F054116F804A7391DB349D10C7E0

Function 001FBB8A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 001F85A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001F8FD3,00000001,00000364,?,001F3713,00000050,?,00210EE8,00000200), ref: 001F85EA

_free.LIBCMT ref: 001FBBF6

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction ID: 0b5c0525ba67ebfd31fc03e6225eb67d9a5bd009f0f617aaa9572f556a32d66a
Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction Fuzzy Hash: F701F97360430D6BE3358F65D88596AFBEDFB95370F25051DE69483280EB30A806C774

Function 001DAA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 001DAA9A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 861cc20303893d178611d29d96bca70fb6eb1a38a6b8659a6999104be938d89a
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: D1F08C30500B069FDB30DE65C94162AB7E8EF21320F608A1BE496C3780E770D880C782

Function 001F85A9 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001F8FD3,00000001,00000364,?,001F3713,00000050,?,00210EE8,00000200), ref: 001F85EA

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 405713e39d64fefecd42a78122700bdca18720ae6b8c182322894e7fb92fb637
Instruction ID: db6f95f506736df7de5090bada8bf7b2146990599e5ac6084cf5aa8c37905a36
Opcode Fuzzy Hash: 405713e39d64fefecd42a78122700bdca18720ae6b8c182322894e7fb92fb637
Instruction Fuzzy Hash: 2DF0E93164452D6BEB216F669C05B7B778CAF917B0B158111AF19E61E1CF30DD028AE4

Function 001D5BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D5BDC

Part of subcall function 001DB07D: __EH_prolog.LIBCMT ref: 001DB082

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 31dbd79961b7ff7634a5e7e340f315a7893b475220f6e69c9700fe7004666ce5
Instruction ID: e4ebf0763eba6a86f01a83ab11a438420a628d017590f3baeed5e06107a792a4
Opcode Fuzzy Hash: 31dbd79961b7ff7634a5e7e340f315a7893b475220f6e69c9700fe7004666ce5
Instruction Fuzzy Hash: CC016D34A15684DAC725F7A4C0553EDF7A49F69700F41419EA85A53383CBB81B09C7A2

Function 001F8518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001FC13D,00000000,?,001F67E2,?,00000008,?,001F89AD,?,?,?), ref: 001F854A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a6e4dd0b475cfc3f10a5c5ae29dd129e7c9730711bd4ddb3756f631ce9ad626
Instruction ID: a6fb481749a27f07344738120e9900e0f68a9cf21ab31ea92659dd0a42d56e8f
Opcode Fuzzy Hash: 4a6e4dd0b475cfc3f10a5c5ae29dd129e7c9730711bd4ddb3756f631ce9ad626
Instruction Fuzzy Hash: 8BE0656164426D5BEB3126696C05B7A77CCDF917B4F150220AF55EA0B1CF70CC0185F5

Function 001DA4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001DA4F5

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 753af1fed442edd72126944a561a0718fe6e3690d250b671e3bce1b74749d8a4
Instruction ID: fb411ea3a67b95839eef43dc11493f1be0dda635e2c348fda2c6113b2c4af269
Opcode Fuzzy Hash: 753af1fed442edd72126944a561a0718fe6e3690d250b671e3bce1b74749d8a4
Instruction Fuzzy Hash: 15F0E9320093C0AACA229B7848447C67B956F25331F44CA0AF1FD02292C37414859723

Function 001E067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 001E06B1

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 5867812170ff2dfa3c9ac8cf3465a9c6fe0439b749b8c211a98ad4df1a1bf208
Instruction ID: 6215921910cef71476302856ed68171832bc92d342e7f43ef06c39ae2808df7e
Opcode Fuzzy Hash: 5867812170ff2dfa3c9ac8cf3465a9c6fe0439b749b8c211a98ad4df1a1bf208
Instruction Fuzzy Hash: 9ED0C22420019025C6227326A84A7FE1B0A0FEA720F080023F00D53687CF9A08C652A2

Function 001E9D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 001E9D81

Part of subcall function 001E9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001E9B30

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: aac58a8093f82f52b56073af958a7908b5cf3b70473972a424b43a632daf4858
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 28D0A73061464DBADF40BEB28C0297E7BEDEB10300F008025BC0886141EFB1DE10A261

Function 001D9989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,001D9887), ref: 001D9995

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6db3dc2fdc6ceeb7e06d00bf8120ba8dbb900ffbdf7ffdcc19605a3682b10a6b
Instruction ID: 76c8d275e4df0ff625617579312ff391d913a2b835f9cd60a683106f2d7979ea
Opcode Fuzzy Hash: 6db3dc2fdc6ceeb7e06d00bf8120ba8dbb900ffbdf7ffdcc19605a3682b10a6b
Instruction Fuzzy Hash: 38D01231011241A58F2986345D5909A7756DB8336EB38D6A9D025C41A1D737C803F541

Function 001ED41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 001ED43F

Part of subcall function 001EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001EAC85
Part of subcall function 001EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001EAC96
Part of subcall function 001EAC74: IsDialogMessageW.USER32(0001043C,?), ref: 001EACAA
Part of subcall function 001EAC74: TranslateMessage.USER32(?), ref: 001EACB8
Part of subcall function 001EAC74: DispatchMessageW.USER32(?), ref: 001EACC2

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 208bd934656b56217d7a8ab8b78592892d241ae23d8608075b208fe7cad3e874
Instruction ID: d8ed714ea7327639d82765dc82f5e8f0cdbc1a727d68e415828f7d9f17df1426
Opcode Fuzzy Hash: 208bd934656b56217d7a8ab8b78592892d241ae23d8608075b208fe7cad3e874
Instruction Fuzzy Hash: FFD09E31144300ABD6112B51DE06F0F7AE6AB98B04F404554B349750B2CA62AD21AB16

Function 001ED891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85b32fe4541a2d702195fb4865e3d3edd45859e1b8673b23f2e453f8fde02ed2
Instruction ID: 62fade973dd760bc61d9958dd50ab4b8208e5d81c379bff8731c5c39560e7edc
Opcode Fuzzy Hash: 85b32fe4541a2d702195fb4865e3d3edd45859e1b8673b23f2e453f8fde02ed2
Instruction Fuzzy Hash: 19B012E527CB42BC320C61027D62C3F020CC4C1B11331452AF44DE00C2D6805C5D4431

Function 001ED8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb15d31e59831e7452f21c4a1c168ca94b77cc09ff663b56de74175de24a0e87
Instruction ID: 1264eca3ea7961a38d445bfdd6e825c40a89b4766e5b32fd5584cd3775293324
Opcode Fuzzy Hash: bb15d31e59831e7452f21c4a1c168ca94b77cc09ff663b56de74175de24a0e87
Instruction Fuzzy Hash: 6DB012E127C942AC320CA1067D12D3E020CC4C2B11330C01AF44DD02C2D6405C1E0431

Function 001ED8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4819ebc993e49013e8ff9ec57eb3aaedfecf17e6e5014feee70dfc2866bb167b
Instruction ID: eca32afbc837c748ea18e1e8f9456182df4d2d94ecec200ff84a7292e2080cd7
Opcode Fuzzy Hash: 4819ebc993e49013e8ff9ec57eb3aaedfecf17e6e5014feee70dfc2866bb167b
Instruction Fuzzy Hash: B3B012E527CA42AC320CA1067D52D3F020CD4C1B11330401AF44DD01C2D7405C190531

Function 001ED8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2c168c6cda004c6695020f412e9287ac8b95ea3240b66bde1945364cb0990d7
Instruction ID: bd942b9dded016ea6689e58539fa9ddfad6c18b89f4b76056a791ff15d1fab65
Opcode Fuzzy Hash: d2c168c6cda004c6695020f412e9287ac8b95ea3240b66bde1945364cb0990d7
Instruction Fuzzy Hash: 42B012F137C942AC320CA1067D12E3E021CC4C2B11330801AF44DD01C2D6405C190431

Function 001ED8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 25b08f9a4b3dc7cd096624fd43bfc36c44bcc1bab40815e0a5c07253c6c2446a
Instruction ID: e689de40c5c19632c8248acbe7709603bca9a3baecd5c3b8f7c9baf36cafae31
Opcode Fuzzy Hash: 25b08f9a4b3dc7cd096624fd43bfc36c44bcc1bab40815e0a5c07253c6c2446a
Instruction Fuzzy Hash: AAB012E127C942AC320CA1077E12D3E020CC4C1B11330801AF04DD02C2D6405C1F1431

Function 001ED8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a488f66754ef71a71fd0f885d193e179dd6a2bad01d51bd36eb53080a101bd23
Instruction ID: ebd22258209988b392eab42a6a8ba29d94813433ea80c3b898a46cdd539f7212
Opcode Fuzzy Hash: a488f66754ef71a71fd0f885d193e179dd6a2bad01d51bd36eb53080a101bd23
Instruction Fuzzy Hash: C1B012E127CA82AC324CA1067D12D3E020CC4C1B11331811AF04DD02C2D6805C9E0431

Function 001ED8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e42baac8e22cf0d55b877fe545ce29c837e26483c75cbd77b9cb248c8525f671
Instruction ID: caddff31d579bd04f61ca31974cd18e227fb5a6862f9b27415d487a0a27c6684
Opcode Fuzzy Hash: e42baac8e22cf0d55b877fe545ce29c837e26483c75cbd77b9cb248c8525f671
Instruction Fuzzy Hash: 5BB012F137C942AC320CA1077D12E3E021CC4C1B11330401AF04DD01C2D6405C190431

Function 001ED8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c176b206e07d26dafcbb61d748901dace28a432d21130c46013803062243bcac
Instruction ID: f77c51fd3cf0977482d853d9733bf3398b4dec6c6f69e8edae17723f2e1b77bb
Opcode Fuzzy Hash: c176b206e07d26dafcbb61d748901dace28a432d21130c46013803062243bcac
Instruction Fuzzy Hash: 16B012F137C942AC320CA1067E12E3E021CC4C1B11330401AF04DD01C2D6405D1A1431

Function 001ED8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d6c3db389a829ec0d929eee7764975f355c6076bb90e265bfd36d09ab863731e
Instruction ID: bc084330f1b043e0df6cf70b9d02bb2a1b742c18a8658500741edf6d41637a0f
Opcode Fuzzy Hash: d6c3db389a829ec0d929eee7764975f355c6076bb90e265bfd36d09ab863731e
Instruction Fuzzy Hash: F6B012F137CA42AC324CA1067D12E3E021CC4C1B11331411AF04DD01C2D6805C590431

Function 001ED910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f293772f0ba4026075e88e36a109511116ffe2d53784d7cd576351aa08466ac0
Instruction ID: 1a1ec760095634cf6a9c87f6766bef23ed6fea113d88dc2642633dd83dc1862c
Opcode Fuzzy Hash: f293772f0ba4026075e88e36a109511116ffe2d53784d7cd576351aa08466ac0
Instruction Fuzzy Hash: A0B012F127DA42AC324CA2067E12D3E020DC4C1B11731411AF14DD01C2D6809C590431

Function 001ED906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3724680a7f26c12bce0574981797761039095ac990b7bd93f1eea7da91a5f942
Instruction ID: 398e48b734a520f13820f3930c8048cd49283b7d7e7dbe0b4e30289887cc99c1
Opcode Fuzzy Hash: 3724680a7f26c12bce0574981797761039095ac990b7bd93f1eea7da91a5f942
Instruction Fuzzy Hash: 09B012E137D942AC320CA1067E12D3E020DC4C2B11730801AF54DD01C2D6409C190431

Function 001ED92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 52299ddf2fd30f53da195eda6beaac1f3888719fa986acac6d27cfbc60c2506a
Instruction ID: 1033d3ae0a5ef4402d99a890a77b5da0b993c69cd746b1ef3803f96d5cf50b42
Opcode Fuzzy Hash: 52299ddf2fd30f53da195eda6beaac1f3888719fa986acac6d27cfbc60c2506a
Instruction Fuzzy Hash: 31B012E127CA42AC320DA1167D12D3E024CC4C2B11331801AF54DD01C2D7405C190831

Function 001ED924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0e98d2de75f328ab20c0c345e4897da5054beac27b35e61818d15a76c26b8afa
Instruction ID: 00570d9ed17ca408a53baee61f3d7d288a1915842447d6befc6189281b083703
Opcode Fuzzy Hash: 0e98d2de75f328ab20c0c345e4897da5054beac27b35e61818d15a76c26b8afa
Instruction Fuzzy Hash: 55B012E127D942AC320CA1067E12D3E024DC8C1B11730401AF18DD01C2D6409C190431

Function 001ED942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 12f9f239939605230bd9804b80b4df36568c63acee732117f6fc82cdc1ee8a39
Instruction ID: 0119b88312d14dd19cef947397ad4a311e8939ae1f01d2e362e47dd08dfe8ee4
Opcode Fuzzy Hash: 12f9f239939605230bd9804b80b4df36568c63acee732117f6fc82cdc1ee8a39
Instruction Fuzzy Hash: 41B012F127CA42AC320DA1067E12D3E028CC4C1B11730401AF04DD01C2D7405C1A1831

Function 001EDAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 710825dd9546d614b63687cbd80625d58261eda78d3f4d26a3c9e87cb3640a51
Instruction ID: 0b7ce78a8c83ce90ed5e83da9d60c1506567e72b4886ef152cf9eb9ea4a8f059
Opcode Fuzzy Hash: 710825dd9546d614b63687cbd80625d58261eda78d3f4d26a3c9e87cb3640a51
Instruction Fuzzy Hash: 1EB012E527C541AC320CB1077D02E3E024CC0D4B10330852BF009C1185D6404C1E4432

Function 001EDACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8324f4146cc691a836556bb6878370e1269458ed3ea31ee77156b0044920f831
Instruction ID: 50c163f7e583f6571017c45a420178754cca7bf00fced57982a5d85c970bce03
Opcode Fuzzy Hash: 8324f4146cc691a836556bb6878370e1269458ed3ea31ee77156b0044920f831
Instruction Fuzzy Hash: 8EB012F537C541EC320CB1077C02D3E024CC0D0B10330C12BF409C1185D6444D1D4832

Function 001EDB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2f0a2d91f51adc4f06ceb054ee742c51e567871faaa2d572ac800d402a063ab
Instruction ID: c8531394d86a45aa7485c494d7238f1686d9a70e1afc651ef7aaf67ff183fbf2
Opcode Fuzzy Hash: b2f0a2d91f51adc4f06ceb054ee742c51e567871faaa2d572ac800d402a063ab
Instruction Fuzzy Hash: 5AB012E52BC641AC720CB1077D02E3E024CD0D0B10330412BF009C1185D7404C1D4532

Function 001EDBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d4b89a0636be1d2c0e2aeef005f94e2ae734771079e142b5a3ecae7354c918e
Instruction ID: f22f3818964ed29df58be2b282c07d0b7cf36cb29c2ab2e353799b85b2b12789
Opcode Fuzzy Hash: 2d4b89a0636be1d2c0e2aeef005f94e2ae734771079e142b5a3ecae7354c918e
Instruction Fuzzy Hash: 2EB012E537C541AD320C91167D07F3E022CD0E5B10371402AF00AE01C1EB404C1D4031

Function 001EDBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d53d8e5712fe1f73501ed3b1d178fb49dbe280b206b03cf7ff04c831ad936482
Instruction ID: 5f4c67f62074452289033fabd5dd763d101d5edcfd9cb361c28d0c911364a767
Opcode Fuzzy Hash: d53d8e5712fe1f73501ed3b1d178fb49dbe280b206b03cf7ff04c831ad936482
Instruction Fuzzy Hash: 99B012E537C646BD330C51027C07D3F021CC0D1B10371412AF005E00C1EB404C5D4031

Function 001EDBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 243138e2c1993d16f8c72c3d2c1d8fc26cb21f6541361cf2f4d4a7b29c21749b
Instruction ID: aba4c4e12d05542ae209bd0d0a8beee3de3d6b93f70d4ccf17115c0f80068c94
Opcode Fuzzy Hash: 243138e2c1993d16f8c72c3d2c1d8fc26cb21f6541361cf2f4d4a7b29c21749b
Instruction Fuzzy Hash: FAB012E537C582AD320C91067D07E3F021CC0D5B10371801AF109D01C1EB404C1E4031

Function 001EDBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 195f70d6850169b9e01777cc1007f29cf6dca2ced8ec72356a144608e2e85acf
Instruction ID: 552230140cf239e589625a4101d66a8e49b94656a5cc7ffc619a88bc4e92255e
Opcode Fuzzy Hash: 195f70d6850169b9e01777cc1007f29cf6dca2ced8ec72356a144608e2e85acf
Instruction Fuzzy Hash: 53B012E537C542ED320C91067C07E3F026CC0D5B10371801AF409D11C1EB404C1D4031

Function 001EDC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDC36

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e64cb978610dc2cfdd67323115df22715af673fb3724a16c2027b6997b9be969
Instruction ID: 2dff0f682e12ec7d6f163dee6e8231740d2ad1bab62db2898628701a93ec7c0c
Opcode Fuzzy Hash: e64cb978610dc2cfdd67323115df22715af673fb3724a16c2027b6997b9be969
Instruction Fuzzy Hash: 7AB012E527CB41BC320C6116BF02C3E022CC1C0F50371461EB10DE00C397C05C595031

Function 001EDC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDC36

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ae70dcc46d357f2d223765e435d7b01d172c211347ccc869eccdfe4f2ff28ea2
Instruction ID: 65eaac8ffda27f7cc83001c2841577b2c34ca2cee3f82242a0fa04914d618377
Opcode Fuzzy Hash: ae70dcc46d357f2d223765e435d7b01d172c211347ccc869eccdfe4f2ff28ea2
Instruction Fuzzy Hash: 86B012E527CB41AC320CA11ABD02D3E022CC0C0F50370451FB10DD11C3D7809C194031

Function 001EDC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDC36

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f47e49784eb7496e23db626945c9d9f8b4b259c4baccd26a60b3ee3eedc2ad1
Instruction ID: 23fc85d80ae9f437e7d8a783b6e17ae7764a86f98ce4e98a1f135022d0f99744
Opcode Fuzzy Hash: 7f47e49784eb7496e23db626945c9d9f8b4b259c4baccd26a60b3ee3eedc2ad1
Instruction Fuzzy Hash: 81B012E527CA41AC320CA11ABD02D3E022CC0C5F50370851EB50DD11C3D7805C194031

Function 001ED8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4bb4f5888f65ad373173177e9076a799aa69966bff7a4350fb358e8d3a678ebb
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: 4bb4f5888f65ad373173177e9076a799aa69966bff7a4350fb358e8d3a678ebb
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c412d0c59645369ff963752784de9fe4d311675e5abc110bb91fa84529980b4
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: 0c412d0c59645369ff963752784de9fe4d311675e5abc110bb91fa84529980b4
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 150f3ffd81b1e021bd2af7b9b26c7d90638c931d37e4f7da1f41731faab72d97
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: 150f3ffd81b1e021bd2af7b9b26c7d90638c931d37e4f7da1f41731faab72d97
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85fdd1e0c2d0b0179ef44584ac3d698118576f5f162fe710298f49f0be503e1f
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: 85fdd1e0c2d0b0179ef44584ac3d698118576f5f162fe710298f49f0be503e1f
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb5e7a3980e316dde763820bc350dd4ad64bf3ececac0104721311889846aab8
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: cb5e7a3980e316dde763820bc350dd4ad64bf3ececac0104721311889846aab8
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1d832613a5f68be1dcf41c6680934c01af33aa56c9513a9c2ba08de0f443216
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: b1d832613a5f68be1dcf41c6680934c01af33aa56c9513a9c2ba08de0f443216
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f146ca993c14836a45d74d88401d5ca7265e17a0feeaaa10316a5bfbb859eb94
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: f146ca993c14836a45d74d88401d5ca7265e17a0feeaaa10316a5bfbb859eb94
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b03629ffe7bcb29690a196d338f7ed88e1839ce2d110f16042371e1159d3a43
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: 1b03629ffe7bcb29690a196d338f7ed88e1839ce2d110f16042371e1159d3a43
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 86703fc61856811786a1b2952d0f50e2d253a759df8d6758425f5f9b17b4c2a3
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: 86703fc61856811786a1b2952d0f50e2d253a759df8d6758425f5f9b17b4c2a3
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d88b4afbad3d412414b24b48dd5a63a036d046218623e138c567b17a3dbf905
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: 5d88b4afbad3d412414b24b48dd5a63a036d046218623e138c567b17a3dbf905
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001ED983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001ED8A3

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f4fb111947a17a7195bac9adda83b3df4915ebc52de6d3b962b39c995ad8d2d0
Instruction ID: f6fed302859e05ae0ff025f8adf6163d229c6ff6f9cdf17dcf505f8258994004
Opcode Fuzzy Hash: f4fb111947a17a7195bac9adda83b3df4915ebc52de6d3b962b39c995ad8d2d0
Instruction Fuzzy Hash: 6AA0129117C9437C310C61027C12C3E020CC4C1B113304409F00A900C196401C050430

Function 001EDAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 01d81fb41cf6de7bc4f2bf2d2703ad0760c1eaf4cf032d1f0688234420039e02
Instruction ID: 1d55b6d1f3c8d46500540a1ca58e21fbfe284c277859e027fa6554dd6cbc2681
Opcode Fuzzy Hash: 01d81fb41cf6de7bc4f2bf2d2703ad0760c1eaf4cf032d1f0688234420039e02
Instruction Fuzzy Hash: 09A0129527C9413C310CB103BC02C3E020CC0D0B11330411AF0069008556400C050431

Function 001EDACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb12761e3fd9839cd2b8e2b6856f7c33d9f6cbc4408766ba829986375e9adfea
Instruction ID: 6b992a00460de8c6d1f15712e688f6f0d702babe8c412b2487825f3781060b5d
Opcode Fuzzy Hash: fb12761e3fd9839cd2b8e2b6856f7c33d9f6cbc4408766ba829986375e9adfea
Instruction Fuzzy Hash: 6CA011AA2BCA82BC320CB203BC02C3E020CC0C0B203308A2AF00A8008AAA800C0A0832

Function 001EDAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f0a95b7f1b123138de8624b72d1585087550c30137b3e53f84fb9e67fcdf0ffd
Instruction ID: 6b992a00460de8c6d1f15712e688f6f0d702babe8c412b2487825f3781060b5d
Opcode Fuzzy Hash: f0a95b7f1b123138de8624b72d1585087550c30137b3e53f84fb9e67fcdf0ffd
Instruction Fuzzy Hash: 6CA011AA2BCA82BC320CB203BC02C3E020CC0C0B203308A2AF00A8008AAA800C0A0832

Function 001EDAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e98e4e6f1d1a7640fa6e8267e7c9e8f9d58170e0069957879128c259c9864ce8
Instruction ID: 6b992a00460de8c6d1f15712e688f6f0d702babe8c412b2487825f3781060b5d
Opcode Fuzzy Hash: e98e4e6f1d1a7640fa6e8267e7c9e8f9d58170e0069957879128c259c9864ce8
Instruction Fuzzy Hash: 6CA011AA2BCA82BC320CB203BC02C3E020CC0C0B203308A2AF00A8008AAA800C0A0832

Function 001EDAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1689062e84fd373b608a3039a0a1ffe8264fef8a7f2c63f796222e617ac7b8ad
Instruction ID: 6b992a00460de8c6d1f15712e688f6f0d702babe8c412b2487825f3781060b5d
Opcode Fuzzy Hash: 1689062e84fd373b608a3039a0a1ffe8264fef8a7f2c63f796222e617ac7b8ad
Instruction Fuzzy Hash: 6CA011AA2BCA82BC320CB203BC02C3E020CC0C0B203308A2AF00A8008AAA800C0A0832

Function 001EDAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDAB2

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: da4aca856d7db8d72ac8d789eeb25ac1d7d6190c4df67b27b1876416801f3dca
Instruction ID: 6b992a00460de8c6d1f15712e688f6f0d702babe8c412b2487825f3781060b5d
Opcode Fuzzy Hash: da4aca856d7db8d72ac8d789eeb25ac1d7d6190c4df67b27b1876416801f3dca
Instruction Fuzzy Hash: 6CA011AA2BCA82BC320CB203BC02C3E020CC0C0B203308A2AF00A8008AAA800C0A0832

Function 001EDBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 10ef172acac0b06aecc9ed696bdd53440f3f92d68144b8af5b25a41afc59eb3b
Instruction ID: 732598d837e3528b9c45e0709fc5b729587547f455efd783643603fc333263f2
Opcode Fuzzy Hash: 10ef172acac0b06aecc9ed696bdd53440f3f92d68144b8af5b25a41afc59eb3b
Instruction Fuzzy Hash: F0A0129527C5427C310C51027C07D3E021CC0C5B103714409F006900C16B400C050030

Function 001EDC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 27fcec2489f3726cdf03d47fbe0cfd856182a762a928b0e2f556782277c13512
Instruction ID: 732598d837e3528b9c45e0709fc5b729587547f455efd783643603fc333263f2
Opcode Fuzzy Hash: 27fcec2489f3726cdf03d47fbe0cfd856182a762a928b0e2f556782277c13512
Instruction Fuzzy Hash: F0A0129527C5427C310C51027C07D3E021CC0C5B103714409F006900C16B400C050030

Function 001EDC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8500adc0e399c69142e68badcf190874c6ccc7f5cc3003ff84ce747ad9572eac
Instruction ID: 732598d837e3528b9c45e0709fc5b729587547f455efd783643603fc333263f2
Opcode Fuzzy Hash: 8500adc0e399c69142e68badcf190874c6ccc7f5cc3003ff84ce747ad9572eac
Instruction Fuzzy Hash: F0A0129527C5427C310C51027C07D3E021CC0C5B103714409F006900C16B400C050030

Function 001EDC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDBD5

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 93d9e2a1c7acbbcf3355406500eb146a89e009cd25735b7615a4c4c2dd6a884f
Instruction ID: 732598d837e3528b9c45e0709fc5b729587547f455efd783643603fc333263f2
Opcode Fuzzy Hash: 93d9e2a1c7acbbcf3355406500eb146a89e009cd25735b7615a4c4c2dd6a884f
Instruction Fuzzy Hash: F0A0129527C5427C310C51027C07D3E021CC0C5B103714409F006900C16B400C050030

Function 001EDC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDC36

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9fae8bf35d07a9046448717f2445ca71c4c667632c7080114312d57a119f040
Instruction ID: ac2682be5eb3fe74dc147f184e18e3a024b79a4eba6fea9f02e592f56a0548e2
Opcode Fuzzy Hash: e9fae8bf35d07a9046448717f2445ca71c4c667632c7080114312d57a119f040
Instruction Fuzzy Hash: 80A0129517CA427C310C61127C02C3E021CC0C0F90370480DB00A900C257801C054030

Function 001EDC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 001EDC36

Part of subcall function 001EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001EDFD6
Part of subcall function 001EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001EDFE7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1e33b7a52d44412c867b00c481b876cf90fbc034d05d2cec779bb4b57481ce9
Instruction ID: ac2682be5eb3fe74dc147f184e18e3a024b79a4eba6fea9f02e592f56a0548e2
Opcode Fuzzy Hash: a1e33b7a52d44412c867b00c481b876cf90fbc034d05d2cec779bb4b57481ce9
Instruction Fuzzy Hash: 80A0129517CA427C310C61127C02C3E021CC0C0F90370480DB00A900C257801C054030

Function 001EA322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,001EA587,C:\Users\user\Desktop,00000000,0021946A,00000006), ref: 001EA326

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 4c8da97724495a8979b042b3c2c2737a6e9ab5daee9955abd59721d6bb5c8e11
Instruction ID: b6229ee00fac0dbac528519583827484ab2d151d9124ff4ba62a9af2a935ff75
Opcode Fuzzy Hash: 4c8da97724495a8979b042b3c2c2737a6e9ab5daee9955abd59721d6bb5c8e11
Instruction Fuzzy Hash: 24A0123019410656CE004B30DC0DC15B6545760702F0086207006C00A0CB308814A500

Function 001D96D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,001D968F,?,?,?,?,00201FA1,000000FF), ref: 001D96EB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 683615d73347cdc15a7c3796a8c142495ea31de1ea49d5bc08de81410912c48c
Instruction ID: 83458758a77ef32147c95ee8d3087185790e5f500c3dda9ce5dcf5d8c86c8dd7
Opcode Fuzzy Hash: 683615d73347cdc15a7c3796a8c142495ea31de1ea49d5bc08de81410912c48c
Instruction Fuzzy Hash: 7BF08271556B048FDB308E24D589792B7E89B12735F049B1FD0F753AE0D761A88D8F00

Non-executed Functions

Function 001EB8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001D130B: GetDlgItem.USER32(00000000,00003021), ref: 001D134F
Part of subcall function 001D130B: SetWindowTextW.USER32(00000000,002035B4), ref: 001D1365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 001EB971
EndDialog.USER32(?,00000006), ref: 001EB984
GetDlgItem.USER32(?,0000006C), ref: 001EB9A0
SetFocus.USER32(00000000), ref: 001EB9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 001EB9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 001EBA18
FindFirstFileW.KERNEL32(?,?), ref: 001EBA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001EBA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 001EBA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001EBA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001EBA94
_swprintf.LIBCMT ref: 001EBAC4

Part of subcall function 001D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 001EBAD7
FindClose.KERNEL32(00000000), ref: 001EBADE
_swprintf.LIBCMT ref: 001EBB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 001EBB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 001EBB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 001EBB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 001EBB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001EBBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001EBBC9
_swprintf.LIBCMT ref: 001EBBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 001EBC08
_swprintf.LIBCMT ref: 001EBC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 001EBC6F

Part of subcall function 001EA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001EA662
Part of subcall function 001EA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0020E600,?,?), ref: 001EA6B1

Strings

%s %s, xrefs: 001EBB29, 001EBC4E
%s %s %s, xrefs: 001EBAB2, 001EBBE7
REPLACEFILEDLG, xrefs: 001EB907

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 9b36f98d991233b7ed18fd95e2b0d010202771a301734043c82c09f453b7e872
Instruction ID: 5f8edc579a19fa511d7848d65bebabee15861bf7f1f756762c89fa3d3322e2e8
Opcode Fuzzy Hash: 9b36f98d991233b7ed18fd95e2b0d010202771a301734043c82c09f453b7e872
Instruction Fuzzy Hash: 7B9184B2248388BBD721DBA1DD8DFFFB7ACEB49704F044819B749D2192D77196088762

Function 001D718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D7191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 001D72F1
CloseHandle.KERNEL32(00000000), ref: 001D7301

Part of subcall function 001D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 001D7C04
Part of subcall function 001D7BF5: GetLastError.KERNEL32 ref: 001D7C4A
Part of subcall function 001D7BF5: CloseHandle.KERNEL32(?), ref: 001D7C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 001D730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 001D741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 001D7446
CloseHandle.KERNEL32(?), ref: 001D7457
GetLastError.KERNEL32 ref: 001D7467
RemoveDirectoryW.KERNEL32(?), ref: 001D74B3
DeleteFileW.KERNEL32(?), ref: 001D74DB

Strings

SeRestorePrivilege, xrefs: 001D71B2
UNC\, xrefs: 001D723C
\??\, xrefs: 001D7217
SeCreateSymbolicLinkPrivilege, xrefs: 001D71BC

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: d4b23b4728d15c0d9b43a036db42ac345d92d26d51456418375d9abc156c9e59
Instruction ID: 6cb1ec8d9fa601a9d339d3d2d154e7ec839da648e2ef2ca95a0116efdb811575
Opcode Fuzzy Hash: d4b23b4728d15c0d9b43a036db42ac345d92d26d51456418375d9abc156c9e59
Instruction Fuzzy Hash: 1EB10471904219ABDF21DF64DC45BFEB7B8BF14300F04456AF949E7282E734AA49CB61

Function 001D3281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D328A
_memcmp.LIBVCRUNTIME ref: 001D3377

Strings

hc%u, xrefs: 001D367B
h%u, xrefs: 001D362D
CMT, xrefs: 001D3990

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 51cb4efa50896b99d461c7d463f30ffaa5479ff9652ae22fab0f33f111d18313
Instruction ID: c3f274c892499aa14ab957a6e95f1c6f7b402b316e1aa6ba8414f801893c289b
Opcode Fuzzy Hash: 51cb4efa50896b99d461c7d463f30ffaa5479ff9652ae22fab0f33f111d18313
Instruction Fuzzy Hash: 0F32B171610285AFDF14DF64C895AEA37A5AF24300F04457FFD9ACB382DB74AA48CB61

Function 001FD00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001FD154

Strings

1#QNAN, xrefs: 001FE35A
1#IND, xrefs: 001FE34C
1#SNAN, xrefs: 001FE353
1#INF, xrefs: 001FE361

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 71edeb5c57d40568cfeeb7fa5966ca8a7611e36a85feb8c3920dd29a6e144c3c
Instruction ID: 37188bbe738ad4cb6f96314bfe8e7c73afc65d4188257593ff1e6625803e9c20
Opcode Fuzzy Hash: 71edeb5c57d40568cfeeb7fa5966ca8a7611e36a85feb8c3920dd29a6e144c3c
Instruction Fuzzy Hash: 07C23A71E0862C8FDB29CE28AD447F9B7B6EB85314F1541EAD90DE7240E775AE818F40

Function 001D27E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D27F1
_strlen.LIBCMT ref: 001D2D7F

Part of subcall function 001E137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001DB652,00000000,?,?,?,0001043C), ref: 001E1396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D2EE0

Strings

CMT, xrefs: 001D2F13

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 219c2818093c795106f7144f259d761760eed1ad5185b229fdcefff103d3ad1d
Instruction ID: 71e6e41a3e873f016682160fa127c6d96807d88e84e057c520e62adb01a490d4
Opcode Fuzzy Hash: 219c2818093c795106f7144f259d761760eed1ad5185b229fdcefff103d3ad1d
Instruction Fuzzy Hash: D562F3716006448FDF19DF78C8956EA3BE1AF65304F09457FECAA8B382DB70A945CB60

Function 001F866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 001F8767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 001F8771
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 001F877E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72818938c000e3871ffd92131705247933c52475060739e520be6dd0b60d700
Instruction ID: 2331b4eeccf773e331caf6f7d4296d17944ecb84440e08b65a9b6c261e607fe4
Opcode Fuzzy Hash: a72818938c000e3871ffd92131705247933c52475060739e520be6dd0b60d700
Instruction Fuzzy Hash: 8631B57590122C9BCB21DF65D889B9DB7B8BF58310F5041EAF90CA7251EB309B858F45

Function 001FCB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: baa96ebe5c46086758f5915072d12aff00ea75564ed499651ea4a65c7e58c81e
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: 9D022C71E0021D9BDF14CFA9C9906AEFBF2EF88314F25416AE919E7385D731A941DB80

Function 001EA63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001EA662
GetNumberFormatW.KERNEL32(00000400,00000000,?,0020E600,?,?), ref: 001EA6B1

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 54e94b2ae835b40f57c6e6a0e04233ba4a1268e63749fd6cf5f54ab54f609329
Instruction ID: 70513e54e3be737531ee6a92a0427a48fc1ee84ce7b2a4adb46a4cd3628746ca
Opcode Fuzzy Hash: 54e94b2ae835b40f57c6e6a0e04233ba4a1268e63749fd6cf5f54ab54f609329
Instruction Fuzzy Hash: D2015E76510308BADB10CFA4FC49F9BB7BCEF19710F015822BA0897251D3719A6587E5

Function 001D6EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(001E117C,?,00000200), ref: 001D6EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 001D6EEA

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 01b224e740d04b4b6148fe25652dea9cb6638fb08b7cee6fd9de0ce8f52db589
Instruction ID: 2254f7adf2a260baa1962e733f09f98a433962f9d138219d42497239931c7614
Opcode Fuzzy Hash: 01b224e740d04b4b6148fe25652dea9cb6638fb08b7cee6fd9de0ce8f52db589
Instruction Fuzzy Hash: BBD0C9363C8302BFEA118A75DC0AF2B7BA9A755B82F20C515B356E90E1CA7090149629

Function 00201194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0020118F,?,?,00000008,?,?,00200E2F,00000000), ref: 002013C1

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: dc33a4f4bcf1001e5a41c8e2b30232d5ec177b2e8f4017bc2385018bc5127f1f
Instruction ID: d9083664b88171507d477a035f9e47cacb36764b1167c7a92e9cfb9bd9fac44d
Opcode Fuzzy Hash: dc33a4f4bcf1001e5a41c8e2b30232d5ec177b2e8f4017bc2385018bc5127f1f
Instruction Fuzzy Hash: 8FB14C316207099FD719CF28C48AB657BE0FF45364F258698E999CF2E2C375E9A1CB40

Function 001D407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 001D40C1

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: c005a7398494b657a22f16eb0a75e071e460126ff9f864e62de7883356f4712e
Instruction ID: 6bf3220ce14ba8ff0b034d89a88f3f378c330d140da5134bc466170e00ee81fd
Opcode Fuzzy Hash: c005a7398494b657a22f16eb0a75e071e460126ff9f864e62de7883356f4712e
Instruction Fuzzy Hash: FDF1C2B1A083418FC748CF29D880A1AFBE5BFC8208F19892EF598D7711E635E9558F56

Function 001DACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 001DAD1A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 0737635af67cf7cee67c509a5222f6daf2b88a5568e5acb1449547ad292e4fb2
Instruction ID: dabfe86f4926477d01668cf08b54491b1bcec6a59bb6b5fdf3fac2f9e58368b4
Opcode Fuzzy Hash: 0737635af67cf7cee67c509a5222f6daf2b88a5568e5acb1449547ad292e4fb2
Instruction Fuzzy Hash: 66F090B090030C8FCB28CF98FC8A6E973B6FB59301F20429AE91453754DBB0AD81CE91

Function 001EF063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,001EEAC5), ref: 001EF068

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 80a02a4a9bc10f9c96c2a1660eb583620f2bd18b447e81c56ef8d99e371ab862
Instruction ID: 0eca4f7ad071f0ba4e6e196920e2624daba69971a6aea22224d1746c5abd23c3
Opcode Fuzzy Hash: 80a02a4a9bc10f9c96c2a1660eb583620f2bd18b447e81c56ef8d99e371ab862
Instruction Fuzzy Hash:

Function 001FB710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 001FB710

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 95619f84a1689403fa53222ab3b067c31815326dfc6533c2d10e900382e683d9
Instruction ID: 14ef85d6eb57f007e3bac7f3723840d6b1307e6af12b0400f02b15326d713bbf
Opcode Fuzzy Hash: 95619f84a1689403fa53222ab3b067c31815326dfc6533c2d10e900382e683d9
Instruction Fuzzy Hash: 40A001B46012018BD740CFB6BA0E2097AADAA49A91709826AA509C6161EA2485609F11

Function 001E5C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 2e8f6510726168db71aa30903e080028b8d32d011972c9b95c176e52b41d3871
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 9862F671604FC59FCB29CF39C8906BDBBE1AFA5304F58856DD9AA8B342D730A945CB10

Function 001E70BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 1210b5322109bb3c9ce49dd21541e2ab294783f4ae78104ef75e787e1cbf1dd2
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 7C621370608BC69FD719CF29C8905BDBBE1BF55308F14866EE99687782D330E956CB80

Function 001DED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: f19ed25e1f929901b35965be39822db7ffc777c5e0418ff11594b8f531e7376a
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: EC522AB26047058FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA19CB86

Function 001E6A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7300e4aedd6fc89609f0de980febbaf73199fd8d2180cf696108ef8c85203645
Instruction ID: a52dc22e8d15fbe6b84c35d7685776233c8c509553c34892ecbf2628c0cf2b94
Opcode Fuzzy Hash: 7300e4aedd6fc89609f0de980febbaf73199fd8d2180cf696108ef8c85203645
Instruction Fuzzy Hash: EC12D1B1704B868BC72CCF29C9906B9B3E0FF64308F54892EE597C7A81D774A895CB45

Function 001DBE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8081c7d78bcf446ec9db9358cf185bc1d96dc754593e2325c4abd1b7468aa2
Instruction ID: c8371b622cc23b13986c7bd4b7652fda1f77c1f813375c81baaff11872b6a3a0
Opcode Fuzzy Hash: cb8081c7d78bcf446ec9db9358cf185bc1d96dc754593e2325c4abd1b7468aa2
Instruction Fuzzy Hash: 18F196766083029FC718CE29C48496ABBE6FFC9314F158E2EF59697351D730E906CB92

Function 001F0B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 7bdfca17859721677f9a0e78530a484b0aaf0371c0fd994478a52163148eb271
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 5FC1923A2150974ADF2F8639853403FBBA15AA67B131A07ADD5F7CB1C6FF20D524DA20

Function 001F0F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 37db29059668945262f23ea2110cc11b3139940fc9dbf2463476ea34461da121
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: BBC1A63A2191974ADF2E8639C53403FBBA15AA27B131A07ADD5F7CB1C5FF20D524D620

Function 001F070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 98ca0efc2e7354fff7301961cf94f9b3fff6e8df573fa3f360bf70a4d5ae0aa4
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 6BC1823A2051970ADF2E8639857403FBBA15EA67B131A07ADD5F7CB1C6FF20D524DA20

Function 001E6646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 331a30e44a276f4a68d3e727a7724a5b43f40d2d8c2b9601b00a74adc6719917
Instruction ID: 407594f374259da5c0861b3e3c7a9d4e8c995741a7a5ef57a4ccf789f92a8c89
Opcode Fuzzy Hash: 331a30e44a276f4a68d3e727a7724a5b43f40d2d8c2b9601b00a74adc6719917
Instruction Fuzzy Hash: 9AD127B1A047858FDB14CF2AC880B5FBBE0BFA5348F44456DE8859B242D734ED58CB96

Function 001F02F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: a8fe144988297f8e89516045ddc3ca33c4eb75dc500cdcf9ae07323783cf3e36
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B1C1943A2051970ADF2F8639853403FBBA15AA57B131A07ADD5F7CB1D6FF20D524DA20

Function 001DE2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb7814fc7e923e91497a244e6d4c77b74ba5ffa4b09991b90533a43c8c83c2a
Instruction ID: bd69b7381c92d4dfdd3d3b397594912590609b801eea5e445030660791e49140
Opcode Fuzzy Hash: dfb7814fc7e923e91497a244e6d4c77b74ba5ffa4b09991b90533a43c8c83c2a
Instruction Fuzzy Hash: E9E138745083948FC304CF69E4948AEBBF1AB9A300F85499EF5D587352C735E909DB62

Function 001E3A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: 6474ab223a29fd0501f4f5c925332f89cd69af894879777038a7ea307b9e0d07
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: FD916971204B898BD728EF69C898BBE73D5AF90300F60092EF5A787282DB75D745C352

Function 001F4969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4360ca2e14ac09248713bd191d79effd9dc76a4507008d0caad0e5213b6c1c95
Instruction ID: 1ff032ddab472cb63ae7bd051ba856de02786fe37e83e913770c2d4a2e451ec9
Opcode Fuzzy Hash: 4360ca2e14ac09248713bd191d79effd9dc76a4507008d0caad0e5213b6c1c95
Instruction Fuzzy Hash: 53616871780B0D57DF388A289895BBF2395EB55304F140A1EE783DB282D791DD42C75D

Function 001E3D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 325befd527c745afff8db681a419c5c061588d69ee6c38ddf1dd333ff1a94c0e
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 1E716D71704BC54BDB24DE6AC8D8BBD77E4AFA0304F00092DF5A78B382DB748A858752

Function 001F473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 38e07677170150ea38fee9f452a7878a2c60000531cbcc32ea7cd078eb19f36d
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 15515CB0600A8C57EB38E9A88855BBF77D99B53384F280719EB83D7282D715DD42C392

Function 001DDE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03cc89a8b863c62c99bef837b1633e4296ae2e080d2fb8b7509d3b8e3cffc16
Instruction ID: e6356d1913e970c2c1b40317580017b795ae0085b339735d2b8791e59aad8ab8
Opcode Fuzzy Hash: c03cc89a8b863c62c99bef837b1633e4296ae2e080d2fb8b7509d3b8e3cffc16
Instruction Fuzzy Hash: 8681718121D6E8AEC7065F7D38E82F93FA25773341B1980EAD4C986263C976465CD722

Function 001DE8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7744a181c4c2259911c1ba59fd468d154fc8ea92dc61fcdf961bfc00edde62e
Instruction ID: 89c5ae75942f760172b49004865ec9ae4b2099f24cbcabe5d3905dc544c099d2
Opcode Fuzzy Hash: d7744a181c4c2259911c1ba59fd468d154fc8ea92dc61fcdf961bfc00edde62e
Instruction Fuzzy Hash: A851E1305093D24FC712EF24919046EBFE0BEEA319F59499FE4D94B312D320D64ACB92

Function 001DF968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f621259fcfaf74df7f848b7bc33a482ca9471749c82fa40e4b1a9a2500fd2a2a
Instruction ID: f9319cb562df238720af280ca725092e2275c9bd8e95ad228eff004468a30e62
Opcode Fuzzy Hash: f621259fcfaf74df7f848b7bc33a482ca9471749c82fa40e4b1a9a2500fd2a2a
Instruction Fuzzy Hash: 87514671A083128BC748CF19D49055AF7E1FF88354F058A2EE889A7740DB34EA59CB96

Function 001E37C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 51899c0a3960b7780ed6efaa8e4c88bbd4dd5469e3b5a62673db27fec222bfc3
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 8931E5B1A04B468FCB14DF29C85166EBBE0FB95300F50492EE595C7342C735EA49CB91

Function 001D5F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9605d2b0be62a5cfbb324b4ceb45b9348cef60c798755b2dd4a0d7af46c2710
Instruction ID: b11342d6a007b113ceef008b1cd01684cb518f4a3a72911619aadbe5afcd1293
Opcode Fuzzy Hash: b9605d2b0be62a5cfbb324b4ceb45b9348cef60c798755b2dd4a0d7af46c2710
Instruction Fuzzy Hash: BF21DA32A202654BCB58CF2DECD447777A2A786311746812BFE46CB3D1C635E965C7A0

Function 001DDA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001DDABE

Part of subcall function 001D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D401D

Part of subcall function 001E1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00210EE8,00000200,001DD202,00000000,?,00000050,00210EE8), ref: 001E15B3

_strlen.LIBCMT ref: 001DDADF
SetDlgItemTextW.USER32(?,0020E154,?), ref: 001DDB3F
GetWindowRect.USER32(?,?), ref: 001DDB79
GetClientRect.USER32(?,?), ref: 001DDB85
GetWindowLongW.USER32(?,000000F0), ref: 001DDC25
GetWindowRect.USER32(?,?), ref: 001DDC52
SetWindowTextW.USER32(?,?), ref: 001DDC95
GetSystemMetrics.USER32(00000008), ref: 001DDC9D
GetWindow.USER32(?,00000005), ref: 001DDCA8
GetWindowRect.USER32(00000000,?), ref: 001DDCD5
GetWindow.USER32(00000000,00000002), ref: 001DDD47

Strings

T , xrefs: 001DDAFA
$%s:, xrefs: 001DDAB2
d, xrefs: 001DDBA5
CAPTION, xrefs: 001DDC77

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$T $d
API String ID: 2407758923-4271251702
Opcode ID: 4358816679430dcde0bf3c5d5b98d7956121fafe639501a923182257559adbfe
Instruction ID: 0208073291d2fff3007a9ad050a6f119fabdfba7f8d5cc87fa65f3753073201c
Opcode Fuzzy Hash: 4358816679430dcde0bf3c5d5b98d7956121fafe639501a923182257559adbfe
Instruction Fuzzy Hash: 9A818371204345AFD710DFA8DD89F6BBBE9EB89704F05091EFA8893291D770E909CB52

Function 001FC233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001FC277

Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBE2F
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBE41
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBE53
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBE65
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBE77
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBE89
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBE9B
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBEAD
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBEBF
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBED1
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBEE3
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBEF5
Part of subcall function 001FBE12: _free.LIBCMT ref: 001FBF07

_free.LIBCMT ref: 001FC26C

Part of subcall function 001F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?), ref: 001F84F4
Part of subcall function 001F84DE: GetLastError.KERNEL32(?,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?,?), ref: 001F8506

_free.LIBCMT ref: 001FC28E
_free.LIBCMT ref: 001FC2A3
_free.LIBCMT ref: 001FC2AE
_free.LIBCMT ref: 001FC2D0
_free.LIBCMT ref: 001FC2E3
_free.LIBCMT ref: 001FC2F1
_free.LIBCMT ref: 001FC2FC
_free.LIBCMT ref: 001FC334
_free.LIBCMT ref: 001FC33B
_free.LIBCMT ref: 001FC358
_free.LIBCMT ref: 001FC370

Strings

P , xrefs: 001FC249

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: P
API String ID: 161543041-3559530664
Opcode ID: d63a5ad2f6271c17fc41d24fdc91877de902d79c0e85f96e216c650fa179e6f7
Instruction ID: b7573730485cb51448fe5521c1eca158d32b7fedd7ec936068045ff02c56c884
Opcode Fuzzy Hash: d63a5ad2f6271c17fc41d24fdc91877de902d79c0e85f96e216c650fa179e6f7
Instruction Fuzzy Hash: FD317E3260020E9FEB20AE78DA45B7AB3E9FF10350F148829E649D7551DF31AC80EB90

Function 001ECD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 001ECD51
GetClassNameW.USER32(00000000,?,00000800), ref: 001ECD7D

Part of subcall function 001E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,001DBB05,00000000,.exe,?,?,00000800,?,?,001E85DF,?), ref: 001E17C2

GetWindowLongW.USER32(00000000,000000F0), ref: 001ECD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 001ECDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 001ECDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 001ECDED
DeleteObject.GDI32(00000000), ref: 001ECDF4
GetWindow.USER32(00000000,00000002), ref: 001ECDFD

Strings

STATIC, xrefs: 001ECD83

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: de3e307cb49297d65a97a0830a24fc2be6ae734ab1850fdbb0b02c6ce2c1993e
Instruction ID: d06c183646216e91367e09c5c4ce714f4e1bafa1bf54910874a8ed7b2c9e70b2
Opcode Fuzzy Hash: de3e307cb49297d65a97a0830a24fc2be6ae734ab1850fdbb0b02c6ce2c1993e
Instruction Fuzzy Hash: 4E110A72540BA1FBE721ABA1AC0DFDF3A9CFF65741F004420FB46A10D2CB648D1A86E4

Function 001F8EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001F8EC5

Part of subcall function 001F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?), ref: 001F84F4
Part of subcall function 001F84DE: GetLastError.KERNEL32(?,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?,?), ref: 001F8506

_free.LIBCMT ref: 001F8ED1
_free.LIBCMT ref: 001F8EDC
_free.LIBCMT ref: 001F8EE7
_free.LIBCMT ref: 001F8EF2
_free.LIBCMT ref: 001F8EFD
_free.LIBCMT ref: 001F8F08
_free.LIBCMT ref: 001F8F13
_free.LIBCMT ref: 001F8F1E
_free.LIBCMT ref: 001F8F2C

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8124b17e308af2eb3d29e89e889ba4c617c4a46860019de7d008dae80d4103f8
Instruction ID: c0a43397e9626d54204d0936974024306ca867b52c76a725585acea05e187222
Opcode Fuzzy Hash: 8124b17e308af2eb3d29e89e889ba4c617c4a46860019de7d008dae80d4103f8
Instruction Fuzzy Hash: E111A27651010DAFCB11EF94C852DEA3BA5FF14350B5180A5BA088B666DB31EA51DB80

Function 001D2162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

;%u, xrefs: 001D2497
xc%u, xrefs: 001D26D7
x%u, xrefs: 001D267A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 5455aa6479b0a9f8e8f281ab25fd9c8fd5ef739a943fb1079724e360ee54b4f8
Instruction ID: 33fe39bd33c608f2ab45cd7cd69bf5d984cef7cfcc9a14e8c283cdc7f3413a03
Opcode Fuzzy Hash: 5455aa6479b0a9f8e8f281ab25fd9c8fd5ef739a943fb1079724e360ee54b4f8
Instruction Fuzzy Hash: 2DF1F5716043415BDB25DF288895BFE779A6FB4300F08496BF8958B383DB74D944C7A2

Function 001EACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001D130B: GetDlgItem.USER32(00000000,00003021), ref: 001D134F
Part of subcall function 001D130B: SetWindowTextW.USER32(00000000,002035B4), ref: 001D1365

EndDialog.USER32(?,00000001), ref: 001EAD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 001EAD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 001EAD60
SetWindowTextW.USER32(?,?), ref: 001EAD71
GetDlgItem.USER32(?,00000065), ref: 001EAD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 001EAD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 001EADA4

Strings

LICENSEDLG, xrefs: 001EACE4

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: f9ae4df6b1a36a8db272b60a5f681c0bfdfb5c651559f809500948440826f1cc
Instruction ID: c1be3ad056160b1f4a3557d6e325587168abc0f4cd00f427994880f705d953c1
Opcode Fuzzy Hash: f9ae4df6b1a36a8db272b60a5f681c0bfdfb5c651559f809500948440826f1cc
Instruction Fuzzy Hash: 9121F632240644BBD2255FB2FD4DF7F3B6CFF6AB56F414004F604A24A0CB626905E632

Function 001D9443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D9448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 001D946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 001D948A

Part of subcall function 001E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,001DBB05,00000000,.exe,?,?,00000800,?,?,001E85DF,?), ref: 001E17C2

_swprintf.LIBCMT ref: 001D9526

Part of subcall function 001D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D401D

MoveFileW.KERNEL32(?,?), ref: 001D9595
MoveFileW.KERNEL32(?,?), ref: 001D95D5

Strings

rtmp%d, xrefs: 001D950F

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 55174b05545a3508300ebcdfd2ec995ab3c8be20625ae9647e764a3542dafdf6
Instruction ID: 3d423899569e5411505c04694b014a8e3ae92c7a97f128678326fae11d141709
Opcode Fuzzy Hash: 55174b05545a3508300ebcdfd2ec995ab3c8be20625ae9647e764a3542dafdf6
Instruction Fuzzy Hash: 3A411371901259B6CF20EB60DC85ADE737CAF65780F0444E7B549E3242EB74DB89CB64

Function 001E8E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 001E8F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 001E8F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 001E8F80

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 001E8EB2
utf-8"></head>, xrefs: 001E8EBD
</html>, xrefs: 001E8F0A
<html>, xrefs: 001E8EA7, 001E8EE0

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: f03ae100af254b623f6840a1df6d8aca1c5cba3d60c454ae2ec2e827d02c35f7
Instruction ID: 4bce6738f9b719ba519fb1a5eb1c5715b4793243ecc45f52ac3f680b01c9d288
Opcode Fuzzy Hash: f03ae100af254b623f6840a1df6d8aca1c5cba3d60c454ae2ec2e827d02c35f7
Instruction Fuzzy Hash: 49319B715087457BD724BB35AC06FBFB7ACEFA2720F040109FA05A61D2EF609A0983A1

Function 001F8FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00210EE8,001F3E14,00210EE8,?,?,001F3713,00000050,?,00210EE8,00000200), ref: 001F8FA9
_free.LIBCMT ref: 001F8FDC
_free.LIBCMT ref: 001F9004
SetLastError.KERNEL32(00000000,?,00210EE8,00000200), ref: 001F9011
SetLastError.KERNEL32(00000000,?,00210EE8,00000200), ref: 001F901D
_abort.LIBCMT ref: 001F9023

Strings

X , xrefs: 001F8FF7

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: X
API String ID: 3160817290-3831130985
Opcode ID: 0d994af9c2f7229baf2523a5db8fa1bb9b7fa18eeeeca753991e437adb0bc2df
Instruction ID: 2101590d89c86a0d80dbd65c8b797f40f1233c60762c64b4130a5869d207de2f
Opcode Fuzzy Hash: 0d994af9c2f7229baf2523a5db8fa1bb9b7fa18eeeeca753991e437adb0bc2df
Instruction Fuzzy Hash: A6F0FF76505B096BC62273287C0EB3B2A2E9FE1770F260118F718E22A3EF3089425424

Function 001E0A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 001E0A9D

Part of subcall function 001DACF5: GetVersionExW.KERNEL32(?), ref: 001DAD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 001E0AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 001E0AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 001E0AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 001E0AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 001E0B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 001E0B3D
__aullrem.LIBCMT ref: 001E0BCB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 3b897f2c4ea7d772328124bc5afcdb4cdaa081d19ce423df7be17141a96c4ac9
Instruction ID: 2ebf2aa4d8120842a58b7bf527dadfb28c521e27aeef4368c7723a77046faf38
Opcode Fuzzy Hash: 3b897f2c4ea7d772328124bc5afcdb4cdaa081d19ce423df7be17141a96c4ac9
Instruction Fuzzy Hash: 024148B54083069FC310DF65C88496FFBF8FB88714F004A2EF59692650E778E588CB52

Function 001FEE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,001FF5A2,?,00000000,?,00000000,00000000), ref: 001FEE6F
__fassign.LIBCMT ref: 001FEEEA
__fassign.LIBCMT ref: 001FEF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 001FEF2B
WriteFile.KERNEL32(?,?,00000000,001FF5A2,00000000,?,?,?,?,?,?,?,?,?,001FF5A2,?), ref: 001FEF4A
WriteFile.KERNEL32(?,?,00000001,001FF5A2,00000000,?,?,?,?,?,?,?,?,?,001FF5A2,?), ref: 001FEF83

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6209315467148df279281bee694939f0464e397cb38bb28d8da98609c31730bc
Instruction ID: b41fdd1e44069cc26b349d98e949f5fa7d4452baef8bc565b17d4fbfb5bbb32f
Opcode Fuzzy Hash: 6209315467148df279281bee694939f0464e397cb38bb28d8da98609c31730bc
Instruction Fuzzy Hash: 1F51D671A0064D9FCB14CFA8DC45AFEBBF9EF08310F14411AEA55E72A1D7309A50CB60

Function 001EC534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 001EC54A
_swprintf.LIBCMT ref: 001EC57E

Part of subcall function 001D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D401D

SetDlgItemTextW.USER32(?,00000066,0021946A), ref: 001EC59E
_wcschr.LIBVCRUNTIME ref: 001EC5D1
EndDialog.USER32(?,00000001), ref: 001EC6B2

Strings

%s%s%u, xrefs: 001EC573

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 824ce4fb559c72617ff0e7b0356342783864ca8166446d08a14522d90d629737
Instruction ID: c3a4f32f29fc94166b2180ac5d6901cf35802de880d6a8d5c1e79d37116b2494
Opcode Fuzzy Hash: 824ce4fb559c72617ff0e7b0356342783864ca8166446d08a14522d90d629737
Instruction Fuzzy Hash: 6D41D671D00A58AADF25DBA1DC49EEE77BCEF58301F0040A6E509D71A1EB719BC5CB90

Function 001E9635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 001E964E
GetWindowRect.USER32(?,00000000), ref: 001E9693
ShowWindow.USER32(?,00000005,00000000), ref: 001E972A
SetWindowTextW.USER32(?,00000000), ref: 001E9732
ShowWindow.USER32(00000000,00000005), ref: 001E9748

Strings

RarHtmlClassName, xrefs: 001E96F4

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: efd42de3e4afe2270f43e0317e136290c7dc9dfc0a14200b802dbd38b57571e9
Instruction ID: aade500f6ed29c4b34834112edc3c52d99cf946ebe2fb6b74c4327a27111494c
Opcode Fuzzy Hash: efd42de3e4afe2270f43e0317e136290c7dc9dfc0a14200b802dbd38b57571e9
Instruction Fuzzy Hash: 4F31AA31404254EFCB119F66AD4CB6FBBA8FB48301F008559FE89AA162DB34D809CF61

Function 001FBFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001FBF79: _free.LIBCMT ref: 001FBFA2

_free.LIBCMT ref: 001FC003

Part of subcall function 001F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?), ref: 001F84F4
Part of subcall function 001F84DE: GetLastError.KERNEL32(?,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?,?), ref: 001F8506

_free.LIBCMT ref: 001FC00E
_free.LIBCMT ref: 001FC019
_free.LIBCMT ref: 001FC06D
_free.LIBCMT ref: 001FC078
_free.LIBCMT ref: 001FC083
_free.LIBCMT ref: 001FC08E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 9227ff371edbe13bec0665b06227cae5b7d21356decb324e34cb5a4aab084bc2
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 1B114F72544B0DFAD620BBB0CC47FEBB79D7F10700F408815B399A6452DB75F9048A90

Function 001F20CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001F20C1,001EFB12), ref: 001F20D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001F20E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001F20FF
SetLastError.KERNEL32(00000000,?,001F20C1,001EFB12), ref: 001F2151

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c7620c8876b2a8c825a1769c138aa05782fc7dc1e3fa5eafa518b8a6ca74c35b
Instruction ID: e1b9dbca696e823642f45310b35e5da558c661bd59d12b6bbc2f935b6c9495ef
Opcode Fuzzy Hash: c7620c8876b2a8c825a1769c138aa05782fc7dc1e3fa5eafa518b8a6ca74c35b
Instruction Fuzzy Hash: 0201D43220D3196EEA646BB5BC8963A2A4CFB217747220B29F324551E2EF324C459548

Function 001F9029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001F895F,001F85FB,?,001F8FD3,00000001,00000364,?,001F3713,00000050,?,00210EE8,00000200), ref: 001F902E
_free.LIBCMT ref: 001F9063
_free.LIBCMT ref: 001F908A
SetLastError.KERNEL32(00000000,?,00210EE8,00000200), ref: 001F9097
SetLastError.KERNEL32(00000000,?,00210EE8,00000200), ref: 001F90A0

Strings

X , xrefs: 001F907E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorLast$_free
String ID: X
API String ID: 3170660625-3831130985
Opcode ID: ef36524ebec427e11f713abb61a2132eeb560c6773c0e19a319acfe9e4ad6347
Instruction ID: 2095d111c1ed33f928dd30a591d433c8388a9ab591b99b247340ff1e89900c25
Opcode Fuzzy Hash: ef36524ebec427e11f713abb61a2132eeb560c6773c0e19a319acfe9e4ad6347
Instruction Fuzzy Hash: 3101F4B2505B086BC32277357C89B3B262EAFE13717360124F70AD2253EF748C014160

Function 001EDC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 001EDCD9
AcquireSRWLockExclusive, xrefs: 001EDCC9
KERNEL32.DLL, xrefs: 001EDCB4

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 55abd63972a4a593ea46a8559810f6bb651d0249c5410a9d5a5ede0214c3d174
Instruction ID: 1bbfc02380f422760e0267c911668c704312e39e74900fa68e49c32b020fe0db
Opcode Fuzzy Hash: 55abd63972a4a593ea46a8559810f6bb651d0249c5410a9d5a5ede0214c3d174
Instruction Fuzzy Hash: 0301F471652BA25BCF205FB67CD92EF2399AA42392330153FE542D3280DB91C881DAB0

Function 001F8060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001F807E

Part of subcall function 001F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?), ref: 001F84F4
Part of subcall function 001F84DE: GetLastError.KERNEL32(?,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?,?), ref: 001F8506

_free.LIBCMT ref: 001F8090
_free.LIBCMT ref: 001F80A3
_free.LIBCMT ref: 001F80B4
_free.LIBCMT ref: 001F80C5

Strings

, xrefs: 001F8074

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-771276903
Opcode ID: cd5c8e78dadf2ce952cc614632f06ffee201f60b6b0216fb2bec181f027c8960
Instruction ID: 7bdba89dff3af8c822b69fcfdb9d800d69aeb40290ecaab97e8fe4785f5312ab
Opcode Fuzzy Hash: cd5c8e78dadf2ce952cc614632f06ffee201f60b6b0216fb2bec181f027c8960
Instruction Fuzzy Hash: 55F082B58012298BCB11AF16FC1A4263B69FB247203094A0BFA0097A71CF3108B19FC1

Function 001E0CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 001E0D0D

Part of subcall function 001DACF5: GetVersionExW.KERNEL32(?), ref: 001DAD1A

LocalFileTimeToFileTime.KERNEL32(?,001E0CB8), ref: 001E0D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 001E0D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 001E0D56
SystemTimeToFileTime.KERNEL32(?,001E0CB8), ref: 001E0D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 001E0D72

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 8f70b353706ff3f9badb7edde7322c4519c1dc255e58ac4bcde1dc713696c562
Instruction ID: c8d8fed990f42ab55cc6a07c1190c4d0a65bb03e5d56f1c10addbbaa8dc6b843
Opcode Fuzzy Hash: 8f70b353706ff3f9badb7edde7322c4519c1dc255e58ac4bcde1dc713696c562
Instruction Fuzzy Hash: CC31037A90024AEBCB00DFE5D8859EFFBBDFF58300B04441AE955E3211E730AA85CB64

Function 001E91B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001E91D4
_memcmp.LIBVCRUNTIME ref: 001E91EB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8da11ff7b6aefad925e3ed0a5379674d909702b49fc3d9a8c25eb0a670689e04
Instruction ID: 8da9b625e1be0df7e37a4972bd3c5f73423db3747ad0bfe73eaa5244aa6cbbae
Opcode Fuzzy Hash: 8da11ff7b6aefad925e3ed0a5379674d909702b49fc3d9a8c25eb0a670689e04
Instruction Fuzzy Hash: 0D21A771600A4FBBDB089F12CC81E7F77ADEB51784B148128FD099B242E370DD918791

Function 001ED2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 001ED2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001ED30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001ED31D
TranslateMessage.USER32(?), ref: 001ED327
DispatchMessageW.USER32(?), ref: 001ED331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 001ED33C

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 8e56b7b3f23dc0d8c0df4dc43318ea63acc16b1e9b8517dfe0005aaa5074392c
Instruction ID: 9b48edc380da5acd98ed722a093d7805b1d781bc5b02022ee41051ca74070b20
Opcode Fuzzy Hash: 8e56b7b3f23dc0d8c0df4dc43318ea63acc16b1e9b8517dfe0005aaa5074392c
Instruction Fuzzy Hash: 69F0EC72A01219ABCB209BA6FD4CEDFBF6EEF51791F048012F606D2051D6359549C7A1

Function 001EC40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 001EC435

Part of subcall function 001E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,001DBB05,00000000,.exe,?,?,00000800,?,?,001E85DF,?), ref: 001E17C2

Strings

MAX, xrefs: 001EC487
HIDE, xrefs: 001EC474
MIN, xrefs: 001EC4A3
<, xrefs: 001EC41E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 1c6d792c6d5a9cc14f4b5af075bbe9a4077b73654343c8376d597da0a227b36e
Instruction ID: cf6a0aa6306badc50dc045a5fef4cb704ba0eba6c0abac0820c7e91776f0d42d
Opcode Fuzzy Hash: 1c6d792c6d5a9cc14f4b5af075bbe9a4077b73654343c8376d597da0a227b36e
Instruction Fuzzy Hash: 6A318372900A89AEDF25DA96CC41EEF77BDEB64700F004066FA05D7091EBB09FC58A90

Function 001EA990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 001D130B: GetDlgItem.USER32(00000000,00003021), ref: 001D134F
Part of subcall function 001D130B: SetWindowTextW.USER32(00000000,002035B4), ref: 001D1365

EndDialog.USER32(?,00000001), ref: 001EA9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 001EA9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 001EAA24

Strings

xj", xrefs: 001EAA02
GETPASSWORD1, xrefs: 001EA9A9

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xj"
API String ID: 445417207-2354614350
Opcode ID: 4e9b1b585a904e96b51952a23d07748e7361fb6c662eee0bbde1103579ba04e4
Instruction ID: 0760ac3f452f6272fda92920ce23cd3afa61b9e066e4f65dc2493498510f8d6f
Opcode Fuzzy Hash: 4e9b1b585a904e96b51952a23d07748e7361fb6c662eee0bbde1103579ba04e4
Instruction Fuzzy Hash: CB114833940228BADB219E65AD09FFF377CEF59701F010021FA45B3081D360A954D6B2

Function 001EADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 001EADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 001EAE22
DeleteObject.GDI32(00000000), ref: 001EAE54
DeleteObject.GDI32(00000000), ref: 001EAE77

Part of subcall function 001E9E1C: FindResourceW.KERNEL32(001EAE4D,PNG,?,?,?,001EAE4D,00000066), ref: 001E9E2E
Part of subcall function 001E9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,001EAE4D,00000066), ref: 001E9E46
Part of subcall function 001E9E1C: LoadResource.KERNEL32(00000000,?,?,?,001EAE4D,00000066), ref: 001E9E59
Part of subcall function 001E9E1C: LockResource.KERNEL32(00000000,?,?,?,001EAE4D,00000066), ref: 001E9E64

Strings

], xrefs: 001EAE2A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: c024d5a58a2fdc1065e13ebc75836e094202af0989f47409e210327a4f4c7947
Instruction ID: c04f670bc87f8fd618bc0d0e9433c3b14f849ec4f7f0a7f9aaa223f22c553ab7
Opcode Fuzzy Hash: c024d5a58a2fdc1065e13ebc75836e094202af0989f47409e210327a4f4c7947
Instruction Fuzzy Hash: 5D014932540AA5E7C7106766AC0AABF7BB9AFA1B41F080010FD00B7291DF318C1986B1

Function 001ECC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001D130B: GetDlgItem.USER32(00000000,00003021), ref: 001D134F
Part of subcall function 001D130B: SetWindowTextW.USER32(00000000,002035B4), ref: 001D1365

EndDialog.USER32(?,00000001), ref: 001ECCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 001ECCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 001ECD05
SetDlgItemTextW.USER32(?,00000068), ref: 001ECD14

Strings

RENAMEDLG, xrefs: 001ECCA8

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 0e84d42ed85726263924f704c8274b68d3b3a24eebb3cd8ffe05f91f9de58bfb
Instruction ID: 1590dd776ea95fc49eb29f6322f933f47f1922deccdfaaba3bb9223e39c167be
Opcode Fuzzy Hash: 0e84d42ed85726263924f704c8274b68d3b3a24eebb3cd8ffe05f91f9de58bfb
Instruction Fuzzy Hash: DE012D32284750BAD5214FA5AD0CF9F3BACFB96742F210411F345A21D1C766551A87E5

Function 001F75C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001F7573,00000000,?,001F7513,00000000,0020BAD8,0000000C,001F766A,00000000,00000002), ref: 001F75E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001F75F5
FreeLibrary.KERNEL32(00000000,?,?,?,001F7573,00000000,?,001F7513,00000000,0020BAD8,0000000C,001F766A,00000000,00000002), ref: 001F7618

Strings

CorExitProcess, xrefs: 001F75ED
mscoree.dll, xrefs: 001F75DB

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ec3230121a2afd45fd274e6e06da553c05bbf9dd1beba43695ac4b9ce908ec0c
Instruction ID: 798091ce33b49b6e90c59e66a9858391d38eb88867eef4e24c38636b5627c601
Opcode Fuzzy Hash: ec3230121a2afd45fd274e6e06da553c05bbf9dd1beba43695ac4b9ce908ec0c
Instruction Fuzzy Hash: F5F04F30A1971DBBDB159B95EC0DBAEBFB9EF04721F104068F809E2191DB748E40CA94

Function 001DEB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001E00A0
Part of subcall function 001E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001DEB86,Crypt32.dll,00000000,001DEC0A,?,?,001DEBEC,?,?,?), ref: 001E00C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001DEB92
GetProcAddress.KERNEL32(002181C0,CryptUnprotectMemory), ref: 001DEBA2

Strings

Crypt32.dll, xrefs: 001DEB7C
CryptProtectMemory, xrefs: 001DEB8C
CryptUnprotectMemory, xrefs: 001DEB98

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 7b0912ce44bd66edf5e3baababd9879a33525fe8aa997045fad1a45fcc569014
Instruction ID: ae2569fc935752dfbc458a0c1ba6c40e18efba66c7575eebcbea68581a2a3e50
Opcode Fuzzy Hash: 7b0912ce44bd66edf5e3baababd9879a33525fe8aa997045fad1a45fcc569014
Instruction Fuzzy Hash: D3E04F704117419EDB21DF39A808B46BEE85B15706F00881EF4D6D3682D7F4D5808B60

Function 001F7DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001F7E4B
_free.LIBCMT ref: 001F7E6B

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a88e4f89cba7865253218e87ede717040edcdd17d18085481ff7c972beb295dc
Instruction ID: 24c47c1f471e95ae60fe1663a1d9c79e15c9004f99501481dfa925595bab0252
Opcode Fuzzy Hash: a88e4f89cba7865253218e87ede717040edcdd17d18085481ff7c972beb295dc
Instruction Fuzzy Hash: 9441D336A003089FCB24DF78D881A6EB7E5EF99714F1545A9E615EB382DB31ED01CB80

Function 001FB610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001FB619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001FB63C

Part of subcall function 001F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001FC13D,00000000,?,001F67E2,?,00000008,?,001F89AD,?,?,?), ref: 001F854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001FB662
_free.LIBCMT ref: 001FB675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001FB684

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 53daef884f6582a3a8fbe318dcef38d6b597a2b1e2c33476c09f6187398db236
Instruction ID: 571f03f36ff5c26a41b07eecec7d93a795a7d513f2ec293eed8e02182d917d22
Opcode Fuzzy Hash: 53daef884f6582a3a8fbe318dcef38d6b597a2b1e2c33476c09f6187398db236
Instruction Fuzzy Hash: 710184B2605719BF63215A76ACCCC7B6A6DEEC6BB03250229BE04C7111EF60CD0191B0

Function 001E075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 001E0A41: ResetEvent.KERNEL32(?), ref: 001E0A53
Part of subcall function 001E0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 001E0A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 001E078F
CloseHandle.KERNEL32(?,?), ref: 001E07A9
DeleteCriticalSection.KERNEL32(?), ref: 001E07C2
CloseHandle.KERNEL32(?), ref: 001E07CE
CloseHandle.KERNEL32(?), ref: 001E07DA

Part of subcall function 001E084E: WaitForSingleObject.KERNEL32(?,000000FF,001E0A78,?), ref: 001E0854
Part of subcall function 001E084E: GetLastError.KERNEL32(?), ref: 001E0860

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 87d438ac925c2c42d01b90a65fe73887beb082f8412f60c2955c9ad019a05fc8
Instruction ID: 2c6ac796af7717c93d96cf3a97f0e3e6560bc2c92ff61a82997068ccf2ed7c7b
Opcode Fuzzy Hash: 87d438ac925c2c42d01b90a65fe73887beb082f8412f60c2955c9ad019a05fc8
Instruction Fuzzy Hash: A801B571440B44EFC722DB65EC88FCABBEEFB49710F004529F15A421A1CBB56A84CB90

Function 001FBF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001FBF28

Part of subcall function 001F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?), ref: 001F84F4
Part of subcall function 001F84DE: GetLastError.KERNEL32(?,?,001FBFA7,?,00000000,?,00000000,?,001FBFCE,?,00000007,?,?,001FC3CB,?,?), ref: 001F8506

_free.LIBCMT ref: 001FBF3A
_free.LIBCMT ref: 001FBF4C
_free.LIBCMT ref: 001FBF5E
_free.LIBCMT ref: 001FBF70

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 664b3a77d466e17733dd7455a31199845425de4d4b7d337fc0b1ccebb50ee410
Instruction ID: fea3ce963399d79a2fe8b2f7c867f15e5811ffd4a99ce2035d11517ec3a765f4
Opcode Fuzzy Hash: 664b3a77d466e17733dd7455a31199845425de4d4b7d337fc0b1ccebb50ee410
Instruction Fuzzy Hash: 21F0F933508209ABCA20EF68FECAD2A73EDFA107107654C09F219D7D11CB34FC808A64

Function 001F76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\c62q1qZ8kX.exe,00000104), ref: 001F76FD
_free.LIBCMT ref: 001F77C8
_free.LIBCMT ref: 001F77D2

Strings

C:\Users\user\Desktop\c62q1qZ8kX.exe, xrefs: 001F76F4, 001F76FB, 001F772A, 001F7762

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\c62q1qZ8kX.exe
API String ID: 2506810119-202290201
Opcode ID: e04d2a506fe211cb98df1c196bd04278cbaa3e54d9104719c51cee75ea100711
Instruction ID: a54e3568c2139bd9c32bcf65091f6b6a4a32ed8248293ea4efb718d69d3bbbf0
Opcode Fuzzy Hash: e04d2a506fe211cb98df1c196bd04278cbaa3e54d9104719c51cee75ea100711
Instruction Fuzzy Hash: CC316071A1421CAFDB21EF99EC899BEBBFCEB95710F244166E60497251D7708E40CBA0

Function 001D7574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D7579

Part of subcall function 001D3B3D: __EH_prolog.LIBCMT ref: 001D3B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 001D7640

Part of subcall function 001D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 001D7C04
Part of subcall function 001D7BF5: GetLastError.KERNEL32 ref: 001D7C4A
Part of subcall function 001D7BF5: CloseHandle.KERNEL32(?), ref: 001D7C59

Strings

SeRestorePrivilege, xrefs: 001D75D3
SeSecurityPrivilege, xrefs: 001D75BE

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 162085f526d9e2f5362ee55e2002464e7ce107a34298ec37f6a507b11b9741ac
Instruction ID: a11140d9a298e63ce22bf619dea666a81e3c7b2aae570e536e8b837472030935
Opcode Fuzzy Hash: 162085f526d9e2f5362ee55e2002464e7ce107a34298ec37f6a507b11b9741ac
Instruction Fuzzy Hash: D431EA71908348AEEF20EB65EC45BEEBBB9AF25354F00405BF444A73D2EBB48944C761

Function 001EA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 001D130B: GetDlgItem.USER32(00000000,00003021), ref: 001D134F
Part of subcall function 001D130B: SetWindowTextW.USER32(00000000,002035B4), ref: 001D1365

EndDialog.USER32(?,00000001), ref: 001EA4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 001EA4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 001EA4E2

Strings

ASKNEXTVOL, xrefs: 001EA448

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: a01ee5caa4e09846addf34a7b775fa2cc41a9fecd4453beb034d9dcebb030046
Instruction ID: 560220dbc9cfcf9fa19e2bcf508e2e6bd162d62693d74d6f9cb2c57848891474
Opcode Fuzzy Hash: a01ee5caa4e09846addf34a7b775fa2cc41a9fecd4453beb034d9dcebb030046
Instruction Fuzzy Hash: 5211E632248680BFD7219FA9EC4DF6A37A9EF5A300F584402F3419B1E0C7A1A905D732

Function 001DD1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 001DD22E
_strncpy.LIBCMT ref: 001DD278

Strings

$%s, xrefs: 001DD223
@%s, xrefs: 001DD218

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 89d65903fa99e6e25e31bdafc95692cdf2529fc62bebd6537c48ba70aa66ea69
Instruction ID: 1f830e09c9d901f11fb65e4a60bfb41d8ca403f73864e66b5563aad72880cf49
Opcode Fuzzy Hash: 89d65903fa99e6e25e31bdafc95692cdf2529fc62bebd6537c48ba70aa66ea69
Instruction Fuzzy Hash: 7F218E3244034CAADF20DEA4DC46FEE7BACEF15300F040513FA1596292E371EA55DB51

Function 001DB4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001DB51E

Part of subcall function 001D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D401D

_wcschr.LIBVCRUNTIME ref: 001DB53C
_wcschr.LIBVCRUNTIME ref: 001DB54C

Strings

%c:\, xrefs: 001DB514

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: a157af02867afa9dc741c176d8561690da62c8c04f7c306afff082657e5f7737
Instruction ID: fb978e928ad70186bcff52a7b525213ba162cac86d5666f1ad2cf55eae28adfa
Opcode Fuzzy Hash: a157af02867afa9dc741c176d8561690da62c8c04f7c306afff082657e5f7737
Instruction Fuzzy Hash: 11012D53908311FBDB20AB75ACC2C7BB7ACDEA63A07914417F946C6291FB30D950C3A1

Function 001E06BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,001DABC5,00000008,?,00000000,?,001DCB88,?,00000000), ref: 001E06F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,001DABC5,00000008,?,00000000,?,001DCB88,?,00000000), ref: 001E06FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,001DABC5,00000008,?,00000000,?,001DCB88,?,00000000), ref: 001E070D

Strings

Thread pool initialization failed., xrefs: 001E0725

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 4d1d34096c34c0337414f4609ccf7decb769c39f0e472953ae567cab45dbf990
Instruction ID: 803165fd61addca36a8c68ac5730a8e0729b7b9ef12faf78eb082b5cae64225c
Opcode Fuzzy Hash: 4d1d34096c34c0337414f4609ccf7decb769c39f0e472953ae567cab45dbf990
Instruction Fuzzy Hash: 2D1173B1501709AFD3315F66D888AABFBECEB99754F10482EF1DA82201D7B169C1CB50

Function 001ED38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 001ED3DE
REPLACEFILEDLG, xrefs: 001ED3C9, 001ED3FD

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: aacc09562b27fb02e1bf02629ec266e45a10e1ebec0502c85997b11d7f290759
Instruction ID: f8bae4dc4a0b2eb04a500dff30c1c759fd4ebd3935c363a723558151d401d99e
Opcode Fuzzy Hash: aacc09562b27fb02e1bf02629ec266e45a10e1ebec0502c85997b11d7f290759
Instruction Fuzzy Hash: 2B0171B1604686AFDB119F66FD8CE9A7BE9F724380B048421F505D2271DF719C50EBA1

Function 001F91DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001F9269
__alldvrm.LIBCMT ref: 001F946A
__alldvrm.LIBCMT ref: 001F948C

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction ID: 2a711978b7f3a6e3f52d1bf0605e02d9ceceea5637dad0c63f2be16dc0b53f56
Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction Fuzzy Hash: 16A1787290478A9FDB25EF68C8917BEBBE5FF65310F18416DEA859B281C3388942C750

Function 001DA2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,001D80B7,?,?,?), ref: 001DA351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,001D80B7,?,?), ref: 001DA395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,001D80B7,?,?,?,?,?,?,?,?), ref: 001DA416
CloseHandle.KERNEL32(?,?,00000000,?,001D80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 001DA41D

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 6a40c59daf0710026d7f870727d286b5879688f21ccda5e2ee8dc8efc7e9ea1b
Instruction ID: 3035d351515421e8998e5964a34edb5aeeabad42185de9ee0e6bd9c8afe8daae
Opcode Fuzzy Hash: 6a40c59daf0710026d7f870727d286b5879688f21ccda5e2ee8dc8efc7e9ea1b
Instruction Fuzzy Hash: B741CA31288381AAE731DF24DC45BAEBBE9AF95700F48091EF5D093281D7A49A48DB53

Function 001FC099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,001F89AD,?,00000000,?,00000001,?,?,00000001,001F89AD,?), ref: 001FC0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001FC16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001F67E2,?), ref: 001FC181
__freea.LIBCMT ref: 001FC18A

Part of subcall function 001F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,001FC13D,00000000,?,001F67E2,?,00000008,?,001F89AD,?,?,?), ref: 001F854A

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a4938974c43b34ae882687b4f82b8237dfc27e7a98fec8bd9f9ad2f9096a9edc
Instruction ID: 540a8f1232331862947c91064ea359c1167de24dde480161000dcf2d6124b4bc
Opcode Fuzzy Hash: a4938974c43b34ae882687b4f82b8237dfc27e7a98fec8bd9f9ad2f9096a9edc
Instruction Fuzzy Hash: 7D31BC72A0021EABDB24CF65DC45DBE7BA9EB44310F150228FD0497292EB35CD61DBE0

Function 001F2503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 001F251A

Part of subcall function 001F2B52: ___AdjustPointer.LIBCMT ref: 001F2B9C

_UnwindNestedFrames.LIBCMT ref: 001F2531
___FrameUnwindToState.LIBVCRUNTIME ref: 001F2543
CallCatchBlock.LIBVCRUNTIME ref: 001F2567

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: afc2ac357388cff7e5caed9d01a9aec103c091e72e2a0e6ffdfc96f327543d82
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: D501293200010CBBCF129F55CC11EEA3BBAFF69714F158018FE1866160C336E962EBA1

Function 001E9DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001E9DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 001E9DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E9DDB
ReleaseDC.USER32(00000000,00000000), ref: 001E9DE9

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9cfe9b4f9739aadeb8c637f728ae97daca0346624628e8927e099452d2b3ccc4
Instruction ID: d27b926cc0ce83f3ddf1a8eebdd12b859db87a029593fec5759ad8782be1b760
Opcode Fuzzy Hash: 9cfe9b4f9739aadeb8c637f728ae97daca0346624628e8927e099452d2b3ccc4
Instruction Fuzzy Hash: 9AE0EC31989B21E7D3245BA5BC4DB8B3B59AB29712F054005F60596190DE70444DCB95

Function 001F2016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 001F2016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 001F201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 001F2020

Part of subcall function 001F310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 001F311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 001F2035

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: ba99dde8b88adc44a34a356122731ee548b007cd1bf0bae3dd14681748c79ec2
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: D1C04C2610964CE41C113AB261031BE07401C737C4B9220C2FBA017143DF260A0AA037

Function 001E9F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 001E9DF1: GetDC.USER32(00000000), ref: 001E9DF5
Part of subcall function 001E9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 001E9E00
Part of subcall function 001E9DF1: ReleaseDC.USER32(00000000,00000000), ref: 001E9E0B

GetObjectW.GDI32(?,00000018,?), ref: 001E9F8D

Part of subcall function 001EA1E5: GetDC.USER32(00000000), ref: 001EA1EE
Part of subcall function 001EA1E5: GetObjectW.GDI32(?,00000018,?), ref: 001EA21D
Part of subcall function 001EA1E5: ReleaseDC.USER32(00000000,?), ref: 001EA2B5

Strings

(, xrefs: 001EA0A3

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 4cb93403a2c8899b44787bf37f1219c6bce02df3d262d4b318388710b7b10752
Instruction ID: 8ac3bdca19b8f9e72582f4cebf26e74f2b5e304bee469e8d798ed7486e5fbe68
Opcode Fuzzy Hash: 4cb93403a2c8899b44787bf37f1219c6bce02df3d262d4b318388710b7b10752
Instruction Fuzzy Hash: A1811071208754AFC714DF69D848A2EBBE9FF88704F00891DF98AD7261DB31AD05CB62

Function 001E0E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001E0FF1

Strings

%ls, xrefs: 001E0E76, 001E0E8C
%s: %s, xrefs: 001E1000

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 65de7b1c9c39de172c6bc14d2a305a9c0d40933c4963fb2ecc415c05dad9fbfd
Instruction ID: 14d727d87baff0c56b34ee74ed338155b9fe1e1bd16da4050db12023f1c4b2e0
Opcode Fuzzy Hash: 65de7b1c9c39de172c6bc14d2a305a9c0d40933c4963fb2ecc415c05dad9fbfd
Instruction Fuzzy Hash: CA51C93124CFC0FAEA2A16D6DC42F3E7666AB1CB00F264916F39A744D5C7F254E06612

Function 001D772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D7730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001D78CC

Part of subcall function 001DA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001DA27A,?,?,?,001DA113,?,00000001,00000000,?,?), ref: 001DA458
Part of subcall function 001DA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001DA27A,?,?,?,001DA113,?,00000001,00000000,?,?), ref: 001DA489

Strings

:, xrefs: 001D77A1

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: d035d97d281c5d02b377e34de1f62c486676f76b135668f2bdedd7a1175decb9
Instruction ID: e0aaa06483c1086e054e61ebde0afa468d8ef6f5080c7b389931ebe6a47babc9
Opcode Fuzzy Hash: d035d97d281c5d02b377e34de1f62c486676f76b135668f2bdedd7a1175decb9
Instruction Fuzzy Hash: 2E418571805268AADB24EB50DD59EEEB37CAF55300F0041DBB609A3292EB745F84DF61

Function 001DB66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

\\?\, xrefs: 001DB6BE, 001DB6FA, 001DB75B, 001DB7AE
UNC, xrefs: 001DB708

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 83d30d4643e0e4c9d3bc4876e30cfa738c8635de5d0aa9fc13153a5003bbf51c
Instruction ID: 0089eedab91d7405262caae2eda7917b1c583e8c17550882cfd690b48cb096d9
Opcode Fuzzy Hash: 83d30d4643e0e4c9d3bc4876e30cfa738c8635de5d0aa9fc13153a5003bbf51c
Instruction Fuzzy Hash: 4F419435404259EBCF20AF21DCC1EEF77ADAF55750B12406BF81697392E770DA50CA60

Function 001E8FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 001E8FC4

Strings

Shell.Explorer, xrefs: 001E8FEF
about:blank, xrefs: 001E9082

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: b6a8e6bedaf6c48ad5b133f36b6a14906c22458358449f74df9a53c5168a432d
Instruction ID: b52ba4e8333e133e60c001a4b259f4b08e05bc32b6b4e8cd3ccdab4b6215755c
Opcode Fuzzy Hash: b6a8e6bedaf6c48ad5b133f36b6a14906c22458358449f74df9a53c5168a432d
Instruction Fuzzy Hash: FA219F71214B849FCB18EF66D895A2E77A8FF84711B14856EF9098F282DF70EC00CB60

Function 001ED44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,0001043C,001EA990,?,?), ref: 001ED4C5

Strings

xj", xrefs: 001ED4D5
GETPASSWORD1, xrefs: 001ED4BA

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xj"
API String ID: 665744214-2354614350
Opcode ID: c27a7df59ce218724381711580b8992c23e70cdb5839472e333fc0e1fd08c751
Instruction ID: 748443df3ab9056a31ce9ff9720f48b3c727aed36c560883b761636b9d382e8d
Opcode Fuzzy Hash: c27a7df59ce218724381711580b8992c23e70cdb5839472e333fc0e1fd08c751
Instruction Fuzzy Hash: 72115E71614684ABDB21DE35BC49BEF37E8BB15350F198074BD45A71D1CBB0AC54C760

Function 001DEBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 001DEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001DEB92
Part of subcall function 001DEB73: GetProcAddress.KERNEL32(002181C0,CryptUnprotectMemory), ref: 001DEBA2

GetCurrentProcessId.KERNEL32(?,?,?,001DEBEC), ref: 001DEC84

Strings

CryptUnprotectMemory failed, xrefs: 001DEC7C
CryptProtectMemory failed, xrefs: 001DEC3B

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: b072588d33b052f0e45e0b7dbc30b554c32c3556a1d4c0128ea3cada6b778f5d
Instruction ID: 7e5a0ca982a54f9024662dfc200776be61f6bd2ae86b97461ec23e5fefde3d01
Opcode Fuzzy Hash: b072588d33b052f0e45e0b7dbc30b554c32c3556a1d4c0128ea3cada6b778f5d
Instruction Fuzzy Hash: 78117F32A203186FDB15BB34DC466AE3798EF14721B04801BFC055F382CB75AD4187D0

Function 001F9B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001F9BBE
_free.LIBCMT ref: 001F9BE4

Strings

X , xrefs: 001F9C4B

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: _free
String ID: X
API String ID: 269201875-3831130985
Opcode ID: c0dc8496647a80c707ca846f670655847d588912b00f205faaa84964253390c4
Instruction ID: f13743735e847668b6fcf6039eef9025b481cb634a7000d7f6b95b17f58b0679
Opcode Fuzzy Hash: c0dc8496647a80c707ca846f670655847d588912b00f205faaa84964253390c4
Instruction Fuzzy Hash: 55119D71A103259BEB24AB38BC49F773695AB61730F140626FA21CA2E1E774C8528680

Function 001EEC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001EF25E
___raise_securityfailure.LIBCMT ref: 001EF345

Strings

8#, xrefs: 001EF340

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8#
API String ID: 3761405300-3270533637
Opcode ID: 29b813825dd9f463bd92f531d8ecc6969c90c0ebbe087abbe737f2cc843608d6
Instruction ID: d32216d1b0a1e4a2aa62c58828c6fccc7dd73f06308c2c86b5670552ee792b9c
Opcode Fuzzy Hash: 29b813825dd9f463bd92f531d8ecc6969c90c0ebbe087abbe737f2cc843608d6
Instruction Fuzzy Hash: E32134B97103048BD718EF55F9E9A043BE8FB4C310F10586AE9088B7A1E3B1A981CF65

Function 001E0889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,001E09D0,?,00000000,00000000), ref: 001E08AD
SetThreadPriority.KERNEL32(?,00000000), ref: 001E08F4

Part of subcall function 001D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D6EAF

Strings

CreateThread failed, xrefs: 001E08B9

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 8d9052dcd50672ed34a3069827a4ece195fa9d6fe23d9b01ce56de1a7aaf6230
Instruction ID: 7483b9bf7b1097d650801f82390eae27a64090f2c9ece96f5363ff5d5125c568
Opcode Fuzzy Hash: 8d9052dcd50672ed34a3069827a4ece195fa9d6fe23d9b01ce56de1a7aaf6230
Instruction Fuzzy Hash: 6B01D6B13447056FD631AF55EC86FAA7398EB58715F10042EFA8A92181CFE1A8C19664

Function 001FB2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001F8FA5: GetLastError.KERNEL32(?,00210EE8,001F3E14,00210EE8,?,?,001F3713,00000050,?,00210EE8,00000200), ref: 001F8FA9
Part of subcall function 001F8FA5: _free.LIBCMT ref: 001F8FDC
Part of subcall function 001F8FA5: SetLastError.KERNEL32(00000000,?,00210EE8,00000200), ref: 001F901D
Part of subcall function 001F8FA5: _abort.LIBCMT ref: 001F9023

_abort.LIBCMT ref: 001FB2E0
_free.LIBCMT ref: 001FB314

Strings

, xrefs: 001FB30B

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID:
API String ID: 289325740-771276903
Opcode ID: aa110fc49cbc0116a7615ab50afabbadc0d7a17c9a7a7d99b118c522d4b4981b
Instruction ID: 47f91724b46ce19d696909a41b51eeb8875a9994f2d7c0bfb87c91de8b2407db
Opcode Fuzzy Hash: aa110fc49cbc0116a7615ab50afabbadc0d7a17c9a7a7d99b118c522d4b4981b
Instruction Fuzzy Hash: 9A01C071D05B29DFCB25AF59D88127DB374FF18B21B0A050AE62067682CB302D428FC2

Function 001D130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 001DDA98: _swprintf.LIBCMT ref: 001DDABE
Part of subcall function 001DDA98: _strlen.LIBCMT ref: 001DDADF
Part of subcall function 001DDA98: SetDlgItemTextW.USER32(?,0020E154,?), ref: 001DDB3F
Part of subcall function 001DDA98: GetWindowRect.USER32(?,?), ref: 001DDB79
Part of subcall function 001DDA98: GetClientRect.USER32(?,?), ref: 001DDB85

GetDlgItem.USER32(00000000,00003021), ref: 001D134F
SetWindowTextW.USER32(00000000,002035B4), ref: 001D1365

Strings

0, xrefs: 001D130E

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: eaefda52cac060bf96cc481385f37b7d50b2fbb7719a542aa2ed1029b3e25715
Instruction ID: 91cbed0e4f7f7839fd413fb79430888a52b72d126a8a6767440b4c09b35e8382
Opcode Fuzzy Hash: eaefda52cac060bf96cc481385f37b7d50b2fbb7719a542aa2ed1029b3e25715
Instruction Fuzzy Hash: C1F0AF3010038CB6DF254F619D0DBE93B98BB24315F088416FD89556A2C774C995EB10

Function 001E084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,001E0A78,?), ref: 001E0854
GetLastError.KERNEL32(?), ref: 001E0860

Part of subcall function 001D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001D6EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 001E0869

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 609c32ec20279b7008baa2ec6db76d2a54f3b2694c7c99ac3b965e1697e42282
Instruction ID: 1179413525d4505c689716cf9af4bc2173bbd419f09ab806b8c3588051a34306
Opcode Fuzzy Hash: 609c32ec20279b7008baa2ec6db76d2a54f3b2694c7c99ac3b965e1697e42282
Instruction Fuzzy Hash: 77D05B7190952126C6117724BC0EDAF7A095F62730F504716F639552F6DF71099141D5

Function 001DDA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,001DD32F,?), ref: 001DDA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,001DD32F,?), ref: 001DDA61

Strings

RTL, xrefs: 001DDA5B

Memory Dump Source

Source File: 00000000.00000002.1680205141.00000000001D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000000.00000002.1680188372.00000000001D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680231754.0000000000203000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.000000000020E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000214000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680252607.0000000000231000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680307021.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d0000_c62q1qZ8kX.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 1d50a5051e336c05a3c3a0d69d32e0a7c3152470e83e58f2a8ab7230b37967fc
Instruction ID: a321413d3e1fc1c11b87a3121bf9a481e91b134c6d8985aecc0b5075d8bbea5c
Opcode Fuzzy Hash: 1d50a5051e336c05a3c3a0d69d32e0a7c3152470e83e58f2a8ab7230b37967fc
Instruction Fuzzy Hash: BBC08C3238A750B6EB30A7317C0DB832E4D6B11F12F09044DF281DB6D2DAE5CA48C7A0

Analysis Process: chainMonitor.exePID: 6192, Parent PID: 1856COMMON

Executed Functions

Function 00007FFD9BAA3595 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb8f4523fc1faa99007f8295c7f29d0f5510f0a8c8edbaf5ab9bfe3bc87c1b5
Instruction ID: 5b6c09971901f83fe5e6049da7c6a225a5a5a83ddde3641f06e1e12fc603a850
Opcode Fuzzy Hash: beb8f4523fc1faa99007f8295c7f29d0f5510f0a8c8edbaf5ab9bfe3bc87c1b5
Instruction Fuzzy Hash: 94A19172A1994E8FEB98DB68C8657A97BE1FF59314F5001BED00DD72DACBB42801CB50

Function 00007FFD9BAA1718 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8244bc2b2e6f55f056fba1e7d0fdf09821d17a0382f8dbf1376df3866e4aab
Instruction ID: 9a217ed87450429d6cbf87c3055fe16e6b4b45d7cd77ff75f05c8fecb647081d
Opcode Fuzzy Hash: fe8244bc2b2e6f55f056fba1e7d0fdf09821d17a0382f8dbf1376df3866e4aab
Instruction Fuzzy Hash: 2781DF31B0DA894FDB58DF5888605A977E3EFE9310B15417EE49EC32A6DE74AD02C780

Function 00007FFD9BAA1D8D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e263845e041e1d6b7ea0cae1aea377e1125fe4fef5d2f87b2baf89531b77aae
Instruction ID: 7bb3972fb1e1bfc237fadc5b19d4960523767b483a95e5372f9e574d8aee6fb1
Opcode Fuzzy Hash: 5e263845e041e1d6b7ea0cae1aea377e1125fe4fef5d2f87b2baf89531b77aae
Instruction Fuzzy Hash: CD51ED31B08B894FDB58DF4888645BA77E2FFE9310B15427EE45AC7296CE74AC02C780

Function 00007FFD9BAB52B0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b6252e4750089df9829a2d64c3f6051a842203089a3f8f1cb5fa91b430ac26
Instruction ID: 2d61d6f149bdd7e0ea7989fe00bc01dd7571edd837a9381225848c806ca6851c
Opcode Fuzzy Hash: 82b6252e4750089df9829a2d64c3f6051a842203089a3f8f1cb5fa91b430ac26
Instruction Fuzzy Hash: 76513D71E1991D8FEBA8EBA8D865BACB7F1FF58301F40007AD01DE7291DE7569818B40

Function 00007FFD9BAA31F1 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0753aadc19a9fae34bb60f9ec098c793251e2de54ca8649caec71e8f25a7af1
Instruction ID: 7faada2b7af69d785082c74700cf2970c19989e6a2e481a6fe3c5fc304c89cc7
Opcode Fuzzy Hash: d0753aadc19a9fae34bb60f9ec098c793251e2de54ca8649caec71e8f25a7af1
Instruction Fuzzy Hash: 62514B70E0A60E8FEB64EB94C4646EDBBF2EF58301F514179D009E72A1DF786A44CB60

Function 00007FFD9BAA21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63c24a04715cdbd3cecd9fdbc29e4e694c890f914d9d01e7fc42250255f4b68
Instruction ID: 5ac8f5ddff8e28194064bfa6ebc8326cf4f44cd246fbd0c94c706b4123ca2274
Opcode Fuzzy Hash: a63c24a04715cdbd3cecd9fdbc29e4e694c890f914d9d01e7fc42250255f4b68
Instruction Fuzzy Hash: BA417831B0EB8E0FE765D7B888751B8BBE1EF86310B0545FBE44CC71A6DE68A9058351

Function 00007FFD9BAA1150 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcbaf7a2bfd8bfaecc5341c35c33b6e814deb2ddccbf033cfe3aa8cbc96aa62
Instruction ID: 6db14c782c5bd03205adc1cfb291bc40596ed7fba3f7a022427642fdd3bc9d7a
Opcode Fuzzy Hash: 2bcbaf7a2bfd8bfaecc5341c35c33b6e814deb2ddccbf033cfe3aa8cbc96aa62
Instruction Fuzzy Hash: 3D31E230E1A64E5EEBA8EBA4C4786B97BE1FF2A304F01057ED01ED21E1DE646540C650

Function 00007FFD9BAA0A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262ae2f5201b6183d9590cc8d9d62cecce3d3c0841b4d1c438654d4a9931c256
Instruction ID: 6f27135bde92bb47aedceb2b133b933fa532fee85601f91b332bf38cce9b6943
Opcode Fuzzy Hash: 262ae2f5201b6183d9590cc8d9d62cecce3d3c0841b4d1c438654d4a9931c256
Instruction Fuzzy Hash: 6911C131F0A50E4FE7A0EBA8C8695BD7BE2FF58700F4245BAD41CC70A6EE74A6448710

Function 00007FFD9BAA3515 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f1db74fd1168ea3c0f62b85a5e6804482182891112418c7f087cc8d949350b
Instruction ID: 83442b1cd8a72ce2f88699d12fda7f110ece3151cf0a5007bbe39cd5ee425af0
Opcode Fuzzy Hash: a9f1db74fd1168ea3c0f62b85a5e6804482182891112418c7f087cc8d949350b
Instruction Fuzzy Hash: BB115E70E0A68E8FDB58EFA8C4696BD7BE1FF19300F4508BED419C71A1DB75A6408B10

Function 00007FFD9BAA28DD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4c500646f5c453f504088c5583ca6f71ed86e59961a9f067a6aeb7325f63c5
Instruction ID: 3ded79cce7d3b37bcd1098b7899650a17d08776c67ef8cd79e0298d79f8551f8
Opcode Fuzzy Hash: 3f4c500646f5c453f504088c5583ca6f71ed86e59961a9f067a6aeb7325f63c5
Instruction Fuzzy Hash: 4601BC31E0A64E4FE7A5EBB489A86B97BE1EF19300F0245B6D408C70B2EA74E254C710

Function 00007FFD9BAA342A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabd192d8a458538b4a0c57204d4d162202b51469f73e62546b35976b2ec81de
Instruction ID: e6733b2240aca13116c1bca929d1c5225646e6cb63de023a4cdafc686bb71d8a
Opcode Fuzzy Hash: aabd192d8a458538b4a0c57204d4d162202b51469f73e62546b35976b2ec81de
Instruction Fuzzy Hash: 12014F31E0A90E8FEB51EFA884585B97BE5FF18302F41497AD41DD31A5EB74A6808B50

Function 00007FFD9BAA2F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4f15d873071c9773a4180639eb5b999983628f330bb54767639d98901e2019
Instruction ID: 3b7350f6eae61afa8247f7390b751da38a075a065ea8c23e46f0d41564af46be
Opcode Fuzzy Hash: 3b4f15d873071c9773a4180639eb5b999983628f330bb54767639d98901e2019
Instruction Fuzzy Hash: 7201D870A0E78D4FD752A7B485695AD7BE1EF49300F0604F6C408C70B6DE74A5688711

Function 00007FFD9BAA05D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5e0b2825c017d8d5cc13a9b3aa01306072cb0e9aca35485b8c44242886765e
Instruction ID: 3d95f151886b0baa1aa5f8ab54816e7e522f9066a47b54256512b8f8febbe60a
Opcode Fuzzy Hash: cf5e0b2825c017d8d5cc13a9b3aa01306072cb0e9aca35485b8c44242886765e
Instruction Fuzzy Hash: ED018F30A0950E9FEBA8EF64C0686BA77E2EF69305F51447ED41EC21A0CAB5A640CB50

Function 00007FFD9BAA0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e01d2ce876eaa5f9492c93ce46bd1fd3502a6be947ba2037e4875bfd7a6263d
Instruction ID: 182e7e3622f03c3c628a2990cf1e55d98efd546f15988f4d1c66f4d06077e5eb
Opcode Fuzzy Hash: 7e01d2ce876eaa5f9492c93ce46bd1fd3502a6be947ba2037e4875bfd7a6263d
Instruction Fuzzy Hash: F1018630A1560E8EEB5CEBA4C5685B9B3A1FF1C305F11047EE41EC21E5DF75A550CA10

Function 00007FFD9BAA0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f768e2676e99f6ff5ffe4892855ac613aa8ba53427c3afa0d5df801546cc73
Instruction ID: 8b78f3f57fafc1ee481a31cb9f2017cc2dee86f1584563ceb692fc9979788a71
Opcode Fuzzy Hash: a6f768e2676e99f6ff5ffe4892855ac613aa8ba53427c3afa0d5df801546cc73
Instruction Fuzzy Hash: 6201D130A1560E8BEB68EFA4C5696B9B3A1FF0C304F11087EE41EC21E5DF75A660CA10

Function 00007FFD9BAA1D0D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa616c0138f359700deba7947ac53812264075277e65bce1b79e947fe9edfb0
Instruction ID: 4d9c85dac307004198261750a83117ec1cf51304ac8003a5d61a290bf9d76e5d
Opcode Fuzzy Hash: 1fa616c0138f359700deba7947ac53812264075277e65bce1b79e947fe9edfb0
Instruction Fuzzy Hash: 9F01F930A0A68E8FDBA9DF14C4652F97BE1FF66300F51007AD40CC71A1DBB5A550C750

Function 00007FFD9BAA0F00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91dd53e2764c0bff646656ebaf333ef4cb3c76dc3810774a0538f33829a01d81
Instruction ID: 603f8126875a6080de5c5a74e9d5481bbf5b9dfcc4524843372795f4c1e87c68
Opcode Fuzzy Hash: 91dd53e2764c0bff646656ebaf333ef4cb3c76dc3810774a0538f33829a01d81
Instruction Fuzzy Hash: C901B530E0950E8FE774DB54C850AEDB3B2EB50710F008279C40DA72A0CE7466498F94

Function 00007FFD9BAA27F9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e2fd273815d80df2d27adf33c4bfb85029c7e089116abe3631f66145101ce5
Instruction ID: 74d5bab669abd38b667f4e7951788319e3ad3889d6f976bb83eadbb2eac4ca01
Opcode Fuzzy Hash: f6e2fd273815d80df2d27adf33c4bfb85029c7e089116abe3631f66145101ce5
Instruction Fuzzy Hash: 97F0C23190E38D8FDB699FA089651E97F60AF1A200F4604BFE458C60E2DA78A918C711

Function 00007FFD9BAA286D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed320d0183d42c61a34730e277e2c031478eb1f6b5ece7ae36435751f2d53663
Instruction ID: 87e129b1f10c850b2fb6876a607ad22aee206b1c70b9ef89fe26ff8c7d43ecca
Opcode Fuzzy Hash: ed320d0183d42c61a34730e277e2c031478eb1f6b5ece7ae36435751f2d53663
Instruction Fuzzy Hash: D4F02431A0A78E8FEB689FA084241F97BA0FF19300F4200BAF818C11E5DF78E5608710

Function 00007FFD9BAA0F5F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd457bb471e43ff6077805471366db2f7261754bf9bf22a4be582814702511d
Instruction ID: d11433c420ec7386300f62497417b36f9ca6aa764464d349e0380d821c57c313
Opcode Fuzzy Hash: 3cd457bb471e43ff6077805471366db2f7261754bf9bf22a4be582814702511d
Instruction Fuzzy Hash: 23F0F430E0590E8FEB64DB48CC54FAEB7B1EB94315F108266D40DD7254DE745A858F94

Function 00007FFD9BAA663F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d59481e915d0eecf5c834ee0ee2b702a4409094ec294a6d9f951a1d898d9c13
Instruction ID: 76162520e2bcc56cd33a1618a191ef18b1d9e2d4e022b31df6635cd8498c1534
Opcode Fuzzy Hash: 6d59481e915d0eecf5c834ee0ee2b702a4409094ec294a6d9f951a1d898d9c13
Instruction Fuzzy Hash: E6E0BD30E0992D8EEBE4DB588C643A9B2B1EB18302F1140E9D40EE2290DE302A84AF10

Function 00007FFD9BAA11B6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1810552040.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_chainMonitor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7a1329a316df95cc09e4671272a661e2f9cbb4893fecbdc5abc1eec89c8701
Instruction ID: 599ba8b05d6e88bc2c3572b88ff5e902eef7d3ad762691f80cce70a9ced2864e
Opcode Fuzzy Hash: ac7a1329a316df95cc09e4671272a661e2f9cbb4893fecbdc5abc1eec89c8701
Instruction Fuzzy Hash: 32C08C30D2264E8FEB64EF90AC214FDB370FF48208F401172E42CE3092DFB026108680

Analysis Process: fontdrvhost.exePID: 3592, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAA42A1 Relevance: .9, Instructions: 854COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5111de4732edafc15721d671fb272522d12aa55bd7ab0bd049aeb1aeb73a08fd
Instruction ID: 01d3a4c7c99c2bfc4e2ce7c26c505c918f58ce2f3c24a1595a59d6850161deea
Opcode Fuzzy Hash: 5111de4732edafc15721d671fb272522d12aa55bd7ab0bd049aeb1aeb73a08fd
Instruction Fuzzy Hash: 2562C131A0E78E8FE7A59B6488292F97BE1FF19310F0501BFE458C61B3DE6866448752

Function 00007FFD9BAA3748 Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ded6dea1e41d1b07d7665599c6f719d66feceba60fcd6a33c9bb09b2805c76c
Instruction ID: 9fe92dc3b119ae50496fc1595ff3611347e2bfe0ccd7845ccfd4b0e14d13aca8
Opcode Fuzzy Hash: 9ded6dea1e41d1b07d7665599c6f719d66feceba60fcd6a33c9bb09b2805c76c
Instruction Fuzzy Hash: 4A52D430A0E68E8FEB95EB6488696F97BE1FF19300F0105BEE419C71B2DE78A544C751

Function 00007FFD9BAA3740 Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d4dfc8be574a1813d21368cb910e88c49603788a32e1366da8c99f1171044
Instruction ID: 2d37a1570df72796fffc987bfaf9786f0eb51d1a23d27e2160c6a021d1c72b14
Opcode Fuzzy Hash: 049d4dfc8be574a1813d21368cb910e88c49603788a32e1366da8c99f1171044
Instruction Fuzzy Hash: 2342D530A0E68E8FEBA59F6488252F97BE1FF19310F0501BFE458C61F2DE7866448752

Function 00007FFD9BAA4D2D Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b918f01cbf005eeb5cf061fc99855134d79a8b56746a7d29c4941966c1261446
Instruction ID: 22404f8382a9f73ce6d3f2a2e01cb2d935a74beb2d39a5a94c3dc221698f0115
Opcode Fuzzy Hash: b918f01cbf005eeb5cf061fc99855134d79a8b56746a7d29c4941966c1261446
Instruction Fuzzy Hash: A742B130A0A64E8FEBA4EB6888696FD7BF1FF19300F0145BED419C71A2DE74A544CB51

Function 00007FFD9BAA4409 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2521ebee44fb8653ef1fd757a971dba62b826e4c366ec5f85caa8c0104746db9
Instruction ID: a77ecfe8916b8d5431bdc379bbc56f2830b1e0afc0f3b53c48d28f97ee01c5f0
Opcode Fuzzy Hash: 2521ebee44fb8653ef1fd757a971dba62b826e4c366ec5f85caa8c0104746db9
Instruction Fuzzy Hash: 7A42D531A0E78E8FEBA59F6488252F97BE1FF19310F0501BEE458C61F2DE7866448752

Function 00007FFD9BAA5DE1 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03c3cdd0f3d5a9abc9061c357509a35e48b49177fd3b7f0da14ef14f23db216
Instruction ID: b5e54a9b4f35b854348becfb7a56d0183439c1f991203e614e5687dcefd49608
Opcode Fuzzy Hash: a03c3cdd0f3d5a9abc9061c357509a35e48b49177fd3b7f0da14ef14f23db216
Instruction Fuzzy Hash: AAF1F430A0A64E8FEBA8EB64C8696B97BF1FF19300F0145BED41DC71A2DE746644CB41

Function 00007FFD9BAA6C40 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69507741cf6c2afb9d1483196b016afee6b4d1211ee550a48974ea7ab3d65514
Instruction ID: 5904b5dbb416b0cf2b764bb110595d83d87c2ea37542948a580317593c6c552b
Opcode Fuzzy Hash: 69507741cf6c2afb9d1483196b016afee6b4d1211ee550a48974ea7ab3d65514
Instruction Fuzzy Hash: 58D1143090E78A4FE766DB68C8655A97FF1FF16300F0641FBD458CB0A3DA686648CB61

Function 00007FFD9BAA7521 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec6a57113705f32bcf66b5ab9b1073b38d18ac81435f1a06ac205f36a5d8157
Instruction ID: 99974c7129d122d9a136e53dfa0048c171db1df8392ed21c14aacdf324a04a00
Opcode Fuzzy Hash: 6ec6a57113705f32bcf66b5ab9b1073b38d18ac81435f1a06ac205f36a5d8157
Instruction Fuzzy Hash: ECA1A330A0A64E8FDB55EB64C8686FE7BE1FF19300F0545BAD419C71A2DF78AA44CB11

Function 00007FFD9BA93595 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3a0abd6993b6fb98a65662ebb8308e006ab26215a53d803f137ecc14a4c821
Instruction ID: b619b2fb713518d947f214d630a7461ebd09bdde28bc1eeefdc4ae16ac12689c
Opcode Fuzzy Hash: cf3a0abd6993b6fb98a65662ebb8308e006ab26215a53d803f137ecc14a4c821
Instruction Fuzzy Hash: 12A19272A1994E8FEB98DB68C8657AD7BE1FF99314F50417AD01DC72D6CBB42801CB40

Function 00007FFD9BAA11B2 Relevance: 2.5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9BAA11BC
/, xrefs: 00007FFD9BAA198A

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: !$/
API String ID: 0-2633443642
Opcode ID: 73b88585df990de86deeaec5219026b8b66dc84a08460b270a21e8120d513a37
Instruction ID: 9b99e09192ceef221ed33092334529608fc34b9cb805f3150ccd9019b10b15de
Opcode Fuzzy Hash: 73b88585df990de86deeaec5219026b8b66dc84a08460b270a21e8120d513a37
Instruction Fuzzy Hash: E5111F70D0562DCBEB28DF94C8A47EDB3B2FB55301F0546A9D40EA7290CB745A85CF50

Function 00007FFD9BAA3AFB Relevance: 1.7, Strings: 1, Instructions: 415COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD9BAA3B01

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: O_^
API String ID: 0-2524604163
Opcode ID: f30b0ca8dd1df93bbfa9fdfbc8fb5869e329aac3335842a9a28648c5f9f56d30
Instruction ID: 2502a98494afd8fa50193b4476eb1f5a30793104ef30e004c10f3873160d1f2a
Opcode Fuzzy Hash: f30b0ca8dd1df93bbfa9fdfbc8fb5869e329aac3335842a9a28648c5f9f56d30
Instruction Fuzzy Hash: 59F1FD70E0961D9EDBA4EB98C8657FDB7F2FF58301F0141BAD00DE32A1DA746A848B50

Function 00007FFD9BA9C75D Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

[}O, xrefs: 00007FFD9BA9C75F

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID: [}O
API String ID: 0-927243165
Opcode ID: 09df804b5876b873b0c4d44e6b29755de3bc225414255697196bc72e99efbc95
Instruction ID: dd4cf0bc77ef5d08950094a0ad88feeb03a90daba25737ceae46aea90af6d1f5
Opcode Fuzzy Hash: 09df804b5876b873b0c4d44e6b29755de3bc225414255697196bc72e99efbc95
Instruction Fuzzy Hash: 5281172770C92A4AE325B7ACB8655FD3740DF9533AB0902B7E588CD0E7EE1C2586C2D4

Function 00007FFD9BAA4498 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161b4db4e73320638101651c658a3bc2d27f614b72d9c07d9d565f548b4505fa
Instruction ID: cde47cb39e4111a30f66bbbb6c949bedd3cdbdd2bd21bde2fe529e86326fd014
Opcode Fuzzy Hash: 161b4db4e73320638101651c658a3bc2d27f614b72d9c07d9d565f548b4505fa
Instruction Fuzzy Hash: 6232D531A0E68E8FEBA59F6488252F97BE1FF19310F0501BFE458C61F2DE7866448752

Function 00007FFD9BAA4659 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f787f1d823cd9531b92231bbc08e2e7b92a80510716bd2ed8055680d925d7dc
Instruction ID: 6529c4019a099b5815bad46ac6d4961988a2c71fda4457172fc91f52e1cd8f97
Opcode Fuzzy Hash: 5f787f1d823cd9531b92231bbc08e2e7b92a80510716bd2ed8055680d925d7dc
Instruction Fuzzy Hash: 5502E531A0E68E4FEBA5DF6488292F97BE1FF19310F0501BEE458C61F2DE7866448752

Function 00007FFD9BAA3770 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d701c0589f456376b0a4185b502501da867cc47cfbad997c8d14530265c1f800
Instruction ID: cfa8b2df843bda6bd8a4566c3b50ba4b58d04132fd16e92184830d4cd5a03ef1
Opcode Fuzzy Hash: d701c0589f456376b0a4185b502501da867cc47cfbad997c8d14530265c1f800
Instruction Fuzzy Hash: C802D631A0E68E4FEBA5DF6488292F97BE1FF19310F0501BEE458C61F2DE7866448752

Function 00007FFD9BAA7BAD Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a728dee42d498a7d3e58658d8b58c3b842efe09e84faa07f4494b50d11792fac
Instruction ID: 101991a93341955168082a578f621aff2a118a55168af42a79db830e82486eae
Opcode Fuzzy Hash: a728dee42d498a7d3e58658d8b58c3b842efe09e84faa07f4494b50d11792fac
Instruction Fuzzy Hash: 9351B43094A28E4FDB5AEF7488695FA7BB1EF06304F0104BFD419C70E2DA796A45C751

Function 00007FFD9BAA4E60 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0815edc5b6cf962a99aa72226ce7872a06e84939b0b0b5c6dfa189ed38e39abe
Instruction ID: bc5d878a61829f92b1e51c43a9c1bb9dc273d49ea1a6445535508c3c6d09474a
Opcode Fuzzy Hash: 0815edc5b6cf962a99aa72226ce7872a06e84939b0b0b5c6dfa189ed38e39abe
Instruction Fuzzy Hash: 5902A330E1E68E8FEBA4EBA888656FD7BF1FF15300F4101BAD418D71A2DE7865448B51

Function 00007FFD9BAA46E8 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29a5b66149d4e6ff631ec1bb85571cb4e6484f6ca29c57a9053c6a95994f2f7
Instruction ID: a6909d0163f6a7eae1649868954416104fb4ab74d5f93647de12e09eeafb414d
Opcode Fuzzy Hash: b29a5b66149d4e6ff631ec1bb85571cb4e6484f6ca29c57a9053c6a95994f2f7
Instruction Fuzzy Hash: F702E731A0E68E4FE7A5DF6488292F97BE1FF19310F0501BEE458C61F2DE7865448752

Function 00007FFD9BAA3383 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb179069512ac26caf7f7c2034e3db0a8bd825cd818818e1017eec683290020
Instruction ID: 28a29b0b9dbf1a87e391672073f520e223aecc55afefbfa4eac9b267a7c0c930
Opcode Fuzzy Hash: 7cb179069512ac26caf7f7c2034e3db0a8bd825cd818818e1017eec683290020
Instruction Fuzzy Hash: D4119431A0E68E4FE752EB6488695AA7BF1EF16300F0544B7D058C71B3DA74A5048751

Function 00007FFD9BAA4789 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3974b72c8998f0266efe208148b86b63c11676f9b1f85adfbef586f92abf84b1
Instruction ID: 3f13e42c2667f11524eb4b828009a9c8005b5fc0ebc40140cd48c2ebda73b879
Opcode Fuzzy Hash: 3974b72c8998f0266efe208148b86b63c11676f9b1f85adfbef586f92abf84b1
Instruction Fuzzy Hash: 06E1F631A0E68E4FE7A59F6488692F97BE1FF19310F0501BEE858C60F3DE6866448752

Function 00007FFD9BA9D959 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec386a8cedeef4321929e595ce18c54b202129f357856e598ed64acd06f6d148
Instruction ID: 59bedc10c066b3ec44e0ecd38d86dff523f48197015ab9edd1183fed5b917b24
Opcode Fuzzy Hash: ec386a8cedeef4321929e595ce18c54b202129f357856e598ed64acd06f6d148
Instruction Fuzzy Hash: 09E16D71E19A5D8FDB68EF98C4647ACB7B1FF58300F4041BAD04DD72A2CA746980DB40

Function 00007FFD9BAA4828 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e892a6378c77f5f1f5ebf49a9433943c89ef905b8b8a934d25d65398668947f
Instruction ID: 14705e0297f9fcacaf87399e5c9901a7f6a6d16a9ac7a9273ed184a6642feff8
Opcode Fuzzy Hash: 3e892a6378c77f5f1f5ebf49a9433943c89ef905b8b8a934d25d65398668947f
Instruction Fuzzy Hash: 76D1F631A0E68E4FE7A59F6488792F97BE1FF19310F0501BEE458C60F3EE6866448752

Function 00007FFD9BAA7260 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110fc1a1f73c95691b39a883000cd1e6cf3d1d9d17052cc7834a43b45add3d07
Instruction ID: 60d3d8ed0858dedbc7dedc5dd862258ffaf7189f1692528d294a83edda11ca1c
Opcode Fuzzy Hash: 110fc1a1f73c95691b39a883000cd1e6cf3d1d9d17052cc7834a43b45add3d07
Instruction Fuzzy Hash: 71A1A631A0E68E4FE752EB7488695FA7FF1FF06310F0644B7D448C70A2DA68AA44C761

Function 00007FFD9BAA5150 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9ccd500a27f049596ba755eca8fc72b59b2f90da4cd268898c0fcd4a5e7da2
Instruction ID: b4381a1bfb5dba95ecc7e8086d8f69e25125b46984ba45366dae9db05474b7ea
Opcode Fuzzy Hash: 1b9ccd500a27f049596ba755eca8fc72b59b2f90da4cd268898c0fcd4a5e7da2
Instruction Fuzzy Hash: D2A18130E19A4D8FDBA4EBA8C8656BDBBE1FF58300F41007AD40DD71A2DA75A944CB51

Function 00007FFD9BAA4948 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd95f8552eb13d85c50d70618273cc50054901bccf599de45b4784c80fe6920
Instruction ID: b4c9a57c7c12c2d1fb98a7c42a48e914282abb6263abaca06f8b3356587c18e9
Opcode Fuzzy Hash: 6cd95f8552eb13d85c50d70618273cc50054901bccf599de45b4784c80fe6920
Instruction Fuzzy Hash: 97A1E531A0E68E4FE7A59B6488792F97BE1FF19314F0501BEE848C60F3EE6865448752

Function 00007FFD9BA91718 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00a1098f28891ee86854d3adab343ebe367ad46b5673716c3915ff8c848b9e6
Instruction ID: 212938577c69ffe07a41cc91680be6c0ab99eb960d0037c1aef9ad73088cda51
Opcode Fuzzy Hash: e00a1098f28891ee86854d3adab343ebe367ad46b5673716c3915ff8c848b9e6
Instruction Fuzzy Hash: 9E81DF31B1DA4D4FEB58DF5C88615A977E2EFE8300B15417AE45EC32A6DE74AD02C780

Function 00007FFD9BAA49F9 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46f5d2fdff6e6d6e8e22a2a80a943975b0ac166c71881735176d70fb09323ef
Instruction ID: a21c42c41366486b4a6e2f5d3d99c5a1d50c160c5056484c52815beaef0137c4
Opcode Fuzzy Hash: c46f5d2fdff6e6d6e8e22a2a80a943975b0ac166c71881735176d70fb09323ef
Instruction Fuzzy Hash: 5381F231A0E68E4FE7A59B6448392F97BE1FF15310F4541BEE84CC60F3EEA866448752

Function 00007FFD9BAA26B4 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68787867b63e3cecf3d08130edbfdeba513a6d94785133a1c7ae7909b53c6c6b
Instruction ID: 03b8effb54423cd534e7560731d2f1e682dc70be8ad77182234f3f383b39c3bd
Opcode Fuzzy Hash: 68787867b63e3cecf3d08130edbfdeba513a6d94785133a1c7ae7909b53c6c6b
Instruction Fuzzy Hash: 4881D130A1A78D8FDB59EBA4C8656FD7BB1FF19301F0501BAE409D71E2CA78A940CB51

Function 00007FFD9BAA37C0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43bb0d206febe7b9f5229fae79acd6b266d10550f0fca59150ecdb896113d63a
Instruction ID: 94f8801a840602fe72f58eb7c8348e796cbbf8f9b023e7bf380bf529088ea746
Opcode Fuzzy Hash: 43bb0d206febe7b9f5229fae79acd6b266d10550f0fca59150ecdb896113d63a
Instruction Fuzzy Hash: 1681F231A0E68E4FE7A59B6448392F97BE1FF15314F0541BEE84CC60F3EEA866448752

Function 00007FFD9BAA6FED Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b98f0d636735ce53d7ea00e6a16a3b483d76d856d0eec3e65b8fd93c5bba0d
Instruction ID: b8c0fab5c83931a89da4052491c4a055681fbc2a86470c8b5ff8b46fa5c528f8
Opcode Fuzzy Hash: 34b98f0d636735ce53d7ea00e6a16a3b483d76d856d0eec3e65b8fd93c5bba0d
Instruction Fuzzy Hash: F671A030E0A64D8FEB64DF94C8646FE7BF2EF59300F11417AD009D62A6DA786A448B90

Function 00007FFD9BAA4A78 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd72f67cddeb2ed1f9bf9693535079fad7c6e3e20093ae2ba64fb4a09af6ff5
Instruction ID: 1b8be2fba6bc23809ccc688b1b06c429549e2b28e851367bfec655dc568bd8e9
Opcode Fuzzy Hash: 8cd72f67cddeb2ed1f9bf9693535079fad7c6e3e20093ae2ba64fb4a09af6ff5
Instruction Fuzzy Hash: D561E431A0E68E4FE7A59B6448392F97AE1FF15314F0541BEE84CC60F3EE6866448752

Function 00007FFD9BA9C119 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bec7c9790931dc98c79e5ded0bbcbf0043e5df07656e7c9dd5c632d12b174b8
Instruction ID: 728ddbe6fffb5322367d9562bbe3b2937f3bc7840d1ee6c80460ce7a4e8eb5fd
Opcode Fuzzy Hash: 8bec7c9790931dc98c79e5ded0bbcbf0043e5df07656e7c9dd5c632d12b174b8
Instruction Fuzzy Hash: C9616C30E09A5D8FEB64EBA8C8656EDB7F1FF59300F51017AD00DD32A2DE786A419B44

Function 00007FFD9BA91D8D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cd08e8d71847e21aba834fa4e6edd04d9b3bb48afa5c3bd3a8b58f210cb8fe
Instruction ID: c824deb4d5c2d057edaa1767b1dfbfd55a6090d4ea33298c685dc2915d8f9293
Opcode Fuzzy Hash: 75cd08e8d71847e21aba834fa4e6edd04d9b3bb48afa5c3bd3a8b58f210cb8fe
Instruction Fuzzy Hash: 6E51DD31B18B4D4FDB58DF4888A45BA77E2FFE8310B15467EE45AC7296DE74A8028780

Function 00007FFD9BAA6030 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab9e7e283fc26b8d1e3d4188259949f7de6901c104d97a272586da71387eb32
Instruction ID: 278bd0db963b5fd012ffe347229b0930073bfd3d5636a67af7e5e7b14792252e
Opcode Fuzzy Hash: 5ab9e7e283fc26b8d1e3d4188259949f7de6901c104d97a272586da71387eb32
Instruction Fuzzy Hash: C9616130E0A65E8FEBA49B6888657B97BB1FF05300F0141BAD45DD31A2DF786A84CF51

Function 00007FFD9BAA4AF8 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1417ac8e6918bbeaa9d13c521762544cf346bfa8b36125f1a5aee94cde50230
Instruction ID: 7f3225ed6edb960a16e81d75644ac75d56f811a3a4b3accb4c9fac1456a53fe6
Opcode Fuzzy Hash: e1417ac8e6918bbeaa9d13c521762544cf346bfa8b36125f1a5aee94cde50230
Instruction Fuzzy Hash: 5F51E731A0E68E8FEBA59F6488392F97BE1FF15314F0501BEE45CC60F2DE6866448752

Function 00007FFD9BAA3738 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9235efd1d8c34c42a5ee5ca2407162494da88ce98ee65029c641e3775a4ec48b
Instruction ID: 33cb732403856575332a09eb06236adcb3a9e52a3b3ce3aeb69e167b5c59e765
Opcode Fuzzy Hash: 9235efd1d8c34c42a5ee5ca2407162494da88ce98ee65029c641e3775a4ec48b
Instruction Fuzzy Hash: 5151DF30A0E64E8FEBA9EB6488656B97BA1FF18300F0145BEE41DC60B2DE7966448751

Function 00007FFD9BA931F1 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a606b86825b2c77fe3afb244aa2748f2e1b62af6f573c501420477d051ed0d58
Instruction ID: 3f6e83d5c315ce7bb11dbcfaf7c15c68deb30c8e9d671cddb6d528fa31966a51
Opcode Fuzzy Hash: a606b86825b2c77fe3afb244aa2748f2e1b62af6f573c501420477d051ed0d58
Instruction Fuzzy Hash: 3C515B71E0A60E8FEB68DB98C4A46EDBBF1EF58311F514079D009E72A1DB786A44DB40

Function 00007FFD9BAA52B0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf8b151f2f1aab486692200dfe12ebeeb30e75d84027dd4eac75ec03fcf0117
Instruction ID: 35ff79edcbc1c8457ae3a909ee56d39fffabd24bc8df1b346d30c46c0ee3c2f1
Opcode Fuzzy Hash: ccf8b151f2f1aab486692200dfe12ebeeb30e75d84027dd4eac75ec03fcf0117
Instruction Fuzzy Hash: EB512E70E19A1D8FDFA4EB98D865BADB7F2FF58301F40007AD00DE3292DA7569818B54

Function 00007FFD9BAA2911 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe95710f9bcca28adaaeaa44c2385dfd92b6d334381890d71700c3e021eebb
Instruction ID: 67e81fdfbb25c3d16a09e7fd8debbc330b0a42216536df076675493255b3dbe3
Opcode Fuzzy Hash: c1fe95710f9bcca28adaaeaa44c2385dfd92b6d334381890d71700c3e021eebb
Instruction Fuzzy Hash: 86519030E0964E8FEB61EBE8C9686ED7BF1FF09300F01457AD019D71A6DA78A654CB10

Function 00007FFD9BA9AE5A Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdeef6a4dab06ce5c17ee5f9993c35a50273c960545f241063aee42cb7f14bd7
Instruction ID: e2ba12486e6e0da6511fd8d263bcee375b79aa01a9f8cd6d0bf8adbdae0711ed
Opcode Fuzzy Hash: cdeef6a4dab06ce5c17ee5f9993c35a50273c960545f241063aee42cb7f14bd7
Instruction Fuzzy Hash: 41412675F0A91E8FE761EBA8C8695E877E0FF55300F0549B7C018C70A2EE74AA09C381

Function 00007FFD9BA921A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bafb6797cac42deee08754304ba54fba48eab10c6a69a1dfad686aac2907824
Instruction ID: b38a0fa4d65bf49dd7f18f20825a1dfc2956528789b97038a1228776126d2e92
Opcode Fuzzy Hash: 9bafb6797cac42deee08754304ba54fba48eab10c6a69a1dfad686aac2907824
Instruction Fuzzy Hash: B9414931B0E78E0FE769D7B888655B97BE0EF86310B0545FBE44CC71E6DE68A9418341

Function 00007FFD9BAA6E50 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30695e0c509df1fb34e1004b40e19281bb01c7ab9521665d2d4fecc0aefae153
Instruction ID: 13f4a229a887d307d5d7912978060819ea2c1dabd6174b92fde3ba7de789aa26
Opcode Fuzzy Hash: 30695e0c509df1fb34e1004b40e19281bb01c7ab9521665d2d4fecc0aefae153
Instruction Fuzzy Hash: 9841F931A1E68E4FEB759F6848351BD7AE1FF15310F0500BED858C60E2DE645548CB51

Function 00007FFD9BAA4B88 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d80f43a2d00c215de5ef1e26f9826db33fd93b7a78df08dd348bf699d3cdba
Instruction ID: e65b5cf72a8b972d0f52b40910e138589cda4c6ba9534e7b97911be9a85f978d
Opcode Fuzzy Hash: b7d80f43a2d00c215de5ef1e26f9826db33fd93b7a78df08dd348bf699d3cdba
Instruction Fuzzy Hash: 1941F731A0E68E8FEBA59F6488352F97BE1FF15314F0501BEE45CC60F2DEA866448752

Function 00007FFD9BAA2A5A Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd10c20517a051278aadc87ee6a7f83eb7466d7123ead33777db40b44d3aa124
Instruction ID: 0484e6b0b47fb3ef056799dc2050cf92c2b3ab823994fd0af8ef1c87288bdd0e
Opcode Fuzzy Hash: fd10c20517a051278aadc87ee6a7f83eb7466d7123ead33777db40b44d3aa124
Instruction Fuzzy Hash: 7951B970E15A1D8FDBA4EB98C8557ACB7B1FF58300F4041A9901DE3292DF746A84CF01

Function 00007FFD9BA91150 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a16dd4f45bec0ee3959b29f98503c8a40908ecc60337462707b2f60197f37ae
Instruction ID: b984b2f832f17bab9208c93914c40e641bc1b0dae62272cabd7abfffe4692bba
Opcode Fuzzy Hash: 5a16dd4f45bec0ee3959b29f98503c8a40908ecc60337462707b2f60197f37ae
Instruction Fuzzy Hash: 2531A030E1A64E5EEBA9EBA8C4686BA77E0FF29304F11057ED01ED21E5DE6566408640

Function 00007FFD9BAA22B1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a83a54de4b98c00c0c27018b27552308aa11802d1b3806853277b78ba4ca6a
Instruction ID: 6cfd3a023343133fa4953c036ac446643ddcf3918de1b09e0cc5acbe106bc0ea
Opcode Fuzzy Hash: e8a83a54de4b98c00c0c27018b27552308aa11802d1b3806853277b78ba4ca6a
Instruction Fuzzy Hash: E321FF3094E3C94FD716ABB088755E57FB0AF17200F0A45EFD48ACB4E3CA696656C362

Function 00007FFD9BA9B7E1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3276ab9c94ec2465ca1dd421d6b771d3a2ed356b8e5354fad686e79de7f9b74c
Instruction ID: e6b976eebea0be580cb6f24bb302c89f1ecb69de53e09ac6a7f1710fe3bed375
Opcode Fuzzy Hash: 3276ab9c94ec2465ca1dd421d6b771d3a2ed356b8e5354fad686e79de7f9b74c
Instruction Fuzzy Hash: D8215C31E0A62D8FEB64EB44C890BE9B3B1FF5D310F5142A6C00DD62A5CB349A85CF41

Function 00007FFD9BA90A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db7da003136c3e92063c9698bff214d577f69181e5d9075162a2d164aaffa76
Instruction ID: 91d0ca49bddfdf7ad40b1bf768e29c45ca1e43d54fcf75133bfc88cf363dad72
Opcode Fuzzy Hash: 1db7da003136c3e92063c9698bff214d577f69181e5d9075162a2d164aaffa76
Instruction Fuzzy Hash: 75110431E0950E4FEBA4EBA888991FD7BE0FF18740F4245B6D41CC70B6EE74A6409740

Function 00007FFD9BA9BDF2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5009ec993ef8cdba211d9b1f14774dcdaf10ec8c530e9058987ca4f7f48097
Instruction ID: e2df80e70547c035ea11f1aa85c05eb6af8d26ac6319d235f3202ac77ed17dc3
Opcode Fuzzy Hash: 9c5009ec993ef8cdba211d9b1f14774dcdaf10ec8c530e9058987ca4f7f48097
Instruction Fuzzy Hash: F321A370E0562D8FDF64DF94D894AECB7F1FF58311F41012AE409E6291DBB86944DB40

Function 00007FFD9BA9BC35 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be9237830d7d09b36ae256c63779c03f24221ae654599947dd1ea05f8eecc0e
Instruction ID: fa60c1543c11605206b2bca89aa5c831249a83427abd96ddf5ba221af5807e05
Opcode Fuzzy Hash: 4be9237830d7d09b36ae256c63779c03f24221ae654599947dd1ea05f8eecc0e
Instruction Fuzzy Hash: EA118230A0954E8FEB58EF64C4A82BD7BE0FF18301F4104BAD41DC61A1DE75A640CB00

Function 00007FFD9BA9C940 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e109658e7ec79da38512112a29829c6c78b6840dbf3921ce7523fcbd69419c
Instruction ID: 596961adb78011b201093ad50dfc49180e3e01ba1f4d25108ff2ede6b37a20db
Opcode Fuzzy Hash: 97e109658e7ec79da38512112a29829c6c78b6840dbf3921ce7523fcbd69419c
Instruction Fuzzy Hash: 2C118230A09A4E4FDB55EB6888695FD7BB0FF19304F0504BBD41DCB0A2EE785640C751

Function 00007FFD9BA9C095 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199076248859bcfdf74f5e01c72a71e45e52d247cf59c309e8d959b4514d939a
Instruction ID: 3b33d8b6fb2f460f60c8db460ecaa5eb97bd7d36cd80c89ad276b50e58e1a90a
Opcode Fuzzy Hash: 199076248859bcfdf74f5e01c72a71e45e52d247cf59c309e8d959b4514d939a
Instruction Fuzzy Hash: 43118E30A09A4E9FEB98EF64C4692BD7BE0FF18305F0104BAD419C21A2EE79A640C700

Function 00007FFD9BA93515 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ff9377696e2e538599685af2a320e59dfec05f329cdde64f959b6c5daa35ab
Instruction ID: 7fdb87dc3d4479f28dcfd1697f02537f652264cce08fd1dca89df650bf2a70da
Opcode Fuzzy Hash: 63ff9377696e2e538599685af2a320e59dfec05f329cdde64f959b6c5daa35ab
Instruction Fuzzy Hash: F2113C70A0A68E8FDB58EF6884696B97BF0FF18304F4104BED419C61A1DA75A6409700

Function 00007FFD9BAA2C2E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa19e3b9b604b914cad2257349c239fe7d63cbdeadb7ecac565e7c86174d6a41
Instruction ID: 42962a8b1d1bfdf3fb4adfcd40232afe69808370acda5b7b187bd73b0915c117
Opcode Fuzzy Hash: aa19e3b9b604b914cad2257349c239fe7d63cbdeadb7ecac565e7c86174d6a41
Instruction Fuzzy Hash: AE115870E1891D8FDBA4EB98C8557FDBBB1FB58301F0141B9801DE32A1DAB45A809F40

Function 00007FFD9BA928DD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59797f959d5328af4814bf2cce2a1763409fdf00164dd26eaaa0c26753446855
Instruction ID: 0ff53dfa4b5392a60554ea05f14c2a3c5fad428ce077a6908d406e265336207a
Opcode Fuzzy Hash: 59797f959d5328af4814bf2cce2a1763409fdf00164dd26eaaa0c26753446855
Instruction Fuzzy Hash: 89017131E0A64E4FE769EBB488986B97BE0EF19304F4245B6D408C70B6EA74E644D701

Function 00007FFD9BA9AA59 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8fbbfb506baea2d39d91105de56a70485538012b121c5f90c5734eba7f36be
Instruction ID: e9252876b432374f7ba3762eb4b6e4b121595008855a5a0c49e7d0df10f37695
Opcode Fuzzy Hash: fb8fbbfb506baea2d39d91105de56a70485538012b121c5f90c5734eba7f36be
Instruction Fuzzy Hash: 1801F730A0E24E4FE766EBB8C9691A97FE0EF19300F4648F7D408C70B2EA78A5449701

Function 00007FFD9BA9342A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3d2770167db0d3907157cd452b8c49a519a5335ce9bde7670ac822c0014b29
Instruction ID: 6e7e9ded61f29c7777abd9c12732c1b47f01bedeb2cc78ed32cc3de1399e12fb
Opcode Fuzzy Hash: 6a3d2770167db0d3907157cd452b8c49a519a5335ce9bde7670ac822c0014b29
Instruction Fuzzy Hash: 13018F34E0990E8EEB51EF68C4585B97BF0FF58302F424976D41DC31A5EB74A2809B40

Function 00007FFD9BA92F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02ece0885a9efb688647f1cc9ef384dc423f50733ec8e720f5fae16e001e34b
Instruction ID: a2e095baa1b4cb98f8c45e05114387de8241bbcceef954a208b1eab9946f1e67
Opcode Fuzzy Hash: b02ece0885a9efb688647f1cc9ef384dc423f50733ec8e720f5fae16e001e34b
Instruction Fuzzy Hash: 6601D471A0E78E4FE766E7B488695A97BE0EF4A300F0604F6C40CCB0B6DA78A558C701

Function 00007FFD9BA905D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676d0448fcc460a53ced18b9a60f8bb27b38bb6ea423c1033fea6d2e930d21fe
Instruction ID: e6f00e383380108189b9eb72eedd375c7bd84a27cbf84fc51466ca1fa3e63e4d
Opcode Fuzzy Hash: 676d0448fcc460a53ced18b9a60f8bb27b38bb6ea423c1033fea6d2e930d21fe
Instruction Fuzzy Hash: E6018430A0550E9FDB98EF64C0646BA77E1EF68305F51447DD40EC21E4CA75A640DB40

Function 00007FFD9BA90610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd971088d303de723bd66b583a799a6a8671400a4711d6b37c943ba6f1c603b
Instruction ID: bfaf6f38cae9627c49f2030598b91a60460cf020a68d80b5bc9ec417e002f885
Opcode Fuzzy Hash: 1fd971088d303de723bd66b583a799a6a8671400a4711d6b37c943ba6f1c603b
Instruction Fuzzy Hash: F9018130A19A0E8EEB6CEBA4C4686B973A0FF18305F11487ED41EC21E5DF75A690CA00

Function 00007FFD9BA90608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a335c37787d06d1bbb1b6352e5b939f2338b2407983bd1363981b8b6826258d
Instruction ID: 9a00422c8ad61ebd6a37fe114c362ac4b7c2f84e4a6e3610191bc6b3e131934d
Opcode Fuzzy Hash: 8a335c37787d06d1bbb1b6352e5b939f2338b2407983bd1363981b8b6826258d
Instruction Fuzzy Hash: EC018130A1960E8BEB6CEFA4C4696B973A0FF18305F5188BED41EC21E5DF75A654CA00

Function 00007FFD9BA91D0D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f4473ff746decdbc564d63ea2c0a97c832542c8b3be2c35ebfc061b74ec740
Instruction ID: 62d840432e775416bbacc4e058181493dbea3277edd5a537801c588850add6ec
Opcode Fuzzy Hash: c9f4473ff746decdbc564d63ea2c0a97c832542c8b3be2c35ebfc061b74ec740
Instruction Fuzzy Hash: 5701D630A0A68E8FEBA9DF1484652B93BA0EF65304F51007AD40CC61E1DAB5A654D740

Function 00007FFD9BA9AAC5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4bebc5b06982afd3f4aed6f250d1d105e4fe3c7b391bb4467908279ded7173
Instruction ID: 141e0d8b269af470b312446cdc5506098b127466bc347bc3d02ba74ff98656ca
Opcode Fuzzy Hash: 3a4bebc5b06982afd3f4aed6f250d1d105e4fe3c7b391bb4467908279ded7173
Instruction Fuzzy Hash: 77F02825A0F38E4FE322EB7899B11E97FA09F82225F0A45F7C088CA4E3D96C5449D310

Function 00007FFD9BAA4CA9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e212c834141826b5b760004d2927656fa899d8de6061c186b9d0210ddcc5e67d
Instruction ID: f8a87545a280731f64c7493827355d2205e25791e66f67120472f65ddff92a35
Opcode Fuzzy Hash: e212c834141826b5b760004d2927656fa899d8de6061c186b9d0210ddcc5e67d
Instruction Fuzzy Hash: 22F02D71E0F68E46FBA49F6448352B97AD1FF15304F0501BDF45CC21F2DEB525548251

Function 00007FFD9BA90F00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8862a6360a5c801d5593583b9d8091b25c523ff9e7042875dd7ae564e1a0061b
Instruction ID: f18820b5b88fc432eac32052fa1c7ce79519c296ce661f6be8a90c370717b5fd
Opcode Fuzzy Hash: 8862a6360a5c801d5593583b9d8091b25c523ff9e7042875dd7ae564e1a0061b
Instruction Fuzzy Hash: 9B01B130E0950E8FEB74DB44C860AEEB7B1EB50715F008279C41A972A4CE746A49EF88

Function 00007FFD9BA927F9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7fa8c788c2f216bd6b072e09acece21ce301150b492378e47e7ad55931001f
Instruction ID: d2f37e2a72f1ea2cc3706f318ad5e3c614218685defc43076d45721ea19336d4
Opcode Fuzzy Hash: cd7fa8c788c2f216bd6b072e09acece21ce301150b492378e47e7ad55931001f
Instruction Fuzzy Hash: CAF0C23190E38E8FDB699FA088651F93F60AF16204F4644FBE448C60E2DA78A908D701

Function 00007FFD9BA9BD46 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1782aaffd6152c93e65dba499fb07e1fb604e184d571e6b8da3a53efbeb59a
Instruction ID: e928d6fd23f20cac5dd52965de4221632eea7009c2d23580eb768c88dc3c30e8
Opcode Fuzzy Hash: 5c1782aaffd6152c93e65dba499fb07e1fb604e184d571e6b8da3a53efbeb59a
Instruction Fuzzy Hash: 8501E470A0562D8FEF60DF84C8A47ECB7F1FB18701F11022AE409E7290DBB86A44DB40

Function 00007FFD9BA9286D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fb960cc36176aabc98e6ba92865ee53cfac1b96e193a0b6a131d18b1b77ef5
Instruction ID: e5eac3b6e5bbd01919b99af0d7e5f1436d675dec46152ab42c4f9b444c3d9610
Opcode Fuzzy Hash: 76fb960cc36176aabc98e6ba92865ee53cfac1b96e193a0b6a131d18b1b77ef5
Instruction Fuzzy Hash: 05F0243190A78E8BEB6C9FA084641F93BA0FF15300F4240BAE418C11E5DF78E5448700

Function 00007FFD9BA923A5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac47bdc71e758d366e5fe40b93aa0017f0ca2d14ff692d2d4873676f49881aa
Instruction ID: 6fe5e56d6421a49751de52e2e459ba748abdee4e49a89d1c69e3d184c1ae1e64
Opcode Fuzzy Hash: eac47bdc71e758d366e5fe40b93aa0017f0ca2d14ff692d2d4873676f49881aa
Instruction Fuzzy Hash: D5F0D030A0961DCBE7B8DF94CCA47E972A1FB55320F5142B5C45DD22E1DFB86A88AB00

Function 00007FFD9BA90F5F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3489c0ae1c361e77cb0ceec07d6095f4b94c4f419a2944a5ad6b4956fd0a8a
Instruction ID: d39502076a521db1b214e1270e031b6127225ba5647be3a9bcda201f854cb93a
Opcode Fuzzy Hash: 2f3489c0ae1c361e77cb0ceec07d6095f4b94c4f419a2944a5ad6b4956fd0a8a
Instruction Fuzzy Hash: 49F05E30E0590E8FEB60DB48CC50FAEB3B1EB94315F008266D409D3294CE786A85CF84

Function 00007FFD9BA92422 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bd504af1a47655b9ab914b532e4a50f3bf3bc7f44986f610f89b2ce44f040d
Instruction ID: ca31a785ca8f38eb3ca9748132c07d5b69441707168309f58e1ec72df35bc00f
Opcode Fuzzy Hash: 94bd504af1a47655b9ab914b532e4a50f3bf3bc7f44986f610f89b2ce44f040d
Instruction Fuzzy Hash: FEF0C031A0851DCBEB64EF50CC947E973B1FB54311F5145B9C40DD71A1DFB86A889B40

Function 00007FFD9BAA2CC6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129fbaf3d633461b3c3e35fb0a0bf4e79fb37ba496557c06830bdddc4011c84c
Instruction ID: 407513d3895e25536d10f3de1419cf7ddd7b0404abf57af5b0a620ae6311093a
Opcode Fuzzy Hash: 129fbaf3d633461b3c3e35fb0a0bf4e79fb37ba496557c06830bdddc4011c84c
Instruction Fuzzy Hash: 21D04260E1991E8FEB64EBE8C4A96ACAEB1EF45304F514039D519B21A2DE7C65409B10

Function 00007FFD9BA911B6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455f056184316a41b4b9beb1bfd79aa2487955c1a3eb9b535dde6bce44315c3a
Instruction ID: b75f73f818bd2ff948d58dca33a1ca8397354ef48cfb816912a1e63a274461e0
Opcode Fuzzy Hash: 455f056184316a41b4b9beb1bfd79aa2487955c1a3eb9b535dde6bce44315c3a
Instruction Fuzzy Hash: 88C08C31D2264E8FEB64EF90AC214FDB370FF48204F401172E42CE3092DFB026108680

Non-executed Functions

Function 00007FFD9BAA10D4 Relevance: 8.9, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAA1722
}, xrefs: 00007FFD9BAA117C
[, xrefs: 00007FFD9BAA14F0
$, xrefs: 00007FFD9BAA1912
], xrefs: 00007FFD9BAA1777
/, xrefs: 00007FFD9BAA198A
", xrefs: 00007FFD9BAA1718

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: "$$$-$/$[$]$}
API String ID: 0-3346241342
Opcode ID: 1a399733918b7f0d9a599c436ffdf12fe3c162113a21e39a5aa94e12d49ccf37
Instruction ID: 947dc949b93863bba0132a3abe68d7ef3284c5de0d07dd5bed72536b7329c5bc
Opcode Fuzzy Hash: 1a399733918b7f0d9a599c436ffdf12fe3c162113a21e39a5aa94e12d49ccf37
Instruction Fuzzy Hash: 6191C470E0962DCFDB68DF94C8A47FDB7B2AB59301F1141AAD00DA7291CB786A84DF50

Function 00007FFD9BAA1446 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAA1377
,, xrefs: 00007FFD9BAA1450
%, xrefs: 00007FFD9BAA1345
/, xrefs: 00007FFD9BAA198A
{, xrefs: 00007FFD9BAA133B

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: %$,$-$/${
API String ID: 0-3562811445
Opcode ID: 93c57897778952066de2fd17d0b5eb3575932481b596b54c9bdb0af07ce58855
Instruction ID: df42a3ecb139c8aa082589e57ec3ac01fca2372c3230ba4edba3b5b5c2e22089
Opcode Fuzzy Hash: 93c57897778952066de2fd17d0b5eb3575932481b596b54c9bdb0af07ce58855
Instruction Fuzzy Hash: FB21F670A0522E8BEF689F90D8A47FDB7B2AB55311F15417AD00E96290CB786A84DB10

Function 00007FFD9BA9EDE7 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFD9BA9EB72
<, xrefs: 00007FFD9BA9EDF5
H, xrefs: 00007FFD9BA9EB7F
[, xrefs: 00007FFD9BA9EE55
', xrefs: 00007FFD9BA9EE20

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID: '$<$H$[$\
API String ID: 0-978586023
Opcode ID: 70811a1f5260896d409af6c46a8f5f8b3ad5adb04a426629b3f03a87309b0cde
Instruction ID: 1fe4a8a673d781847151773c96bce28a552e42cbe3e78c97c82c9e4cea7d03cb
Opcode Fuzzy Hash: 70811a1f5260896d409af6c46a8f5f8b3ad5adb04a426629b3f03a87309b0cde
Instruction Fuzzy Hash: 1A210B70E0926ECFDF78CF40D8607A9B7B1BB55311F2141BEC409A62A1DB786A88DF40

Function 00007FFD9BA9E713 Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD9BA9E828
=, xrefs: 00007FFD9BA9E7A6
I, xrefs: 00007FFD9BA9E689
, xrefs: 00007FFD9BA9E6C9

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BA9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9ba9a000_fontdrvhost.jbxd

Similarity

API ID:
String ID: $=$I$^
API String ID: 0-3128807046
Opcode ID: 7ea7f60a9ecef5186b4536b364222cda4a09a790cf6a85b2a659cc86cae1598f
Instruction ID: 01caaefc6bf5e471ebde0f53282a7707f3542d665be2942ae776a4d5aeec76c4
Opcode Fuzzy Hash: 7ea7f60a9ecef5186b4536b364222cda4a09a790cf6a85b2a659cc86cae1598f
Instruction Fuzzy Hash: BB51B570E0962E8FDBA8DF54C8A57A9B7B1FF54301F1141EAD40EA62A1CB746E84DF40

Function 00007FFD9BAA132A Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAA1377
%, xrefs: 00007FFD9BAA1345
/, xrefs: 00007FFD9BAA198A
{, xrefs: 00007FFD9BAA133B

Memory Dump Source

Source File: 0000001C.00000002.1881144968.00007FFD9BAA1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baa1000_fontdrvhost.jbxd

Similarity

API ID:
String ID: %$-$/${
API String ID: 0-2415596918
Opcode ID: 3b87ecb8a63f30ec8abd7102f8f10bad35101881e384fa859010cdeece5833f4
Instruction ID: af6bf083ecdf03c3c01f59560fccfd28d12c9f2245217956e6f6f9911b9b2d79
Opcode Fuzzy Hash: 3b87ecb8a63f30ec8abd7102f8f10bad35101881e384fa859010cdeece5833f4
Instruction Fuzzy Hash: C521F370E0522E8BDF689F91D8A47FDB7B2FB55301F14417AD00EAB290CB786A84DB10

Analysis Process: fontdrvhost.exePID: 4444, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAB3595 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880b9fca9694c172f138838ea0295c9a5619f256aa8ba569a2a77b9f07afc132
Instruction ID: 799b391028f33a64bd8c0ecc0b43b59022be6f590ee676bce457d457b0c38a27
Opcode Fuzzy Hash: 880b9fca9694c172f138838ea0295c9a5619f256aa8ba569a2a77b9f07afc132
Instruction Fuzzy Hash: 92A1A471A1994E8FEB58EB68C8657AD7BE1FF5A314F5002BAD01DC72D6CFB428418B40

Function 00007FFD9BAB1718 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c127599ddf1aa2da6915180fd9e824d16d5be9cf7ac3a25cc03d7238223b76
Instruction ID: 02d665118c7ec2ee6114105fe1d2d7dabada75b7d1f0ea4cb8624e3263d611df
Opcode Fuzzy Hash: d5c127599ddf1aa2da6915180fd9e824d16d5be9cf7ac3a25cc03d7238223b76
Instruction Fuzzy Hash: BD81D031B2DA594FDB58DF5888605A977E2FFE8300F15417AE46DC32A6DE74AD02CB80

Function 00007FFD9BAB1D8D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48730fee80ade19eee46e1ec246a4be5e51ae4d50714cae3fdf5861df5560bdb
Instruction ID: bdaf7f84addd366b6c84cb062a526fb48dfd4b435503395319b2c25a6915576e
Opcode Fuzzy Hash: 48730fee80ade19eee46e1ec246a4be5e51ae4d50714cae3fdf5861df5560bdb
Instruction Fuzzy Hash: BB51D031B18B594FDB58DF5888645BA77E2FFA8310F15417EE46AC7295CE74A802CB80

Function 00007FFD9BAC52B0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06691c17b9a30fe94bcabba2c6399cebbe0821efc65769af1387c91a0c859b0a
Instruction ID: 00e460b4d4be4f13e174edbc06a5eda24485b814cea683f099e9f16176be94dc
Opcode Fuzzy Hash: 06691c17b9a30fe94bcabba2c6399cebbe0821efc65769af1387c91a0c859b0a
Instruction Fuzzy Hash: 52513070E1991D8FDB94EBA8C865ABDB7F1FF58301F50017AD00DE3291DE7569818B40

Function 00007FFD9BAB31F1 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce00a5858e75f6368b2e4a6cd571e7f3516af70d9459d9f32840e563d8d1767f
Instruction ID: 93e173c5a197e6272d392e01de5c29e488e4d9d9206073f679edadc483e9e6b4
Opcode Fuzzy Hash: ce00a5858e75f6368b2e4a6cd571e7f3516af70d9459d9f32840e563d8d1767f
Instruction Fuzzy Hash: 12513971E0A62E8FEB64EB94C4646EDBBF1EF58300F51417AD019E72A1DB786A44CF40

Function 00007FFD9BAB21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe93c1961959c46355b1de6ebdc3c571622203de17c1350178d82fab603e974
Instruction ID: 23a7433c678ef3f33eceb33eb1add6df07aa724ff598291e785a4e597ebf4da5
Opcode Fuzzy Hash: 1fe93c1961959c46355b1de6ebdc3c571622203de17c1350178d82fab603e974
Instruction Fuzzy Hash: 5E417731B0E69D0FE765E7B898651B8BBE0EF86310F0545FBE05CC71A2DE68A9018741

Function 00007FFD9BAB1150 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05b0c7707191b0139d71e792d756c535c98540ed161fcf65b4d515d2ddfa99c
Instruction ID: 8d865f517dd504d82b08c82e3248fe5b10f279413de1f5287a33c3d1764468d1
Opcode Fuzzy Hash: c05b0c7707191b0139d71e792d756c535c98540ed161fcf65b4d515d2ddfa99c
Instruction Fuzzy Hash: A031C330E2955E4FEBA8EBA4D4646B977E0FF25304F01057ED02ED21E5DE6565418B40

Function 00007FFD9BAB33EC Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688b97b79eaf511c6e4355a38288936234bba9bb30405821510b5a1462e147b2
Instruction ID: ab9548884b7cdd17bd1fe37f1c7c0f0a352e0799cae20f506c3f9a5f0c6df1a9
Opcode Fuzzy Hash: 688b97b79eaf511c6e4355a38288936234bba9bb30405821510b5a1462e147b2
Instruction Fuzzy Hash: 9221D131A4E29E8FD742ABB4C8685A93BF0FF4A311F0644FBD458CB072DA789585CB10

Function 00007FFD9BAB24A9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbfdece9ba37b44b9456ce462adbce30ab1cb43277309028f7763608c7b8bf2
Instruction ID: 6fcd2e366a07865c4b0c97bb3633a14c3bcab3d43514fb9eb1d6a93f1eb63a1d
Opcode Fuzzy Hash: 7dbfdece9ba37b44b9456ce462adbce30ab1cb43277309028f7763608c7b8bf2
Instruction Fuzzy Hash: 11212F31E5A62D8EEB74DB94D8607FCB6B4EF55301F4151BAC01D921A1DEB82A84CF00

Function 00007FFD9BAB0A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cbe42d67b751cc94d645c8ffaab8a16113bb66dad86396a6649e2bd385b83a
Instruction ID: c14b3a4c94adf07fdb661011c64b640f357f3969cac3ff365ede18eb596a6224
Opcode Fuzzy Hash: 62cbe42d67b751cc94d645c8ffaab8a16113bb66dad86396a6649e2bd385b83a
Instruction Fuzzy Hash: 1211C471E1961E4FE7A0EBA8C8695FD7BE0FF58700F4149BAD42CC70A6EE74A5408B40

Function 00007FFD9BAB2390 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad276900358cd8ab975ec8ec6e13f6cf9d64a64073c2fa96a0e6af83d5085981
Instruction ID: 88ee20d3c5d62778326957d1489e1afb781c0e60f32c75c171de4f0a77f755e2
Opcode Fuzzy Hash: ad276900358cd8ab975ec8ec6e13f6cf9d64a64073c2fa96a0e6af83d5085981
Instruction Fuzzy Hash: 4B115E31E1962D8AEB74EFC0E8657FDB6A0FF14311F51427AC02ED21A1DEB826489F40

Function 00007FFD9BAB23B4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04732005e043c221efd64af34a39f4d9ccce4d62e883413dca14988f5a40cace
Instruction ID: 90633a7501241b9d434f415e0333ab2001c62c93d492a87c3f909ff990cbb0ea
Opcode Fuzzy Hash: 04732005e043c221efd64af34a39f4d9ccce4d62e883413dca14988f5a40cace
Instruction Fuzzy Hash: 1A112E31E5A52D8EEB68DB90E8606FCB774FB55310F41517AC02E931A1DEB86A448F40

Function 00007FFD9BAB3515 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e9ceceb40b2833d3fb20c69b15354699dea994f11306bd0996d12cb35f7704
Instruction ID: 91d21dd7853742205c0fb618b48fa67b5bf3b4052a25a581801e74b06b01da7a
Opcode Fuzzy Hash: e3e9ceceb40b2833d3fb20c69b15354699dea994f11306bd0996d12cb35f7704
Instruction Fuzzy Hash: BB113070A0965E8FDB59EF64C8696BD7BE0FF18300F4105BED429C61A2DA75A5408B00

Function 00007FFD9BAB2F01 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06432aab314566022b63f40bdcc3edbb6d47f796b168b0410f54db23fa5cb4d9
Instruction ID: 47776095ef6951a12bac9d668909163b27494c9ee5372ed800ac0e433e817aa7
Opcode Fuzzy Hash: 06432aab314566022b63f40bdcc3edbb6d47f796b168b0410f54db23fa5cb4d9
Instruction Fuzzy Hash: AC01B170A1A65E4FE761EBB484595A97BE0EF19300F0649B6D428C60B2EA74E2548B00

Function 00007FFD9BAB28DD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32e37a2a4d88850f5be84e1e1e010e9b6d6cf645fe4346df11694d084284db9
Instruction ID: 71034f8237bd3e16c75fea7876b4f60309e323ba76d35f32175be135c3dd5fda
Opcode Fuzzy Hash: b32e37a2a4d88850f5be84e1e1e010e9b6d6cf645fe4346df11694d084284db9
Instruction Fuzzy Hash: 8E017131E1A65E4FE765EBB488986B97FE0EF19300F4245B6D42CC70B6EA74E644CB01

Function 00007FFD9BAB2F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4548eef3371a77ebdb5460dd934f4e396a8446ce61ea182afb0af03c0b140da
Instruction ID: 0508070ac60313d0e5c3f976179a2f72f2e4fc4525d06cf3723ef26e54497061
Opcode Fuzzy Hash: f4548eef3371a77ebdb5460dd934f4e396a8446ce61ea182afb0af03c0b140da
Instruction Fuzzy Hash: 7C018870A4E78D4FD751A7B484695A97FE0EF5A300F0644F7D418CB0B6DA74A5588B01

Function 00007FFD9BAB05D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97801dc2e1ac9505d99acdb7bf974dfcd83828890b485dfc02df54073b41ec1e
Instruction ID: 2eb7bbbe0280f96980cd90f83baeaa6cd7caa183e0ec1241acdcb58c25228a63
Opcode Fuzzy Hash: 97801dc2e1ac9505d99acdb7bf974dfcd83828890b485dfc02df54073b41ec1e
Instruction Fuzzy Hash: 5C018430A1551E8FDB98EF64C0646BA77E1EF68305F61447DD41EC21A4CA75A650CF40

Function 00007FFD9BAB0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21c77b9919c09b6eec20733170208c9d2b65bb11a27161bcdab07f9e3b3cac3
Instruction ID: 3b8a2c2e83c0eed9414a14a517aacfe3e8fa7d9acee2257cb1253bd8199ec086
Opcode Fuzzy Hash: e21c77b9919c09b6eec20733170208c9d2b65bb11a27161bcdab07f9e3b3cac3
Instruction Fuzzy Hash: C0016230A1561E8AEB58EBE4D4686B977A0FF19305F11047FD42EC61E5DF75A550CA00

Function 00007FFD9BAB0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d102e1a47e3cb55c4227af5d6d341c6d75cf49c4ce1a992c8720ead6bc0e98c
Instruction ID: bdfd9b72eaa89e3d1e62836a5f060f48e518b5813203d797e8bc269639027320
Opcode Fuzzy Hash: 8d102e1a47e3cb55c4227af5d6d341c6d75cf49c4ce1a992c8720ead6bc0e98c
Instruction Fuzzy Hash: DE018130A1560E8BEB68EFE4D4696B977A0FF18305F51487FE42EC21E5DF75A650CA00

Function 00007FFD9BAB1D0D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a418cfd0659028fd95dbe767ae51527b637c921143eba2dc0fb6a4a57f695d
Instruction ID: d9e98c27ca5db0f161bf7f0e20b082cba48609a9dcb3259c77423f863730e897
Opcode Fuzzy Hash: 07a418cfd0659028fd95dbe767ae51527b637c921143eba2dc0fb6a4a57f695d
Instruction Fuzzy Hash: 6501D630A1A68E8FDBA9DF5484652B93BA0EF65300F5100BAD41CC71A2DAB59550CB40

Function 00007FFD9BAB0F00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8caca8a8b115ba130d03f04fea8bcef6c2e0fe42254362938ff2f9145d3f9f4a
Instruction ID: 72d99237224066e8fc54665910a55620813e994cd46db74344298b5f3af9b933
Opcode Fuzzy Hash: 8caca8a8b115ba130d03f04fea8bcef6c2e0fe42254362938ff2f9145d3f9f4a
Instruction Fuzzy Hash: 6D019230F0951E8FE774DB55C850AE9B3B0AB54714F008369C41A972A0DE746A498F84

Function 00007FFD9BAB27F9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddca514eab9c019979cdddf19fa7127dbc4a841fe0817fd6497ebec91fbefd3c
Instruction ID: 556df1567e95bdf1b559d2b7677bc53fddd2068b9ea5347bf155ef699bed502a
Opcode Fuzzy Hash: ddca514eab9c019979cdddf19fa7127dbc4a841fe0817fd6497ebec91fbefd3c
Instruction Fuzzy Hash: 43F0C83190E38D4FD7699FA088651E93F60BF15200F4604BBE458C60E3DA789504CB01

Function 00007FFD9BAB286D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a29f7c30045aef764db47bc33202c3146b36c8bb3bfaedeff9b40bdd221a8d
Instruction ID: 7bcf82ea3ccc2d46b2cc41df2d9c726f7f86f7d0ad6173af8d6c4cc5ed7c4ea8
Opcode Fuzzy Hash: e7a29f7c30045aef764db47bc33202c3146b36c8bb3bfaedeff9b40bdd221a8d
Instruction Fuzzy Hash: 2DF0B43191A78E8BEB689FE494652F93FA0FF56300F4204BBE429C51E6DF78E5508B00

Function 00007FFD9BAB0F5F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c0446028cff28d6e5db660619faea13d1aff62cf45939d0dd4afe388fbf5ce
Instruction ID: 69325acb314b14e067e1c6cc01a06ecead62128228ee8c7d3858bc0377a1ba19
Opcode Fuzzy Hash: b2c0446028cff28d6e5db660619faea13d1aff62cf45939d0dd4afe388fbf5ce
Instruction Fuzzy Hash: 0FF05430F0591E8FEB60DB48CC50FAEB371EB54315F108366D419D3254CE745A858F84

Function 00007FFD9BAB2422 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bd504af1a47655b9ab914b532e4a50f3bf3bc7f44986f610f89b2ce44f040d
Instruction ID: 644ab1e5298d2f9f7158d82ca78d3786d5e130f1826a737e5cbba3a75e193f5d
Opcode Fuzzy Hash: 94bd504af1a47655b9ab914b532e4a50f3bf3bc7f44986f610f89b2ce44f040d
Instruction Fuzzy Hash: F8F01C30A0852D8AEB64EF40C8647E973B1FB50311F4141BAC01DD31A1DFB86A888F00

Function 00007FFD9BAB663F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d59481e915d0eecf5c834ee0ee2b702a4409094ec294a6d9f951a1d898d9c13
Instruction ID: ead040fd9a7e1eac4e575497956ed3e3ecd83a8bc6fbfaf632048b0a9441e562
Opcode Fuzzy Hash: 6d59481e915d0eecf5c834ee0ee2b702a4409094ec294a6d9f951a1d898d9c13
Instruction Fuzzy Hash: 64E0B630D0992D8EEBE4DB588C643B9B6B0FB18302F1140E9D40DE2290DE305A809F00

Function 00007FFD9BAB11B6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1888257985.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffd9bab0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78373d8f96d9c2ba925e3ab8532e17776f1f23c91976e2fc1444358e497175da
Instruction ID: 088edcb79f621caaecbc9e42080fde800766c5d9ff02c8d5ab75eba2b995434b
Opcode Fuzzy Hash: 78373d8f96d9c2ba925e3ab8532e17776f1f23c91976e2fc1444358e497175da
Instruction Fuzzy Hash: B2C08C30D2265E8FEB64EF94AC214FDB370FF48204F401176E42CE3092DFB026108A80

Analysis Process: mmeUVmNHPOdst.exePID: 2148, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAAA7ED Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbffc66b8f4a36c121d9643de057223ad6e29b38bd3c46a1c457ff8a0d382068
Instruction ID: d0c0abe7e766f8b5f175541d32e945315e4f5125b9e6d2115601ab1e18c2363f
Opcode Fuzzy Hash: fbffc66b8f4a36c121d9643de057223ad6e29b38bd3c46a1c457ff8a0d382068
Instruction Fuzzy Hash: A1B1C230A0A68E8FD756EF64C8696F97BF1FF1A304F0645BBD409C70A2DA78A644C711

Function 00007FFD9BAA3595 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0c5c18d9d700a2b834d0ab36dd23f4e7bc5fa792bf1698d96f45d8db122abf
Instruction ID: 973c34b47eb9ad9ae31005f029e7813f6f4d0f2fe6ba53fafc4176ec721b646f
Opcode Fuzzy Hash: 5e0c5c18d9d700a2b834d0ab36dd23f4e7bc5fa792bf1698d96f45d8db122abf
Instruction Fuzzy Hash: BAA1C371A1994E8FEB98EB6CC8657ADBBE1FF59314F50017AD00DC72DACBB428018B40

Function 00007FFD9BAAC75D Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

[}N, xrefs: 00007FFD9BAAC75F
zN_^, xrefs: 00007FFD9BAACA01

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: zN_^$[}N
API String ID: 0-3494769916
Opcode ID: cd57560a35bb92e855241d2ecfe9254f35907ffdffefc4cb6bfc5db6632abb69
Instruction ID: 211f30cd141d3e7b625b5226d90ccb52ff34fc56aea3c27e758dde9db30fbd27
Opcode Fuzzy Hash: cd57560a35bb92e855241d2ecfe9254f35907ffdffefc4cb6bfc5db6632abb69
Instruction Fuzzy Hash: 33A1372770C56A4AE325B7ACBC614F97754EF5533AB0902B7E58DCD0E7E91C2046C2A4

Function 00007FFD9BAB11B2 Relevance: 2.5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

Strings

!, xrefs: 00007FFD9BAB11BC
/, xrefs: 00007FFD9BAB198A

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: !$/
API String ID: 0-2633443642
Opcode ID: b3749cc00926a4c45237bdc46cc052f07e9f717ab7069c0151c688d03de5f16f
Instruction ID: a8e20684f2593c2594d2445c233464674190e44eadbc35399e5db9b28a56dced
Opcode Fuzzy Hash: b3749cc00926a4c45237bdc46cc052f07e9f717ab7069c0151c688d03de5f16f
Instruction Fuzzy Hash: 60111F70D1562DCBEB28DF94C8A47EDB7B2FB54301F0142A9D41EA7290CB745A84CF40

Function 00007FFD9BAAC940 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

zN_^, xrefs: 00007FFD9BAACA01

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: zN_^
API String ID: 0-3996254790
Opcode ID: 5b829f980dbe1c02744af1ab8323989b8a034ba1c0a792e5e96562640f60d6c0
Instruction ID: 872f620894caf2e7b991323931607a717bfe2db4142d77ecd775bf336472141d
Opcode Fuzzy Hash: 5b829f980dbe1c02744af1ab8323989b8a034ba1c0a792e5e96562640f60d6c0
Instruction Fuzzy Hash: 1031E130A0D38A4FE716AB789C755F93FB0EF06229B0505FBE459CE0E3DA286445C762

Function 00007FFD9BAB3AFB Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9BAB3B01

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: N_^
API String ID: 0-2545421620
Opcode ID: 7495654f04bb18e9418adc32fcd48f679979900ce88912a410c66331a350fcf9
Instruction ID: 38255d9de772865d8b4c7f6403167c8d491291a36efb781251b82af06d92d9d6
Opcode Fuzzy Hash: 7495654f04bb18e9418adc32fcd48f679979900ce88912a410c66331a350fcf9
Instruction Fuzzy Hash: D5212831B0EA9E4FE761AB688C682E97BE0FF56310F0505B7D168CB0B7D96065448B41

Function 00007FFD9BAAD83C Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc546ee70f0c0a6f212bb8da69f7a934bf08d50d78916cae107d0363c6f1a60
Instruction ID: 632908d9d019c4e361c04ba8a3d3d32606db90aa5a67bad08e110865a680ff93
Opcode Fuzzy Hash: ccc546ee70f0c0a6f212bb8da69f7a934bf08d50d78916cae107d0363c6f1a60
Instruction Fuzzy Hash: B3126C70A1964D8FEBA8DF68C8647B8B7B2FF18304F4541BED08DD72A2CA746940CB51

Function 00007FFD9BAB3383 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee33d7ce6ed6b550984d8683ce13d6f523fa2c1ef9eac2215951957871a1a8ac
Instruction ID: c9cb6596d0e2d151696b538a10f73d3d9f55830a70cee5787d02a0b3c5c17e4c
Opcode Fuzzy Hash: ee33d7ce6ed6b550984d8683ce13d6f523fa2c1ef9eac2215951957871a1a8ac
Instruction Fuzzy Hash: 76119431A0E69E4FE752EB6488795AA7BF0EF16300F0544BBD068C71B7DA74A5448B01

Function 00007FFD9BAAC038 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06c51ed797c1d067db3646cf718d4b7db9cf3f6a04ea52ec8eb1500971af8b3
Instruction ID: 1f2d1d9a1565d469d7de61ed6b10e4c35c51e2fe7150da6ad0b474370fbe51a0
Opcode Fuzzy Hash: b06c51ed797c1d067db3646cf718d4b7db9cf3f6a04ea52ec8eb1500971af8b3
Instruction Fuzzy Hash: F1A14F30E1964D8FEB64EBA8C8656FD7BE6FF59300F41017AD019D31A2EE786A44CB50

Function 00007FFD9BAA1718 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8244bc2b2e6f55f056fba1e7d0fdf09821d17a0382f8dbf1376df3866e4aab
Instruction ID: 9a217ed87450429d6cbf87c3055fe16e6b4b45d7cd77ff75f05c8fecb647081d
Opcode Fuzzy Hash: fe8244bc2b2e6f55f056fba1e7d0fdf09821d17a0382f8dbf1376df3866e4aab
Instruction Fuzzy Hash: 2781DF31B0DA894FDB58DF5888605A977E3EFE9310B15417EE49EC32A6DE74AD02C780

Function 00007FFD9BAAC040 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0ab0724653bf9e5197f4a70981ce01b746c1e85cbc6934dcca82535f7c2389
Instruction ID: 1159d80e8e50d1253a4973c60d9f261cf806141ca1be9c4efe98472855e4b1fc
Opcode Fuzzy Hash: 3a0ab0724653bf9e5197f4a70981ce01b746c1e85cbc6934dcca82535f7c2389
Instruction Fuzzy Hash: 92716030E19A4D8FEBA4EBA888657FDBBB5FF19300F41017AD41DD3192DE785A448B50

Function 00007FFD9BAAAE5A Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d55fae8e3504e9e6f5ff0c60d7acaed0c10394e8e38ff4d2d07c645ce9e28d
Instruction ID: 7a8382c6b4cfb18a34d6dbfa3bdcf862e9d0b58a30317e05c13540a573d636f3
Opcode Fuzzy Hash: 33d55fae8e3504e9e6f5ff0c60d7acaed0c10394e8e38ff4d2d07c645ce9e28d
Instruction Fuzzy Hash: 3B610471B0E64E8FE766EBB8C8695ED77E1FF15300F0644B6C018C70A2EE74A6088761

Function 00007FFD9BAB529D Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180ae356d59decf7773158ce63f64d39fdd7cd5908ed35987fdd02397aed15ea
Instruction ID: 3c406937e0cc9b6b52eed04e3c62515cff3a2d144f85c66ce2390003b62e04dc
Opcode Fuzzy Hash: 180ae356d59decf7773158ce63f64d39fdd7cd5908ed35987fdd02397aed15ea
Instruction Fuzzy Hash: 3A617171E09A5D8FEB94EBA8C8657ACB7F1FF58301F40007AD01DE7292DE7569818B40

Function 00007FFD9BAA1D8D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e263845e041e1d6b7ea0cae1aea377e1125fe4fef5d2f87b2baf89531b77aae
Instruction ID: 7bb3972fb1e1bfc237fadc5b19d4960523767b483a95e5372f9e574d8aee6fb1
Opcode Fuzzy Hash: 5e263845e041e1d6b7ea0cae1aea377e1125fe4fef5d2f87b2baf89531b77aae
Instruction Fuzzy Hash: CD51ED31B08B894FDB58DF4888645BA77E2FFE9310B15427EE45AC7296CE74AC02C780

Function 00007FFD9BAABBDA Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550e1f531140c3411d952ec87b6d07c83974f5c46c9099daaf7c054f3c010d12
Instruction ID: ec1e56dac5c4517e90ed745d5f3f5d2c841bca4b164c11a40a38b8d3e56ae6f2
Opcode Fuzzy Hash: 550e1f531140c3411d952ec87b6d07c83974f5c46c9099daaf7c054f3c010d12
Instruction Fuzzy Hash: 90517C30A0A64E8FEBA9EFA4C8646FD7BF1FF19300F51447AD409D71A1DE74AA448B50

Function 00007FFD9BAB7079 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14d0031e910bb5a683e4a80557343fda201d7d96e3c7055dde22a98707bfc3c
Instruction ID: 36345debd92584296e00e9ba9cec18dd2b072ce71aabf2c98ab365d7b19fa374
Opcode Fuzzy Hash: b14d0031e910bb5a683e4a80557343fda201d7d96e3c7055dde22a98707bfc3c
Instruction Fuzzy Hash: BB51C430E0A61D8FEB64DF94D4606FDB7B2FF44300F11817AD019D72A5DEB86A458B50

Function 00007FFD9BAA31F1 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbea12bb10603b4633929e2b4eb9b5cf7e04071d9fd859c1b059c3252c7ab442
Instruction ID: cb7d696df7f5bd8e8c0636ca5a6cfd263de6b9eeaaaa8d1173e806efdf749208
Opcode Fuzzy Hash: dbea12bb10603b4633929e2b4eb9b5cf7e04071d9fd859c1b059c3252c7ab442
Instruction Fuzzy Hash: DD513A30E0A60E8FEB64EB94C4646EDBBF2EF58301F514179D009E72A5DB786A44CB60

Function 00007FFD9BAB52B0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fcf94f74328d6bb9e2b7d6eedbb64b1e72df543a54482df751ede6d2bfd235
Instruction ID: 0f8bff441fd8805d1b24dfefbb019dd5855c0f30af999f8459335870cb8bc8f5
Opcode Fuzzy Hash: 55fcf94f74328d6bb9e2b7d6eedbb64b1e72df543a54482df751ede6d2bfd235
Instruction Fuzzy Hash: 87513C71E19A1D8FEFA4EBA8C865BACB7F1FF58301F40016AD01DE7291DA7569818F40

Function 00007FFD9BAA21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fd975f819372d14f2b30f241654b8cb62130a45bfbb5aa7395acb5fc5d7ff9
Instruction ID: 78311049d9e60f3f7b373af01a64e51f2f493644e0db79bc8dfeb0032c71c6db
Opcode Fuzzy Hash: 96fd975f819372d14f2b30f241654b8cb62130a45bfbb5aa7395acb5fc5d7ff9
Instruction Fuzzy Hash: 87417A31B0EB8E0FE765D7B888751B8BBE1EF86310B0545FBE44CC71A6DE68A9058351

Function 00007FFD9BAB6148 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab6e283ffedfaf567d82e4698364c27c2dc61bf9e8257b5cf4d2c587e8b3275
Instruction ID: 62bfbde6d60da61ac8f7a14d215ef0585d5da43fa25732027935ab514a9c1af5
Opcode Fuzzy Hash: bab6e283ffedfaf567d82e4698364c27c2dc61bf9e8257b5cf4d2c587e8b3275
Instruction Fuzzy Hash: B9512130E0A52D8EEB68DB58D8657A9B6B1FF55301F1141BAD01DD31A2DF78AA84CF01

Function 00007FFD9BAB2A5A Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7ea134a2671fc31ed92ec7c9ea62b75bcf4df8a9076d51d8ba6829b1ef8602
Instruction ID: 6d492828da3fd7e252f533ce838afc8f0d9a0ca99fccddcdd514f4ee2ef4e5e2
Opcode Fuzzy Hash: 7a7ea134a2671fc31ed92ec7c9ea62b75bcf4df8a9076d51d8ba6829b1ef8602
Instruction Fuzzy Hash: 7751B970E1561D8EEBA4EF98CC557ACB7B2FF58300F4041A9900DE3292DF746A848F01

Function 00007FFD9BAA1150 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcbaf7a2bfd8bfaecc5341c35c33b6e814deb2ddccbf033cfe3aa8cbc96aa62
Instruction ID: 6db14c782c5bd03205adc1cfb291bc40596ed7fba3f7a022427642fdd3bc9d7a
Opcode Fuzzy Hash: 2bcbaf7a2bfd8bfaecc5341c35c33b6e814deb2ddccbf033cfe3aa8cbc96aa62
Instruction Fuzzy Hash: 3D31E230E1A64E5EEBA8EBA4C4786B97BE1FF2A304F01057ED01ED21E1DE646540C650

Function 00007FFD9BAB6D91 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53e647c2473a080b59725ae7452c74d5e88870db6c07f3a235db7ca825c4ffa
Instruction ID: cf816409a833c6d031aaab791d1aa32e9cfa9d077d0611b2b1e7967fa6cada3c
Opcode Fuzzy Hash: f53e647c2473a080b59725ae7452c74d5e88870db6c07f3a235db7ca825c4ffa
Instruction Fuzzy Hash: 3B21A030A09A1E8FEFA8EF68C4655BA77A0FF18300F0045BAD42DC71A5CE75A5508B40

Function 00007FFD9BAB6F55 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74562e47db03de05fbc3013dadda6e69a9298179e8a72fd7f617b08388b6b68
Instruction ID: d210fee3f5051bc86b140250df1ace2102cbd84b92b5e503343a9aae6b29aa00
Opcode Fuzzy Hash: c74562e47db03de05fbc3013dadda6e69a9298179e8a72fd7f617b08388b6b68
Instruction Fuzzy Hash: 5F21F630A0AA4E8FEB69DFA884751B97BA1FF15304F0144BED42DC61E2CE75E518CB41

Function 00007FFD9BAB7491 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca708b9b989e3c98cf25fbc55bc3fa692e5dda9c6fb46f5111e736f080780f91
Instruction ID: 448f18aeef4a1df05673939c66dca1aa8083f0ba525a858031ada2efe066e480
Opcode Fuzzy Hash: ca708b9b989e3c98cf25fbc55bc3fa692e5dda9c6fb46f5111e736f080780f91
Instruction Fuzzy Hash: 3821A131E0955E4FEB65EBA8C8659FE7BE1FF19301F020572D42CD70A5DAB8EA408B50

Function 00007FFD9BAB7521 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133a8bf827658cfedcf80bef07d943de7fe659c7e4e1a7dee3096fca5a2e144e
Instruction ID: eeda17710ffe75f748fec6fc62476c30cc64735e138dd0ad6823177f04bbce65
Opcode Fuzzy Hash: 133a8bf827658cfedcf80bef07d943de7fe659c7e4e1a7dee3096fca5a2e144e
Instruction Fuzzy Hash: F9214F30A0A55E8FEB61EBA8C8589A97BF4FF19301F0105B6D42DD7161EAB4AA408B50

Function 00007FFD9BAB22B1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d552bc39b18498441bdde4d2a5c3d7cc0abb28aa226ebb093f232abce0338be
Instruction ID: 714c7c1b7ea72cc1881dc452a43d007a955df68b796ececf0d1efc71a0e0a17e
Opcode Fuzzy Hash: 4d552bc39b18498441bdde4d2a5c3d7cc0abb28aa226ebb093f232abce0338be
Instruction Fuzzy Hash: 5021DE3094E3C94FD7169BB088755E57FA0AF06200F0A45EFD4AACB4E3C9696646C712

Function 00007FFD9BAAB7E1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eeb41fd11356138e335eb7bb220cfc1cbcde416ebae4045703e42f4164c9c32
Instruction ID: 5d754eb390dfa0b5bbd0392d2a382961f89e5ca3d02dbe70ca264e23cda64566
Opcode Fuzzy Hash: 2eeb41fd11356138e335eb7bb220cfc1cbcde416ebae4045703e42f4164c9c32
Instruction Fuzzy Hash: D1214B31E0962D8EEB64EB44C850BE9B3B2FF59310F5142A6C00DD62A5DB349A85CF51

Function 00007FFD9BAA0A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28e5260f0dea44d744d0c1226bfa420cc0a5a92efbe096e3edbb8a7e3d0aadc
Instruction ID: 8a28a39a6399154e4fa708b76d06462410ba56fe377d9e8a26fe5105004e105a
Opcode Fuzzy Hash: b28e5260f0dea44d744d0c1226bfa420cc0a5a92efbe096e3edbb8a7e3d0aadc
Instruction Fuzzy Hash: BB11C131F0A50E4FE7A0EBA8C8691BD7BE2FF58700F4245B6D41CC70A6EE78A6448710

Function 00007FFD9BAB46D9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77692bd5734c69bdd1c2529899c1345b265fe4e714d8335d150c37b4407e6d42
Instruction ID: f98e5aac63081e0afcc7d0b5e5b5b54838b60f5dfa45129300c9b751fa69cd9e
Opcode Fuzzy Hash: 77692bd5734c69bdd1c2529899c1345b265fe4e714d8335d150c37b4407e6d42
Instruction Fuzzy Hash: 3B219030A0A64E8FEB99EF6884692B97BE1FF59301F0105BED42DC71A2DE756580CB41

Function 00007FFD9BAB4775 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7538398dc146203d516f02332a417309bc287ed9eaea4886cd4616156f99ba
Instruction ID: 43cc1fb66b987a5b2c49c2a2443c90fe5bb477576422db400b242418537aec74
Opcode Fuzzy Hash: 0b7538398dc146203d516f02332a417309bc287ed9eaea4886cd4616156f99ba
Instruction Fuzzy Hash: 3E11B430A0AA4E8FEB98EF6884692BD7BE1FF59300F0105BED41DC61A2DE756580CB40

Function 00007FFD9BAB6EB5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4366361e73f10b8347e948c180027fd4b30c6eb838089985e51657276f670f7
Instruction ID: 69d297b6264e64f6dd977ec57ec6310e68917d10cc4248e07ef39d011eea1218
Opcode Fuzzy Hash: c4366361e73f10b8347e948c180027fd4b30c6eb838089985e51657276f670f7
Instruction Fuzzy Hash: 8311B730A0964E4FEB58EF68C4692B97BE1FF18300F01457ED42DC61A6DA759544CB40

Function 00007FFD9BAB4C95 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b770e638806decd314ca651218d8e3491ea2731eb451b0c1bfcd90889fe796d
Instruction ID: bf9a6c2f66bde8a9e722d7c0c0757e6af21a95eb18d4483eb489d5b620aec2bc
Opcode Fuzzy Hash: 1b770e638806decd314ca651218d8e3491ea2731eb451b0c1bfcd90889fe796d
Instruction Fuzzy Hash: C411C471A0EA8D4BEB69DBA488752B87BA0FF15304F4540BED02DC65F2DEA66540CB01

Function 00007FFD9BAABDF2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f094eb01952ee6b1d99bef93fb6f7bdccf934032225178daa8a601b6db8af35a
Instruction ID: 8fd7d6937b21b3835088bb2241eca5362404986415ca2b9e85e2ad3ed2b5dc4b
Opcode Fuzzy Hash: f094eb01952ee6b1d99bef93fb6f7bdccf934032225178daa8a601b6db8af35a
Instruction Fuzzy Hash: 5821A070E0962D8FEF64EFD4D894AECB7F2FF58311F41012AE409E6291DBB869448B50

Function 00007FFD9BAB5009 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982c2afe236c7726784584a51726d1004366403dcc9a7612e85681cde2772739
Instruction ID: c9bd5129166da2eff6df386b4c19d7c5b476bf026f213c2affe95607b30833bb
Opcode Fuzzy Hash: 982c2afe236c7726784584a51726d1004366403dcc9a7612e85681cde2772739
Instruction Fuzzy Hash: D411BE30A0A68E5FEBA9EB6488792B97BB0FF19301F0104BAD429C61A2DA746540CB41

Function 00007FFD9BAB5EF1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed36a3596f72297c25908620c6736287c61d27de09b2b3e2786d2debb7c7f16
Instruction ID: 64bb8f2c5e17868b96c4a9fed5067e99563f763ef240b391fe7e4b9c2645e330
Opcode Fuzzy Hash: 0ed36a3596f72297c25908620c6736287c61d27de09b2b3e2786d2debb7c7f16
Instruction Fuzzy Hash: 95110C30A0A64D4FE759DB74887A6B9BBE0FF14310F0604BED81DC61E2DE656544CB01

Function 00007FFD9BAB60A9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a7b697ac9546925aff222f7f252b28f6e0179cea1d65a12c04d0515f1283f9
Instruction ID: 018abaf8c9017fc69b951313e5fefa73926b674281ce81e181cf7da01760d48b
Opcode Fuzzy Hash: 17a7b697ac9546925aff222f7f252b28f6e0179cea1d65a12c04d0515f1283f9
Instruction Fuzzy Hash: CD11C430A0A64E4FEB51EB6888691A9BBE0FF19300F0545B6D42CC70A3DE74A6408B41

Function 00007FFD9BAB4F7D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866908ea017c7445f483e18fb5e1172d888e6ec8a52667bffb9aa6e163df439c
Instruction ID: ae69a26468d0cc7f8329c5c0e74a697a91fb26bb6be874fe91b3afb4e0573294
Opcode Fuzzy Hash: 866908ea017c7445f483e18fb5e1172d888e6ec8a52667bffb9aa6e163df439c
Instruction Fuzzy Hash: 7C11C430A0964E8FEB58EF6884696B97BE1FF18304F0105BED42DC71B2DE7465448B00

Function 00007FFD9BAB4DBD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa111f98ed26f9414275ade793e489665a7a3d1d561e1a0f806484ccd1ef11
Instruction ID: aa528adec73c54fc0c66987048e3a6e45044f0e8a3324467e5b1912a18f13ec3
Opcode Fuzzy Hash: b9fa111f98ed26f9414275ade793e489665a7a3d1d561e1a0f806484ccd1ef11
Instruction Fuzzy Hash: A211B230E0A64E4FEB69EF6488696F97BA0FF18304F0505BED42DC71A6DE7562408B01

Function 00007FFD9BAB2911 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c88741460489e4ea0365f02f8782452900a672fa3ddb3624d6432518b89a1a
Instruction ID: 1044fc3d19ac475d1bb19a0b447ab3e79fa1560be65c9405836686bb088c9f42
Opcode Fuzzy Hash: d4c88741460489e4ea0365f02f8782452900a672fa3ddb3624d6432518b89a1a
Instruction Fuzzy Hash: 8B116131E1A65E4EE752EBB898586FD7FE0FF19300F0549B6D42CC7066EA7492448B41

Function 00007FFD9BAB6FED Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd3d03e11f43f755486db926a327b1c27565ed716e69ce92ddc4780729b388f
Instruction ID: 654bd43815799d7739faea17f1e6ae776363d29d9aedadb50cbbf5a3d28adce4
Opcode Fuzzy Hash: ffd3d03e11f43f755486db926a327b1c27565ed716e69ce92ddc4780729b388f
Instruction Fuzzy Hash: 1E11E730A0E64E5FEBA8DF5484656B97BE0FF19300F0541BFD41DC61E2DEB56A448B41

Function 00007FFD9BAA3515 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f1db74fd1168ea3c0f62b85a5e6804482182891112418c7f087cc8d949350b
Instruction ID: 83442b1cd8a72ce2f88699d12fda7f110ece3151cf0a5007bbe39cd5ee425af0
Opcode Fuzzy Hash: a9f1db74fd1168ea3c0f62b85a5e6804482182891112418c7f087cc8d949350b
Instruction Fuzzy Hash: BB115E70E0A68E8FDB58EFA8C4696BD7BE1FF19300F4508BED419C71A1DB75A6408B10

Function 00007FFD9BAB2745 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833c6fe8990552008e1d29d48b46e6970e3e44271ead6d25b9f8d08725dd3467
Instruction ID: c3a916ba67518316f265551272c3ad0cacc5ad24e07919d930f8259b6b3f609f
Opcode Fuzzy Hash: 833c6fe8990552008e1d29d48b46e6970e3e44271ead6d25b9f8d08725dd3467
Instruction Fuzzy Hash: 2F01D83091564D8FDB58EBA0D4681B97BA0FF19304F4204BFD41DC60E1DE75A690CB00

Function 00007FFD9BAA2F01 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2f06b57559d0a33e77a8d21ff9e2076f889a00ae7ad1393dee5b56b648acf5
Instruction ID: 67970fba25c1a4644b71aa5216c6276750ab6fbf9cba2a1f04e25c012bddf9ae
Opcode Fuzzy Hash: 9c2f06b57559d0a33e77a8d21ff9e2076f889a00ae7ad1393dee5b56b648acf5
Instruction Fuzzy Hash: B001D470A0A74E8FE761EBA485591AD7BE1EF19300F0688B6D40CC70B2EE74E2648710

Function 00007FFD9BAB2C2E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d08e4e0afac7f48d62b9cbb5dd20b2c9805a5cb0299e4a4095dbf5eeb51bbe
Instruction ID: eef53c647baef9474dda9a74c05fbf20908919bf2cb147b2f2a755a03c6964e8
Opcode Fuzzy Hash: 68d08e4e0afac7f48d62b9cbb5dd20b2c9805a5cb0299e4a4095dbf5eeb51bbe
Instruction Fuzzy Hash: 8F115870E1991D8EDBA5EF98C8557FDB7B1FB58301F0141AAD01DE2291DEB45A808F40

Function 00007FFD9BAB7C49 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b2ecf51f18de00021d81a0190184be4eb0665454bd05ea910442f47ddc896e
Instruction ID: bfb4075a4598488c225a9121270cf2af03d46377b97d513e0af7d7daf4a73b28
Opcode Fuzzy Hash: 29b2ecf51f18de00021d81a0190184be4eb0665454bd05ea910442f47ddc896e
Instruction Fuzzy Hash: 4801963090E68D4FDB599F64C8755B97FA0EF16304F0104FED419C70E6DAB56A54CB01

Function 00007FFD9BAA28DD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4c500646f5c453f504088c5583ca6f71ed86e59961a9f067a6aeb7325f63c5
Instruction ID: 3ded79cce7d3b37bcd1098b7899650a17d08776c67ef8cd79e0298d79f8551f8
Opcode Fuzzy Hash: 3f4c500646f5c453f504088c5583ca6f71ed86e59961a9f067a6aeb7325f63c5
Instruction Fuzzy Hash: 4601BC31E0A64E4FE7A5EBB489A86B97BE1EF19300F0245B6D408C70B2EA74E254C710

Function 00007FFD9BAA342A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabd192d8a458538b4a0c57204d4d162202b51469f73e62546b35976b2ec81de
Instruction ID: e6733b2240aca13116c1bca929d1c5225646e6cb63de023a4cdafc686bb71d8a
Opcode Fuzzy Hash: aabd192d8a458538b4a0c57204d4d162202b51469f73e62546b35976b2ec81de
Instruction Fuzzy Hash: 12014F31E0A90E8FEB51EFA884585B97BE5FF18302F41497AD41DD31A5EB74A6808B50

Function 00007FFD9BAA2F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4f15d873071c9773a4180639eb5b999983628f330bb54767639d98901e2019
Instruction ID: 3b7350f6eae61afa8247f7390b751da38a075a065ea8c23e46f0d41564af46be
Opcode Fuzzy Hash: 3b4f15d873071c9773a4180639eb5b999983628f330bb54767639d98901e2019
Instruction Fuzzy Hash: 7201D870A0E78D4FD752A7B485695AD7BE1EF49300F0604F6C408C70B6DE74A5688711

Function 00007FFD9BAA05D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5e0b2825c017d8d5cc13a9b3aa01306072cb0e9aca35485b8c44242886765e
Instruction ID: 3d95f151886b0baa1aa5f8ab54816e7e522f9066a47b54256512b8f8febbe60a
Opcode Fuzzy Hash: cf5e0b2825c017d8d5cc13a9b3aa01306072cb0e9aca35485b8c44242886765e
Instruction Fuzzy Hash: ED018F30A0950E9FEBA8EF64C0686BA77E2EF69305F51447ED41EC21A0CAB5A640CB50

Function 00007FFD9BAB7CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44602a09743a68a734fe21276d0c4bb795e3041b53e8fd8f8f21f85503c0c2ac
Instruction ID: b936ed2f871d4812329ac131ee8c9e4dd2d9e029c4a1bcfba01921ff080e21d6
Opcode Fuzzy Hash: 44602a09743a68a734fe21276d0c4bb795e3041b53e8fd8f8f21f85503c0c2ac
Instruction Fuzzy Hash: B601B530A4A64E4FDB58DF64C4A55BA77A0FF05304F1104BED419C60A1DB75A654CB40

Function 00007FFD9BAB76A9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfd10663d1ab147ac90381eb0dc2847b5467adafc617f6f3c97b5579586b0fb
Instruction ID: 7af2597cefabe3706b5bc25cc3281e93439ca045350c0b9bb72d93226854b26b
Opcode Fuzzy Hash: 3dfd10663d1ab147ac90381eb0dc2847b5467adafc617f6f3c97b5579586b0fb
Instruction Fuzzy Hash: C601A730A4F24A4FD352EB7884695A97BE0EF06300F0649F7D41CCB0B6DA74A944CB11

Function 00007FFD9BAA0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e01d2ce876eaa5f9492c93ce46bd1fd3502a6be947ba2037e4875bfd7a6263d
Instruction ID: 182e7e3622f03c3c628a2990cf1e55d98efd546f15988f4d1c66f4d06077e5eb
Opcode Fuzzy Hash: 7e01d2ce876eaa5f9492c93ce46bd1fd3502a6be947ba2037e4875bfd7a6263d
Instruction Fuzzy Hash: F1018630A1560E8EEB5CEBA4C5685B9B3A1FF1C305F11047EE41EC21E5DF75A550CA10

Function 00007FFD9BAA0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f768e2676e99f6ff5ffe4892855ac613aa8ba53427c3afa0d5df801546cc73
Instruction ID: 8b78f3f57fafc1ee481a31cb9f2017cc2dee86f1584563ceb692fc9979788a71
Opcode Fuzzy Hash: a6f768e2676e99f6ff5ffe4892855ac613aa8ba53427c3afa0d5df801546cc73
Instruction Fuzzy Hash: 6201D130A1560E8BEB68EFA4C5696B9B3A1FF0C304F11087EE41EC21E5DF75A660CA10

Function 00007FFD9BAA1D0D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa616c0138f359700deba7947ac53812264075277e65bce1b79e947fe9edfb0
Instruction ID: 4d9c85dac307004198261750a83117ec1cf51304ac8003a5d61a290bf9d76e5d
Opcode Fuzzy Hash: 1fa616c0138f359700deba7947ac53812264075277e65bce1b79e947fe9edfb0
Instruction Fuzzy Hash: 9F01F930A0A68E8FDBA9DF14C4652F97BE1FF66300F51007AD40CC71A1DBB5A550C750

Function 00007FFD9BAA0F00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a351587bc6d841e28047824eeccb4e815a528b383b2278b7265697ec107c32b6
Instruction ID: 3d8c0067b2f79abc16347edf2f47bf131b7f0396ee9e9db273bfff465d08a273
Opcode Fuzzy Hash: a351587bc6d841e28047824eeccb4e815a528b383b2278b7265697ec107c32b6
Instruction Fuzzy Hash: 46017530E0950E8FE774DB54C850AEDB3B2EB50714F118279C40EA72A4DE7466499F98

Function 00007FFD9BAA27F9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e2fd273815d80df2d27adf33c4bfb85029c7e089116abe3631f66145101ce5
Instruction ID: 74d5bab669abd38b667f4e7951788319e3ad3889d6f976bb83eadbb2eac4ca01
Opcode Fuzzy Hash: f6e2fd273815d80df2d27adf33c4bfb85029c7e089116abe3631f66145101ce5
Instruction Fuzzy Hash: 97F0C23190E38D8FDB699FA089651E97F60AF1A200F4604BFE458C60E2DA78A918C711

Function 00007FFD9BAABD46 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1782aaffd6152c93e65dba499fb07e1fb604e184d571e6b8da3a53efbeb59a
Instruction ID: fa4723895abde144858af415b719480a10746ff7b13445ca46952a16d13f8624
Opcode Fuzzy Hash: 5c1782aaffd6152c93e65dba499fb07e1fb604e184d571e6b8da3a53efbeb59a
Instruction Fuzzy Hash: 1401A470A0561D9FEF60DF94C8A47ECB7F2FB58315F51022AE409E7291DBB86A44CB50

Function 00007FFD9BAA286D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed320d0183d42c61a34730e277e2c031478eb1f6b5ece7ae36435751f2d53663
Instruction ID: 87e129b1f10c850b2fb6876a607ad22aee206b1c70b9ef89fe26ff8c7d43ecca
Opcode Fuzzy Hash: ed320d0183d42c61a34730e277e2c031478eb1f6b5ece7ae36435751f2d53663
Instruction Fuzzy Hash: D4F02431A0A78E8FEB689FA084241F97BA0FF19300F4200BAF818C11E5DF78E5608710

Function 00007FFD9BAA0F5F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332702966127232082a275f7ac96c2b37a087540220ab49531e5897116409e7c
Instruction ID: 1f8b1c050a2bdc1f27745b6e6c41e369e0cb06f8a5704b2bdcd6c657ed2c772c
Opcode Fuzzy Hash: 332702966127232082a275f7ac96c2b37a087540220ab49531e5897116409e7c
Instruction Fuzzy Hash: AFF0F430E0590E8FEB64DB48CC54FAEB3B1EB94315F108266D40DD7254DE745A898F94

Function 00007FFD9BAB2CC6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129fbaf3d633461b3c3e35fb0a0bf4e79fb37ba496557c06830bdddc4011c84c
Instruction ID: 3e514a1bdd194ed4ae08512062940014e4fdbe2d5a9afde383282b8fd7223422
Opcode Fuzzy Hash: 129fbaf3d633461b3c3e35fb0a0bf4e79fb37ba496557c06830bdddc4011c84c
Instruction Fuzzy Hash: 61D0EC20E0961D8EFB60EFE8C8556AC6AB1EF04304F110039C009A2192DE7C26404B50

Function 00007FFD9BAA11B6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7a1329a316df95cc09e4671272a661e2f9cbb4893fecbdc5abc1eec89c8701
Instruction ID: 599ba8b05d6e88bc2c3572b88ff5e902eef7d3ad762691f80cce70a9ced2864e
Opcode Fuzzy Hash: ac7a1329a316df95cc09e4671272a661e2f9cbb4893fecbdc5abc1eec89c8701
Instruction Fuzzy Hash: 32C08C30D2264E8FEB64EF90AC214FDB370FF48208F401172E42CE3092DFB026108680

Non-executed Functions

Function 00007FFD9BAB10D4 Relevance: 8.9, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAB1722
}, xrefs: 00007FFD9BAB117C
", xrefs: 00007FFD9BAB1718
], xrefs: 00007FFD9BAB1777
[, xrefs: 00007FFD9BAB14F0
/, xrefs: 00007FFD9BAB198A
$, xrefs: 00007FFD9BAB1912

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: "$$$-$/$[$]$}
API String ID: 0-3346241342
Opcode ID: 4056371cf947badb48d877a64a0315233ec83e1c92c711c3b88389ada28b76e8
Instruction ID: f42fcc2abcc0b0364f508afdffa296b17653050dbc67edc105f3e2c5a92d7f90
Opcode Fuzzy Hash: 4056371cf947badb48d877a64a0315233ec83e1c92c711c3b88389ada28b76e8
Instruction Fuzzy Hash: 9591D570E1562D8FDB68DF95C8A47EDB7B2EB58301F1141BAD01DA7291CB786A84CF40

Function 00007FFD9BAB1446 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9BAB1345
{, xrefs: 00007FFD9BAB133B
-, xrefs: 00007FFD9BAB1377
,, xrefs: 00007FFD9BAB1450
/, xrefs: 00007FFD9BAB198A

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: %$,$-$/${
API String ID: 0-3562811445
Opcode ID: 931009058795e4fb5b4e114c431f09ce23dbfce87db316376303ee3770add370
Instruction ID: 7b7ece4238be063f1009cde3e479048a5bf7edb6ad4f46341e41f861b4d02602
Opcode Fuzzy Hash: 931009058795e4fb5b4e114c431f09ce23dbfce87db316376303ee3770add370
Instruction Fuzzy Hash: D621F671A1522E8BEB68CF90D8A47FDB7B2AB54311F15417AD01E96290DB785A84CF00

Function 00007FFD9BAAEDE7 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

<, xrefs: 00007FFD9BAAEDF5
', xrefs: 00007FFD9BAAEE20
[, xrefs: 00007FFD9BAAEE55
\, xrefs: 00007FFD9BAAEB72
H, xrefs: 00007FFD9BAAEB7F

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: '$<$H$[$\
API String ID: 0-978586023
Opcode ID: 70811a1f5260896d409af6c46a8f5f8b3ad5adb04a426629b3f03a87309b0cde
Instruction ID: aeee2f00ca9bf204b01772cf53e7ecaabeefeed7ccd250fe95c5f7f40366d799
Opcode Fuzzy Hash: 70811a1f5260896d409af6c46a8f5f8b3ad5adb04a426629b3f03a87309b0cde
Instruction Fuzzy Hash: 7E21F970E0926ECFDB68CF80D8607A9B7B2BB55301F2141BEC409A6290CB786A84CF50

Function 00007FFD9BAAE713 Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFD9BAAE7A6
, xrefs: 00007FFD9BAAE6C9
^, xrefs: 00007FFD9BAAE828
I, xrefs: 00007FFD9BAAE689

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baaa000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: $=$I$^
API String ID: 0-3128807046
Opcode ID: 4b8df3827ef0af161d587a8a26cd904ef9e99121d95d2a5637b8f72d1d3e79d6
Instruction ID: 3368a7a2db638b63e43148509928fb8b9865cdcd69574795150d1b786233b61e
Opcode Fuzzy Hash: 4b8df3827ef0af161d587a8a26cd904ef9e99121d95d2a5637b8f72d1d3e79d6
Instruction Fuzzy Hash: C4519770E0562D8FDBA8DF54C8A57A9B7B2FF55301F1141EAD40EA22A0CB746E81CF50

Function 00007FFD9BAB132A Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9BAB1345
{, xrefs: 00007FFD9BAB133B
-, xrefs: 00007FFD9BAB1377
/, xrefs: 00007FFD9BAB198A

Memory Dump Source

Source File: 00000021.00000002.1889155786.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: %$-$/${
API String ID: 0-2415596918
Opcode ID: 8e0d11e9fb33994c6314699794577981ec387bfd80d1aea026ea80901737cd49
Instruction ID: 9038cc4b8a59d465c9ab8cfa46a6903e38216a36bfae8f63a5cc712d4862b045
Opcode Fuzzy Hash: 8e0d11e9fb33994c6314699794577981ec387bfd80d1aea026ea80901737cd49
Instruction Fuzzy Hash: FC21F271E1522E8BDB688F90D8A47FDB7B2AB54301F10417AD01EAB290CB786A84DF00

Analysis Process: mmeUVmNHPOdst.exePID: 6556, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAB3595 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcabee2f742a29659a93071a075a8300af87e0f698a6d59c05aa02d84f2fcc3
Instruction ID: db8af9c55ea15298fc6ccc9544eed18701b2734f1ea68ce400ad4f031958379c
Opcode Fuzzy Hash: dbcabee2f742a29659a93071a075a8300af87e0f698a6d59c05aa02d84f2fcc3
Instruction Fuzzy Hash: 79A1A371A1994E8FEB58EB6CC8657A97BE1FF59314F5002BAD01DC72D6CFB428418B40

Function 00007FFD9BABC75D Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD9BABC839
[}M, xrefs: 00007FFD9BABC75F

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: ^$[}M
API String ID: 0-1995732992
Opcode ID: 9775716cb89305da2dd63cac902fdaad8542b243a11aa3fc977e72e500df9571
Instruction ID: e885574663a19c35ebd61716e2fa0776f75292c904a709018138a956434b7dc4
Opcode Fuzzy Hash: 9775716cb89305da2dd63cac902fdaad8542b243a11aa3fc977e72e500df9571
Instruction Fuzzy Hash: 2B81382770C52A4AE725BBACBC258FD3740DF5533EF0902B7E5A98D0D7ED182146C690

Function 00007FFD9BAC11B2 Relevance: 2.5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9BAC198A
!, xrefs: 00007FFD9BAC11BC

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: !$/
API String ID: 0-2633443642
Opcode ID: 39dfdb01d33159a7548a147f08e22e3cfdf7fae841c90d00b8c2b3dc276cff77
Instruction ID: 49fadb26eb1bd98255684e4ca3a839dc73319e285e74c993d95d424d73300ddb
Opcode Fuzzy Hash: 39dfdb01d33159a7548a147f08e22e3cfdf7fae841c90d00b8c2b3dc276cff77
Instruction Fuzzy Hash: 0A110D70E0562DCBEB28DF94C8A47FDB3B2AB54301F0146A9D40EA7290CB745A84CF40

Function 00007FFD9BABAE5A Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9BABAED9

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 8138987f0da5d571416e4c79d4bd4d8583f84efacd9a6d86d4b8f8515c956301
Instruction ID: daef1df0a2f57c69813ecc7722779d6d7cb37e976f2c7ed5a36c5393e4b06baf
Opcode Fuzzy Hash: 8138987f0da5d571416e4c79d4bd4d8583f84efacd9a6d86d4b8f8515c956301
Instruction Fuzzy Hash: 7F412771F0A96E9FE761EBB8C8694F877E0FF55300F0549B6C068C70A2EE74A6058B41

Function 00007FFD9BAC3AFA Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFD9BAC3B01

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: M_^
API String ID: 0-2516497261
Opcode ID: 5ae9bf5f74250f0c21278bc54fcc8150f1b4a4c6f6ad774ebb64581f74799da3
Instruction ID: e27c34c469b34580b458d93bef77ddda88289561f27a4f542dd5fdd1dfeb371b
Opcode Fuzzy Hash: 5ae9bf5f74250f0c21278bc54fcc8150f1b4a4c6f6ad774ebb64581f74799da3
Instruction Fuzzy Hash: 5621C431B0F68E5EE761BB68886A1F97BE0FF56310F0506B7D458CB0B3D97465448741

Function 00007FFD9BAC3383 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ca3f94abd5d69b00d1efaa783fcf698d01d9eef3ebc2ad1be1b9c64234f7a6
Instruction ID: 9f97c6c66d4df15d6e9340f6a64267d432832b9311fb7a43181746911c47ad23
Opcode Fuzzy Hash: 57ca3f94abd5d69b00d1efaa783fcf698d01d9eef3ebc2ad1be1b9c64234f7a6
Instruction Fuzzy Hash: 96119431A0E68E4FE752FB64886A5B97BF0EF16304F0544B7D058CB1B3DA74A5048712

Function 00007FFD9BABD959 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10961ea344a2149efdfc3e55db1e3af342eaf832c34b1365b908adf2afe017ee
Instruction ID: b3f50db2031a2352caff8412eb1a4445da1bc06769dd3cb36bd0c791c4aac42a
Opcode Fuzzy Hash: 10961ea344a2149efdfc3e55db1e3af342eaf832c34b1365b908adf2afe017ee
Instruction Fuzzy Hash: 64E15D71E19A5D8FEBA8DF98C8A47BCB7A1FF58304F4041BAD05D972A2CA746941CF01

Function 00007FFD9BAB1718 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c127599ddf1aa2da6915180fd9e824d16d5be9cf7ac3a25cc03d7238223b76
Instruction ID: 02d665118c7ec2ee6114105fe1d2d7dabada75b7d1f0ea4cb8624e3263d611df
Opcode Fuzzy Hash: d5c127599ddf1aa2da6915180fd9e824d16d5be9cf7ac3a25cc03d7238223b76
Instruction Fuzzy Hash: BD81D031B2DA594FDB58DF5888605A977E2FFE8300F15417AE46DC32A6DE74AD02CB80

Function 00007FFD9BABC119 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df1a236ea062329f27d1913ca48fe8ab77238356a0e9c2636f7445766597ff2
Instruction ID: f9edab84f09975d72578ce44739eb53a7c8f6346e8cd73f962060182745f99de
Opcode Fuzzy Hash: 3df1a236ea062329f27d1913ca48fe8ab77238356a0e9c2636f7445766597ff2
Instruction Fuzzy Hash: 14613C70E0992D8FDB64EB98D865AEDB7B1FF59300F41017AD01DE32A2DE7869418F40

Function 00007FFD9BAC529D Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53151b56cb1d60bbac87f19c3d14810af566bde60f98ed01727aa9e574eeeff0
Instruction ID: 24373bb371fa331a82d7a6c21bc6656171bd0d5377844b8260a16b1983deb7ec
Opcode Fuzzy Hash: 53151b56cb1d60bbac87f19c3d14810af566bde60f98ed01727aa9e574eeeff0
Instruction Fuzzy Hash: 0A614170E0995D8FDBA4EBA8C8666BCB7F1FF58301F41017AD00DE72A2DE7569818B40

Function 00007FFD9BAB1D8D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48730fee80ade19eee46e1ec246a4be5e51ae4d50714cae3fdf5861df5560bdb
Instruction ID: bdaf7f84addd366b6c84cb062a526fb48dfd4b435503395319b2c25a6915576e
Opcode Fuzzy Hash: 48730fee80ade19eee46e1ec246a4be5e51ae4d50714cae3fdf5861df5560bdb
Instruction Fuzzy Hash: BB51D031B18B594FDB58DF5888645BA77E2FFA8310F15417EE46AC7295CE74A802CB80

Function 00007FFD9BAC7079 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be63e8f5afb2cfda624d21489c693c39d97b17fa47cb70cae7ea949452c7da7
Instruction ID: 1a2d35ccec0d533ffd3509493c56785791e31104e0c27dc2f4525e6467ccccbb
Opcode Fuzzy Hash: 0be63e8f5afb2cfda624d21489c693c39d97b17fa47cb70cae7ea949452c7da7
Instruction Fuzzy Hash: 86519130E0A60D8FEB64EF94C4646FDB7B2FF55310F11817AD019D72A6DE78AA458B80

Function 00007FFD9BAB31F1 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df02004b3a7aca20fcf5c30089dcd1e9445f1724217d20714bc50072ef25402e
Instruction ID: ea00cffe94f0ec583a73671573e330939e352df8ed8bd45df21be9f685fe8efc
Opcode Fuzzy Hash: df02004b3a7aca20fcf5c30089dcd1e9445f1724217d20714bc50072ef25402e
Instruction Fuzzy Hash: 1D513931E0A62E8FEB64EB94C4646EDBBF1EF58301F51417AD019E72A1DB786A44CF40

Function 00007FFD9BAC52B0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9201fc21844e767de6e66e358362ed2a793176b7d8864704148561b60dfb49e4
Instruction ID: e1b3c55dd7903a180e2ee24709192009b88c3b8eee6fd66ba906f28e8e5d0ebf
Opcode Fuzzy Hash: 9201fc21844e767de6e66e358362ed2a793176b7d8864704148561b60dfb49e4
Instruction Fuzzy Hash: FB512E70E1991D8FDFA4EB98C866BADB7F1FF58301F50016AE00DE3295DE7569818B40

Function 00007FFD9BAB21A5 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae830da8a100dfe331918c9f501d3eac054f92722022c3a3991338ca9d814a7
Instruction ID: 0a7ebddd1f2358e25193bc7652e81505170877ab741c3887f1a67831593f64b0
Opcode Fuzzy Hash: eae830da8a100dfe331918c9f501d3eac054f92722022c3a3991338ca9d814a7
Instruction Fuzzy Hash: 84417731B0E69D0FE765E7B898651B8BBE0EF86310F0545FBE05CC71A6DE68A9018741

Function 00007FFD9BAC6148 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c590e45d0c40b8ec594f32a814586c4429e11b9127793278b7d0864efd9c2de4
Instruction ID: 918df9acce613b0bd7062ec461998e33edda8170787dc2105156d83d0b49b60b
Opcode Fuzzy Hash: c590e45d0c40b8ec594f32a814586c4429e11b9127793278b7d0864efd9c2de4
Instruction Fuzzy Hash: E2511D30E0951E8EEBA8EB58C8657B977A1FF65301F1141BAD01DD72A2DF786A84CF01

Function 00007FFD9BAC2A5A Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb9bfbe195ddfcfca4c94ebc96083ee31d37a5aa38d344a11a1d3f1c93f2187
Instruction ID: cef659e70f2a130c82290f74c23986a9a9ac8e72422ff3502a683bc9351adbee
Opcode Fuzzy Hash: 7bb9bfbe195ddfcfca4c94ebc96083ee31d37a5aa38d344a11a1d3f1c93f2187
Instruction Fuzzy Hash: 3351B970E1562D8FDBA4EB98C855BADB7B1FF59300F4041A9901DE3292DF746E848F41

Function 00007FFD9BAB1150 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05b0c7707191b0139d71e792d756c535c98540ed161fcf65b4d515d2ddfa99c
Instruction ID: 8d865f517dd504d82b08c82e3248fe5b10f279413de1f5287a33c3d1764468d1
Opcode Fuzzy Hash: c05b0c7707191b0139d71e792d756c535c98540ed161fcf65b4d515d2ddfa99c
Instruction Fuzzy Hash: A031C330E2955E4FEBA8EBA4D4646B977E0FF25304F01057ED02ED21E5DE6565418B40

Function 00007FFD9BAC6D91 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d0b31af715dc9395f83286b1f4d8344f94c5c7b9be058241a736f2354e9f8d
Instruction ID: 2a62cb3e18656c0fb5509a755f1265aa0f3e00ac957cac5fdca677a2a9cf7a73
Opcode Fuzzy Hash: 64d0b31af715dc9395f83286b1f4d8344f94c5c7b9be058241a736f2354e9f8d
Instruction Fuzzy Hash: BF21D530A09A0E8FDF69EF68C4656BE37A0FF68300F01457AD41DC71A5CF75A5408B41

Function 00007FFD9BAC6F55 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19c740a002ca762c8138bf430090462d03de486a48f426a50888b8c93d5d477
Instruction ID: bc3b88fc798a89494daf35b1911a5a9ba2c07a6fde29112cd499a3579d59b5d3
Opcode Fuzzy Hash: d19c740a002ca762c8138bf430090462d03de486a48f426a50888b8c93d5d477
Instruction Fuzzy Hash: 4321E431A0AA4E8FDB69EF6884752B937A0FF29304F1140BED41DC71A2DE75A514C781

Function 00007FFD9BAC7521 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aceb4bc05a9959c61d2a5989a84a18508e7eb674ccee7ea2d06c5c6adc518b
Instruction ID: c08505fd2ea1c4b6e982bb091424d7c508399b4b311e9b65a56862ecfde94796
Opcode Fuzzy Hash: b2aceb4bc05a9959c61d2a5989a84a18508e7eb674ccee7ea2d06c5c6adc518b
Instruction Fuzzy Hash: E8213D34A0A55E8FEB61EFA8C8585B97BE4FF19301F0144B6D429D7161DA74AA408B50

Function 00007FFD9BAC7491 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331b70e25cdd9f6b262b25114f1b9c4efe6b166ecb8d4f2eddab9b90f25c0b68
Instruction ID: de6a1c09631113b68c60a94908aa5619a3b86e7391a2face7cedc2a23fb52f3b
Opcode Fuzzy Hash: 331b70e25cdd9f6b262b25114f1b9c4efe6b166ecb8d4f2eddab9b90f25c0b68
Instruction Fuzzy Hash: 5E219D35A0954E8FEB61FFA8C9659FE7BE1FF19300F020472D418D70A5EA78AA408B50

Function 00007FFD9BAB33EC Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688b97b79eaf511c6e4355a38288936234bba9bb30405821510b5a1462e147b2
Instruction ID: ab9548884b7cdd17bd1fe37f1c7c0f0a352e0799cae20f506c3f9a5f0c6df1a9
Opcode Fuzzy Hash: 688b97b79eaf511c6e4355a38288936234bba9bb30405821510b5a1462e147b2
Instruction Fuzzy Hash: 9221D131A4E29E8FD742ABB4C8685A93BF0FF4A311F0644FBD458CB072DA789585CB10

Function 00007FFD9BAC22B1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699ab05de442a4b2b6dd12fcd9e2864461149b72a21f76088094f82b3c219335
Instruction ID: 6fc7530e41b5820094c6e54e4d9f2ecd6646f4397e92511d67e873d942099c03
Opcode Fuzzy Hash: 699ab05de442a4b2b6dd12fcd9e2864461149b72a21f76088094f82b3c219335
Instruction Fuzzy Hash: 7321BE3094E3C94FD726ABB488755F97FA0AF07200F0A45EFD49ACB4E3C9696646C352

Function 00007FFD9BABB7E1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73616ad0c99dc84cf57ee4633cf52f944d52ab478ae1c8f6556112fee75749b9
Instruction ID: e7ecd9a7f1a6b6144807061924dbef686d692761e7fae62e845f3f65a72e48c1
Opcode Fuzzy Hash: 73616ad0c99dc84cf57ee4633cf52f944d52ab478ae1c8f6556112fee75749b9
Instruction Fuzzy Hash: D3217C31E0962D8FEB64EB84C850BEAB3B1FF59310F5042A6C00DD62A5CB74AA85CF41

Function 00007FFD9BAB0A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4840f01316f44db8270842d06367d5db7af8944d86e087c074be0fd2a303b9a8
Instruction ID: 66cf816960f6ba338ea1200c271e347556531a632bb04f3df79667d8a073b715
Opcode Fuzzy Hash: 4840f01316f44db8270842d06367d5db7af8944d86e087c074be0fd2a303b9a8
Instruction Fuzzy Hash: 6811C431E1951E4FE7A0EBA8C8695FD7BE0FF58700F4149BAD42CC70A6EE74A5408B40

Function 00007FFD9BAC46D9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ec24e36373a508e0e849195824a36fa56f9a8ffca5b73d19304958566af0ce
Instruction ID: 5468b8bc1340c219bfdaedf591864c6594f368b04ffe2ab4debe84a798f1924b
Opcode Fuzzy Hash: 03ec24e36373a508e0e849195824a36fa56f9a8ffca5b73d19304958566af0ce
Instruction Fuzzy Hash: 00219030A0A64E8FDB99EF6884692B97BE0FF59311F1105BED41DC71A2DE746540CB41

Function 00007FFD9BAC4775 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d00b805cc9f6481fe8745683b7ae0c6aa33e7b87854d86c07c1e6743c95e57
Instruction ID: b1919042aeacbc3faf76c58e0e24e2001ea24a13ab0aee38d104e71f1d6c5100
Opcode Fuzzy Hash: 63d00b805cc9f6481fe8745683b7ae0c6aa33e7b87854d86c07c1e6743c95e57
Instruction Fuzzy Hash: A911B430A0AA8E8FEB58EF6884692BD7BE0FF59300F1105BED41DC71A2DE75A540C741

Function 00007FFD9BAC6EB5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a214def8c3009a8e0a28aa5e65f5f796831b3e3cd23678ccce2478c55e968a2
Instruction ID: 945fd9c2d1f409a1e8a29ac6bf4e91291b929a0bd57e6b039c5120440f93426d
Opcode Fuzzy Hash: 8a214def8c3009a8e0a28aa5e65f5f796831b3e3cd23678ccce2478c55e968a2
Instruction Fuzzy Hash: D411A230A0964E8FDB58EF6884692B97BE0FF68300F0145BFD41DC71A2DA75A544CB81

Function 00007FFD9BAC4C95 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848feea2157f43081985743a0ac8a40060407f32e5c9ed8d825dc7613b6cfecb
Instruction ID: 555bb262b41e32510a51665195317a784dc24f424a627af87dbf97877f79a6d7
Opcode Fuzzy Hash: 848feea2157f43081985743a0ac8a40060407f32e5c9ed8d825dc7613b6cfecb
Instruction Fuzzy Hash: A611B271A0EA8D8FEB69EBA488B52B87A90EF55304F4540BED01DC75F3DEA56540C701

Function 00007FFD9BAC5009 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fe3e9693bf815d6e08adf475d6ff55822e9d7c2ba502a82c63d6bbc1ce2157
Instruction ID: 400df60024947df78c47ef1faef8faf70901d04494d765fb3e6dc529917bab9a
Opcode Fuzzy Hash: e7fe3e9693bf815d6e08adf475d6ff55822e9d7c2ba502a82c63d6bbc1ce2157
Instruction Fuzzy Hash: 4211B130A0A68E9FEB99EB64886A2BD7BA0FF19301F0104BAE419C71A2DE746540C741

Function 00007FFD9BABBDF2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5009ec993ef8cdba211d9b1f14774dcdaf10ec8c530e9058987ca4f7f48097
Instruction ID: 1ced6eff7b84d5ae8f9021fd995972beb63010ff3f34d6580e653f8321c11eb8
Opcode Fuzzy Hash: 9c5009ec993ef8cdba211d9b1f14774dcdaf10ec8c530e9058987ca4f7f48097
Instruction Fuzzy Hash: 02219E70E0962D9FEF64EF94D894AECB7B1FB58311F41013AE419E62A1DBB869448B40

Function 00007FFD9BAC5EF1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de376b7142e9fafd099aa961bb61313d243fe1e821407a51b9cb05a18bb207d
Instruction ID: 80ae9f0cdf30553fafe4ddd2b85c3e0e2cedbc2ad46df60b0e57e0455ddeec81
Opcode Fuzzy Hash: 6de376b7142e9fafd099aa961bb61313d243fe1e821407a51b9cb05a18bb207d
Instruction Fuzzy Hash: 1211C270A0A68D4FEB68AB64886A6B97BE0FF19310F0604BEE81DC70E2DE656544C741

Function 00007FFD9BAC60A9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43aebd3d5d69e0523f1bf419cff46fc4771d2942600c3d766e2c463d1e67b22a
Instruction ID: 51ac57b0a842b3e65f7af677dc40eb7dff4b8ba5f086a606b8cddd5ec9dd1439
Opcode Fuzzy Hash: 43aebd3d5d69e0523f1bf419cff46fc4771d2942600c3d766e2c463d1e67b22a
Instruction Fuzzy Hash: 6511C130A0A64E4FEB91FB6888696B97BE0FF29300F0545B6D418C70A3EE74A6408741

Function 00007FFD9BABBC35 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909731c3e60efd20a27d3a519819ac66f2892056355eab98f14d1aaf0808e051
Instruction ID: 1b94f0f343181e62ff45438191a2ea19c619e85851a00081ec59ab2bad2dbd2b
Opcode Fuzzy Hash: 909731c3e60efd20a27d3a519819ac66f2892056355eab98f14d1aaf0808e051
Instruction Fuzzy Hash: 77118230A0955E8FEB99EF64C4682BD7BE0FF19301F4104BAD42DC21A2DE75A640CB00

Function 00007FFD9BAC4F7D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b383ea9243e8727b1ee35e709251b70eb649f29dbde64a3c9af065abff1389c
Instruction ID: 1c14d0bfc5b57e1983336195fba0e4af1549e5102e9f3f45df35080136ccfc44
Opcode Fuzzy Hash: 0b383ea9243e8727b1ee35e709251b70eb649f29dbde64a3c9af065abff1389c
Instruction Fuzzy Hash: 8411C130A0964E8FEB68FB688869AB977E0FF18304F0105BED42DC71B2DE74A5448741

Function 00007FFD9BAC4DBD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed8cf4cd17ee16b7535ab29520720fd20496f3abe625772b385927ccc353707
Instruction ID: 3f7b6241daca7b5afd8822cb87894c806e88c4a5264105eac6e7e477a0287340
Opcode Fuzzy Hash: 8ed8cf4cd17ee16b7535ab29520720fd20496f3abe625772b385927ccc353707
Instruction Fuzzy Hash: 00119D30A0A64E8FEB69EF6488696F97BA0FF28304F0505BED419C71A6DF75A2408701

Function 00007FFD9BAC2911 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09aafaae7fd9c557c35519def8c7d62cd82221830d1e0724652b1c5d84b583fa
Instruction ID: b35b223a8d19b19a3f1b74bb114298f409915347754481ff0e50978781ede160
Opcode Fuzzy Hash: 09aafaae7fd9c557c35519def8c7d62cd82221830d1e0724652b1c5d84b583fa
Instruction Fuzzy Hash: BE116131A1964E8EEB91FBB884586FD7BE0EF1A300F0549B6D418C7066EA7492448741

Function 00007FFD9BABC940 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4e538075a389eead188d90384aff25c2752a7931dd84540e372d0e05c6eebc
Instruction ID: 956c883972f2363d30362213598bc480a5e93f373558985039e5e636ca9cd689
Opcode Fuzzy Hash: 8c4e538075a389eead188d90384aff25c2752a7931dd84540e372d0e05c6eebc
Instruction Fuzzy Hash: E4118230A0969E4FEB55EB6488696FD7BB0FF19304F0104BBD429C70A2EE785640CB51

Function 00007FFD9BAC6FED Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939af49a35f47636f9b9ff878dcad39c0a673b9615b059c47ffa75c230fc067d
Instruction ID: 3fac9b37b04ca1cf38d198b0cb316fca0355e7162759d3ce15a6eef687070653
Opcode Fuzzy Hash: 939af49a35f47636f9b9ff878dcad39c0a673b9615b059c47ffa75c230fc067d
Instruction Fuzzy Hash: 8111E730A0A64E9FEBA8EF5484666B97BE0FF59300F0141BED41DC71E2DE756944C741

Function 00007FFD9BABC095 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4bcf184489d3d00f48a5edf9d98b64a366116ceacf4c8e6f2baa0ccc08aa6e
Instruction ID: 4ec1597aa1e55330340669d71de7823aa0cc1f4aa74f9c23836f00077ad17f75
Opcode Fuzzy Hash: cc4bcf184489d3d00f48a5edf9d98b64a366116ceacf4c8e6f2baa0ccc08aa6e
Instruction Fuzzy Hash: 9D118230A0965E5FDB54EF64C4696BD7BE0FF18301F0104BAD429C21A1EE799650CB00

Function 00007FFD9BAB3515 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e9ceceb40b2833d3fb20c69b15354699dea994f11306bd0996d12cb35f7704
Instruction ID: 91d21dd7853742205c0fb618b48fa67b5bf3b4052a25a581801e74b06b01da7a
Opcode Fuzzy Hash: e3e9ceceb40b2833d3fb20c69b15354699dea994f11306bd0996d12cb35f7704
Instruction Fuzzy Hash: BB113070A0965E8FDB59EF64C8696BD7BE0FF18300F4105BED429C61A2DA75A5408B00

Function 00007FFD9BAC2745 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07439ed376ac3385f43108ea4a1a364e4c8ad1f626d661b48fde720e266c833b
Instruction ID: a22cf76d09d8095ba8a6aecd4d21e7c40624675e0297ada1ecdb24ea8def1939
Opcode Fuzzy Hash: 07439ed376ac3385f43108ea4a1a364e4c8ad1f626d661b48fde720e266c833b
Instruction Fuzzy Hash: D301D83090574D8FDB58EBA0C4A41B977A0FF19304F5204BED40DC30E2DE75A650CB00

Function 00007FFD9BAB2F01 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06432aab314566022b63f40bdcc3edbb6d47f796b168b0410f54db23fa5cb4d9
Instruction ID: 47776095ef6951a12bac9d668909163b27494c9ee5372ed800ac0e433e817aa7
Opcode Fuzzy Hash: 06432aab314566022b63f40bdcc3edbb6d47f796b168b0410f54db23fa5cb4d9
Instruction Fuzzy Hash: AC01B170A1A65E4FE761EBB484595A97BE0EF19300F0649B6D428C60B2EA74E2548B00

Function 00007FFD9BAC2C2E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6424939deed716207cc779b45068e46a40e68d6fd2ea8b174fe25a52e9934ea
Instruction ID: 3c8e1620c4cfa1f782948a927527026c6a329b4fbda104acb358c853582bb6a8
Opcode Fuzzy Hash: a6424939deed716207cc779b45068e46a40e68d6fd2ea8b174fe25a52e9934ea
Instruction Fuzzy Hash: 63115B70E1952E8EDBA4EB58C855BFDB7B1FB69301F0141A9C01DE3291DAB46A808F40

Function 00007FFD9BAC7C49 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d562115e5a1394cc5fe1f77f83e0a8055bec288f9c6d79073cd9d3ebfc4d9a4d
Instruction ID: d3cd1194c0dfc99edef47aa98cdecf5ed04b9d847e3707255c3084910dfe3a2e
Opcode Fuzzy Hash: d562115e5a1394cc5fe1f77f83e0a8055bec288f9c6d79073cd9d3ebfc4d9a4d
Instruction Fuzzy Hash: B1018030A0E68E4FDBA9AF6488655B97BA0EF15304F0604BED019C70E3DA65AA54C701

Function 00007FFD9BAB28DD Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32e37a2a4d88850f5be84e1e1e010e9b6d6cf645fe4346df11694d084284db9
Instruction ID: 71034f8237bd3e16c75fea7876b4f60309e323ba76d35f32175be135c3dd5fda
Opcode Fuzzy Hash: b32e37a2a4d88850f5be84e1e1e010e9b6d6cf645fe4346df11694d084284db9
Instruction Fuzzy Hash: 8E017131E1A65E4FE765EBB488986B97FE0EF19300F4245B6D42CC70B6EA74E644CB01

Function 00007FFD9BABAA59 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db4cb4cb8753cd770dab5d07ea9a086c6cb3b5c4ce8bb1f9d7aaa68c818fe20
Instruction ID: c65f3b47372a874141c3dbb020f4a9e2dfbab82b4dd210969bc72f94dc94e50d
Opcode Fuzzy Hash: 2db4cb4cb8753cd770dab5d07ea9a086c6cb3b5c4ce8bb1f9d7aaa68c818fe20
Instruction Fuzzy Hash: 7501FC30A0E24E4FD762EBB4C5691A97FE0EF19300F4644F7D418C70B2EE74A5448B11

Function 00007FFD9BAC7CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc371026cf9654aa7a5552618716148db958a72e63fe0810ef068e5ad4988bd7
Instruction ID: e6acb8f1a56f66b2de5d865b1406e2a2c9e965cae7172bdb13caeb1a90bdbfec
Opcode Fuzzy Hash: cc371026cf9654aa7a5552618716148db958a72e63fe0810ef068e5ad4988bd7
Instruction Fuzzy Hash: 50017130A4A64E8FDB59EF64C4A55BA7BA0FF09304F1104BEE419C70A2DB75AA50CB41

Function 00007FFD9BAC76A9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4560cc711cc530c15a92bbf4960b53ac66f037f2ace2e5af380616a97ee85f42
Instruction ID: e8bf27292c7995961359686b7c681669a8941c6003485cfe99e29c4cff97cee6
Opcode Fuzzy Hash: 4560cc711cc530c15a92bbf4960b53ac66f037f2ace2e5af380616a97ee85f42
Instruction Fuzzy Hash: F6018F30A4E24A4FE352FB7888695B97BA0EF16300F0649F3D418CB0B6DA38A944CB11

Function 00007FFD9BAB2F79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4548eef3371a77ebdb5460dd934f4e396a8446ce61ea182afb0af03c0b140da
Instruction ID: 0508070ac60313d0e5c3f976179a2f72f2e4fc4525d06cf3723ef26e54497061
Opcode Fuzzy Hash: f4548eef3371a77ebdb5460dd934f4e396a8446ce61ea182afb0af03c0b140da
Instruction Fuzzy Hash: 7C018870A4E78D4FD751A7B484695A97FE0EF5A300F0644F7D418CB0B6DA74A5588B01

Function 00007FFD9BAB05D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97801dc2e1ac9505d99acdb7bf974dfcd83828890b485dfc02df54073b41ec1e
Instruction ID: 2eb7bbbe0280f96980cd90f83baeaa6cd7caa183e0ec1241acdcb58c25228a63
Opcode Fuzzy Hash: 97801dc2e1ac9505d99acdb7bf974dfcd83828890b485dfc02df54073b41ec1e
Instruction Fuzzy Hash: 5C018430A1551E8FDB98EF64C0646BA77E1EF68305F61447DD41EC21A4CA75A650CF40

Function 00007FFD9BAB0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21c77b9919c09b6eec20733170208c9d2b65bb11a27161bcdab07f9e3b3cac3
Instruction ID: 3b8a2c2e83c0eed9414a14a517aacfe3e8fa7d9acee2257cb1253bd8199ec086
Opcode Fuzzy Hash: e21c77b9919c09b6eec20733170208c9d2b65bb11a27161bcdab07f9e3b3cac3
Instruction Fuzzy Hash: C0016230A1561E8AEB58EBE4D4686B977A0FF19305F11047FD42EC61E5DF75A550CA00

Function 00007FFD9BAB0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d102e1a47e3cb55c4227af5d6d341c6d75cf49c4ce1a992c8720ead6bc0e98c
Instruction ID: bdfd9b72eaa89e3d1e62836a5f060f48e518b5813203d797e8bc269639027320
Opcode Fuzzy Hash: 8d102e1a47e3cb55c4227af5d6d341c6d75cf49c4ce1a992c8720ead6bc0e98c
Instruction Fuzzy Hash: DE018130A1560E8BEB68EFE4D4696B977A0FF18305F51487FE42EC21E5DF75A650CA00

Function 00007FFD9BAB1D0D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a418cfd0659028fd95dbe767ae51527b637c921143eba2dc0fb6a4a57f695d
Instruction ID: d9e98c27ca5db0f161bf7f0e20b082cba48609a9dcb3259c77423f863730e897
Opcode Fuzzy Hash: 07a418cfd0659028fd95dbe767ae51527b637c921143eba2dc0fb6a4a57f695d
Instruction Fuzzy Hash: 6501D630A1A68E8FDBA9DF5484652B93BA0EF65300F5100BAD41CC71A2DAB59550CB40

Function 00007FFD9BABAAC5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81a088d3953f95d84a2d531a8fe4e638a5d8935c098c4fd63db211d84b80160
Instruction ID: c1a11c307be54e00af0d71191f6eea48d7e72a812b6ca95d628bf019323d8c75
Opcode Fuzzy Hash: c81a088d3953f95d84a2d531a8fe4e638a5d8935c098c4fd63db211d84b80160
Instruction Fuzzy Hash: B9F0F431A0F39E4FD362AB7499B11E97FA09F42215F0A45FBC088CA0E3DD6C54058720

Function 00007FFD9BAB0F00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e6c5a969077d35adbdef6b7ae117ae6296d7b0e50ea0d80af88762897df7cc
Instruction ID: 2c6b06d57682c988cc5146cc43cbac8158d561a13dec58918578b06d66f756ae
Opcode Fuzzy Hash: 56e6c5a969077d35adbdef6b7ae117ae6296d7b0e50ea0d80af88762897df7cc
Instruction Fuzzy Hash: D8019230F0951E8BE774DB55C850AEAB3B1AB50710F008369C41A972A4DE746A49CF84

Function 00007FFD9BAB27F9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddca514eab9c019979cdddf19fa7127dbc4a841fe0817fd6497ebec91fbefd3c
Instruction ID: 556df1567e95bdf1b559d2b7677bc53fddd2068b9ea5347bf155ef699bed502a
Opcode Fuzzy Hash: ddca514eab9c019979cdddf19fa7127dbc4a841fe0817fd6497ebec91fbefd3c
Instruction Fuzzy Hash: 43F0C83190E38D4FD7699FA088651E93F60BF15200F4604BBE458C60E3DA789504CB01

Function 00007FFD9BABBD46 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1782aaffd6152c93e65dba499fb07e1fb604e184d571e6b8da3a53efbeb59a
Instruction ID: 78ebc97f96f37fb2db163ad6c4edb0310cf5aa37e4bf672e6c2172b2f3db1d3c
Opcode Fuzzy Hash: 5c1782aaffd6152c93e65dba499fb07e1fb604e184d571e6b8da3a53efbeb59a
Instruction Fuzzy Hash: 5601D270A0562D9FEB60DF84C8A47ECB7F1FB18301F11023AE419E3290DBB86A44CB10

Function 00007FFD9BAB286D Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a29f7c30045aef764db47bc33202c3146b36c8bb3bfaedeff9b40bdd221a8d
Instruction ID: 7bcf82ea3ccc2d46b2cc41df2d9c726f7f86f7d0ad6173af8d6c4cc5ed7c4ea8
Opcode Fuzzy Hash: e7a29f7c30045aef764db47bc33202c3146b36c8bb3bfaedeff9b40bdd221a8d
Instruction Fuzzy Hash: 2DF0B43191A78E8BEB689FE494652F93FA0FF56300F4204BBE429C51E6DF78E5508B00

Function 00007FFD9BAB0F5F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee503aa56c95c08e01767f446ab4ccfdbdb4ed6aab2ce0330f56398ef21c5d9
Instruction ID: 031353dcf26dc294a903293eec8cb8e8a3cc6fcf7052562f8a64838ec19e46fa
Opcode Fuzzy Hash: 6ee503aa56c95c08e01767f446ab4ccfdbdb4ed6aab2ce0330f56398ef21c5d9
Instruction Fuzzy Hash: A1F03030B0591E8BEB60DB48CC50FAEB371EB54311F108266D419D3254CE745A858F84

Function 00007FFD9BAC2CC6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129fbaf3d633461b3c3e35fb0a0bf4e79fb37ba496557c06830bdddc4011c84c
Instruction ID: fd867566721dc2303979c5110a4a33c8a0117e04379232373173edf96074235c
Opcode Fuzzy Hash: 129fbaf3d633461b3c3e35fb0a0bf4e79fb37ba496557c06830bdddc4011c84c
Instruction Fuzzy Hash: 42D0E220E0952E8EEB60EBE8C4A9AACAAB0EF16304F110039C019A31A2DE7C25408F10

Function 00007FFD9BAB11B6 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bab0000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78373d8f96d9c2ba925e3ab8532e17776f1f23c91976e2fc1444358e497175da
Instruction ID: 088edcb79f621caaecbc9e42080fde800766c5d9ff02c8d5ab75eba2b995434b
Opcode Fuzzy Hash: 78373d8f96d9c2ba925e3ab8532e17776f1f23c91976e2fc1444358e497175da
Instruction Fuzzy Hash: B2C08C30D2265E8FEB64EF94AC214FDB370FF48204F401176E42CE3092DFB026108A80

Non-executed Functions

Function 00007FFD9BAC10F0 Relevance: 8.9, Strings: 7, Instructions: 184COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAC1722
[, xrefs: 00007FFD9BAC14F0
", xrefs: 00007FFD9BAC1718
}, xrefs: 00007FFD9BAC117C
$, xrefs: 00007FFD9BAC1912
], xrefs: 00007FFD9BAC1777
/, xrefs: 00007FFD9BAC198A

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: "$$$-$/$[$]$}
API String ID: 0-3346241342
Opcode ID: 461d49c0e039345e1586c75c9af080cefe8b12f509a1deec3f22a684d2e4f320
Instruction ID: ffdb973a403d3ecdbc5d7779ebf472aa193cf40521c06c150880e65a38bb6302
Opcode Fuzzy Hash: 461d49c0e039345e1586c75c9af080cefe8b12f509a1deec3f22a684d2e4f320
Instruction Fuzzy Hash: BD81C570E0962D8FEBA8DF95C8A47FDB6B1BB54301F1145BAD00EA7291CB785A84DF40

Function 00007FFD9BAC1446 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAC1377
%, xrefs: 00007FFD9BAC1345
,, xrefs: 00007FFD9BAC1450
/, xrefs: 00007FFD9BAC198A
{, xrefs: 00007FFD9BAC133B

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: %$,$-$/${
API String ID: 0-3562811445
Opcode ID: 931009058795e4fb5b4e114c431f09ce23dbfce87db316376303ee3770add370
Instruction ID: 199ff9c5c2897937f74af409b75091ed6466f342200c792d21791ec855cf36c4
Opcode Fuzzy Hash: 931009058795e4fb5b4e114c431f09ce23dbfce87db316376303ee3770add370
Instruction Fuzzy Hash: 1B21D470B0522E8BEB68DF90D8A47FDB7B1AF54311F05457AD40EAB2A0CB785A84CB00

Function 00007FFD9BABEDE7 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFD9BABEB72
', xrefs: 00007FFD9BABEE20
[, xrefs: 00007FFD9BABEE55
H, xrefs: 00007FFD9BABEB7F
<, xrefs: 00007FFD9BABEDF5

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: '$<$H$[$\
API String ID: 0-978586023
Opcode ID: 70811a1f5260896d409af6c46a8f5f8b3ad5adb04a426629b3f03a87309b0cde
Instruction ID: 2c0c74aa8cfa6457fad5c9bf4aaa1c9b6aac33a6f618f9d3f2f54fe1d4220a7b
Opcode Fuzzy Hash: 70811a1f5260896d409af6c46a8f5f8b3ad5adb04a426629b3f03a87309b0cde
Instruction Fuzzy Hash: AC21F970E0926ECFDBA8DF50D8607A9B7B1BB55301F1145BEC41AA6290CB786E84CF40

Function 00007FFD9BABE713 Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BABE689
=, xrefs: 00007FFD9BABE7A6
, xrefs: 00007FFD9BABE6C9
^, xrefs: 00007FFD9BABE828

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baba000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: $=$I$^
API String ID: 0-3128807046
Opcode ID: f82c77b2feb001e49c4c038ad54664dcba24dc9fbadd0db70e896da7f47f4698
Instruction ID: c51a239b13dae317ecfa199662a4714d8e5cb814eb303b59dbde7ec18ac190b6
Opcode Fuzzy Hash: f82c77b2feb001e49c4c038ad54664dcba24dc9fbadd0db70e896da7f47f4698
Instruction Fuzzy Hash: 3151A570E0962D8FDBA8DF54C8A57A9B7B1FB55301F1141EED41EA22A1CB746E81CF40

Function 00007FFD9BAC132A Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAC1377
%, xrefs: 00007FFD9BAC1345
/, xrefs: 00007FFD9BAC198A
{, xrefs: 00007FFD9BAC133B

Memory Dump Source

Source File: 00000022.00000002.1888476644.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac1000_mmeUVmNHPOdst.jbxd

Similarity

API ID:
String ID: %$-$/${
API String ID: 0-2415596918
Opcode ID: 8e0d11e9fb33994c6314699794577981ec387bfd80d1aea026ea80901737cd49
Instruction ID: 86a7fa18661d39867947a6f7e0350b4c4bff36355f3369b1c3523895de53052b
Opcode Fuzzy Hash: 8e0d11e9fb33994c6314699794577981ec387bfd80d1aea026ea80901737cd49
Instruction Fuzzy Hash: E421D270F0522E8BEB68DF91D8A47FDB7B2AB54311F01456AD40EAB290CB785A84DF00

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c62q1qZ8kX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Java\jre-1.8\lib\applet\24dbde2999530e

C:\Program Files (x86)\Java\jre-1.8\lib\applet\WmiPrvSE.exe

C:\Program Files (x86)\Microsoft OneDrive\setup\logs\6ccacd8608530f

C:\Program Files (x86)\Microsoft OneDrive\setup\logs\Idle.exe

C:\Program Files\7-Zip\Lang\22eafd247d37c3

C:\Program Files\7-Zip\Lang\TextInputHost.exe

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe

C:\Program Files\Windows Defender\en-US\1824f7f43360d2

C:\Program Files\Windows Defender\en-US\mmeUVmNHPOdst.exe

C:\Program Files\Windows NT\Accessories\en-GB\088424020bedd6

C:\Program Files\Windows NT\Accessories\en-GB\conhost.exe

C:\Recovery\1824f7f43360d2

C:\Recovery\mmeUVmNHPOdst.exe

C:\Users\Default\1824f7f43360d2

C:\Users\Default\AppData\Local\Microsoft\Windows\History\1824f7f43360d2

Windows Analysis Report
c62q1qZ8kX.exe