Edit tour

Windows Analysis Report
Arrival_Notice.bat.exe

Overview

General Information

Sample name:	Arrival_Notice.bat.exe
Analysis ID:	1592064
MD5:	4a3e89823f63f74eb56bd268f0c697c1
SHA1:	3fa8133b2c2b19bfbcf8110a58b0a01b0b82fbce
SHA256:	a938112a54a6d8f1cb129c26253d2c11b2285837131c33d702a9e0cb5411c929
Tags:	batexeuser-abuse_ch
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Arrival_Notice.bat.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\Arrival_Notice.bat.exe" MD5: 4A3E89823F63F74EB56BD268F0C697C1)

powershell.exe (PID: 3232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7440 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 6976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjiCFnur.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5900 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7348 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

mjiCFnur.exe (PID: 7416 cmdline: C:\Users\user\AppData\Roaming\mjiCFnur.exe MD5: 4A3E89823F63F74EB56BD268F0C697C1)

schtasks.exe (PID: 7676 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.1626748999.0000000000E70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1396043095.0000000005590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1389360953.0000000002B06000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.1617781341.000000000296D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Arrival_Notice.bat.exe PID: 7160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mjiCFnur.exe PID: 7416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Arrival_Notice.bat.exe.5590000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Arrival_Notice.bat.exe.2da1614.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
12.2.mjiCFnur.exe.2d415f8.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Arrival_Notice.bat.exe.5590000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Arrival_Notice.bat.exe.2da1614.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.mjiCFnur.exe.2d415f8.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.mjiCFnur.exe.2b1f7ec.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Arrival_Notice.bat.exe.2b7f808.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival_Notice.bat.exe", ParentImage: C:\Users\user\Desktop\Arrival_Notice.bat.exe, ParentProcessId: 7160, ParentProcessName: Arrival_Notice.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe", ProcessId: 3232, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\mjiCFnur.exe, ParentImage: C:\Users\user\AppData\Roaming\mjiCFnur.exe, ParentProcessId: 7416, ParentProcessName: mjiCFnur.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp", ProcessId: 7676, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival_Notice.bat.exe", ParentImage: C:\Users\user\Desktop\Arrival_Notice.bat.exe, ParentProcessId: 7160, ParentProcessName: Arrival_Notice.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp", ProcessId: 5900, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival_Notice.bat.exe", ParentImage: C:\Users\user\Desktop\Arrival_Notice.bat.exe, ParentProcessId: 7160, ParentProcessName: Arrival_Notice.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe", ProcessId: 3232, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival_Notice.bat.exe", ParentImage: C:\Users\user\Desktop\Arrival_Notice.bat.exe, ParentProcessId: 7160, ParentProcessName: Arrival_Notice.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp", ProcessId: 5900, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Virustotal: Detection: 41%			Perma Link
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: Arrival_Notice.bat.exe	Virustotal: Detection: 41%			Perma Link
Source: Arrival_Notice.bat.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1626748999.0000000000E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Arrival_Notice.bat.exe

Joe Sandbox ML: detected

Source: Arrival_Notice.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Arrival_Notice.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp

Source: Arrival_Notice.bat.exe, mjiCFnur.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Arrival_Notice.bat.exe, mjiCFnur.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Arrival_Notice.bat.exe, mjiCFnur.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Arrival_Notice.bat.exe, 00000000.00000002.1389360953.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, mjiCFnur.exe, 0000000C.00000002.1617781341.000000000296D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Arrival_Notice.bat.exe, mjiCFnur.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1626748999.0000000000E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Arrival_Notice.bat.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0042CA33 NtClose,	11_2_0042CA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_00FB2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_00FB2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB35C0 NtCreateMutant,LdrInitializeThunk,	11_2_00FB35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB4340 NtSetContextThread,	11_2_00FB4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB4650 NtSuspendThread,	11_2_00FB4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2AF0 NtWriteFile,	11_2_00FB2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2AD0 NtReadFile,	11_2_00FB2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2AB0 NtWaitForSingleObject,	11_2_00FB2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2BF0 NtAllocateVirtualMemory,	11_2_00FB2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2BE0 NtQueryValueKey,	11_2_00FB2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2BA0 NtEnumerateValueKey,	11_2_00FB2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2B80 NtQueryInformationFile,	11_2_00FB2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2B60 NtClose,	11_2_00FB2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2CF0 NtOpenProcess,	11_2_00FB2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2CC0 NtQueryVirtualMemory,	11_2_00FB2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2CA0 NtQueryInformationToken,	11_2_00FB2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2C60 NtCreateKey,	11_2_00FB2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2C00 NtQueryInformationProcess,	11_2_00FB2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2DD0 NtDelayExecution,	11_2_00FB2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2DB0 NtEnumerateKey,	11_2_00FB2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2D30 NtUnmapViewOfSection,	11_2_00FB2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2D10 NtMapViewOfSection,	11_2_00FB2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2D00 NtSetInformationFile,	11_2_00FB2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2EE0 NtQueueApcThread,	11_2_00FB2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2EA0 NtAdjustPrivilegesToken,	11_2_00FB2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2E80 NtReadVirtualMemory,	11_2_00FB2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2E30 NtWriteVirtualMemory,	11_2_00FB2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2FE0 NtCreateFile,	11_2_00FB2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2FB0 NtResumeThread,	11_2_00FB2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2FA0 NtQuerySection,	11_2_00FB2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2F90 NtProtectVirtualMemory,	11_2_00FB2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2F60 NtCreateProcessEx,	11_2_00FB2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2F30 NtCreateSection,	11_2_00FB2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB3090 NtSetValueKey,	11_2_00FB3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB3010 NtOpenDirectoryObject,	11_2_00FB3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB39B0 NtGetContextThread,	11_2_00FB39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB3D70 NtOpenThread,	11_2_00FB3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB3D10 NtOpenProcessToken,	11_2_00FB3D10

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_00D2E0CC	0_2_00D2E0CC
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C75D40	0_2_06C75D40
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C768B0	0_2_06C768B0
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C7D599	0_2_06C7D599
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C7F520	0_2_06C7F520
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C7DE09	0_2_06C7DE09
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C7DE18	0_2_06C7DE18
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C74B20	0_2_06C74B20
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C74B30	0_2_06C74B30
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C7689F	0_2_06C7689F
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C7D9CF	0_2_06C7D9CF
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C875E8	0_2_06C875E8
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C89F50	0_2_06C89F50
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C875E1	0_2_06C875E1
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C84590	0_2_06C84590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0042F043	11_2_0042F043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004100DA	11_2_004100DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004100E3	11_2_004100E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004029D8	11_2_004029D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004029E0	11_2_004029E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00401200	11_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E2D9	11_2_0040E2D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00416AE3	11_2_00416AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E2E3	11_2_0040E2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00410303	11_2_00410303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402328	11_2_00402328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402330	11_2_00402330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E427	11_2_0040E427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040E433	11_2_0040E433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_004025B0	11_2_004025B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402ED6	11_2_00402ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402EE0	11_2_00402EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101A118	11_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01008158	11_2_01008158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010341A2	11_2_010341A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010401AA	11_2_010401AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010381CC	11_2_010381CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70100	11_2_00F70100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103A352	11_2_0103A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010403E6	11_2_010403E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E3F0	11_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010002C0	11_2_010002C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01040591	11_2_01040591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01024420	11_2_01024420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01032446	11_2_01032446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80535	11_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102E4F6	11_2_0102E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9C6E0	11_2_00F9C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7C7C0	11_2_00F7C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA4750	11_2_00FA4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE8F0	11_2_00FAE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F668B8	11_2_00F668B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0104A9A6	11_2_0104A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8A840	11_2_00F8A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F82840	11_2_00F82840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F96962	11_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103AB40	11_2_0103AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01036BD7	11_2_01036BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70CF2	11_2_00F70CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101CD1F	11_2_0101CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80C00	11_2_00F80C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7ADE0	11_2_00F7ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F98DBF	11_2_00F98DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020CB5	11_2_01020CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8AD00	11_2_00F8AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01022F30	11_2_01022F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F92E90	11_2_00F92E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80E59	11_2_00F80E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8CFE0	11_2_00F8CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103EE26	11_2_0103EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F72FC8	11_2_00F72FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFEFA0	11_2_00FFEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103CE93	11_2_0103CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF4F40	11_2_00FF4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA0F30	11_2_00FA0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC2F28	11_2_00FC2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103EEDB	11_2_0103EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F870C0	11_2_00F870C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0104B16B	11_2_0104B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8B1B0	11_2_00F8B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6F172	11_2_00F6F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB516C	11_2_00FB516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102F0CC	11_2_0102F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103F0E0	11_2_0103F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010370E9	11_2_010370E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103132D	11_2_0103132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9B2C0	11_2_00F9B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F852A0	11_2_00F852A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC739A	11_2_00FC739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6D34C	11_2_00F6D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010212ED	11_2_010212ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01037571	11_2_01037571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F71460	11_2_00F71460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101D5B0	11_2_0101D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010495C3	11_2_010495C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103F43F	11_2_0103F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103F7B0	11_2_0103F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC5630	11_2_00FC5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010316CC	11_2_010316CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01015910	11_2_01015910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F838E0	11_2_00F838E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FED800	11_2_00FED800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F89950	11_2_00F89950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9B950	11_2_00F9B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC5AA0	11_2_00FC5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103FB76	11_2_0103FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF3A6C	11_2_00FF3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FBDBF9	11_2_00FBDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF5BF0	11_2_00FF5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01037A46	11_2_01037A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103FA49	11_2_0103FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9FB80	11_2_00F9FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01021AA3	11_2_01021AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101DAAC	11_2_0101DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102DAC6	11_2_0102DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01031D5A	11_2_01031D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01037D73	11_2_01037D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF9C32	11_2_00FF9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9FDC0	11_2_00F9FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F83D40	11_2_00F83D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103FCF2	11_2_0103FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103FF09	11_2_0103FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F89EB0	11_2_00F89EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103FFB1	11_2_0103FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F43FD5	11_2_00F43FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F43FD2	11_2_00F43FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F81F92	11_2_00F81F92
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_00B3E0CC	12_2_00B3E0CC
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_00B34AE0	12_2_00B34AE0
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069F5D40	12_2_069F5D40
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069F68B0	12_2_069F68B0
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069FD599	12_2_069FD599
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069FF520	12_2_069FF520
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069FDE18	12_2_069FDE18
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069FDE09	12_2_069FDE09
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069F4B30	12_2_069F4B30
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069F4B20	12_2_069F4B20
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069F689F	12_2_069F689F
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069F683F	12_2_069F683F
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069FD9CF	12_2_069FD9CF
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_06A075E8	12_2_06A075E8
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_06A09F50	12_2_06A09F50
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_06A04590	12_2_06A04590
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_08490040	12_2_08490040
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_08496418	12_2_08496418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01950100	18_2_01950100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019A6000	18_2_019A6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019E02C0	18_2_019E02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01960535	18_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0195C7C0	18_2_0195C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01984750	18_2_01984750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01960770	18_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0197C6E0	18_2_0197C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019629A0	18_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01976962	18_2_01976962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01998890	18_2_01998890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019468B8	18_2_019468B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0198E8F0	18_2_0198E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01962840	18_2_01962840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0196A840	18_2_0196A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0195EA80	18_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01978DBF	18_2_01978DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01968DC0	18_2_01968DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0195ADE0	18_2_0195ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0196AD00	18_2_0196AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0196ED7A	18_2_0196ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01950CF2	18_2_01950CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01960C00	18_2_01960C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019DEFA0	18_2_019DEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01952FC8	18_2_01952FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01980F30	18_2_01980F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019A2F28	18_2_019A2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019D4F40	18_2_019D4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01972E90	18_2_01972E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01960E59	18_2_01960E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0196B1B0	18_2_0196B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0194F172	18_2_0194F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0199516C	18_2_0199516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019633F3	18_2_019633F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0194D34C	18_2_0194D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019652A0	18_2_019652A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0197B2C0	18_2_0197B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0197D2F0	18_2_0197D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01963497	18_2_01963497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019A74E0	18_2_019A74E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01951460	18_2_01951460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0196B730	18_2_0196B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01965990	18_2_01965990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01969950	18_2_01969950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0197B950	18_2_0197B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019638E0	18_2_019638E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019CD800	18_2_019CD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0197FB80	18_2_0197FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0199DBF9	18_2_0199DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019D5BF0	18_2_019D5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019D3A6C	18_2_019D3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0197FDC0	18_2_0197FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01963D40	18_2_01963D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019D9C32	18_2_019D9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01979C20	18_2_01979C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01961F92	18_2_01961F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01969EB0	18_2_01969EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00FB5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00FEEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019A7E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00FFF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019CEA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00FC7E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00F6B970 appears 277 times

Source: Arrival_Notice.bat.exe

Static PE information: invalid certificate

Source: Arrival_Notice.bat.exe, 00000000.00000002.1389360953.0000000002B06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000002.1396888754.0000000008448000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename$c vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000002.1396888754.0000000008448000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqEjd.exe: vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000002.1385104344.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000002.1396043095.0000000005590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000002.1397487810.0000000008910000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000002.1392224859.00000000039C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000000.1283869792.00000000006F0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameqEjd.exe: vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe, 00000000.00000002.1389360953.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Arrival_Notice.bat.exe
Source: Arrival_Notice.bat.exe	Binary or memory string: OriginalFilenameqEjd.exe: vs Arrival_Notice.bat.exe

Source: Arrival_Notice.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Arrival_Notice.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mjiCFnur.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@23/15@0/0

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

File created: C:\Users\user\AppData\Roaming\mjiCFnur.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZpvNoKgnIAxCeUNkGdGtBaLlh
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA612.tmp

Jump to behavior

Source: Arrival_Notice.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Arrival_Notice.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Arrival_Notice.bat.exe	Virustotal: Detection: 41%
Source: Arrival_Notice.bat.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

File read: C:\Users\user\Desktop\Arrival_Notice.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Arrival_Notice.bat.exe "C:\Users\user\Desktop\Arrival_Notice.bat.exe"
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjiCFnur.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mjiCFnur.exe C:\Users\user\AppData\Roaming\mjiCFnur.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjiCFnur.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Arrival_Notice.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Arrival_Notice.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Code function: 0_2_06C74236 push dword ptr [ebp+01h]; ret	0_2_06C7423B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041F842 push FFFFFFFEh; retf	11_2_0041F857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00402804 pushad ; iretd	11_2_00402809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00403160 push eax; ret	11_2_00403162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0040696F push es; ret	11_2_00406970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00416123 push esi; retf	11_2_0041612E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041A930 push esp; iretd	11_2_0041A946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00411A0C push ebx; ret	11_2_00411A0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00408294 push ebx; retf	11_2_00408296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00423CCF push ebp; retf	11_2_00423CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00413E40 push ecx; iretd	11_2_00413E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00413E72 push ecx; iretd	11_2_00413E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0041F632 push ebx; retf	11_2_0041F633
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00417713 push ds; iretd	11_2_00417716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F4225F pushad ; ret	11_2_00F427F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F427FA pushad ; ret	11_2_00F427F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F4283D push eax; iretd	11_2_00F42858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F709AD push ecx; mov dword ptr [esp], ecx	11_2_00F709B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F41200 push eax; iretd	11_2_00F41369
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_04E1E0E8 push eax; ret	12_2_04E1E0F5
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_04E1D508 push eax; mov dword ptr [esp], ecx	12_2_04E1D51C
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_04E1D6B5 push eax; ret	12_2_04E1D6B6
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_04E1DFF0 push eax; ret	12_2_04E1E023
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069F4236 push dword ptr [ebp+01h]; ret	12_2_069F423B
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069FB1E3 push ss; retf	12_2_069FB1E5
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Code function: 12_2_069FAA05 push ds; retf	12_2_069FAA07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0199C54D pushfd ; ret	18_2_0199C54E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0199C54F push 8B019267h; ret	18_2_0199C554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_019509AD push ecx; mov dword ptr [esp], ecx	18_2_019509B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0199C9D7 push edi; ret	18_2_0199C9D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01921368 push eax; iretd	18_2_01921369

Source: Arrival_Notice.bat.exe	Static PE information: section name: .text entropy: 7.7562159370679815
Source: mjiCFnur.exe.0.dr	Static PE information: section name: .text entropy: 7.7562159370679815

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

File created: C:\Users\user\AppData\Roaming\mjiCFnur.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Arrival_Notice.bat.exe PID: 7160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mjiCFnur.exe PID: 7416, type: MEMORYSTR

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Memory allocated: 8AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Memory allocated: 9AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Memory allocated: 9CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Memory allocated: ACA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory allocated: B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory allocated: 8890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory allocated: 9890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory allocated: 9A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory allocated: AA90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_00FB096E rdtsc

11_2_00FB096E

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5224			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5508			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.3 %

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe TID: 2684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7388	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe TID: 7516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: mjiCFnur.exe, 0000000C.00000002.1593294466.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mjiCFnur.exe, 0000000C.00000002.1637637011.0000000006F56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: mjiCFnur.exe, 0000000C.00000002.1593294466.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8
Source: Arrival_Notice.bat.exe, 00000000.00000002.1397487810.0000000008910000.00000004.08000000.00040000.00000000.sdmp, Arrival_Notice.bat.exe, 00000000.00000002.1392224859.00000000039C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hGFSyx7kLM

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_00FB096E rdtsc

11_2_00FB096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 11_2_00417A73 LdrLoadDll,

11_2_00417A73

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6C0F0 mov eax, dword ptr fs:[00000030h]	11_2_00F6C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB20F0 mov ecx, dword ptr fs:[00000030h]	11_2_00FB20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov eax, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov ecx, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov eax, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov eax, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov ecx, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov eax, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov eax, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov ecx, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov eax, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E10E mov ecx, dword ptr fs:[00000030h]	11_2_0101E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6A0E3 mov ecx, dword ptr fs:[00000030h]	11_2_00F6A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01030115 mov eax, dword ptr fs:[00000030h]	11_2_01030115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101A118 mov ecx, dword ptr fs:[00000030h]	11_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101A118 mov eax, dword ptr fs:[00000030h]	11_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101A118 mov eax, dword ptr fs:[00000030h]	11_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101A118 mov eax, dword ptr fs:[00000030h]	11_2_0101A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F780E9 mov eax, dword ptr fs:[00000030h]	11_2_00F780E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF60E0 mov eax, dword ptr fs:[00000030h]	11_2_00FF60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF20DE mov eax, dword ptr fs:[00000030h]	11_2_00FF20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01004144 mov eax, dword ptr fs:[00000030h]	11_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01004144 mov eax, dword ptr fs:[00000030h]	11_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01004144 mov ecx, dword ptr fs:[00000030h]	11_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01004144 mov eax, dword ptr fs:[00000030h]	11_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01004144 mov eax, dword ptr fs:[00000030h]	11_2_01004144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F680A0 mov eax, dword ptr fs:[00000030h]	11_2_00F680A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01008158 mov eax, dword ptr fs:[00000030h]	11_2_01008158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044164 mov eax, dword ptr fs:[00000030h]	11_2_01044164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044164 mov eax, dword ptr fs:[00000030h]	11_2_01044164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7208A mov eax, dword ptr fs:[00000030h]	11_2_00F7208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01014180 mov eax, dword ptr fs:[00000030h]	11_2_01014180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01014180 mov eax, dword ptr fs:[00000030h]	11_2_01014180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102C188 mov eax, dword ptr fs:[00000030h]	11_2_0102C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102C188 mov eax, dword ptr fs:[00000030h]	11_2_0102C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9C073 mov eax, dword ptr fs:[00000030h]	11_2_00F9C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F72050 mov eax, dword ptr fs:[00000030h]	11_2_00F72050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6050 mov eax, dword ptr fs:[00000030h]	11_2_00FF6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010361C3 mov eax, dword ptr fs:[00000030h]	11_2_010361C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010361C3 mov eax, dword ptr fs:[00000030h]	11_2_010361C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6A020 mov eax, dword ptr fs:[00000030h]	11_2_00F6A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6C020 mov eax, dword ptr fs:[00000030h]	11_2_00F6C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010461E5 mov eax, dword ptr fs:[00000030h]	11_2_010461E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E016 mov eax, dword ptr fs:[00000030h]	11_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E016 mov eax, dword ptr fs:[00000030h]	11_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E016 mov eax, dword ptr fs:[00000030h]	11_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E016 mov eax, dword ptr fs:[00000030h]	11_2_00F8E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF4000 mov ecx, dword ptr fs:[00000030h]	11_2_00FF4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01012000 mov eax, dword ptr fs:[00000030h]	11_2_01012000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA01F8 mov eax, dword ptr fs:[00000030h]	11_2_00FA01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]	11_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]	11_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE1D0 mov ecx, dword ptr fs:[00000030h]	11_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]	11_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE1D0 mov eax, dword ptr fs:[00000030h]	11_2_00FEE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01006030 mov eax, dword ptr fs:[00000030h]	11_2_01006030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF019F mov eax, dword ptr fs:[00000030h]	11_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF019F mov eax, dword ptr fs:[00000030h]	11_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF019F mov eax, dword ptr fs:[00000030h]	11_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF019F mov eax, dword ptr fs:[00000030h]	11_2_00FF019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6A197 mov eax, dword ptr fs:[00000030h]	11_2_00F6A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6A197 mov eax, dword ptr fs:[00000030h]	11_2_00F6A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6A197 mov eax, dword ptr fs:[00000030h]	11_2_00F6A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB0185 mov eax, dword ptr fs:[00000030h]	11_2_00FB0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6C156 mov eax, dword ptr fs:[00000030h]	11_2_00F6C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76154 mov eax, dword ptr fs:[00000030h]	11_2_00F76154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76154 mov eax, dword ptr fs:[00000030h]	11_2_00F76154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010080A8 mov eax, dword ptr fs:[00000030h]	11_2_010080A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010360B8 mov eax, dword ptr fs:[00000030h]	11_2_010360B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010360B8 mov ecx, dword ptr fs:[00000030h]	11_2_010360B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA0124 mov eax, dword ptr fs:[00000030h]	11_2_00FA0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F802E1 mov eax, dword ptr fs:[00000030h]	11_2_00F802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F802E1 mov eax, dword ptr fs:[00000030h]	11_2_00F802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F802E1 mov eax, dword ptr fs:[00000030h]	11_2_00F802E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01048324 mov eax, dword ptr fs:[00000030h]	11_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01048324 mov ecx, dword ptr fs:[00000030h]	11_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01048324 mov eax, dword ptr fs:[00000030h]	11_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01048324 mov eax, dword ptr fs:[00000030h]	11_2_01048324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F7A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0104634F mov eax, dword ptr fs:[00000030h]	11_2_0104634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103A352 mov eax, dword ptr fs:[00000030h]	11_2_0103A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01018350 mov ecx, dword ptr fs:[00000030h]	11_2_01018350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F802A0 mov eax, dword ptr fs:[00000030h]	11_2_00F802A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F802A0 mov eax, dword ptr fs:[00000030h]	11_2_00F802A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF0283 mov eax, dword ptr fs:[00000030h]	11_2_00FF0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF0283 mov eax, dword ptr fs:[00000030h]	11_2_00FF0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF0283 mov eax, dword ptr fs:[00000030h]	11_2_00FF0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101437C mov eax, dword ptr fs:[00000030h]	11_2_0101437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE284 mov eax, dword ptr fs:[00000030h]	11_2_00FAE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE284 mov eax, dword ptr fs:[00000030h]	11_2_00FAE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F74260 mov eax, dword ptr fs:[00000030h]	11_2_00F74260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F74260 mov eax, dword ptr fs:[00000030h]	11_2_00F74260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F74260 mov eax, dword ptr fs:[00000030h]	11_2_00F74260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6826B mov eax, dword ptr fs:[00000030h]	11_2_00F6826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6A250 mov eax, dword ptr fs:[00000030h]	11_2_00F6A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76259 mov eax, dword ptr fs:[00000030h]	11_2_00F76259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF8243 mov eax, dword ptr fs:[00000030h]	11_2_00FF8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF8243 mov ecx, dword ptr fs:[00000030h]	11_2_00FF8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6823B mov eax, dword ptr fs:[00000030h]	11_2_00F6823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102C3CD mov eax, dword ptr fs:[00000030h]	11_2_0102C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010143D4 mov eax, dword ptr fs:[00000030h]	11_2_010143D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010143D4 mov eax, dword ptr fs:[00000030h]	11_2_010143D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E3DB mov eax, dword ptr fs:[00000030h]	11_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E3DB mov eax, dword ptr fs:[00000030h]	11_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E3DB mov ecx, dword ptr fs:[00000030h]	11_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101E3DB mov eax, dword ptr fs:[00000030h]	11_2_0101E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA63FF mov eax, dword ptr fs:[00000030h]	11_2_00FA63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E3F0 mov eax, dword ptr fs:[00000030h]	11_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E3F0 mov eax, dword ptr fs:[00000030h]	11_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E3F0 mov eax, dword ptr fs:[00000030h]	11_2_00F8E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F803E9 mov eax, dword ptr fs:[00000030h]	11_2_00F803E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F783C0 mov eax, dword ptr fs:[00000030h]	11_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F783C0 mov eax, dword ptr fs:[00000030h]	11_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F783C0 mov eax, dword ptr fs:[00000030h]	11_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F783C0 mov eax, dword ptr fs:[00000030h]	11_2_00F783C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF63C0 mov eax, dword ptr fs:[00000030h]	11_2_00FF63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102A250 mov eax, dword ptr fs:[00000030h]	11_2_0102A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102A250 mov eax, dword ptr fs:[00000030h]	11_2_0102A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0104625D mov eax, dword ptr fs:[00000030h]	11_2_0104625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F68397 mov eax, dword ptr fs:[00000030h]	11_2_00F68397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F68397 mov eax, dword ptr fs:[00000030h]	11_2_00F68397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F68397 mov eax, dword ptr fs:[00000030h]	11_2_00F68397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01020274 mov eax, dword ptr fs:[00000030h]	11_2_01020274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9438F mov eax, dword ptr fs:[00000030h]	11_2_00F9438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9438F mov eax, dword ptr fs:[00000030h]	11_2_00F9438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6E388 mov eax, dword ptr fs:[00000030h]	11_2_00F6E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6E388 mov eax, dword ptr fs:[00000030h]	11_2_00F6E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6E388 mov eax, dword ptr fs:[00000030h]	11_2_00F6E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010062A0 mov eax, dword ptr fs:[00000030h]	11_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010062A0 mov ecx, dword ptr fs:[00000030h]	11_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010062A0 mov eax, dword ptr fs:[00000030h]	11_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010062A0 mov eax, dword ptr fs:[00000030h]	11_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010062A0 mov eax, dword ptr fs:[00000030h]	11_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010062A0 mov eax, dword ptr fs:[00000030h]	11_2_010062A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF035C mov eax, dword ptr fs:[00000030h]	11_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF035C mov eax, dword ptr fs:[00000030h]	11_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF035C mov eax, dword ptr fs:[00000030h]	11_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF035C mov ecx, dword ptr fs:[00000030h]	11_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF035C mov eax, dword ptr fs:[00000030h]	11_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF035C mov eax, dword ptr fs:[00000030h]	11_2_00FF035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF2349 mov eax, dword ptr fs:[00000030h]	11_2_00FF2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010462D6 mov eax, dword ptr fs:[00000030h]	11_2_010462D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6C310 mov ecx, dword ptr fs:[00000030h]	11_2_00F6C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F90310 mov ecx, dword ptr fs:[00000030h]	11_2_00F90310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA30B mov eax, dword ptr fs:[00000030h]	11_2_00FAA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA30B mov eax, dword ptr fs:[00000030h]	11_2_00FAA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA30B mov eax, dword ptr fs:[00000030h]	11_2_00FAA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01006500 mov eax, dword ptr fs:[00000030h]	11_2_01006500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044500 mov eax, dword ptr fs:[00000030h]	11_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044500 mov eax, dword ptr fs:[00000030h]	11_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044500 mov eax, dword ptr fs:[00000030h]	11_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044500 mov eax, dword ptr fs:[00000030h]	11_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044500 mov eax, dword ptr fs:[00000030h]	11_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044500 mov eax, dword ptr fs:[00000030h]	11_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044500 mov eax, dword ptr fs:[00000030h]	11_2_01044500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F704E5 mov ecx, dword ptr fs:[00000030h]	11_2_00F704E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA44B0 mov ecx, dword ptr fs:[00000030h]	11_2_00FA44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFA4B0 mov eax, dword ptr fs:[00000030h]	11_2_00FFA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F764AB mov eax, dword ptr fs:[00000030h]	11_2_00F764AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9A470 mov eax, dword ptr fs:[00000030h]	11_2_00F9A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9A470 mov eax, dword ptr fs:[00000030h]	11_2_00F9A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9A470 mov eax, dword ptr fs:[00000030h]	11_2_00F9A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFC460 mov ecx, dword ptr fs:[00000030h]	11_2_00FFC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9245A mov eax, dword ptr fs:[00000030h]	11_2_00F9245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6645D mov eax, dword ptr fs:[00000030h]	11_2_00F6645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE443 mov eax, dword ptr fs:[00000030h]	11_2_00FAE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA430 mov eax, dword ptr fs:[00000030h]	11_2_00FAA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6C427 mov eax, dword ptr fs:[00000030h]	11_2_00F6C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6E420 mov eax, dword ptr fs:[00000030h]	11_2_00F6E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6E420 mov eax, dword ptr fs:[00000030h]	11_2_00F6E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6E420 mov eax, dword ptr fs:[00000030h]	11_2_00F6E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6420 mov eax, dword ptr fs:[00000030h]	11_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6420 mov eax, dword ptr fs:[00000030h]	11_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6420 mov eax, dword ptr fs:[00000030h]	11_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6420 mov eax, dword ptr fs:[00000030h]	11_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6420 mov eax, dword ptr fs:[00000030h]	11_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6420 mov eax, dword ptr fs:[00000030h]	11_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF6420 mov eax, dword ptr fs:[00000030h]	11_2_00FF6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA8402 mov eax, dword ptr fs:[00000030h]	11_2_00FA8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA8402 mov eax, dword ptr fs:[00000030h]	11_2_00FA8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA8402 mov eax, dword ptr fs:[00000030h]	11_2_00FA8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F725E0 mov eax, dword ptr fs:[00000030h]	11_2_00F725E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC5ED mov eax, dword ptr fs:[00000030h]	11_2_00FAC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC5ED mov eax, dword ptr fs:[00000030h]	11_2_00FAC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F9E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F765D0 mov eax, dword ptr fs:[00000030h]	11_2_00F765D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA5D0 mov eax, dword ptr fs:[00000030h]	11_2_00FAA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA5D0 mov eax, dword ptr fs:[00000030h]	11_2_00FAA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE5CF mov eax, dword ptr fs:[00000030h]	11_2_00FAE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE5CF mov eax, dword ptr fs:[00000030h]	11_2_00FAE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F945B1 mov eax, dword ptr fs:[00000030h]	11_2_00F945B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F945B1 mov eax, dword ptr fs:[00000030h]	11_2_00F945B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102A456 mov eax, dword ptr fs:[00000030h]	11_2_0102A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF05A7 mov eax, dword ptr fs:[00000030h]	11_2_00FF05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF05A7 mov eax, dword ptr fs:[00000030h]	11_2_00FF05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF05A7 mov eax, dword ptr fs:[00000030h]	11_2_00FF05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAE59C mov eax, dword ptr fs:[00000030h]	11_2_00FAE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA4588 mov eax, dword ptr fs:[00000030h]	11_2_00FA4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F72582 mov eax, dword ptr fs:[00000030h]	11_2_00F72582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F72582 mov ecx, dword ptr fs:[00000030h]	11_2_00F72582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA656A mov eax, dword ptr fs:[00000030h]	11_2_00FA656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA656A mov eax, dword ptr fs:[00000030h]	11_2_00FA656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA656A mov eax, dword ptr fs:[00000030h]	11_2_00FA656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0102A49A mov eax, dword ptr fs:[00000030h]	11_2_0102A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78550 mov eax, dword ptr fs:[00000030h]	11_2_00F78550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78550 mov eax, dword ptr fs:[00000030h]	11_2_00F78550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E53E mov eax, dword ptr fs:[00000030h]	11_2_00F9E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E53E mov eax, dword ptr fs:[00000030h]	11_2_00F9E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E53E mov eax, dword ptr fs:[00000030h]	11_2_00F9E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E53E mov eax, dword ptr fs:[00000030h]	11_2_00F9E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E53E mov eax, dword ptr fs:[00000030h]	11_2_00F9E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80535 mov eax, dword ptr fs:[00000030h]	11_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80535 mov eax, dword ptr fs:[00000030h]	11_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80535 mov eax, dword ptr fs:[00000030h]	11_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80535 mov eax, dword ptr fs:[00000030h]	11_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80535 mov eax, dword ptr fs:[00000030h]	11_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80535 mov eax, dword ptr fs:[00000030h]	11_2_00F80535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]	11_2_00FEE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]	11_2_00FEE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]	11_2_00FEE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE6F2 mov eax, dword ptr fs:[00000030h]	11_2_00FEE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF06F1 mov eax, dword ptr fs:[00000030h]	11_2_00FF06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF06F1 mov eax, dword ptr fs:[00000030h]	11_2_00FF06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA6C7 mov ebx, dword ptr fs:[00000030h]	11_2_00FAA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA6C7 mov eax, dword ptr fs:[00000030h]	11_2_00FAA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA66B0 mov eax, dword ptr fs:[00000030h]	11_2_00FA66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC6A6 mov eax, dword ptr fs:[00000030h]	11_2_00FAC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F74690 mov eax, dword ptr fs:[00000030h]	11_2_00F74690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F74690 mov eax, dword ptr fs:[00000030h]	11_2_00F74690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA2674 mov eax, dword ptr fs:[00000030h]	11_2_00FA2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101678E mov eax, dword ptr fs:[00000030h]	11_2_0101678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA660 mov eax, dword ptr fs:[00000030h]	11_2_00FAA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA660 mov eax, dword ptr fs:[00000030h]	11_2_00FAA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010247A0 mov eax, dword ptr fs:[00000030h]	11_2_010247A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8C640 mov eax, dword ptr fs:[00000030h]	11_2_00F8C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA6620 mov eax, dword ptr fs:[00000030h]	11_2_00FA6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA8620 mov eax, dword ptr fs:[00000030h]	11_2_00FA8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7262C mov eax, dword ptr fs:[00000030h]	11_2_00F7262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8E627 mov eax, dword ptr fs:[00000030h]	11_2_00F8E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2619 mov eax, dword ptr fs:[00000030h]	11_2_00FB2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8260B mov eax, dword ptr fs:[00000030h]	11_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8260B mov eax, dword ptr fs:[00000030h]	11_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8260B mov eax, dword ptr fs:[00000030h]	11_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8260B mov eax, dword ptr fs:[00000030h]	11_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8260B mov eax, dword ptr fs:[00000030h]	11_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8260B mov eax, dword ptr fs:[00000030h]	11_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F8260B mov eax, dword ptr fs:[00000030h]	11_2_00F8260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE609 mov eax, dword ptr fs:[00000030h]	11_2_00FEE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F747FB mov eax, dword ptr fs:[00000030h]	11_2_00F747FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F747FB mov eax, dword ptr fs:[00000030h]	11_2_00F747FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F927ED mov eax, dword ptr fs:[00000030h]	11_2_00F927ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F927ED mov eax, dword ptr fs:[00000030h]	11_2_00F927ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F927ED mov eax, dword ptr fs:[00000030h]	11_2_00F927ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFE7E1 mov eax, dword ptr fs:[00000030h]	11_2_00FFE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7C7C0 mov eax, dword ptr fs:[00000030h]	11_2_00F7C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF07C3 mov eax, dword ptr fs:[00000030h]	11_2_00FF07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F707AF mov eax, dword ptr fs:[00000030h]	11_2_00F707AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103866E mov eax, dword ptr fs:[00000030h]	11_2_0103866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103866E mov eax, dword ptr fs:[00000030h]	11_2_0103866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78770 mov eax, dword ptr fs:[00000030h]	11_2_00F78770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80770 mov eax, dword ptr fs:[00000030h]	11_2_00F80770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFE75D mov eax, dword ptr fs:[00000030h]	11_2_00FFE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70750 mov eax, dword ptr fs:[00000030h]	11_2_00F70750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF4755 mov eax, dword ptr fs:[00000030h]	11_2_00FF4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2750 mov eax, dword ptr fs:[00000030h]	11_2_00FB2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB2750 mov eax, dword ptr fs:[00000030h]	11_2_00FB2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA674D mov esi, dword ptr fs:[00000030h]	11_2_00FA674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA674D mov eax, dword ptr fs:[00000030h]	11_2_00FA674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA674D mov eax, dword ptr fs:[00000030h]	11_2_00FA674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA273C mov eax, dword ptr fs:[00000030h]	11_2_00FA273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA273C mov ecx, dword ptr fs:[00000030h]	11_2_00FA273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA273C mov eax, dword ptr fs:[00000030h]	11_2_00FA273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEC730 mov eax, dword ptr fs:[00000030h]	11_2_00FEC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC720 mov eax, dword ptr fs:[00000030h]	11_2_00FAC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC720 mov eax, dword ptr fs:[00000030h]	11_2_00FAC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70710 mov eax, dword ptr fs:[00000030h]	11_2_00F70710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA0710 mov eax, dword ptr fs:[00000030h]	11_2_00FA0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC700 mov eax, dword ptr fs:[00000030h]	11_2_00FAC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC8F9 mov eax, dword ptr fs:[00000030h]	11_2_00FAC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAC8F9 mov eax, dword ptr fs:[00000030h]	11_2_00FAC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0100892B mov eax, dword ptr fs:[00000030h]	11_2_0100892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9E8C0 mov eax, dword ptr fs:[00000030h]	11_2_00F9E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044940 mov eax, dword ptr fs:[00000030h]	11_2_01044940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFC89D mov eax, dword ptr fs:[00000030h]	11_2_00FFC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70887 mov eax, dword ptr fs:[00000030h]	11_2_00F70887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01014978 mov eax, dword ptr fs:[00000030h]	11_2_01014978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01014978 mov eax, dword ptr fs:[00000030h]	11_2_01014978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFE872 mov eax, dword ptr fs:[00000030h]	11_2_00FFE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFE872 mov eax, dword ptr fs:[00000030h]	11_2_00FFE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F74859 mov eax, dword ptr fs:[00000030h]	11_2_00F74859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F74859 mov eax, dword ptr fs:[00000030h]	11_2_00F74859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA0854 mov eax, dword ptr fs:[00000030h]	11_2_00FA0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F82840 mov ecx, dword ptr fs:[00000030h]	11_2_00F82840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010069C0 mov eax, dword ptr fs:[00000030h]	11_2_010069C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAA830 mov eax, dword ptr fs:[00000030h]	11_2_00FAA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F92835 mov eax, dword ptr fs:[00000030h]	11_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F92835 mov eax, dword ptr fs:[00000030h]	11_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F92835 mov eax, dword ptr fs:[00000030h]	11_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F92835 mov ecx, dword ptr fs:[00000030h]	11_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F92835 mov eax, dword ptr fs:[00000030h]	11_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F92835 mov eax, dword ptr fs:[00000030h]	11_2_00F92835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103A9D3 mov eax, dword ptr fs:[00000030h]	11_2_0103A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFC810 mov eax, dword ptr fs:[00000030h]	11_2_00FFC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA29F9 mov eax, dword ptr fs:[00000030h]	11_2_00FA29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA29F9 mov eax, dword ptr fs:[00000030h]	11_2_00FA29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFE9E0 mov eax, dword ptr fs:[00000030h]	11_2_00FFE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7A9D0 mov eax, dword ptr fs:[00000030h]	11_2_00F7A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA49D0 mov eax, dword ptr fs:[00000030h]	11_2_00FA49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101483A mov eax, dword ptr fs:[00000030h]	11_2_0101483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101483A mov eax, dword ptr fs:[00000030h]	11_2_0101483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF89B3 mov esi, dword ptr fs:[00000030h]	11_2_00FF89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF89B3 mov eax, dword ptr fs:[00000030h]	11_2_00FF89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF89B3 mov eax, dword ptr fs:[00000030h]	11_2_00FF89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F829A0 mov eax, dword ptr fs:[00000030h]	11_2_00F829A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F709AD mov eax, dword ptr fs:[00000030h]	11_2_00F709AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F709AD mov eax, dword ptr fs:[00000030h]	11_2_00F709AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01006870 mov eax, dword ptr fs:[00000030h]	11_2_01006870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01006870 mov eax, dword ptr fs:[00000030h]	11_2_01006870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFC97C mov eax, dword ptr fs:[00000030h]	11_2_00FFC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB096E mov eax, dword ptr fs:[00000030h]	11_2_00FB096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB096E mov edx, dword ptr fs:[00000030h]	11_2_00FB096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FB096E mov eax, dword ptr fs:[00000030h]	11_2_00FB096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F96962 mov eax, dword ptr fs:[00000030h]	11_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F96962 mov eax, dword ptr fs:[00000030h]	11_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F96962 mov eax, dword ptr fs:[00000030h]	11_2_00F96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF0946 mov eax, dword ptr fs:[00000030h]	11_2_00FF0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_010408C0 mov eax, dword ptr fs:[00000030h]	11_2_010408C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FF892A mov eax, dword ptr fs:[00000030h]	11_2_00FF892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103A8E4 mov eax, dword ptr fs:[00000030h]	11_2_0103A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFC912 mov eax, dword ptr fs:[00000030h]	11_2_00FFC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F68918 mov eax, dword ptr fs:[00000030h]	11_2_00F68918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F68918 mov eax, dword ptr fs:[00000030h]	11_2_00F68918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE908 mov eax, dword ptr fs:[00000030h]	11_2_00FEE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FEE908 mov eax, dword ptr fs:[00000030h]	11_2_00FEE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044B00 mov eax, dword ptr fs:[00000030h]	11_2_01044B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAAAEE mov eax, dword ptr fs:[00000030h]	11_2_00FAAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FAAAEE mov eax, dword ptr fs:[00000030h]	11_2_00FAAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70AD0 mov eax, dword ptr fs:[00000030h]	11_2_00F70AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA4AD0 mov eax, dword ptr fs:[00000030h]	11_2_00FA4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA4AD0 mov eax, dword ptr fs:[00000030h]	11_2_00FA4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01038B28 mov eax, dword ptr fs:[00000030h]	11_2_01038B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01038B28 mov eax, dword ptr fs:[00000030h]	11_2_01038B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC6ACC mov eax, dword ptr fs:[00000030h]	11_2_00FC6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC6ACC mov eax, dword ptr fs:[00000030h]	11_2_00FC6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC6ACC mov eax, dword ptr fs:[00000030h]	11_2_00FC6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01006B40 mov eax, dword ptr fs:[00000030h]	11_2_01006B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01006B40 mov eax, dword ptr fs:[00000030h]	11_2_01006B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0103AB40 mov eax, dword ptr fs:[00000030h]	11_2_0103AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01018B42 mov eax, dword ptr fs:[00000030h]	11_2_01018B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01024B4B mov eax, dword ptr fs:[00000030h]	11_2_01024B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01024B4B mov eax, dword ptr fs:[00000030h]	11_2_01024B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101EB50 mov eax, dword ptr fs:[00000030h]	11_2_0101EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01042B57 mov eax, dword ptr fs:[00000030h]	11_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01042B57 mov eax, dword ptr fs:[00000030h]	11_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01042B57 mov eax, dword ptr fs:[00000030h]	11_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01042B57 mov eax, dword ptr fs:[00000030h]	11_2_01042B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78AA0 mov eax, dword ptr fs:[00000030h]	11_2_00F78AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78AA0 mov eax, dword ptr fs:[00000030h]	11_2_00F78AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FC6AA4 mov eax, dword ptr fs:[00000030h]	11_2_00FC6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FA8A90 mov edx, dword ptr fs:[00000030h]	11_2_00FA8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F7EA80 mov eax, dword ptr fs:[00000030h]	11_2_00F7EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FECA72 mov eax, dword ptr fs:[00000030h]	11_2_00FECA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FECA72 mov eax, dword ptr fs:[00000030h]	11_2_00FECA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FACA6F mov eax, dword ptr fs:[00000030h]	11_2_00FACA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FACA6F mov eax, dword ptr fs:[00000030h]	11_2_00FACA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FACA6F mov eax, dword ptr fs:[00000030h]	11_2_00FACA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80A5B mov eax, dword ptr fs:[00000030h]	11_2_00F80A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80A5B mov eax, dword ptr fs:[00000030h]	11_2_00F80A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76A50 mov eax, dword ptr fs:[00000030h]	11_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76A50 mov eax, dword ptr fs:[00000030h]	11_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76A50 mov eax, dword ptr fs:[00000030h]	11_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76A50 mov eax, dword ptr fs:[00000030h]	11_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76A50 mov eax, dword ptr fs:[00000030h]	11_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76A50 mov eax, dword ptr fs:[00000030h]	11_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F76A50 mov eax, dword ptr fs:[00000030h]	11_2_00F76A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01024BB0 mov eax, dword ptr fs:[00000030h]	11_2_01024BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01024BB0 mov eax, dword ptr fs:[00000030h]	11_2_01024BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FACA38 mov eax, dword ptr fs:[00000030h]	11_2_00FACA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F94A35 mov eax, dword ptr fs:[00000030h]	11_2_00F94A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F94A35 mov eax, dword ptr fs:[00000030h]	11_2_00F94A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101EBD0 mov eax, dword ptr fs:[00000030h]	11_2_0101EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9EA2E mov eax, dword ptr fs:[00000030h]	11_2_00F9EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FACA24 mov eax, dword ptr fs:[00000030h]	11_2_00FACA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFCA11 mov eax, dword ptr fs:[00000030h]	11_2_00FFCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F9EBFC mov eax, dword ptr fs:[00000030h]	11_2_00F9EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78BF0 mov eax, dword ptr fs:[00000030h]	11_2_00F78BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78BF0 mov eax, dword ptr fs:[00000030h]	11_2_00F78BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F78BF0 mov eax, dword ptr fs:[00000030h]	11_2_00F78BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00FFCBF0 mov eax, dword ptr fs:[00000030h]	11_2_00FFCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F90BCB mov eax, dword ptr fs:[00000030h]	11_2_00F90BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F90BCB mov eax, dword ptr fs:[00000030h]	11_2_00F90BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F90BCB mov eax, dword ptr fs:[00000030h]	11_2_00F90BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70BCD mov eax, dword ptr fs:[00000030h]	11_2_00F70BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70BCD mov eax, dword ptr fs:[00000030h]	11_2_00F70BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F70BCD mov eax, dword ptr fs:[00000030h]	11_2_00F70BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80BBE mov eax, dword ptr fs:[00000030h]	11_2_00F80BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F80BBE mov eax, dword ptr fs:[00000030h]	11_2_00F80BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0101EA60 mov eax, dword ptr fs:[00000030h]	11_2_0101EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_01044A80 mov eax, dword ptr fs:[00000030h]	11_2_01044A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F6CB7E mov eax, dword ptr fs:[00000030h]	11_2_00F6CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_00F68B50 mov eax, dword ptr fs:[00000030h]	11_2_00F68B50

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe"
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjiCFnur.exe"
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjiCFnur.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10A6008	Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjiCFnur.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Queries volume information: C:\Users\user\Desktop\Arrival_Notice.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Queries volume information: C:\Users\user\AppData\Roaming\mjiCFnur.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mjiCFnur.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Arrival_Notice.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1626748999.0000000000E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.5590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.2da1614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mjiCFnur.exe.2d415f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.5590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.2da1614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mjiCFnur.exe.2d415f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mjiCFnur.exe.2b1f7ec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.2b7f808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1396043095.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1389360953.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1617781341.000000000296D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1626748999.0000000000E70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.5590000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.2da1614.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mjiCFnur.exe.2d415f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.5590000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.2da1614.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mjiCFnur.exe.2d415f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mjiCFnur.exe.2b1f7ec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival_Notice.bat.exe.2b7f808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1396043095.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1389360953.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1617781341.000000000296D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arrival_Notice.bat.exe	41%	Virustotal		Browse
Arrival_Notice.bat.exe	61%	ReversingLabs	Win32.Virus.Virut
Arrival_Notice.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\mjiCFnur.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mjiCFnur.exe	41%	Virustotal		Browse
C:\Users\user\AppData\Roaming\mjiCFnur.exe	61%	ReversingLabs	Win32.Virus.Virut

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Arrival_Notice.bat.exe, 00000000.00000002.1389360953.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, mjiCFnur.exe, 0000000C.00000002.1617781341.000000000296D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Arrival_Notice.bat.exe, mjiCFnur.exe.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592064
Start date and time:	2025-01-15 18:08:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arrival_Notice.bat.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@23/15@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 167 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:09:09	API Interceptor	1x Sleep call for process: Arrival_Notice.bat.exe modified
12:09:16	API Interceptor	43x Sleep call for process: powershell.exe modified
12:09:20	API Interceptor	1x Sleep call for process: mjiCFnur.exe modified
12:09:40	API Interceptor	6x Sleep call for process: RegSvcs.exe modified
18:09:17	Task Scheduler	Run new task: mjiCFnur path: C:\Users\user\AppData\Roaming\mjiCFnur.exe

Process:	C:\Users\user\Desktop\Arrival_Notice.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mjiCFnur.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\mjiCFnur.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.3792772635987225
Encrypted:	false
SSDEEP:	48:bWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:bLHxvCZfIfSKRHmOugw1s
MD5:	06024139959C86D30C6F10EDAC4630F2
SHA1:	B2B9242D55BBADFFCF3021482E191BEF4583F9AA
SHA-256:	FFB17AC4D1994688069EECF899DD8494402AAB3686D8530BDA43A2B712B79D2B
SHA-512:	0F895D2DBBA7F2E2E235FCE9FE52A5EEBC14CCA14C5176023A80E2EAA034CEC9A96448552507DF808F0E8F89AA00C3BF008C783A0164403A790C79C25DE46534
Malicious:	false
Preview:	@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15usn100.210.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2pq32cui.eh0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4t5eliis.4jm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3eufo0x.qul.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmizh345.esh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xydign3g.1gh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytrxx1lh.ffp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuasz5rf.g5z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpA612.tmp

Download File

Process:	C:\Users\user\Desktop\Arrival_Notice.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.1185695244999785
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT/v
MD5:	EFD1DAE16F10F1B1FE8B5D0F2898D674
SHA1:	14E8371DDC7440B551D565183EBA647EC652BB0F
SHA-256:	88CE18CABE4FE2C878283BDC0BE212C7615EE2B63518FDDF4F186DC057DE7E53
SHA-512:	5405EA25CF9EE11FB03EA5AD81BCAD92986604FC7A771267DF55F1F555850042A13953295CC2C0501AA830635B214458C879701DCC772B8DE123E15D33273A4E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpD06D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mjiCFnur.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.1185695244999785
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuT/v
MD5:	EFD1DAE16F10F1B1FE8B5D0F2898D674
SHA1:	14E8371DDC7440B551D565183EBA647EC652BB0F
SHA-256:	88CE18CABE4FE2C878283BDC0BE212C7615EE2B63518FDDF4F186DC057DE7E53
SHA-512:	5405EA25CF9EE11FB03EA5AD81BCAD92986604FC7A771267DF55F1F555850042A13953295CC2C0501AA830635B214458C879701DCC772B8DE123E15D33273A4E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\mjiCFnur.exe

Download File

Process:	C:\Users\user\Desktop\Arrival_Notice.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	795656
Entropy (8bit):	7.7535225780146355
Encrypted:	false
SSDEEP:	12288:wetrYRxA4Y5lyA/BxSPCDi1wcnZSKhJfLXHkTyg8VgJbqAHtPg6io2+etJ4CJ7+O:wetsR5wc/bETAVgJbq8g6ikqJ38e
MD5:	4A3E89823F63F74EB56BD268F0C697C1
SHA1:	3FA8133B2C2B19BFBCF8110A58B0A01B0B82FBCE
SHA-256:	A938112A54A6D8F1CB129C26253D2C11B2285837131C33D702A9E0CB5411C929
SHA-512:	50C3BA3DEDA69925F2209ADD05BE93C1CCBE3168E3D042B8FBC7E858EB042F45AED4BC148ED636FBEA884A0BBEBF6B01D40BF4CB7F7AB1290C2D4134DB6C23E5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 41%, Browse Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0......&......R.... ........@.. .......................`............@.....................................O........"...............6...@....................................................... ............... ..H............text........ ...................... ..`.rsrc....".......$..................@..@.reloc.......@......................@..B................4.......H........T..@F......q........H..........................................>.-.r...ps....zV.-.r...ps....z.o......(.......0.. ........(....r...p(....s......s....}.....(.....{....(....o ....{.....o!....{....r=..p"..@A...s"...o#....{.... ....($...o%....{.....o&....{....rm..po'....{.....o(...."...@"..PAs)...(.....(+.... .... ....s,...(-....(.....{....o/.....r...po0...tZ...(1....r...p('....r...po2.....(3....(4.....(5...:.(......o2...6.{.....o6...J..(7...(8...(.....0..........

C:\Users\user\AppData\Roaming\mjiCFnur.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Arrival_Notice.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7535225780146355
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Arrival_Notice.bat.exe
File size:	795'656 bytes
MD5:	4a3e89823f63f74eb56bd268f0c697c1
SHA1:	3fa8133b2c2b19bfbcf8110a58b0a01b0b82fbce
SHA256:	a938112a54a6d8f1cb129c26253d2c11b2285837131c33d702a9e0cb5411c929
SHA512:	50c3ba3deda69925f2209add05be93c1ccbe3168e3d042b8fbc7e858eb042f45aed4bc148ed636fbea884a0bbebf6b01d40bf4cb7f7ab1290c2d4134db6c23e5
SSDEEP:	12288:wetrYRxA4Y5lyA/BxSPCDi1wcnZSKhJfLXHkTyg8VgJbqAHtPg6io2+etJ4CJ7+O:wetsR5wc/bETAVgJbq8g6ikqJ38e
TLSH:	15050161321EE803C5E20BB009A2D3F95B346E9DA921C347CFEA7EEBBD657502545363
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0......&......R.... ........@.. .......................`............@................................

File Icon


Icon Hash:	f0aea8aaaa8ee80f

Static PE Info

General

Entrypoint:	0x4be452
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785C0AA [Tue Jan 14 01:40:58 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
and dword ptr [eax], eax
inc eax
add byte ptr [ebx], ah
add byte ptr [eax+eax], ah
and eax, 26005E00h
add byte ptr [edx], ch
add byte ptr [eax], ch
add byte ptr [ecx], ch
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [edx+003E9999h], bl
add byte ptr [eax], al
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe400	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x22f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbee00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbc480	0xbc600	7e72e8caf8de0c915fa9ac2a7328fec4	False	0.9187463711015262	data	7.7562159370679815	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x22f0	0x2400	790ad8d76b054c73eed49b63a7d3ddf5	False	0.8781467013888888	data	7.3789240259627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	f3ab3365ef3a0ba699705f2cd13184c9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc00c8	0x1e50	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9755154639175257
RT_GROUP_ICON	0xc1f28	0x14	data	1.05
RT_VERSION	0xc1f4c	0x3a0	data	0.41810344827586204

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	12:09:08
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Arrival_Notice.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival_Notice.bat.exe"
Imagebase:	0x630000
File size:	795'656 bytes
MD5 hash:	4A3E89823F63F74EB56BD268F0C697C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1396043095.0000000005590000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1389360953.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:09:14
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Arrival_Notice.bat.exe"
Imagebase:	0x100000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:09:14
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:09:15
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjiCFnur.exe"
Imagebase:	0x100000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:09:15
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:09:15
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpA612.tmp"
Imagebase:	0x460000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:09:15
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:09:15
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x2b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:09:15
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x5f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1626748999.0000000000E70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:09:17
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Roaming\mjiCFnur.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mjiCFnur.exe
Imagebase:	0x3f0000
File size:	795'656 bytes
MD5 hash:	4A3E89823F63F74EB56BD268F0C697C1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.1617781341.000000000296D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 41%, Virustotal, Browse Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:09:18
Start date:	15/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:09:26
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjiCFnur" /XML "C:\Users\user\AppData\Local\Temp\tmpD06D.tmp"
Imagebase:	0x460000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:09:26
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:09:26
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x150000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:09:26
Start date:	15/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xed0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	60
Total number of Limit Nodes:	4

Executed Functions

Function 06C875E8 Relevance: 6.9, Strings: 5, Instructions: 624
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 06C8A521
Hq, xrefs: 06C8A6C5
Hq, xrefs: 06C8A783
Hq, xrefs: 06C8A5B4
Hq, xrefs: 06C8A63B

Memory Dump Source

Source File: 00000000.00000002.1396339756.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Arrival_Notice.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq$Hq$Hq
API String ID: 0-3799487529
Opcode ID: 3cfc945c373c8a5f4819f79abec2440e203c89602f532441677c0dd385958115
Instruction ID: a8d5298e6abc506ed144a29c36828ec6702aa4860572f089b1365cdc8ed610c2
Opcode Fuzzy Hash: 3cfc945c373c8a5f4819f79abec2440e203c89602f532441677c0dd385958115
Instruction Fuzzy Hash: 17328230E002148FEB64EFA9C85579EBBF2AFC4304F1485AAD40AEB355DB34AD45CB95

Function 06C768B0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8945cbd1a88f3440ebfd640bcfa0042e95e6c607e2b875280a190fcb5c22fb03
Instruction ID: e71ba41711089cce79bf7c35679dc9f6145ef8511b3fe9d01f27673e6f5e2024
Opcode Fuzzy Hash: 8945cbd1a88f3440ebfd640bcfa0042e95e6c607e2b875280a190fcb5c22fb03
Instruction Fuzzy Hash: 6EC1E270D04628CFEB94DFAAC8847ADFBF2BF89300F24816AD419A7251DB745989CF50

Function 06C89F50 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396339756.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ffd0cd1cf85da550af6f309a02b86097746d4de18794c5d8e3200b1fbe4149
Instruction ID: 3955ee8fdb0852631929d07603597c0d306d83f1414122f4bb5816bfa9476330
Opcode Fuzzy Hash: 06ffd0cd1cf85da550af6f309a02b86097746d4de18794c5d8e3200b1fbe4149
Instruction Fuzzy Hash: 62C16D70E002588FDF64EFA9C88479DBBF2AF89304F14C1AAD409AB255EB34D985CF50

Function 06C875E1 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396339756.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70dcfe20c02562a3cbdddae3bd3dd589bc0bcff1d15ff7eaa9b4891440ccbaa0
Instruction ID: f11be15a85d8be91abe32cee22cf2b09cebb6904c46621321318a4c7d843c584
Opcode Fuzzy Hash: 70dcfe20c02562a3cbdddae3bd3dd589bc0bcff1d15ff7eaa9b4891440ccbaa0
Instruction Fuzzy Hash: 71C15D70E002189FDF65EFA9C88479DBBF2AF85304F14C5AAD409AB255EB34E985CF50

Function 06C7689F Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d0dfa2c169fb90d14b05d926e6da8eed2276c2ef1d7833ddb99a600e76d13e
Instruction ID: a4132299fd6678e2a576b98ef3895be0708834867cc0df8482f36d9bb5fa4be7
Opcode Fuzzy Hash: e5d0dfa2c169fb90d14b05d926e6da8eed2276c2ef1d7833ddb99a600e76d13e
Instruction Fuzzy Hash: 8AC1D274E04618CFEB94DFAAC8847EDBBF2BF89300F14816AD419A7251DB745985CF41

Function 06C75D40 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d32cd08230b75c84b2948cc8062b3108ea862eadcb700407f616a8d896b6f26
Instruction ID: 4d436778fdf52cc22f711490d8d5eb8169f1c89d7e98ae5e2829bd629ca31e69
Opcode Fuzzy Hash: 1d32cd08230b75c84b2948cc8062b3108ea862eadcb700407f616a8d896b6f26
Instruction Fuzzy Hash: 83910170D05219DFEB94CFAAD9887EDBBB2FF49300F508069E419A7261DB744A85CF80

Function 00D2B2CD Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00D2B51E

Memory Dump Source

Source File: 00000000.00000002.1385050132.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_Arrival_Notice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ef46cdcbad672137b44270ec259e4dd16b578ca3f0c094b427f3c36a0c552e58
Instruction ID: 6514904076a9b7340d374b01227d5077fc46526fa5cdf284965ee4952f6f87a2
Opcode Fuzzy Hash: ef46cdcbad672137b44270ec259e4dd16b578ca3f0c094b427f3c36a0c552e58
Instruction Fuzzy Hash: 64716770A00B158FD724DF6AE04075ABBF1FF88318F14892EE486DBA50D775E946CBA1

Function 00D25CEC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00D25DA9

Memory Dump Source

Source File: 00000000.00000002.1385050132.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_Arrival_Notice.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c4e3be9d10377d5f333e9b9143a5607e9c69768352550d4a1f95cca648cc1818
Instruction ID: 59287b030168f05649aff2a96a57713adae5405c5c4143e0795290438bb61997
Opcode Fuzzy Hash: c4e3be9d10377d5f333e9b9143a5607e9c69768352550d4a1f95cca648cc1818
Instruction Fuzzy Hash: 5D41E0B0C00729CFEB24DFA9D884B8DBBB1BF48314F20816AD418AB255DB756946CF90

Function 00D24538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00D25DA9

Memory Dump Source

Source File: 00000000.00000002.1385050132.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_Arrival_Notice.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9c78c3586096bdcb785f0f1802870043d4bf9bdca2ca04df7523e76dc2860cc7
Instruction ID: 3f04bd0d579efb602c8f8ea6ca018b5926baec975968399cc93c5d38d239ac34
Opcode Fuzzy Hash: 9c78c3586096bdcb785f0f1802870043d4bf9bdca2ca04df7523e76dc2860cc7
Instruction Fuzzy Hash: AE41F270C00B29CFEB24DFA9D844B8DBBF5BF48304F20816AD418AB255DB756946CF90

Function 06C8A888 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396339756.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Arrival_Notice.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6788c189048b9b40289002ffe35ecc2ee046dd18abd17239de9e5c778b03b1f0
Instruction ID: 5fa301d4739a612efa4711bbf524bfc29d80b483a009118904b94f514a740e9b
Opcode Fuzzy Hash: 6788c189048b9b40289002ffe35ecc2ee046dd18abd17239de9e5c778b03b1f0
Instruction Fuzzy Hash: 38319C729043899FCB11DFAAD840ADEBFF8EF09310F15805AE654A7261C3359954DFA1

Function 00D2D7A0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D2D76E,?,?,?,?,?), ref: 00D2D82F

Memory Dump Source

Source File: 00000000.00000002.1385050132.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_Arrival_Notice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 22eb35dd7da735cfa30e7b9de45ef924df04dd72f7b6ef24f54ccb61bc459ad9
Instruction ID: f82255927c27a8d3999d4d3b47a2b6862cc28d437cec8bee00ab94dec7bfd317
Opcode Fuzzy Hash: 22eb35dd7da735cfa30e7b9de45ef924df04dd72f7b6ef24f54ccb61bc459ad9
Instruction Fuzzy Hash: 702103B5D002499FDB10CFAAD885ADEFBF5FB48324F14802AE918A7310D379A941CF60

Function 00D2B1B4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D2D76E,?,?,?,?,?), ref: 00D2D82F

Memory Dump Source

Source File: 00000000.00000002.1385050132.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_Arrival_Notice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 64bf7e899aaf901fd66630b6a620f7014d831e3db0432f9a74f732e5032ac153
Instruction ID: 9a31b6787c4e62e9d10a859991e1b087202111747a2f2411f5751273ef1c0234
Opcode Fuzzy Hash: 64bf7e899aaf901fd66630b6a620f7014d831e3db0432f9a74f732e5032ac153
Instruction Fuzzy Hash: 7321D2B5D002589FDB10CF9AD984AEEBBF5EB48314F14802AE918A3350D378A945CFA1

Function 06C7FE48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C7FEC6

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1a4bc97a4a957e2bdcc948d302cc17dfcdfa03e4ecd946799d98b889763b6db6
Instruction ID: a505a30774792947a927b67b52ef863109997363943f6ed0c177b930ad4981b3
Opcode Fuzzy Hash: 1a4bc97a4a957e2bdcc948d302cc17dfcdfa03e4ecd946799d98b889763b6db6
Instruction Fuzzy Hash: 87213771D003098FDB10DFAAC485BAEBBF4AB48214F54842ED429A7241CB789945CFA4

Function 06C7FE4A Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C7FEC6

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 52c17fb74b08572ff61bbb19dbce646b35c76862ab9f5dfa78e6a59f810311e2
Instruction ID: 0d4f8cb0d488146fe7b62e2c1b9a45748c4a7330ca3ac990c828d09ecdf62dd9
Opcode Fuzzy Hash: 52c17fb74b08572ff61bbb19dbce646b35c76862ab9f5dfa78e6a59f810311e2
Instruction Fuzzy Hash: 40210771D003098FDB10DFAAC4857AEBBF4AB88314F54842ED469A7641CB789945CFA4

Function 06C87624 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06C8A8A2,?,?,?,?,?), ref: 06C8A947

Memory Dump Source

Source File: 00000000.00000002.1396339756.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Arrival_Notice.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: dfb1fa293fa732ba75078f1f87b04de8055f00ab48066c902c7f1e01a984218d
Instruction ID: a66f89f5e86a2b10c8809539cd80afcb8cf3dafaa6cf8fb42ce6e489e5337c06
Opcode Fuzzy Hash: dfb1fa293fa732ba75078f1f87b04de8055f00ab48066c902c7f1e01a984218d
Instruction Fuzzy Hash: B11156B58003499FDB20DF9AC844BDEBFF8EB48320F14801AE914A3210C335A950DFA4

Function 06C7FD92 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06C7FDFA

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7d377cdddbe7f980957943e101f4052d13270d81edd13290b61a50e001975b03
Instruction ID: 7c1a8610900c37e5655314554adcdfaac2e7972afe378ac347145fb319581d2b
Opcode Fuzzy Hash: 7d377cdddbe7f980957943e101f4052d13270d81edd13290b61a50e001975b03
Instruction Fuzzy Hash: A5115B75C003498FDB20DFAAC845BDEFBF5AB88324F24841ED529A7240CB356545CFA4

Function 06C7FD98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06C7FDFA

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 87a3351a54249cb3561974e2730ef609ea562f0cc74e53d6c3caee661d2e0713
Instruction ID: 8d9254a61bd013b2f7b3660112c46680c91d8638d48db3548e6f81b2c32fddba
Opcode Fuzzy Hash: 87a3351a54249cb3561974e2730ef609ea562f0cc74e53d6c3caee661d2e0713
Instruction Fuzzy Hash: 88113A71D003498FDB20DFAAC845B9EFBF5EB88324F24841DD529A7240CB756945CFA4

Function 00D2B4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00D2B51E

Memory Dump Source

Source File: 00000000.00000002.1385050132.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_Arrival_Notice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d6cacfce0a23e7d47056dce1122e8a4ca309e034c090cbca9f62a7cea061863d
Instruction ID: 2e0d334128a84d887a34fc6c88933aa2064e9e3ca452831e602848f271498a44
Opcode Fuzzy Hash: d6cacfce0a23e7d47056dce1122e8a4ca309e034c090cbca9f62a7cea061863d
Instruction Fuzzy Hash: 4511DFB5C002598FDB20DF9AD844A9EFBF4AF88324F14842AD429A7610D3B9A545CFA1

Function 00CBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384120549.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9eea79e22462b69c1bf863b2145f0fbbfcd9ade3d6ddcd154b9afa54347be8
Instruction ID: 87ade5b78302eb234c6ed5cb9f5f632b11b87dabbe94553b4578e50e113359af
Opcode Fuzzy Hash: fc9eea79e22462b69c1bf863b2145f0fbbfcd9ade3d6ddcd154b9afa54347be8
Instruction Fuzzy Hash: F02137B1504240DFDB25DF14D9C0B66BF65FB98328F20C569E80A0F256D336D95ACBA2

Function 00CBD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384120549.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd7c5f73c26afe3f9b180b460f7d9f86dac83c82419fdebc87e1d3b920a33cc
Instruction ID: 733af71c55aaa6a55e9a118f6097241a8eec6b727806b560ff1c1aa92793af8b
Opcode Fuzzy Hash: 6fd7c5f73c26afe3f9b180b460f7d9f86dac83c82419fdebc87e1d3b920a33cc
Instruction Fuzzy Hash: 7A212571604304DFDB14DF10D9C0B56BB65FB98324F20C6A9E80A0F256D336E85ACFA2

Function 00CCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384260850.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab16f27dd658bcc488acecf9b175f94198f37db777d0f82fe4a5f4bed97a7eb
Instruction ID: eb38e165ef8b493ab68200cc01bcc59689a9fb4c939bca750f957f31b5b3ac52
Opcode Fuzzy Hash: eab16f27dd658bcc488acecf9b175f94198f37db777d0f82fe4a5f4bed97a7eb
Instruction Fuzzy Hash: DD21B075604344DFDB14DF18D9C4F16BBA5EB84324F24C5BDE84A4B296C336D847CA62

Function 00CCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384260850.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9a3f2a5fbc18ba956c8887388a3d7485e1abefd1de4703074d1d255e619a80
Instruction ID: c3ca33f32859bd12babdb203124facc15c4708e4f77aeeaafa3b2299f3c77450
Opcode Fuzzy Hash: 0b9a3f2a5fbc18ba956c8887388a3d7485e1abefd1de4703074d1d255e619a80
Instruction Fuzzy Hash: 6221C275A04204EFDB15DF14D9C4F26BBA5FB84324F24C6BDE84A4B296C336DC46CA61

Function 00CCD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384260850.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a36efdfa241d7e01759baaaac3e87cbd4514fb68d246b1feba2fc0be7e7b791
Instruction ID: 6bf2d453dabc10d6e614e5c3e61d819707c420fd5a2effb64b58bef89d30c0d0
Opcode Fuzzy Hash: 2a36efdfa241d7e01759baaaac3e87cbd4514fb68d246b1feba2fc0be7e7b791
Instruction Fuzzy Hash: 762183755093808FC702CF24D590B15BF71EB46314F28C5EED8498B6A7C33A980ACB62

Function 00CBD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384120549.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 1c0e295c63eb8cfe2f7db378d16d0cb8a9e555d3125fdc26eced8b8b2113f26d
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 13112676504240CFCB05CF00D5C0B56BF72FB94324F24C6A9D80A0B256C33AE95ACFA2

Function 00CBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384120549.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 92b6dc1cda319cbc7328f978e4fc05ab697fa7d0f12710b3496e6dc24ed0ec26
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 4F11E6B6504280CFCB15CF14D5C4B56BF72FB94324F24C6A9D84A0B656C33AD95ACBA1

Function 00CCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384260850.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ccd000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 17c86b95f7d8bfbd790e42ddc27397cefe40496a746704946dadd5b83be6088b
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: AD119D76504280DFCB15DF14D9C4B15FBB2FB84324F24C6AED84A4B696C33AD94ACB61

Non-executed Functions

Function 06C84590 Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

Xq, xrefs: 06C84848

Memory Dump Source

Source File: 00000000.00000002.1396339756.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Arrival_Notice.jbxd

Similarity

API ID:
String ID: Xq
API String ID: 0-599127549
Opcode ID: 435c346f79fd0796c3637faf87dd5d0e1d9311a36d1e720b86867e183ccb35dd
Instruction ID: 1f2e5f388663ce057134ae47c3073ce5876c2e9eb5f47eed12f5cb8f1ebd3a84
Opcode Fuzzy Hash: 435c346f79fd0796c3637faf87dd5d0e1d9311a36d1e720b86867e183ccb35dd
Instruction Fuzzy Hash: DAC18434B002069FDB68EF66D988A6E7BF6AFC5614F15806DE806DB361DB30DD41CB90

Function 06C74B20 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 06C74C02

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 97f2e1f397b0f6f3bab84bdc6aef5bb96310b7ea37e2b6754241dac025f4a05b
Instruction ID: 1d4f8f10348b5200a297aec74d52438e1b28f315ab3c9858385b170e971faef6
Opcode Fuzzy Hash: 97f2e1f397b0f6f3bab84bdc6aef5bb96310b7ea37e2b6754241dac025f4a05b
Instruction Fuzzy Hash: 3A610B70D142488FDB48EFAAF84569E7FF2BFC8300F14C129E0149B299DB745906DB91

Function 06C74B30 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'q, xrefs: 06C74C02

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 5d9353ce3b781592e0c9f25bc82ec1e4c1c416521c1bea0ce21030470266ad56
Instruction ID: bc832e6a387cd4e73483aa0c9bf2df06e5ab8e282546859d9250e67adae89c56
Opcode Fuzzy Hash: 5d9353ce3b781592e0c9f25bc82ec1e4c1c416521c1bea0ce21030470266ad56
Instruction Fuzzy Hash: 8261FA70E142488FDB48EFAAF85569EBFF2BFC8310F14C529E0049B299DB745906DB91

Function 06C7D599 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58ab03a33b48f5ce3c45368288fbb188d3cc869fc22ec324c9b897e4beb98fb
Instruction ID: ef188fba7e457b5c80e0eec613df405adcce93d2b7d65b26a398bbc91d726ca6
Opcode Fuzzy Hash: f58ab03a33b48f5ce3c45368288fbb188d3cc869fc22ec324c9b897e4beb98fb
Instruction Fuzzy Hash: 11E14A74E042598FDB14DFA9C590AAEFBB2FF89304F248169D455AB359CB30AD41CFA0

Function 06C7D9CF Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6974c73d7df05a9bcf15a92ba067552a650564e2787bae7fc84424aef33b8744
Instruction ID: 1b1f68b765ee3a1de1e2b9c7eac9dbcfa097e1c92dd5ee57968cab16d1a87b4c
Opcode Fuzzy Hash: 6974c73d7df05a9bcf15a92ba067552a650564e2787bae7fc84424aef33b8744
Instruction Fuzzy Hash: 63E12874E042598FDB14DFA9C580AAEFBB2FF89304F248169D415AB356D730AD42CFA1

Function 06C7F520 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616f20fef63436d2760e8313ef0ce4ebbfd8f0042c9d6c3aa92709c841983f80
Instruction ID: bb85e2427093a7dcebe223ccf66ba904565b3478703f20d1b9be639ea3a1a40c
Opcode Fuzzy Hash: 616f20fef63436d2760e8313ef0ce4ebbfd8f0042c9d6c3aa92709c841983f80
Instruction Fuzzy Hash: B4E10674E002598FDB14DFA9C590AAEFBB2FF89304F248169D465AB355D730AD42CFA0

Function 06C7DE18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0dfa3327717e6147f69a809975ae1fcdeb732683b5d9044860117cf1b21e89
Instruction ID: 01c227e144fe0ad90291c43c1ce2c55c4b0c361779d819c6c0660f26166c880c
Opcode Fuzzy Hash: ff0dfa3327717e6147f69a809975ae1fcdeb732683b5d9044860117cf1b21e89
Instruction Fuzzy Hash: D9E10774E042598FDB14DFA9C580AAEFBB2FF89304F248169D415AB356DB34AD41CFA0

Function 00D2E0CC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1385050132.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1831ebf76f0813ae6a1669642bdd318c652537162e08b240c35fe00bef1685ef
Instruction ID: 865f01cf8769627586faea2d16ebd59878bc960c4e07bcff229bc0574f17c4b3
Opcode Fuzzy Hash: 1831ebf76f0813ae6a1669642bdd318c652537162e08b240c35fe00bef1685ef
Instruction Fuzzy Hash: C4A18C32E002298FCF05DFB5D84059EBBB2FF99305B19457AE805AB265DB31ED16CB60

Function 06C7DE09 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396296902.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Arrival_Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d57b65d82b043d532d3ceaff61fefb62269badd5524350fbd20773d27f350f
Instruction ID: e3b1c8987012868f36354406fdebdc0f7e7cc3d4c8a525a8be732f6b159269f5
Opcode Fuzzy Hash: 81d57b65d82b043d532d3ceaff61fefb62269badd5524350fbd20773d27f350f
Instruction Fuzzy Hash: 00511874E042598FDB14CFA9C5805AEFBF2BF89304F24816AD419AB355D734AE41CFA1

Analysis Process: RegSvcs.exePID: 7364, Parent PID: 7160COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	4.6%
Signature Coverage:	8.3%
Total number of Nodes:	109
Total number of Limit Nodes:	10

Executed Functions

Function 00417A73 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AE5

Memory Dump Source

Source File: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc9ae75bc94ee3b664d7248879e2d607786fa7ed482b9854d9e10482c3b4706a
Instruction ID: 9720badb706dbdaf170a15be5538a536f3bcc5b5d7656db67b10d54ea797cf6b
Opcode Fuzzy Hash: dc9ae75bc94ee3b664d7248879e2d607786fa7ed482b9854d9e10482c3b4706a
Instruction Fuzzy Hash: FF015EB1E0020DBBDF10DAA1DC42FDEB378AF54308F4441AAE90897240F634EB588B95

Function 0042CA33 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CA6A

Memory Dump Source

Source File: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: da32537c40a2923ffbe398b9b70dafef16f857ea780faa791fe1686b3ab41c0f
Instruction ID: 00d4a8c42547b6f82383c43849cfacc7478172fe9aa51888d876711746820e1a
Opcode Fuzzy Hash: da32537c40a2923ffbe398b9b70dafef16f857ea780faa791fe1686b3ab41c0f
Instruction Fuzzy Hash: 91E046362042147BD220BA5AEC41F9B776DEBC5714F40842AFA08A7242C6B5BA1186E4

Function 00FB2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00FB2C7A

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77a57dddc62965488e89132ef8ce156c341a64f860157b92796d966612a4d28d
Instruction ID: 478c82dba3950a886dacb26628c784f6d74f3b536b17e01a4bdc7c22baf068b5
Opcode Fuzzy Hash: 77a57dddc62965488e89132ef8ce156c341a64f860157b92796d966612a4d28d
Instruction Fuzzy Hash: 3F90023120148912D2107159C505B4A000587D0341F59C426A4424658E8A9A89927121

Function 00FB2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00FB2DFA

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e559e56f872fcd1b7d1478be51161b8b36a7ec463f8eb8d4c2437ebf3504c47
Instruction ID: ba70b703e36e9163feae64d6d06dffea3f1e0448f123e9780496bda7c6cc744a
Opcode Fuzzy Hash: 0e559e56f872fcd1b7d1478be51161b8b36a7ec463f8eb8d4c2437ebf3504c47
Instruction Fuzzy Hash: 2390023120140523D21171598605B07000987D0381F95C427A0424558E9A5B8A53B121

Function 00FB35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00FB35CA

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c77d57a1c558aafc4d3fae7fb9be1c2238bfd0e9415eb34bf345e1db7a0edf55
Instruction ID: 76e28ed9f350a4ad1f76669855933339268c00f56b0119d7f2b7e96b06a9b182
Opcode Fuzzy Hash: c77d57a1c558aafc4d3fae7fb9be1c2238bfd0e9415eb34bf345e1db7a0edf55
Instruction Fuzzy Hash: D790023160550512D20071598615B06100587D0341F65C426A0424568E8B9A8A5275A2

Function 0042CD53 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E884,?,?,00000000,?,0041E884,?,?,?), ref: 0042CD92

Memory Dump Source

Source File: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 76e4ca7d2afabf8f3c76df57d3f282b254fb52b8c7294f8b141870eacfe56a6a
Instruction ID: d59367111e8aa2f37646da8e31f6571745c7d10653c96b3eb11090c806545d91
Opcode Fuzzy Hash: 76e4ca7d2afabf8f3c76df57d3f282b254fb52b8c7294f8b141870eacfe56a6a
Instruction Fuzzy Hash: 99E06D712042047BD610EE59DC42F9B33ACEFC5714F404419F908A7241D675BD5086B9

Function 0042CDA3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,74AD7F2F,00000007,00000000,00000004,00000000,004172F8,000000F4), ref: 0042CDE2

Memory Dump Source

Source File: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7f74d0abd1f8ca11db068b41084607e540bc07fcf42ccaaf9598a753211a920c
Instruction ID: 988cbbefe34dcfba4db29bcac636718eea775f7bfc5fb98cdd12279c3ab32776
Opcode Fuzzy Hash: 7f74d0abd1f8ca11db068b41084607e540bc07fcf42ccaaf9598a753211a920c
Instruction Fuzzy Hash: F0E06DB22042047BDA10EE59DC45F9B37ADEFC9714F00041AFA08A7241D670B91086B8

Function 0042CDF3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042CE2A

Memory Dump Source

Source File: 0000000B.00000002.1626145289.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b6c85a97c7af96b264ea91ad541b5833b11094b4b7a51d0c87749af0de37d8cf
Instruction ID: aee03707da485cf4c686838fcfc2394ea29b203b0ec9ebbac9aaf1d12a3070b9
Opcode Fuzzy Hash: b6c85a97c7af96b264ea91ad541b5833b11094b4b7a51d0c87749af0de37d8cf
Instruction Fuzzy Hash: 45E046762046147BD220AA5AEC01F9B77ADDBC6714F00442AFA08A7242C6B5B90087F9

Function 00FB2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00FB2C24

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e57106ef2f184f3785d77388ccedf33099499218afcf82acf602713834556214
Instruction ID: 4197e17a98aac88052eed55bc4bf83f98d9f911cf9d010573d113f9e9389cfa8
Opcode Fuzzy Hash: e57106ef2f184f3785d77388ccedf33099499218afcf82acf602713834556214
Instruction Fuzzy Hash: 0BB09B71D015C5D5DB51E7614709B1B7E0067D0751F15C076D2030641F473DC5D1F575

Non-executed Functions

Function 00FF2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

DisableExceptionChainValidation, xrefs: 00FF275F
Initializing the application verifier package failed with status 0x%08lx, xrefs: 00FF3176
ExecuteOptions, xrefs: 00FF25A0
MinimumStackCommitInBytes, xrefs: 00FF2BB0
LdrpInitializeExecutionOptions, xrefs: 00FF317D
@, xrefs: 00FF2942
GlobalFlag2, xrefs: 00FF2FC0
TracingFlags, xrefs: 00FF2549
UnloadEventTraceDepth, xrefs: 00FF24C0
CFGOptions, xrefs: 00FF2967
UseImpersonatedDeviceMap, xrefs: 00FF251C
GlobalFlag, xrefs: 00FF2F3F, 00FF3059
ShutdownFlags, xrefs: 00FF24A1
MaxLoaderThreads, xrefs: 00FF24EC
MaxDeadActivationContexts, xrefs: 00FF2D82
RaiseExceptionOnPossibleDeadlock, xrefs: 00FF2579
@, xrefs: 00FF2B74
FrontEndHeapDebugOptions, xrefs: 00FF2489
DisableHeapLookaside, xrefs: 00FF246D
minkernel\ntdll\ldrinit.c, xrefs: 00FF3187

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 3f2156b39b72b4c7d4bfa00a4bd3ea0aa912b3dfeef70c205a713f451ee1c42f
Instruction ID: a68ccb417c3ebc16656292551e6384a4601503a3a40e45065922be92af674680
Opcode Fuzzy Hash: 3f2156b39b72b4c7d4bfa00a4bd3ea0aa912b3dfeef70c205a713f451ee1c42f
Instruction Fuzzy Hash: 0F92CC71A04345AFE760DF24C881B6BB7E8BF84760F04482DFA84D72A1D774E944EB92

Function 00FA8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section debug info address, xrefs: 00FE541F, 00FE552E
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FE54E2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FE54CE
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FE540A, 00FE5496, 00FE5519
corrupted critical section, xrefs: 00FE54C2
Address of the debug info found in the active list., xrefs: 00FE54AE, 00FE54FA
Invalid debug info address of this critical section, xrefs: 00FE54B6
Critical section address, xrefs: 00FE5425, 00FE54BC, 00FE5534
double initialized or corrupted critical section, xrefs: 00FE5508
Critical section address., xrefs: 00FE5502
Thread is in a state in which it cannot own a critical section, xrefs: 00FE5543
undeleted critical section in freed memory, xrefs: 00FE542B
Thread identifier, xrefs: 00FE553A
8, xrefs: 00FE52E3

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 905d3c58330d402f2dbd4fd15e0818cb1d5efc436747825aa7ca25239e5fd52f
Instruction ID: f937d6a7722a1e6d5b36b741c7b87da46b4ad9c054815362ba9eca10b8e1b039
Opcode Fuzzy Hash: 905d3c58330d402f2dbd4fd15e0818cb1d5efc436747825aa7ca25239e5fd52f
Instruction Fuzzy Hash: 9881BFB1E00748AFDB20CF95C841BAEBBB5FB08B58F244119FA05B7280D7B5AD45EB51

Function 00FA29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

RtlpResolveAssemblyStorageMapEntry, xrefs: 00FE261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 00FE2498
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 00FE22E4
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 00FE2409
@, xrefs: 00FE259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 00FE2412
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 00FE2624
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 00FE24C0
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 00FE25EB
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 00FE2602
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00FE2506

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 5288463be45af12578a698e3eed17e1e93ba014672dc1ae08dec388deb83c524
Instruction ID: b07b2b62d0bfc6a1c20a2987efb6c4b4efc490285c76ace812f14159b0b2c607
Opcode Fuzzy Hash: 5288463be45af12578a698e3eed17e1e93ba014672dc1ae08dec388deb83c524
Instruction Fuzzy Hash: 740262F2D002689BDB71DB15CC81BDDB7B8AF45724F0041EAA609A7241EB349F84EF59

Function 01018B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

services.exe, xrefs: 01018B96
csrss.exe, xrefs: 01018B80
runtimebroker.exe, xrefs: 01018B73
smss.exe, xrefs: 01018B8B
heapType, xrefs: 01018BCB
svchost.exe, xrefs: 01018B68
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01018BD0
SegmentHeap, xrefs: 01018BE9
lsass.exe, xrefs: 01018BA1
DefaultBrowser_NOPUBLISHERID, xrefs: 01018D00

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: e2dec7c154d33ce43950d6485f76ed2299b02eed4bf689700b1f3c86e29ca4b8
Instruction ID: 5d926383a66821f7e0ca0be58bbabc68d1ae04c9fec2147390201a9738e23b6b
Opcode Fuzzy Hash: e2dec7c154d33ce43950d6485f76ed2299b02eed4bf689700b1f3c86e29ca4b8
Instruction Fuzzy Hash: 1B51D2B11083059BD325EF188848BABBBE8FF84340F54891EF998C3249E778D604DBD2

Function 01020274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0102069F
HEAP[%wZ]: , xrefs: 01020399, 010204A8, 010205D0, 01020675, 010206CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 010204D3
Just reallocated block at %p to %Ix bytes, xrefs: 010205F1
RtlReAllocateHeap, xrefs: 010202BF, 01020362
HEAP: , xrefs: 010203A6, 010204B5, 010205DD, 01020682, 010206D9
About to reallocate block at %p to %Ix bytes, xrefs: 010203BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 010206EA

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: aee0ebaf540824922077953dd2fd9976923fba291a11cde493e098b9415f760b
Instruction ID: c6b7d2bd6f5f0e722813e1bb541f130143cf81d17a6ed0f059738a352a420a68
Opcode Fuzzy Hash: aee0ebaf540824922077953dd2fd9976923fba291a11cde493e098b9415f760b
Instruction Fuzzy Hash: 45D1E0316007A5DFDB22DF68C845AAEBBF1FF4A704F088099F5859B666C739D980DB10

Function 00FF89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 00FF8CA5
AVRF: -*- final list of providers -*- , xrefs: 00FF8B8F
VerifierDlls, xrefs: 00FF8CBD
HandleTraces, xrefs: 00FF8C8F
VerifierFlags, xrefs: 00FF8C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 00FF8A67
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 00FF8A3D

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 4587ab3330010277dffc0d0d759d6e0370ec2cd8963029e9462e9dee53b19187
Instruction ID: 28add1ffc71ab32adb01d5332ee069c746bb1b1379ac4825d286bff7cc481b6e
Opcode Fuzzy Hash: 4587ab3330010277dffc0d0d759d6e0370ec2cd8963029e9462e9dee53b19187
Instruction Fuzzy Hash: 02913872A0531AAFD321DF24CC81B2A77A4EF84794F040418FB806B2A1DB79EC06E791

Function 00F7EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 00F7EB62
LdrpResSearchResourceInsideDirectory Enter, xrefs: 00F7EB58
T, xrefs: 00F7EB4E
{, xrefs: 00FD4643
, xrefs: 00F7F299
LdrpResSearchResourceInsideDirectory Exit, xrefs: 00F7EB6C

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 1dd1dc67577360e7733d2347bab525281d4cfaa5fc4279677f922bc497e1a68b
Instruction ID: ac84745b02a0cbf50cf7d1d70976398c0b22141d0a75525f1f84ba0b19c543c5
Opcode Fuzzy Hash: 1dd1dc67577360e7733d2347bab525281d4cfaa5fc4279677f922bc497e1a68b
Instruction Fuzzy Hash: 15A22C75E056298FDB64DF14CC887A9B7B5AF49314F2482EAD80DA7350DB30AE85EF01

Function 00FA63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 00FE413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 00FE40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 00FE41FE
Delaying execution failed with status 0x%08lx, xrefs: 00FE4258
_LdrpInitialize, xrefs: 00FE40DF, 00FE4141, 00FE4205, 00FE425F
minkernel\ntdll\ldrinit.c, xrefs: 00FE40E9, 00FE414B, 00FE420F, 00FE4269

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 3b056190b913b231f979244df63722cb2d3f76c9bd4f9147c591e849804db139
Instruction ID: 7653a61f7dfd6eae113e64fa6cd04ff652dc03809a35214b7807fba1b1776928
Opcode Fuzzy Hash: 3b056190b913b231f979244df63722cb2d3f76c9bd4f9147c591e849804db139
Instruction Fuzzy Hash: B19143B1E003549BDB35DF15DC45BAA37A0BB4AB64F18012DFA40AB2D1D77DA801F791

Function 00F6645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

LdrpInitShimEngine, xrefs: 00FC99F4, 00FC9A07, 00FC9A30
apphelp.dll, xrefs: 00F66496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 00FC9A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 00FC99ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 00FC9A2A
minkernel\ntdll\ldrinit.c, xrefs: 00FC9A11, 00FC9A3A

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: ddf528e98ac3cb556f85194c68308ba0d6dbc57270953485627bd1b6decf2b11
Instruction ID: 35949154688e75eb75821a6c58d8f0d398e7fd32b7bc4729258e3d56bb397e5f
Opcode Fuzzy Hash: ddf528e98ac3cb556f85194c68308ba0d6dbc57270953485627bd1b6decf2b11
Instruction Fuzzy Hash: 4C51AEB12083019FD320DF24DD46FAB77E4BB84754F14091DF9869B1A1DA79E904AB92

Function 00FAC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 00FAC6C4
Loading import redirection DLL: '%wZ', xrefs: 00FE8170
minkernel\ntdll\ldrredirect.c, xrefs: 00FE8181, 00FE81F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 00FE81E5
LdrpInitializeImportRedirection, xrefs: 00FE8177, 00FE81EB
minkernel\ntdll\ldrinit.c, xrefs: 00FAC6C3

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: b0c5b15ab04f8470ef5372cabfec2e5b8d2f2208a134cb96d3e0f9504d9a5b4a
Instruction ID: d38b177581bf6e8251bd2f7f1afee35b2acb8cd4320d1e8ec37273dc4a387a46
Opcode Fuzzy Hash: b0c5b15ab04f8470ef5372cabfec2e5b8d2f2208a134cb96d3e0f9504d9a5b4a
Instruction Fuzzy Hash: B73129B17447459FD220FF29DD46E2A7794FF81B50F040528F984AB392EA28EC05E7E2

Function 00FA2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 00FE2180
RtlGetAssemblyStorageRoot, xrefs: 00FE2160, 00FE219A, 00FE21BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 00FE2178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 00FE21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 00FE219F
SXS: %s() passed the empty activation context, xrefs: 00FE2165

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: adf3d785aba6c29f088d97cf3e0587e2f20aaaa7eaeb1ce585a784bf2ee120cb
Instruction ID: 57ea711caae04f87dde4bbb9011aab141052f9a40ac01c2e0c883e5990b23ad2
Opcode Fuzzy Hash: adf3d785aba6c29f088d97cf3e0587e2f20aaaa7eaeb1ce585a784bf2ee120cb
Instruction Fuzzy Hash: E9312472F00364B7E7209E9A8C86F6A7668DF56B51F150069FB04A7281E274DF00F3A2

Function 00FB096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2DF0: LdrInitializeThunk.NTDLL ref: 00FB2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB0D74

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: aa8e52f0e988b70ac905938740b47ab964df05582e0cd27657de6f4a1e288b37
Instruction ID: 7fbda786996ad59fcdeec1c60e71d05c3ea2ef573041ed52af0fb56306318252
Opcode Fuzzy Hash: aa8e52f0e988b70ac905938740b47ab964df05582e0cd27657de6f4a1e288b37
Instruction Fuzzy Hash: A9425A729007159FDB60CF25C881BEAB7F5BF44310F1445A9E989EB242EB74EA84DF60

Function 00F7A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 00F7A3E7
LdrResFallbackLangList Exit, xrefs: 00F7A3FF
LdrResFallbackLangList Enter, xrefs: 00F7A3EF
6, xrefs: 00F7A3F7

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 6df4352d34cff2e79a48a2816dfff08329f2a40f1fd125c6a556fd9b1827059d
Instruction ID: db54a79d3d0422bc867584164f773588708252765327a1cf989bfc6a52445559
Opcode Fuzzy Hash: 6df4352d34cff2e79a48a2816dfff08329f2a40f1fd125c6a556fd9b1827059d
Instruction Fuzzy Hash: FBC189715083828FC711CF18C544B6EB7E4BF84714F09896AF8998B261E779CA49EB93

Function 00FA8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 00FA8422
@, xrefs: 00FA8591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00FA855E
minkernel\ntdll\ldrinit.c, xrefs: 00FA8421

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 9553090470211788c14c0b99d7501db718ae233e192633ad285a2d0c5453fa40
Instruction ID: 4583a6598cf770ee1639eb142ed1bf1caa08d26a56620ea87ec1bc778ab53eee
Opcode Fuzzy Hash: 9553090470211788c14c0b99d7501db718ae233e192633ad285a2d0c5453fa40
Instruction Fuzzy Hash: E691B1B1908340AFD721EF21CC41FABBBE8BF85794F44492DFA8492051DB78D905EB62

Function 00FA273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 00FE22B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 00FE21D9, 00FE22B1
SXS: %s() passed the empty activation context, xrefs: 00FE21DE
.Local, xrefs: 00FA28D8

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 1825b44e963fe7fbe882d4aade4cccd9198b98a37e67131eed34d3955fa63e8a
Instruction ID: 5d026474494d9745bdbff5dbdc1a50f7cbc0176c5c68391b3894f12e3d844405
Opcode Fuzzy Hash: 1825b44e963fe7fbe882d4aade4cccd9198b98a37e67131eed34d3955fa63e8a
Instruction Fuzzy Hash: 78A1E471E00229DBDB64CF69CC84BA9B3B4BF59724F2441E9E908A7251D7349E80EF90

Function 00FA4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 00FE3437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 00FE3456
RtlDeactivateActivationContext, xrefs: 00FE3425, 00FE3432, 00FE3451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 00FE342A

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: e9a1a81c142ee4c47b1881e9c1299c2663fdf8bc53de108fc309113f413b6e91
Instruction ID: 24ff24c09317f985e779f7b69344926d8cd8b7dae23cbd5bca59ea7f55e656bc
Opcode Fuzzy Hash: e9a1a81c142ee4c47b1881e9c1299c2663fdf8bc53de108fc309113f413b6e91
Instruction Fuzzy Hash: 7C613772A40B519BC722CF19C84AB2AB3E5EFC1B70F148529F8559B291C774FD01EB91

Function 00F764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00FD106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00FD10AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00FD1028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00FD0FE5

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: f7bb0c69882a5c0fbaa7125f5dbdd20505f7295ad6b42905f8665785a4172636
Instruction ID: e17917e722de02ca153cdbba4c8add4447c6fb5300410f0c76e2bbceeaef2709
Opcode Fuzzy Hash: f7bb0c69882a5c0fbaa7125f5dbdd20505f7295ad6b42905f8665785a4172636
Instruction Fuzzy Hash: C071CEB19047049FCB20EF14C885F9B7BA9AF84760F14446AF9488B286D738D588FBD2

Function 00F9245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 00F92462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00FDA992
LdrpDynamicShimModule, xrefs: 00FDA998
minkernel\ntdll\ldrinit.c, xrefs: 00FDA9A2

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 46586d1965132bd6a90c2527484954702af166c3b702faf8fef12ced554af14a
Instruction ID: dffb4903c0f0a9bfaec11b9029a92611717c819f05e5e9d2068fdf3e622350d3
Opcode Fuzzy Hash: 46586d1965132bd6a90c2527484954702af166c3b702faf8fef12ced554af14a
Instruction Fuzzy Hash: A6317B72A00201EFDB30DF69DC81A6A77B5FB80B14F29011AF9456B365C7799C41E782

Function 00F829A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00F8327D
HEAP[%wZ]: , xrefs: 00F83255
HEAP: , xrefs: 00F83264

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: b367a01b97af68a6a8fb5e341076f66a7cb8515c956afd3755d43f62d133fb74
Instruction ID: 2ba5eea66dcc042ac47b30792758202e0e57c1e83e46f5c6e20ad8dd055149c0
Opcode Fuzzy Hash: b367a01b97af68a6a8fb5e341076f66a7cb8515c956afd3755d43f62d133fb74
Instruction Fuzzy Hash: 1792BC71E042489FDB25DF68C844BEEBBF1FF48714F18805AE845AB251D739AA41EF50

Function 00F80770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00FD50AE
(UCRBlock->Size >= *Size), xrefs: 00FD50CA
HEAP: , xrefs: 00FD50BD

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: a458fb119adb1e6315ee747f8ff0dea5fe7c0a95dd8e2002c9eee899b5dfc409
Instruction ID: 2e019467960ef2a9826a7fc7336cfaad282e880e1d66b22962a93d6d2dbb9f80
Opcode Fuzzy Hash: a458fb119adb1e6315ee747f8ff0dea5fe7c0a95dd8e2002c9eee899b5dfc409
Instruction Fuzzy Hash: 4BF1DF31B00A05DFDB24DF68C884BAAB7B6FF44710F248169E4569B391DB34ED85EB90

Function 00F96962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 00F96C24
, xrefs: 00FDCA51

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 63596a5898475c00b3be180a0fe3d72ca345c14ab9c6aefffee34f8f4f7d11d0
Instruction ID: 02f44fcdecdcabc629b84428960d21cc7a738b4f3c19c29e0cfa4740d70bf546
Opcode Fuzzy Hash: 63596a5898475c00b3be180a0fe3d72ca345c14ab9c6aefffee34f8f4f7d11d0
Instruction Fuzzy Hash: 9AC29172A1C3419FEB25DF24C841BABB7E5AF88714F14892EF989C7241D734D805EB92

Function 00F6A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 00FCC1E4
FilterFullPath, xrefs: 00FCC2E6
UseFilter, xrefs: 00F6A1C1

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 227570bc4c620c0a4969862ed281b4c5dbabda70478e8f40ce56b1be0490d71f
Instruction ID: ef43c1a8aa1ea4153d03c27114c8df10d12769c01c724e14a35cda19cf6cbd9d
Opcode Fuzzy Hash: 227570bc4c620c0a4969862ed281b4c5dbabda70478e8f40ce56b1be0490d71f
Instruction Fuzzy Hash: 67A16971D1122A9BDB31DB24CD99BEAB7B8EF44710F1041EAE90CA7250D7399E84DF90

Function 00F90BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 00FDA10F
LdrpCheckModule, xrefs: 00FDA117
minkernel\ntdll\ldrinit.c, xrefs: 00FDA121

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 59e73ee04f75775c167c2d9747a37ec85ad637b0625182318d7358c37de7e79b
Instruction ID: 5df415dde7df370206920525cea09a21228d8824dd52e1e0890b721c57479810
Opcode Fuzzy Hash: 59e73ee04f75775c167c2d9747a37ec85ad637b0625182318d7358c37de7e79b
Instruction Fuzzy Hash: 2F71DF71E002059FDF24DF68CD81AAEB7F5FB44714F18412AE846AB351EB39AD41EB41

Function 00F80A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 00FD534D
HEAP[%wZ]: , xrefs: 00FD5335
HEAP: , xrefs: 00FD5342

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 1d3cd5fbbc2025b9bf9805741dd1c3d80ef9888f23757ce1c22f2995b269178d
Instruction ID: 54ad5df7ce6195d75fd805ba67b6340c1367d6d7fda9fbdcdc36b3ebbc3e6191
Opcode Fuzzy Hash: 1d3cd5fbbc2025b9bf9805741dd1c3d80ef9888f23757ce1c22f2995b269178d
Instruction Fuzzy Hash: 3561E2316007019FDB68DF24C841BAABBE2FF44714F14846AE495CF392CB74E885EB91

Function 00FAC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 00FE82DE
Failed to reallocate the system dirs string !, xrefs: 00FE82D7
minkernel\ntdll\ldrinit.c, xrefs: 00FE82E8

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 5fa2e515d68565d17b6f2b000da23abd61735673b0f6487ad364d97c82315ba6
Instruction ID: 3a262e8b87325d03268a94446f118c43ca641cf6be3127210c80acaf5594b47e
Opcode Fuzzy Hash: 5fa2e515d68565d17b6f2b000da23abd61735673b0f6487ad364d97c82315ba6
Instruction Fuzzy Hash: 0F41C4B1544304ABC730EB64DD45B5B77E8EF49B60F04452AF988D7261EB79EC00ABD1

Function 0102C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0102C1C5
PreferredUILanguages, xrefs: 0102C212
@, xrefs: 0102C1F1

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 9baa6cbc5fb20a5f009e7df1b21861a78372d13141c09e94006c3b31c2163720
Instruction ID: 355bd0f4cb642b6024c675f575ad8a05fb5f3bb4d67add4bf6598967b8c18bf9
Opcode Fuzzy Hash: 9baa6cbc5fb20a5f009e7df1b21861a78372d13141c09e94006c3b31c2163720
Instruction Fuzzy Hash: A441B271E00219EBEF11DAD8CD41FEEBBF8AB15704F04406AEA49B7280DB749E088B50

Function 01004144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01004172
LdrpResValidateFilePath Enter, xrefs: 01004160
@, xrefs: 01004225

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: e3cf4a7a001f70082d33007e21d706de7e14f1d84091c85d1bdc6df3d10d40b9
Instruction ID: 21a3fa241df5fa1a305e1c8801b90e76929a79f1d2e0b0a24aec31aab7cc0670
Opcode Fuzzy Hash: e3cf4a7a001f70082d33007e21d706de7e14f1d84091c85d1bdc6df3d10d40b9
Instruction Fuzzy Hash: F041E372A042488BFB22EB99CC41BEDBBF4EF45740F140499EA81EB7D2D7389901CB15

Function 00FF4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 00FF4899
LdrpCheckRedirection, xrefs: 00FF488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 00FF4888

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: bbd81c3216fe1044e919ba58e8902f73dc27d5c2de01d82c60d3d1d42e43e449
Instruction ID: e78b934b9b25f95f0c9d77db55ce5783d846bbb5e4d062218d2352aec2ae016a
Opcode Fuzzy Hash: bbd81c3216fe1044e919ba58e8902f73dc27d5c2de01d82c60d3d1d42e43e449
Instruction Fuzzy Hash: 26418E33A046589BCB21DE589840A377BE4BF49BA0F050669EE9897375E725FC00EB91

Function 00F80BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00FD5431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 00FD5449
HEAP: , xrefs: 00FD543E

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: b35061680f245a99ac90d225493eb3102de7aee895b4774cba35fd14eb0370cf
Instruction ID: d34312ef04bc1129f8b59ed07010e5af7838b90459ec191ad0aa13d577c1fc2a
Opcode Fuzzy Hash: b35061680f245a99ac90d225493eb3102de7aee895b4774cba35fd14eb0370cf
Instruction Fuzzy Hash: 78110632315941DFD768E714C861BB6B3A5EF81B25F28812AE406CB351DB34DC84F752

Function 00FF20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 00FF20FA
Process initialization failed with status 0x%08lx, xrefs: 00FF20F3
minkernel\ntdll\ldrinit.c, xrefs: 00FF2104

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: f8767194ba728975b55c388b40dd55e5d8d6484c6a916e094c64917c9ea24f9d
Instruction ID: 658e97e4f00ce44f6e76f0946754fcc11262dd404c130bb14f45acba2c5df24f
Opcode Fuzzy Hash: f8767194ba728975b55c388b40dd55e5d8d6484c6a916e094c64917c9ea24f9d
Instruction Fuzzy Hash: B6F0C271A4030CBBD734E64CDC53FA9376CFB41B55F100069FB44AB292D6B8A944EA96

Function 00F803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FD4D8A

Strings

#%u, xrefs: 00FD4D82

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 70cc7fcbd7559688d9577e810cda32bf55cd91facdb967b92659a5de8ce444c5
Instruction ID: 71d74badbfa61a78bf512f82c957ecd1c95508752c4e600574018967353af6fa
Opcode Fuzzy Hash: 70cc7fcbd7559688d9577e810cda32bf55cd91facdb967b92659a5de8ce444c5
Instruction Fuzzy Hash: 3F714D72E0114A9FDB01EF98C991BEEB7F9AF08744F144065E905E7252EB38EE05DB60

Function 00F7A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 00F7AA25
LdrResSearchResource Enter, xrefs: 00F7AA13

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 8c8ebe877bbc8fdfa011e26e68334ff213c08db03162512b8dcd1ca1baad2208
Instruction ID: 33be2c822d539b5b6e789233b2a88eeaed9aa85bd7cf923be1dc1aa369cf89f7
Opcode Fuzzy Hash: 8c8ebe877bbc8fdfa011e26e68334ff213c08db03162512b8dcd1ca1baad2208
Instruction Fuzzy Hash: 0CE1A372E04219DBEB21DF98C980BAEB7BAAF94310F158427E905E7240D7389D40EB53

Function 0103A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0103A551
`, xrefs: 0103A44B

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: ce46e4b37d87d8e013d08e69cdbf34dd620f862cbb7ce067a480a284ac79e695
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 34C19C313043469BEB25CE28C841B6BBBE9AFC8318F084A6DF6D6CB291D775D505CB91

Function 00FEE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 00FEE75A
UEFI, xrefs: 00FEE751

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 3335401f9ba7391bc3be4ab881330c677e6d1fe3ee20ecb4e8ef70ba36828b74
Instruction ID: cbbddffdbff9447fc5c119c9b8a23ba55fe58363ffa991e5541cd6de9bbe1e83
Opcode Fuzzy Hash: 3335401f9ba7391bc3be4ab881330c677e6d1fe3ee20ecb4e8ef70ba36828b74
Instruction Fuzzy Hash: C2616D72E002589FDB14DFA9D841BADBBB9FB44740F20406DE559EB291D731EE00EB50

Function 010143D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01014437
MUI, xrefs: 01014525

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 8cccacd4a67fef7d34f9f62c00f3ad3d834ab738e898b9184a8411358a012ed9
Instruction ID: cd59c8b4defa8b4d2cfa11890ad8bdf71cd62684866cf7fd1fcef1da091e8610
Opcode Fuzzy Hash: 8cccacd4a67fef7d34f9f62c00f3ad3d834ab738e898b9184a8411358a012ed9
Instruction Fuzzy Hash: 485139B1E0021DAFDF11DFA9CC81AEEBBB8EB48754F100529E611F7291DB399905CB60

Function 00F704E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00F7063D
kLsE, xrefs: 00F70540

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 0786919e7305f9103d008a2ea28b71f0d16170568ec65c89e5f164dcfdcc1257
Instruction ID: cab6196730b601a969f0349bc8aaf6e459d393dc9e37c4a92747057cae2330cc
Opcode Fuzzy Hash: 0786919e7305f9103d008a2ea28b71f0d16170568ec65c89e5f164dcfdcc1257
Instruction Fuzzy Hash: 9951AB71904746DBC724EF28C9406A7B7E4AF84314F04883EE9AE87281EB74E945DF92

Function 00F7A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 00F7A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 00F7A309

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 13b0a32d091f97a116ddbbb1ce93ef429a07876f601c5e13c22d12594a397701
Instruction ID: 2d4ad65f8419ea6a42ba1bffb8d40d707267eda6ad7757e49c2dbf3e78ce7374
Opcode Fuzzy Hash: 13b0a32d091f97a116ddbbb1ce93ef429a07876f601c5e13c22d12594a397701
Instruction Fuzzy Hash: 9241BD31A04649CBDB51DF59C840B6E77B5EF94710F2980A7E808DB3A1E376D900EB82

Function 00FAA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 00FAA5E9
Cleanup Group, xrefs: 00FAA5E4

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: e800a7032a7146629a366d96a52cc234fa297504c4e80f614fdb6d18789e8235
Instruction ID: 554740cd99a8744f3251dc6218ad8703b4e0b227edc8eb61dfeb35f842ecbb0f
Opcode Fuzzy Hash: e800a7032a7146629a366d96a52cc234fa297504c4e80f614fdb6d18789e8235
Instruction Fuzzy Hash: AF01D1B2240700AFD311DF14CE46B1677E8E745B15F048939B548C7291E778D808EB46

Function 00F7C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 00F7C8C3, 00F7CA40

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: fe64a52ae1de536c01ef64bad9f58167714dbc6fe572b350b71ccb1058a163bb
Instruction ID: 1eec9cde4824a16cad0462f87d14edc134e0bbdf9022af64b532d2f1ca6d2fc9
Opcode Fuzzy Hash: fe64a52ae1de536c01ef64bad9f58167714dbc6fe572b350b71ccb1058a163bb
Instruction Fuzzy Hash: A8825C75E002188BDB24CFA9C880BEDB7B5BF48310F54C16AE85DAB351D7349D81EB92

Function 00FF6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 00FF65C1

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e651be3b5ec3f6a1e61705edc10640ce1603b2db11a60bc838fd6f58bed84b4f
Instruction ID: 71d0525b28baa521021b58f37e9d568c643187cb42d44a999974e5a1266a23a2
Opcode Fuzzy Hash: e651be3b5ec3f6a1e61705edc10640ce1603b2db11a60bc838fd6f58bed84b4f
Instruction Fuzzy Hash: ED9171B2A00219AFEB21DB95CD85FEE77B8EF45B50F140065F600FB1A1DA75AD04DBA0

Function 0101E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0101E1FA

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9fa32ccb83c85c70ad26febf24b0637d30703f5a0530c6fe32724cb9e310e80b
Instruction ID: 3e10a7ca2778cf83637cdae399ebea9a90ad2c26439c201730038eb94b8e8106
Opcode Fuzzy Hash: 9fa32ccb83c85c70ad26febf24b0637d30703f5a0530c6fe32724cb9e310e80b
Instruction Fuzzy Hash: 7091CE71900608BFDB23ABA4DC55FEFBBB9EF85740F100029F941A7251DB799901DB90

Function 00FAA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 00FE67C9

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: d3bb4c0a79e467e3dcf5803a5e75e0e8e0cd6c11e203f995707bebd81173f037
Instruction ID: 5672db2b356bd288baf7bc28fcb3d0de199094eb47f56c22868e4e6441f7ac65
Opcode Fuzzy Hash: d3bb4c0a79e467e3dcf5803a5e75e0e8e0cd6c11e203f995707bebd81173f037
Instruction Fuzzy Hash: D2716E75E0024ACFDF28CF9AC9906ADBBB1BF68794F24812EE405E7241DB359D41EB50

Function 01014978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01014A7F

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 2ee4ed937ca29d41b5e9e6a25ad246edd4a882bebb87fe29e31670e6949dfa8a
Instruction ID: b71d5c7babe7a42c0d9c2a3983f0d8f7dfe9c21f1e58026e7928e7b04146c58d
Opcode Fuzzy Hash: 2ee4ed937ca29d41b5e9e6a25ad246edd4a882bebb87fe29e31670e6949dfa8a
Instruction Fuzzy Hash: 9F519072D002299BDF10DF99D880AEEBBB4BF04B10F05416AFA55FB265D77C9901CBA4

Function 00F8E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 00F8E6A4

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 87340800007112036a740971f45ea189d7afece99369c276f5d6e6437ae9c56d
Instruction ID: dbf496ed565ff6bdcb8c2c5ff66d7f19be5648c74e8913bb0566e373a26e585b
Opcode Fuzzy Hash: 87340800007112036a740971f45ea189d7afece99369c276f5d6e6437ae9c56d
Instruction Fuzzy Hash: AA4192729083129BD710FB75CC41BAFB7D8AF88B14F440929F9A4E7180E678D904A797

Function 00FEC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 00FEC77F

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 538a9ebe78966fc29669d55dd7d7c31bb531b59d933a3b4feb1395b131f31a37
Instruction ID: 927aa526cdd25b93dabb06059406cfb21675ec6feaaee3a1ea90e8209784d779
Opcode Fuzzy Hash: 538a9ebe78966fc29669d55dd7d7c31bb531b59d933a3b4feb1395b131f31a37
Instruction Fuzzy Hash: 594180F1D0026CABDB20DA61CD81FDEB77CAB45714F0045A5FA08AB141DB749E899FE4

Function 01006B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01006B91

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a3aa68492fb2e1c3a73ddb7a8685678bd0911017b10c1945e5d33be3303d7b01
Instruction ID: 61a2cd2f861f0a68a08872c7e31cc8702607bf9d2a03a87c94699ea12a28aba1
Opcode Fuzzy Hash: a3aa68492fb2e1c3a73ddb7a8685678bd0911017b10c1945e5d33be3303d7b01
Instruction Fuzzy Hash: 0331D131A006199AFB23DA69C850FEA7BA9DF05704F144068E981AB2C2CB6AE955CB50

Function 00FECA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 00FECAA2

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 7d3624a3dc7e4534a2d8a0958e8f1a504e81e6abd966e6c7b7d41f510fe64146
Instruction ID: 0d19771285bea4c2446ce4f5bad973e704215ac48d55d3e03b01264be52e383a
Opcode Fuzzy Hash: 7d3624a3dc7e4534a2d8a0958e8f1a504e81e6abd966e6c7b7d41f510fe64146
Instruction Fuzzy Hash: 56310336D00559AFDB15DA5AC852EAFB774EBC0B20F114129F811AB291D7309E06EBE0

Function 00FF892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 00FF895E

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: c8262a2ecc10831351cbf1f81914afc7ec5f655d5ea5f0f3a79561d485b3bdef
Instruction ID: 34b07d0eff3eff43983c091b6fe15f96a093286c3c7be18cbe514cf07bfd8835
Opcode Fuzzy Hash: c8262a2ecc10831351cbf1f81914afc7ec5f655d5ea5f0f3a79561d485b3bdef
Instruction Fuzzy Hash: 6901F2326002099FD7306E51CC85B7A7BA9EF86BE4F041029F78106572CFA5AC82F796

Function 01012000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7731edbfdc18f47e86477d224a75650a348d1631f5c39b9b980638cd4418ea13
Instruction ID: a215a506b1225933ff4e5b4d8fa4e20d90ea8d9deb5c337929888602fffc823c
Opcode Fuzzy Hash: 7731edbfdc18f47e86477d224a75650a348d1631f5c39b9b980638cd4418ea13
Instruction Fuzzy Hash: EE42F3316083419FE765DF68C890A6FBBE5BF88700F28096DFAC297259D738D845CB52

Function 01008158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c2af8b3fdd7328168a311cbd7eb06e57413a805beed2c4f398df1e0f66339a
Instruction ID: 6836a67ea45bdc362205f6e11efa2aa1004bb9d2c767abd11f148544876ecf6a
Opcode Fuzzy Hash: 17c2af8b3fdd7328168a311cbd7eb06e57413a805beed2c4f398df1e0f66339a
Instruction Fuzzy Hash: EF424E75E002198FEB65CF69CC41BADBBF5BF48310F15C09AE589AB282DB349985CF50

Function 00F82840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bf99b9302af65de771f1817e2d26410f085eabb147ea2cec7f18a63ed8626c
Instruction ID: d7efd248d2773cd81b00c326b85d2eaabcac62b8a786fd91ab9df135aa9f7758
Opcode Fuzzy Hash: b2bf99b9302af65de771f1817e2d26410f085eabb147ea2cec7f18a63ed8626c
Instruction Fuzzy Hash: E132AC71A007558BDB24DF69C8547BEBBF3AF84714F28411AE486DB384DB39A842EB50

Function 0101A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dad97bb087564c75613ba366f99e50b076b29da2716174f9e10720b160d3518
Instruction ID: adec3ee36b37753a482a78c3f79573bbef1a76cef334ced5cb3d5a7288aedaa2
Opcode Fuzzy Hash: 9dad97bb087564c75613ba366f99e50b076b29da2716174f9e10720b160d3518
Instruction Fuzzy Hash: 3C22AE707066A1CBEB65CF2DC454376BBE1BF44300F08889AE9D68B28AD73DD552DB60

Function 00F76A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8718abc02b697b5bd2fea8b24ab09888f7440ca0c8a162200da31adca8f62ed0
Instruction ID: 13bbaeefff496d34d84d4548e08d6c5b850975253f0a87352c2eef7bc8966525
Opcode Fuzzy Hash: 8718abc02b697b5bd2fea8b24ab09888f7440ca0c8a162200da31adca8f62ed0
Instruction Fuzzy Hash: 96328B71A00605DFDB25CF68C880BAAB7F2FF48310F24856AE959EB351D735AC41EB91

Function 00F94A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 473a95167a7c40e9bfa4248b1850d23ee43091cde615c956d984bcfadc4afce8
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 98F17171E0121A9BEF15CF95C990FAEB7F6AF54714F09812AE905AB340E734EC42EB50

Function 0100892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaac6a2bcc7d57da3cb1d8486d7a1cb7d5a3a5294d1a0def6c2b703260578a90
Instruction ID: a50114ff12f9df7307aeeda54dd550aeab2f166352a9e566ae6dbd00eb99036f
Opcode Fuzzy Hash: aaac6a2bcc7d57da3cb1d8486d7a1cb7d5a3a5294d1a0def6c2b703260578a90
Instruction Fuzzy Hash: C1D1E371E00A098BEF16CF59C841AFEBBF5BF88314F18C16AD595A7281D735E905CB60

Function 00F765D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be07e822cde60c5cb36dd099e04306f1cb223f21f0b1a9004d56ab2b73f0fb6
Instruction ID: ab99c6d022456a2c99ec9ea4039ac9f929b05d82c74196684b09ff3975273543
Opcode Fuzzy Hash: 1be07e822cde60c5cb36dd099e04306f1cb223f21f0b1a9004d56ab2b73f0fb6
Instruction Fuzzy Hash: 5BE18A71908741CFC714DF28C480A6ABBE1FF98318F148A6EE999CB351DB31E905DB92

Function 00F68397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b30516b3e934bb08539da64a032d0e6c814a4cb09ced8d8e2fb45740f347a2
Instruction ID: 17e029779c0ad15e9e8a811ffac056df82a5857be43ef14a3c9a2f0618d3aed7
Opcode Fuzzy Hash: 82b30516b3e934bb08539da64a032d0e6c814a4cb09ced8d8e2fb45740f347a2
Instruction Fuzzy Hash: 51D1E072A002169BCB14DF24CD82FBA73A5BF54394F14466DF916DB281EF34D942EB50

Function 00FF8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: e41af184ab45a930be7f90e4132130bdeed4842490a78c77e6f230bd002bfee0
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 42B17275A006089FDF24DF94C940ABBB7B9BF84394F144459AA02A77A1EF34FD06EB10

Function 00F80535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: da0f5524e07f7fe7a2adaf742d42286dd72d4a5d559a9511010868dc6bec17f8
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: C2B1F632A00646AFDB21EB64C850BFEB7F6AF44310F580165E552DB391DB34EE45EB90

Function 00F783C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9854f08f4b066b60b5cad4b7087747269dd417558b58d42475fe0057fd6d8d9
Instruction ID: 267d58641675a3f4cd8784ae3c3982488b411dac4df72553a233b19b4af5d895
Opcode Fuzzy Hash: f9854f08f4b066b60b5cad4b7087747269dd417558b58d42475fe0057fd6d8d9
Instruction Fuzzy Hash: F1C168746083419FD760CF15C484BABB7E5BF88354F48892EE98987390EB74E909DF92

Function 00F6C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99a915babf277afd3b23896f0336e33ea2dd6938765c4fb674c7d9e224f55d2
Instruction ID: ac18e200d2eea607c0ef6ff5b50c6aa329b1114b47da965e98fa85ed2a0852b7
Opcode Fuzzy Hash: a99a915babf277afd3b23896f0336e33ea2dd6938765c4fb674c7d9e224f55d2
Instruction Fuzzy Hash: A7B1A170A002698BDB24DF64CD80BB9B3B1EF44714F1485E9D48AE7281EB34ED85DF65

Function 00F9E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8827964e158724c7c0be760516d1fc627ae2ec4ebcbf778ed9810b2f9818a47
Instruction ID: 5b7df569dd4010cf74d86d4e4a5fa41b8d43c7f9f678f0655298b74c23f53e99
Opcode Fuzzy Hash: b8827964e158724c7c0be760516d1fc627ae2ec4ebcbf778ed9810b2f9818a47
Instruction Fuzzy Hash: 44A12832E002589FEF21DB98CC44FAEB7B5AF00724F190126E951AB3D1D7789D44EB91

Function 00FB0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e5563eea14bbfe38511c30c8c81ad331867f7bc323573a6495b34d40524c8c
Instruction ID: 4c02a5c2017c8898525504ab1b3f8526fd49fbec4093cb2dcf17822547486ac9
Opcode Fuzzy Hash: b6e5563eea14bbfe38511c30c8c81ad331867f7bc323573a6495b34d40524c8c
Instruction Fuzzy Hash: 64A1D171B00616DBDB24CF66C990BEAB7B1FF54324F14402AEA4597281EF78EC01EB90

Function 01044500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373d7705ed1b96f455b7ea16979a9a6371161278ccd2200d03e29087bb5e3204
Instruction ID: 2139321d4a2c84b394dccda5926ca511413ccb76eefc7bc5f07ec3b575462e4f
Opcode Fuzzy Hash: 373d7705ed1b96f455b7ea16979a9a6371161278ccd2200d03e29087bb5e3204
Instruction Fuzzy Hash: F5A1B9B2A00611AFD721EF28C981B5ABBE9FF48704F45457CF589DB662C738E901CB91

Function 01042B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 8cfd3fc0f1a611028c6ef6e9df638767a35ea8b7c9b6700662c96895303f0f37
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 0EB14AB1E0061ADFDF69DFA9D880AADB7F5BF48300F148179E994A7351D730A941CB90

Function 00FF60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0ca532725c7e1ce0f98cd1e30ebfd4e6fbba0dda6ad13b07bfdf6876d3b4d8
Instruction ID: a09df168a48f53807e4135eae4b2b3a3b7b4ef316f74383cb645d55e326f64f9
Opcode Fuzzy Hash: cf0ca532725c7e1ce0f98cd1e30ebfd4e6fbba0dda6ad13b07bfdf6876d3b4d8
Instruction Fuzzy Hash: 1B916071D00219ABDF15DFA8DC85BBEBBB5AF48710F154159E610EB361DB38DD00ABA0

Function 00F8E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57f6a3ec63f9701565998e141c1dfbe9652652d8076383bc3049c8e6cc57d58
Instruction ID: 3ddaac85e9289814f94dbd11de217f96a04e4b1b84d84ae878885657c3f10345
Opcode Fuzzy Hash: a57f6a3ec63f9701565998e141c1dfbe9652652d8076383bc3049c8e6cc57d58
Instruction Fuzzy Hash: 60911236E046158BDB24FB98C840BBEB7A2EF84724F19406AE805DF391E678DD01EB51

Function 00FC6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1847585b0ae176301b743aea480a4d236b47bc6fa424c0ad76f832c12baba18
Instruction ID: 8297c1481b907957b4db45eea7e000519b2ed6baebdc66057448d3fb10e117d2
Opcode Fuzzy Hash: d1847585b0ae176301b743aea480a4d236b47bc6fa424c0ad76f832c12baba18
Instruction Fuzzy Hash: 9F8190B1A0461A9BDB18CF69CA41BBEB7F9FB48710F00842EE445E7640E734ED41DB94

Function 0103AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 9ace0b6193d1fcf2b4f0e24ef409eeccaf37f4f0cfb79e7fe1a297d9835d6f5d
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: CD816D31B10209DBDB19DF99C881AAEBBFAAFC4310F1885A9D996DB345D734E901CB50

Function 00FAE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac51282955962cab0f112f17f44ebc6a3edcd7a956de5ebe60014576879014fa
Instruction ID: 5f95fd237fc1869e23d09ea5aeebe0e143ef5221b72b518c51ba86c2a5c0a2f1
Opcode Fuzzy Hash: ac51282955962cab0f112f17f44ebc6a3edcd7a956de5ebe60014576879014fa
Instruction Fuzzy Hash: 48816DB1A00709AFDB25CFA5C880BEEBBF9FF89350F104429E555A7250DB70AC45EB60

Function 00F8C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00943b7001ec1cf35b9317416afa552d0caec829642a1e52f66a695fcd8aa60f
Instruction ID: 4e7717b6927e59be217e00f10134d4c1aaa7848690e99d22e8d0b5b0e82dd598
Opcode Fuzzy Hash: 00943b7001ec1cf35b9317416afa552d0caec829642a1e52f66a695fcd8aa60f
Instruction Fuzzy Hash: 7971D175D00225DBCB259F59C8907FEBBB6FF58750F24412AE842AB390D7359801EBE0

Function 010247A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bb2f54cab9fafe6f60bc3b27cfa2bbc8bc93b5d306f92acef1a692517b523b
Instruction ID: 6b323758c5f2a53e181842e42a6b840a377bca91f0ce19a24c73185f1d147aac
Opcode Fuzzy Hash: e8bb2f54cab9fafe6f60bc3b27cfa2bbc8bc93b5d306f92acef1a692517b523b
Instruction Fuzzy Hash: 3771A0B0E00215EFDB60DF99DA41A9ABBF8FF94310F11419AE690EB269C7778940CF54

Function 00F8260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f13a0ffc58bfdb890237eceac3ee5b90a594b7bc499339e32842e109c319b6
Instruction ID: 1fb75214bf3306c013e5a49858ff52589b7dab49a815899a6728bdee74112f0d
Opcode Fuzzy Hash: 81f13a0ffc58bfdb890237eceac3ee5b90a594b7bc499339e32842e109c319b6
Instruction Fuzzy Hash: 4271D471A042418FC751EF29C484BAAB7E5FF84310F0985AAF895CB352EB38EC45DB91

Function 010062A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a3f73adc29e0c40d19ffa79379a32906fb1545d18a8c1b82012a7612afffc4
Instruction ID: 5421b98c3dd6ed800f33c0bba4770e94c8274584a0cb1106a8c125714b3be382
Opcode Fuzzy Hash: e0a3f73adc29e0c40d19ffa79379a32906fb1545d18a8c1b82012a7612afffc4
Instruction Fuzzy Hash: E771D032200A01AFEB339F18CC45F5ABBE7AB44720F158458E2969B2E1DB76E954DB50

Function 00FF035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 8baae05cb92e0cf199a5c638c90d1e281b1fa061c711d64a6012f22d2374ab57
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 43715D71A00619EFCB10DFA9C985AEEBBB9FF48700F144569E605A7261DB34EA01DB50

Function 00F78AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0579c7a560543272826d82984eebd8f64b6317a6b84be4192c8ebd0b40bc4b58
Instruction ID: 60d48ad44d3cff4626c3332f07867a22b6c85f7dabb06225c16db13d11e0a7f1
Opcode Fuzzy Hash: 0579c7a560543272826d82984eebd8f64b6317a6b84be4192c8ebd0b40bc4b58
Instruction Fuzzy Hash: 1A81A372A043158FDB25CF58D588B6D77B2BF98321F19412AE804AB391C7799D41EBD0

Function 01048324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedec857b1ad2659535974ef05a1e769398202d64f274ffda948a842e2f477e1
Instruction ID: 6bfb6fce9e8e8467ebcdf6ac4ad1e7287583e0ff37c2ead4c9b1ba68fb63abd8
Opcode Fuzzy Hash: aedec857b1ad2659535974ef05a1e769398202d64f274ffda948a842e2f477e1
Instruction Fuzzy Hash: 867109B1E00209BFDB56DF95CC81FEEBBB8FB04750F10856AF650A6290D774AA05CB90

Function 0102A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a355900f9e0a456b2d37b83569c890723844955e616097bc5ed4cb05de3549
Instruction ID: 35b84924a38a6be7f4364d6574fe2334fd8270666599f7c756accbbd08cfcd26
Opcode Fuzzy Hash: 58a355900f9e0a456b2d37b83569c890723844955e616097bc5ed4cb05de3549
Instruction Fuzzy Hash: 2151BE72604622EFD311DA68C844B5BB7E8EBC9750F000969FA80DB150DF75ED05CBA2

Function 01018350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5243efbc066a5417002a96220e1559988f68c2578b92b197e6b18769cc2d25a8
Instruction ID: ada496889153ce20f7f17f86d53498e8db38034d003d48e0a1477cd2b285978e
Opcode Fuzzy Hash: 5243efbc066a5417002a96220e1559988f68c2578b92b197e6b18769cc2d25a8
Instruction Fuzzy Hash: 8751C170900705DFD721DF9AC880AABFBF8BF94710F10861FE296976A5CBB4A645CB50

Function 00FAE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fb17895732609d819e72153c0b44ca7e97d3e41738baec1344ee1af2b8d858
Instruction ID: 95397d9792b24db12f80f997472997cea0cab81a0c62107ebacd1d9a5dde9af5
Opcode Fuzzy Hash: e6fb17895732609d819e72153c0b44ca7e97d3e41738baec1344ee1af2b8d858
Instruction Fuzzy Hash: 9B514AB1A00A45DFCB21EF65D981EAAB3F9FF09794F500429E54197261D738EE40EB60

Function 01014180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed51584d55bd98cf655ae9a63773f62b99e94eb3dadb5039d3e7bd883f68f519
Instruction ID: bcbf505dfe7bb2dd096f3f8ef110fd4318c178522f38f07c5a76187d4b3d979e
Opcode Fuzzy Hash: ed51584d55bd98cf655ae9a63773f62b99e94eb3dadb5039d3e7bd883f68f519
Instruction Fuzzy Hash: 955157B16083019FD754DF29C881AABBBE5BFC8714F44892DF589C7264EB38DA05CB52

Function 00F945B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: e44cdcf19d0ef0382ef9bd56de3bb5ca4ac8faded371b6d40aaccbfd46f96dde
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: C351AD71E0021EABEF15DF94C841FEEBBB6AF45710F05406AE900AB240D734EE45DBA1

Function 00FFE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 1b14c9ec3f86789d78714512dbea72bf6c32fbbeca35a297cd3c5ab1294df48d
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 7F51C432D0021DEFDF219E90CC81BBEB775AF40724F254665EB12672B1D7749E40AB90

Function 01038B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8ee446b1013331faf92a95840465453371dc3641018faaba26ec6d5a7b3fdb
Instruction ID: f498e7b1536e3f8c924ad4162ae46b83e892e4052f2cbabc676f7481d2d8e419
Opcode Fuzzy Hash: 3e8ee446b1013331faf92a95840465453371dc3641018faaba26ec6d5a7b3fdb
Instruction Fuzzy Hash: E241D1707056069BDA69DB2DC894B7BBBDEEFD0220F18C39AF9D587281DB34D901C690

Function 00FFCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842f617e47e800bf49b8121f192618748c81f0c134132832e08e6780f5339e6c
Instruction ID: 7f4d9ca66ebc9c0ec74bc5059d20d64d54768264e5281e2b59497965d3c9a915
Opcode Fuzzy Hash: 842f617e47e800bf49b8121f192618748c81f0c134132832e08e6780f5339e6c
Instruction Fuzzy Hash: 4251AE72D0022DDFCB20DFA9CA809AEB7B9FF48324B118529E655A7311D735AD01DBD0

Function 00FAA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7486b12753dc345932276757ebf45b207a861138cbc6c976763aa64deedd2ea
Instruction ID: b627b1cfe956954c5dc956439a8a674842feb4edec73ec9e8a4db9605ed17e4f
Opcode Fuzzy Hash: f7486b12753dc345932276757ebf45b207a861138cbc6c976763aa64deedd2ea
Instruction Fuzzy Hash: C3412AB2A402169FCF24EF65DC81B6A37A4AB56B58F01002DFD41DF252D7BAAC04FB51

Function 0103A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 15214970d30a382ba5fb9634a0af7db741486ee41eb6a8405b6cf11bdd6d9427
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 4441B432704A169FDB29DE58C980A6AB7EDFBC4210B05466EE9D287641EB34ED05C790

Function 00FA01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb83bbebbc500af5173f01e731d465b3a86dddca3970dcd72e33b27e6231fccd
Instruction ID: da8168379567807bb0953619e6c6a8de24332fd94e139fbc22f583799e33d94e
Opcode Fuzzy Hash: bb83bbebbc500af5173f01e731d465b3a86dddca3970dcd72e33b27e6231fccd
Instruction Fuzzy Hash: 31419CB6D002199BCF14DF98D840BEEB7B4BF4A710F14816AE815E7250DB359D41EBA4

Function 00F9EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b185a4c77535f5debc91b1e414bd9f32f28e2be01b638f676cae4c08d106660a
Instruction ID: ec6afddbebefce271f9b7664ef2bbf0cf64251a8fdaf9e5cd24944a3d91ebc4b
Opcode Fuzzy Hash: b185a4c77535f5debc91b1e414bd9f32f28e2be01b638f676cae4c08d106660a
Instruction Fuzzy Hash: 8E4182726043019FEB24DF24C840A5AB7E6FF48324F14492AE597C7712DB35E848EB51

Function 00FB2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c09a2ebdec1378ac2b7612f67a134b7fbbd260ed569861197a60c5a9d83aed23
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 36515B75E00259CFCB14CF99C480AAEF7B2FF84720F2481A9D855A7390E770AE42DB91

Function 00F76154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb288ffb4e333416e143517b08f252aab2f05c350fe5e6f3b8f054a87b39c9a
Instruction ID: e2d7bd64b2b6fd296a840ce0a96f098f6a7a5a07ef9235882dfde0cadbe35f42
Opcode Fuzzy Hash: 3cb288ffb4e333416e143517b08f252aab2f05c350fe5e6f3b8f054a87b39c9a
Instruction Fuzzy Hash: 225104709005169FCB659B64CC01BE8B7B1EF05324F1882AAE419E72D2EB799D81EF81

Function 00F70BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d517997abd8baa881ec12eee7c2e69b09943dbafef88f0710f1ab5be268574b9
Instruction ID: 108989bcd3100b80cbe1aef27f37a5a7aba661f3b8b8a2ba4e3775c79f942772
Opcode Fuzzy Hash: d517997abd8baa881ec12eee7c2e69b09943dbafef88f0710f1ab5be268574b9
Instruction Fuzzy Hash: 72417271E00228DBCB21EF64CD41FEA77B4AF45750F0541AAE909AB241DB74DE84EF92

Function 0103866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 160e59147225fa6e72358917e4b8f422fdf6998cf7968d67d7642d324e024da2
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 0F41A475B00205ABDB19DB99CC84AAFBBBEBFC8600F1481EAF580A7341D674DD008760

Function 00F70887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0551453d39e2a6d46ec869bed5716aa624b720a5ff05aa9d39202866bfcba902
Instruction ID: 80aaa06d518b8f53159b7e0aa720e0dd5735eba83c78e37c293ee437ca9545e8
Opcode Fuzzy Hash: 0551453d39e2a6d46ec869bed5716aa624b720a5ff05aa9d39202866bfcba902
Instruction Fuzzy Hash: 2941B1B1600701DFD724DF24C980A26B7F5FF49314B108A6EE54A87B52EB35F845EB91

Function 00F9A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8b1a8934ed3c5e89fbdf19ee2edb3cdc1a675f62c92d70a862561a322bdb3a
Instruction ID: 6eca79b0741446de5899e21489fa45ba2ef4056231003584c171355173ea0d05
Opcode Fuzzy Hash: 4b8b1a8934ed3c5e89fbdf19ee2edb3cdc1a675f62c92d70a862561a322bdb3a
Instruction Fuzzy Hash: E141C132A40204CFEF25DF68D8957EE77F1FB18320F190196D411AB2A2DB799D00EBA1

Function 00F78BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ce573338b72f1d667c8bbdeea4b80421d145faeb5af119a26aff6ae52aa25a
Instruction ID: bf6d4ed2cb8242df413756a99aa72982f0923e94ec076cfbc90bf1f16f7d3a78
Opcode Fuzzy Hash: 37ce573338b72f1d667c8bbdeea4b80421d145faeb5af119a26aff6ae52aa25a
Instruction Fuzzy Hash: 97411432A40201CBD725DF58C885B9AB7B6FB94754F24C02BE8059B356CB79DD02EBE1

Function 00F68918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608432d57d6a30322a000fd52ee3884c745b43fdb1de2286b4c916d0e1b272e0
Instruction ID: 7761515d245f76f55d152d744bb8477089599b702812a8c5640c31ee69a09ae3
Opcode Fuzzy Hash: 608432d57d6a30322a000fd52ee3884c745b43fdb1de2286b4c916d0e1b272e0
Instruction Fuzzy Hash: 1E419D725087169EE311DF64C942B6BB7E8EF84B94F00092EF980D7250EB31DE05AB93

Function 00F6A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: dc120748bee34f3d728e62920ab714d2f4ecec1678ff694a71723c8c1aaca336
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 92413B36E04212EBDB10DEA48943BBAB771EF50724F25806EE845AB345D7359D40FF92

Function 00F709AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a93e74c67512b65e636575e3bba9834875976f309a0480c4044afe31c86b28
Instruction ID: ab7350310fd2f2bde64bad6188dcd93f74f379de42d083635b359e9bd97b8268
Opcode Fuzzy Hash: 13a93e74c67512b65e636575e3bba9834875976f309a0480c4044afe31c86b28
Instruction Fuzzy Hash: 364166B1A40701EFD320DF18C841B66B7E5EF48724F24C56AE4498B252EB79E942DB92

Function 00FA0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 83441fad8301e558cb8b4c71d70764f5db6c21330c5d772e4811eb36dc9872a8
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 814138B1A00605EFCB24CF99D980AAAB7F4FF09710B20496DE556D7291DB30FA44EF94

Function 00F7262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307e73f734788ce9bb7f423b542bb0593cdf47ef27834e17d82924ab98f4d6ec
Instruction ID: 0a4f12766ef6c6d813ef3c896015712b9df9d3da158eb050a71e51b501528e16
Opcode Fuzzy Hash: 307e73f734788ce9bb7f423b542bb0593cdf47ef27834e17d82924ab98f4d6ec
Instruction Fuzzy Hash: DC419171901700CFCB65EF24CA41B55B7F6FF44320F10C26BD44A9B2A1EB34A941EB52

Function 00FAC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9f7c215ab895139599f7e4fcb604c5190ff43410204b85942cf6d0d2bf03e0
Instruction ID: ae7d7d9445dce7f1309c62fa4a859182cd6c02fd02d4891f4f6c63099586c6b3
Opcode Fuzzy Hash: 5c9f7c215ab895139599f7e4fcb604c5190ff43410204b85942cf6d0d2bf03e0
Instruction Fuzzy Hash: B3318DB2A01349DFDB51DF58C541799BBF0FB09724F2081AEE019DB251D7369902DF90

Function 00FF07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2347b69f5db6a4a23d98f54e3e8192590228dd12efb6a463433f3dd4df557e3f
Instruction ID: 13b35919e9b1c6abe52f1a278a6883026137614608c406b8dc6244ee70542576
Opcode Fuzzy Hash: 2347b69f5db6a4a23d98f54e3e8192590228dd12efb6a463433f3dd4df557e3f
Instruction Fuzzy Hash: 2B4190B15043059BD720DF24C845BABBBE8FF88760F004A2EF598C7291DB749804DB92

Function 00F680A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d41e75cefc9fdfb382df03cfb5f3d13421cc93f63ef734b26b6b61d78125b0
Instruction ID: df40db4de9693de80cc164cdd805ab499a494f20a49e77e4234c1dfb647c6171
Opcode Fuzzy Hash: c7d41e75cefc9fdfb382df03cfb5f3d13421cc93f63ef734b26b6b61d78125b0
Instruction Fuzzy Hash: 8841C372E056159FCB10DF18CD41AA8B7B1BF457A0F24872EE815A7281DF34ED43AB90

Function 00FF05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e96da3bc0c321958b14c5c7899de14ca136e4c7385b76d84f90db98b19598d4
Instruction ID: f815b20a20ffa65d000811b8aaa3eb14d6319398320f8526da51707406757fc6
Opcode Fuzzy Hash: 3e96da3bc0c321958b14c5c7899de14ca136e4c7385b76d84f90db98b19598d4
Instruction Fuzzy Hash: E141C272A046459FC320EF68C841ABAB7E5AFC8710F040629F994D76A2EB34ED14D7A5

Function 00F74859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0541abbb0a2334d2176d7e021b101f49a5cbe0c38fa89adbeee8e444a6901b7
Instruction ID: f766902cc19744e5aafd42a20277425acb81bc9b381cd9ab39a21efdf9b9149a
Opcode Fuzzy Hash: a0541abbb0a2334d2176d7e021b101f49a5cbe0c38fa89adbeee8e444a6901b7
Instruction Fuzzy Hash: 6641D6716003058BC725DF18D844B27B7F9EF81760F14842EF6598B2A1DB75ED41DB52

Function 00F68B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abba81ada7e3845ddec889556062e1e82818bb4e062d19d87ab6d75cf85ece09
Instruction ID: b76043e0ce180f43cf684f383e69c22f8422fb9d41ab99814cb914dfeef9466e
Opcode Fuzzy Hash: abba81ada7e3845ddec889556062e1e82818bb4e062d19d87ab6d75cf85ece09
Instruction Fuzzy Hash: 9E41B272E01604CFCB14DF69C981A9DB7F1FF88360F20862EE466A7291DB349942EB50

Function 00F802E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: fe8ba300f4cd3497945faefcd38bccbfb5515fc4cd33b6bc09691d60518f30c5
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 70314A32A01244AFDB519B68CC40BDEBBE9EF04350F0481B6F455D7352C678D848EBA5

Function 0101E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6ceb906efce772a88cd0181659beb9f6762c3f7119aaa6cf43ada3745406fe
Instruction ID: 2c9a807b15bc5801042d076626a1dbb33fa4a8dce938fc5d586f6cf4a53c049f
Opcode Fuzzy Hash: eb6ceb906efce772a88cd0181659beb9f6762c3f7119aaa6cf43ada3745406fe
Instruction Fuzzy Hash: 1331C875780705ABE723AF55CC41FAF7AA4AB49B50F100028FA00AB292CEADDD00D7A0

Function 01024B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd294e2d00812bdfc108a1ff53613b820b5b943f988021d7b41aab91463bb57
Instruction ID: 23182b982c9e4885f57f5c370517f8a668b3a09578551d588837c62fad217805
Opcode Fuzzy Hash: 1cd294e2d00812bdfc108a1ff53613b820b5b943f988021d7b41aab91463bb57
Instruction Fuzzy Hash: DB31F4726056208FC362DF1DD880E6AB7E5FB80360F1A44ADF9D5DB665D732E800CB90

Function 00F74260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65d50a8b106302970d96a9fc40f679e98b8a29fd91073116ec5072549d59b04
Instruction ID: b1f2efe8158313901a0ca3ac20fdd5077961bb3da3703bfa2b2e3bad5c61f060
Opcode Fuzzy Hash: a65d50a8b106302970d96a9fc40f679e98b8a29fd91073116ec5072549d59b04
Instruction Fuzzy Hash: 1441EE72601B04DFC722CF28C885FD67BEABF49710F14842AE9998B351CB74E840EB91

Function 01024BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384b44f94b9e1fd96a6ba97dc214753b2086b64a82dc9af6d7976f230059bf1b
Instruction ID: 54783fe8a688f3a9abf28a6211209c7335e8aa9337a812729d730a266230524b
Opcode Fuzzy Hash: 384b44f94b9e1fd96a6ba97dc214753b2086b64a82dc9af6d7976f230059bf1b
Instruction Fuzzy Hash: F131CB716042158FD360EF2CC880A6AB7E5FB84720F1A49ADF999DB391E730EC04CB91

Function 010361C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe3362a4f6cd83d8a14e0cd035c448af29ec82d940cfa2708ecd871a86a00ad
Instruction ID: e0d9a2eedf56c12ab5bbb236b2ffaa8562b09b9e5a6f53dfec829a517cd5287e
Opcode Fuzzy Hash: 1fe3362a4f6cd83d8a14e0cd035c448af29ec82d940cfa2708ecd871a86a00ad
Instruction Fuzzy Hash: F631E175A00619BBDB15DF98CC41FAEB7B9EB84B40F464168F940EB245D7B1EE00CBA4

Function 0101483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fe0533045ee71f5ea4d9082e3c107d9db9cefa7d2b7073caebb2161cddb9dd
Instruction ID: 9a4c50be27eaa87ba2e1f54716c7d58a74e74f174eb4cb6c4b8018f7d19ce0a0
Opcode Fuzzy Hash: c9fe0533045ee71f5ea4d9082e3c107d9db9cefa7d2b7073caebb2161cddb9dd
Instruction Fuzzy Hash: DC317376A4012CABCB61DF54DC84BDE7BF6AB98350F1000E5B548E7261CB349E919F90

Function 010360B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7fc46f43b2b514da24fe45b3302b8206c5df575b7cb9c3ee9927a8f4d5c4b9f
Instruction ID: f5500d455f12a32712ecab167c519f31303aac1452b73322c9ec47b97644fcff
Opcode Fuzzy Hash: b7fc46f43b2b514da24fe45b3302b8206c5df575b7cb9c3ee9927a8f4d5c4b9f
Instruction Fuzzy Hash: B431F471600611BBDB22AF99CC51BAEB7FDAF84750F044069F585EB352DB32EE008B90

Function 00F707AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104a7ccfc40f643cbbe9e8113b8031d6a4d6bfd4a553fa0dba7e6eb259b88f96
Instruction ID: 342dc1b1be26f72de47ada73e700602cec6ddfeb6bf59d811fa868028f92e0db
Opcode Fuzzy Hash: 104a7ccfc40f643cbbe9e8113b8031d6a4d6bfd4a553fa0dba7e6eb259b88f96
Instruction Fuzzy Hash: 4031F172A04312DBC711DE64C880E6BB7A5AF94360F01842AFC59A7351DE34DC01B7E3

Function 00F78550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060e71eb9e116f6f9b33b853bab23b98e556bf40cc178e5f1340f928bab422c7
Instruction ID: 9ebc0f7b927b70862100e4d693e645a16afbc54713ce90b332aa836f77d41aca
Opcode Fuzzy Hash: 060e71eb9e116f6f9b33b853bab23b98e556bf40cc178e5f1340f928bab422c7
Instruction Fuzzy Hash: D0319E72A093018FD360CF19C844B1ABBE5FF98760F19896EE88897351D771EC44EB92

Function 00FAA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 208df296711adfe6afae0e06cef992c0f5d225c9e5ac2b8002991f8a2645fc14
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: D3312CB2B00B01AFD760CF6ACD41B57B7F8AF19B60F14052DA59AC3650E730E904EB61

Function 0101EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3aad5e3dc51fc6fac0c6cce727747ab80c20c8007365adbc3bed547e7bb0f3
Instruction ID: d1d3686f32ae2a8a1604d53e3d28c076bb37c7cabac8ef6a8edc801a809519f5
Opcode Fuzzy Hash: dc3aad5e3dc51fc6fac0c6cce727747ab80c20c8007365adbc3bed547e7bb0f3
Instruction Fuzzy Hash: 72317C715053068FC712EF19C94085ABBF5FF89614F0449AEE8C89B256D3359945CB92

Function 00F9438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04e7c25a854d9b8243e3568d93de2619a396439db8086f17f3eb388d67e53b6
Instruction ID: 054103dd6d6a0efca6a6207fda0bde186b8697d53a89d372a184f4a5ee3906df
Opcode Fuzzy Hash: c04e7c25a854d9b8243e3568d93de2619a396439db8086f17f3eb388d67e53b6
Instruction Fuzzy Hash: C231A132A002059FEB24EFB8C981F6AB7FAAB94704F14452AE445D7295D734E942EB90

Function 00F6CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 5b99319b22c88f5b3a442d0cf5d2ab500499557c70799ae6001a865e242e06c3
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 8A210432E4029BAACB119BB58812BBFB7B5AF45754F158039AD95E7340E231DD00A7E1

Function 00F6C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdfd856c5fd31dd70602750feaf25c16196f44d2f94699ef6044b095248ffea
Instruction ID: ef75a70346b1b1336556b552d6b467d111d06a5ee3cc84ab32e36dd413698969
Opcode Fuzzy Hash: fbdfd856c5fd31dd70602750feaf25c16196f44d2f94699ef6044b095248ffea
Instruction Fuzzy Hash: 763129B19002018BC720AF24CC42FAD77B4AF40314F54C17DE8899F382DA79DD86EB90

Function 0102C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 05a7380ebe98fccc3dcf33d886d9c912a4db1ef26d69382a6f2c2d1b9deb3031
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 48216036A0066176EB15AB958D01AFFBBB4EF90714F40841AFAD587551EB38DD40C360

Function 00F6E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55822c2227413ef222c1388d4bef3903ae421b0a28b0ddd4debd6eb2369d6402
Instruction ID: a2c2f80c125e51477dafdf3fa2a938c96d67d30d2521376c09ad57d617b95bad
Opcode Fuzzy Hash: 55822c2227413ef222c1388d4bef3903ae421b0a28b0ddd4debd6eb2369d6402
Instruction Fuzzy Hash: A831F93BA4152C9BDB31DF24CC42FEE77B9EB15B50F0101A1F545A7291DA74AE80AF90

Function 00FA44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c5e25595e9468b12d7d8d93c20f02ad238966ea9f5ec389447d31e90fb0e01
Instruction ID: 713629a5e2b6964c0d14f68ec0ea89cbce68575d864ea4bb6553e822f3b29f30
Opcode Fuzzy Hash: e0c5e25595e9468b12d7d8d93c20f02ad238966ea9f5ec389447d31e90fb0e01
Instruction Fuzzy Hash: 0521B1B2A047459FCB21DF18C881B6B77E4FB8A760F044929F9549B241D774ED01ABA2

Function 00FA4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 708a283527786302fb2e7e5e10a232ed570959d66f487cefc27a630ae45ebdf0
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 6B217172A00608EFCB15DF58C980A8EBBB9FF8A714F108065ED259B341D6B5EE059B90

Function 00F6E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 9d4051f491c48d67ad88579de41c352c580fd36b08510898d04526330c991640
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 9631BF36600605EFD721DF68C985F6AB7F8EF85354F2045A9E552CB690EB30EE01EB50

Function 00FEE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370c6fbe8580dfbbd55c101f22a64f0e08994675d4caa252a6d346f2330912fd
Instruction ID: 96cb5aa84e6ecf68dde72716f3d840997345057ee47a5db5fd42a45a03b2c745
Opcode Fuzzy Hash: 370c6fbe8580dfbbd55c101f22a64f0e08994675d4caa252a6d346f2330912fd
Instruction Fuzzy Hash: D431BC75A10245EFCB14CF19D8849AEB7B5FF94304B11846AF84A9B3A1EB31EE50DB90

Function 00FF06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa667bf15fc1912047af9057b3f035b35f306edf90129350de681af73da3e8c
Instruction ID: edc45901158025a85a6dcc1a9414021981623c5044292f6729a96954483aaa51
Opcode Fuzzy Hash: 9aa667bf15fc1912047af9057b3f035b35f306edf90129350de681af73da3e8c
Instruction Fuzzy Hash: C3218072A005299BCF20EF59C881ABEB7F4FF48740B500069F941FB251D738AD41DBA0

Function 00FF019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090037e1b69b7c59b9c28f591c119a8ea45f4c3d7d178b659e396e9266f90b71
Instruction ID: ca27275e0d44677167046cdfafb3a7c397508a5871a74272cb5a988af2452fa8
Opcode Fuzzy Hash: 090037e1b69b7c59b9c28f591c119a8ea45f4c3d7d178b659e396e9266f90b71
Instruction Fuzzy Hash: 4621BC72A00608AFD715EB68CC44FAAB7A8FF48740F140069F904D76A2DB38EE00DB64

Function 00FF0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809af9062f3acf30fc09d13aa4c5a75970fb371f992db0afeaebfbe12c80cdb1
Instruction ID: 662c9840992fc515bcb7e11e93e002afcd6d92b1aae2d1291c840b781e1a9a58
Opcode Fuzzy Hash: 809af9062f3acf30fc09d13aa4c5a75970fb371f992db0afeaebfbe12c80cdb1
Instruction Fuzzy Hash: 7221F1729042499BC711EF59C948FBBB7DCAF90B50F080466BE80C7272DB34DA48E7A1

Function 00F92835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c001b739cb15be9705030134e0d329179c3f919ae42d23f9562472bda5dbd1b2
Instruction ID: 4a6ec3cc9f411f110a53c4ff8b53e8acbf6682cadf240e6da2a76a1b992cc8cb
Opcode Fuzzy Hash: c001b739cb15be9705030134e0d329179c3f919ae42d23f9562472bda5dbd1b2
Instruction Fuzzy Hash: 30210E32B45684ABF72257688C04F643796AF41B74F2C03A6F9209BBE2DB6CDC01E245

Function 00FAA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b570f6e49ef94e52dbbacd8ed0e09f4eddae749799567b347fda545d4eaf897
Instruction ID: e2ea62ad450a53fcbaf0c0513857692c28869e3f87cd5247ad3bc2e468def314
Opcode Fuzzy Hash: 5b570f6e49ef94e52dbbacd8ed0e09f4eddae749799567b347fda545d4eaf897
Instruction Fuzzy Hash: 0421A976600B419FCB24DF29CC01B56B3F5EF09B44F288468A449CBB62E336E946DB94

Function 0102A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077203ef1207a19588bf2a8fde582029ed019108dce0677844730409c5572fd7
Instruction ID: 978cd5b86d38eec2e7a4f91225a4e9f832535b8f6464db14d6d99969ec37a14b
Opcode Fuzzy Hash: 077203ef1207a19588bf2a8fde582029ed019108dce0677844730409c5572fd7
Instruction Fuzzy Hash: 8C112372380A30FBE72256599C01F6BB6999BD4BB0F100069FB48CB691EF60DC019695

Function 00FF0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ca298d8fd2c493b0f2411877d0a5f94cd9be3d902f1e2a82c11126565794d3
Instruction ID: 2b5b25b6163c369afd466970576de2f0355b85d86268e83ad7d1ae0a9550186a
Opcode Fuzzy Hash: 59ca298d8fd2c493b0f2411877d0a5f94cd9be3d902f1e2a82c11126565794d3
Instruction Fuzzy Hash: D42119B1E00218ABCB20DFAAD8819AEFBF8FF98710F10012FE505A7351DA759941CB50

Function 010080A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 85ccc2fb4af5d861dd7326633cc9584a74113596a09c3b03d83a5dd83c39c699
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: E5214D72A00209EFEB129F98CC41BEEBBB9FF88310F204456F995A7291D774DA519B50

Function 00FA0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 064d0acf2f9d045d85abedea128a3db39d7024f59d860ac3b69ea3601e423886
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 9511C4B3A01604BFD7229F54DC41FDABBB8EB82764F204029F6059B190DA75ED45EB50

Function 00F78770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cfd679b5cb4771ed1b4a692a6c7a6db4eb8456839b903fa65507d6ad3e65f0
Instruction ID: 6998b6c7102aec3f9371632183bb043f29656a48b30c5580585be79b9eab0939
Opcode Fuzzy Hash: c7cfd679b5cb4771ed1b4a692a6c7a6db4eb8456839b903fa65507d6ad3e65f0
Instruction Fuzzy Hash: 7111C432B406509BCB15CF59C4C4A16B7E9AF4A7A0B28C06EED0DDF205DAB2DD03D792

Function 00FAAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: bc022a04e60bf628005f8b9c526e7e2c40407fd47bfd0ac71b964c71fd41a96d
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 4D218EB2A00641DFC731DF49C540A66F7E6EBD5BA0F25803DE44697621C734ED05EB61

Function 00F780E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ac13f9209ac653e8b5c7c98332224b7bd6e5e09537be266386eb4a05250836
Instruction ID: 16168ef51e07d423d0b90ff9cc155097c17b363fdae4477afe81db0aecaaf76e
Opcode Fuzzy Hash: e6ac13f9209ac653e8b5c7c98332224b7bd6e5e09537be266386eb4a05250836
Instruction Fuzzy Hash: 54218E32A40245DFCB14CF58C581BAEBBB5FB88368F20816ED109A7310CBB1AD07DB91

Function 00FA674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271b25927a861eb6bdedd13274e9c0e09b33ee6f19fe0fae3ea536448e067a0f
Instruction ID: bc03151cfcfc947be15154a3cb621549abc51ec9c2a58afe8c5c965174428825
Opcode Fuzzy Hash: 271b25927a861eb6bdedd13274e9c0e09b33ee6f19fe0fae3ea536448e067a0f
Instruction Fuzzy Hash: C4218CB1620A00EFC7209F69C881B66B3E8FF85754F14882DE4AAC7250DE74BD40EB60

Function 00F9E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9dc61f3301feaca4d50f52c3927e3c83bb6f999fabe57affce21c68292482e
Instruction ID: f2f0a391abc84ccad6680e276688f984fe7d42ea5c54fa605cf9cda429ffb177
Opcode Fuzzy Hash: 1e9dc61f3301feaca4d50f52c3927e3c83bb6f999fabe57affce21c68292482e
Instruction Fuzzy Hash: 181104736001149BCF19DB24CC81A6B729BEFD5370B394539E9238B391E935DD02E790

Function 01006870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cd0c37a8e338d53c13e16b4fe77868b917f6b1269759deab2ae36f3bc9b9d4
Instruction ID: 96001634611762ecab14b9c914abbd28c765422c75ecb1929290c292a9749b1f
Opcode Fuzzy Hash: 99cd0c37a8e338d53c13e16b4fe77868b917f6b1269759deab2ae36f3bc9b9d4
Instruction Fuzzy Hash: 9811C132240504EFE723DB59CD40F9A77EDEB49B50F014024F281DB2A1DA76E911C790

Function 00FA66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd5f29d48f5a7c5146b022f005d98595a2a35ab8dc0cb5ac2d76ba2cfe56566
Instruction ID: e3d62311e2e579631b974130f223e6d4f13e2c97d59a7e12cedaaf53ac868cbc
Opcode Fuzzy Hash: 5bd5f29d48f5a7c5146b022f005d98595a2a35ab8dc0cb5ac2d76ba2cfe56566
Instruction Fuzzy Hash: D711C4B6E11204DFCB24DF59C580A5ABBE4AF85714F194079E805EB321DA38DD00EB90

Function 0103A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 2fe2e7e34382b7b014bc4464621b7c8bdb37569256061aeebf4725394810007e
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: B311E236A00919EFDB19CB58C801A9DBBF9EFC4310F05826AE885A7350E671AE01CB80

Function 00F70AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 3f8bb54bd3f8e5f2a13ea84a9c1914ad09ad54233cf3dd7a9e9144c9100ef443
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: BF21F4B5A00B059FD3A0CF29C441B52BBF4FB48B20F10892AE98AC7B40E771E914CB90

Function 00FFE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 2183e143cfc85fc641330c734ca2db9435eb7009f3e3d0c76d4ed3a01616ada2
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 0811A032A00608EFDB20AF44CC41B66B7A5EF45BA0F158429FA099B271DB75DD40FB90

Function 00F927ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeac68dd2bbd32b247be3f6adedbc6d1ee5147c09beb08f4c6926a8902c91b19
Instruction ID: 8561f21a8ce63f0e6f347dc99bf6dea5083a6675d437fe24da4c87d1d56205c6
Opcode Fuzzy Hash: eeac68dd2bbd32b247be3f6adedbc6d1ee5147c09beb08f4c6926a8902c91b19
Instruction Fuzzy Hash: CA012632B05648ABE726A26ADC44F67778EEF417A4F190076F8008B691DA18DC00F2A6

Function 00F74690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bef9ffadb665906b4668be06a52482c696590a97dd44a12ed7e76b1b461bee
Instruction ID: 662c58e3e42730b192ba70625f618ae4581172e047820fcf2544eb5bcb63d1b9
Opcode Fuzzy Hash: 56bef9ffadb665906b4668be06a52482c696590a97dd44a12ed7e76b1b461bee
Instruction Fuzzy Hash: 6F11C236640644AFCB29CF59D880F567BA4EB86B74F108116F918CB250C774FC41EF62

Function 01044B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b6d82724ef4aa066e22ded2b7ed831c18e148f58d14c504f4de301c80a0663
Instruction ID: dbe9bf16770569d04acb38cb29eebb7e19884224bc945be01328d46d229ce2f4
Opcode Fuzzy Hash: 28b6d82724ef4aa066e22ded2b7ed831c18e148f58d14c504f4de301c80a0663
Instruction Fuzzy Hash: 6511C276200A119FD7629A29DC84F66B7E6FFC4710F154579EAC2C7690DA30E802CBD0

Function 00FA6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c45c0d15f3364d64d75ca451f037ea19f1020ab4780ef642653a819539e25a
Instruction ID: e45583d2e34d61497b7cfc7e56de1c0567ccd1e2ce9b1ad473a36c94a523bbef
Opcode Fuzzy Hash: f5c45c0d15f3364d64d75ca451f037ea19f1020ab4780ef642653a819539e25a
Instruction Fuzzy Hash: 8211C2B6D00714ABCB21EF58CD81B5EF7B8EF45B50F540455E904AB301D774AE01AB50

Function 00F9EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddae83800fac50bc00f83bc1fe5c5a06763f966166077975ab2867b38081d68
Instruction ID: 02ef689aa29ad7555bc95132715a8dd70a5a2a9d808ac58e8f1a4eaef04c58e1
Opcode Fuzzy Hash: fddae83800fac50bc00f83bc1fe5c5a06763f966166077975ab2867b38081d68
Instruction Fuzzy Hash: 28019E715001089FDB29EF15D845F56B7F9FB95368F20826AE0498B2B5CB78AC42DB90

Function 00F9E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: cd74a99476abf44ed1c0683cdd80777bde4c396e03c8b05b98c310b364b0bed6
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 9A110233A016C59BEB22A7288C54F6437D4AB00B68F1E00B2E902C7752E32CDC42F211

Function 00FFE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 8b75aeef49d7f2a8d6943627629204105d45dc9bd71244f1b94159615fcc0b07
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 4801D233A40108AFD725AF58CC01F7AB6A9EF80B60F158125FA159B270E775DD40E790

Function 00F6A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 58ad617fc492539b746d94d21eaba051884314f0411c6c641eed62e0cddc6456
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 44010032844B119BCB208F16D840A727BB8EB55B707008A2DF896AB281C735D800EFA1

Function 01044940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f29cce58fdb21ddfb4bb4f6f5d0b0726d06ab45f9113f7f62a9d42cbbf3c20
Instruction ID: 333d11fb3e3207318ac8536eae9754294886943f2a7d44d1666b853897524fc2
Opcode Fuzzy Hash: 04f29cce58fdb21ddfb4bb4f6f5d0b0726d06ab45f9113f7f62a9d42cbbf3c20
Instruction Fuzzy Hash: E401C4B75415009BC362DF1C9C81F56B7E8EB85770B1542A5E9E8DB1A6D730EC01D790

Function 00FEE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2a8200abfc63c145da5b23b5d9f9f52104125656533d8a37278b1969aac893
Instruction ID: 82eeac7447c6c987ecaf1c71feb7dc4a6f0ecfe9904aef005cce10c6325894ba
Opcode Fuzzy Hash: 2b2a8200abfc63c145da5b23b5d9f9f52104125656533d8a37278b1969aac893
Instruction Fuzzy Hash: 6411AD32641240EFCB15EF19DD81F56BBB8FF48B94F2000A5FA059B662C639ED01DA90

Function 00F76259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2e7ca2c816b5dc992c94994cc08902dfb59360b71f825ce6a523dc23effe2d
Instruction ID: 0729d4c72c8b8783ef0b50960756580002efdc475b52d3082ce6a04b982bda04
Opcode Fuzzy Hash: 0e2e7ca2c816b5dc992c94994cc08902dfb59360b71f825ce6a523dc23effe2d
Instruction Fuzzy Hash: E0119A70941228ABDF65AB64CC42FE8B3B4AF48710F508195B328A60E1DB749E81EF84

Function 00F7208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 27c95169a1cda01d74a591b266fbc5d5df5e452adb5d5c5b22ae9febbf770e54
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 1B012433A001018BDF549A29D880F92B776BFD4720F6580BAED09CF246DA71DC81F3A1

Function 00FF6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3171fe4c4ca85c2843447f078a169ff7c42e945cd1a1255ce0bcd0b7373aae3f
Instruction ID: 64e9c9939d2603a9e9e50f12000f8022812d599eb06c90286beb0f3c982a0240
Opcode Fuzzy Hash: 3171fe4c4ca85c2843447f078a169ff7c42e945cd1a1255ce0bcd0b7373aae3f
Instruction Fuzzy Hash: 9F11177390001DABCB11DB94CC85EEFBB7CEF48358F044166E906E7211EA34AA15DBA0

Function 01006500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31ee2764779366a7dcbf0fb0f92ffd97f1c7cdc37904bb3f7407fd32357c339
Instruction ID: 42df2362b01bc066a625c21f2045ab388a5cdb3067242fe9dffc1cb851fdda87
Opcode Fuzzy Hash: a31ee2764779366a7dcbf0fb0f92ffd97f1c7cdc37904bb3f7407fd32357c339
Instruction Fuzzy Hash: F811A5326441459FD712CF58D800BA5B7F6FB5A314F088199E8848B355D733EC85CBA0

Function 00FFC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a97f4405b8f6d684d2e95606eac4adc40c6aa20ea0c9565eccaf09376ebdb71
Instruction ID: ba80d8a5c994411e0afe414c39a0bebcefe2969d1268ed476fe8b99303be3e12
Opcode Fuzzy Hash: 6a97f4405b8f6d684d2e95606eac4adc40c6aa20ea0c9565eccaf09376ebdb71
Instruction Fuzzy Hash: 1511ECB1E0021D9BCB04DF9AD541AAEB7F4EF48750F10406AF905E7351D674EE01DBA4

Function 0101EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c56c84e062a2ba65cdf95a51ca306b19b59999cf147f4403b2dff35729cb31
Instruction ID: 994ddca31392269d1c5de3244a287f2d0b36390c3c566ade3bc615bfc29e0499
Opcode Fuzzy Hash: 85c56c84e062a2ba65cdf95a51ca306b19b59999cf147f4403b2dff35729cb31
Instruction Fuzzy Hash: 3801B1325402109BC773BA19C841DAEBBE9FF42750B98446EFA845B612CB29BC81DBD1

Function 00FB20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a175f5039ca76341371d24f0bfeb3a2213f84f3a92b78434aa7bca5d6776962
Instruction ID: a1c7a4b927eea67b623dde23e43a991d3e50481a8c9f218dc2aa14879a165dd2
Opcode Fuzzy Hash: 8a175f5039ca76341371d24f0bfeb3a2213f84f3a92b78434aa7bca5d6776962
Instruction Fuzzy Hash: 8511A971A0120CABCB00EFA9CC41FAE7BB5EF44740F104058F9019B291DA39AE01EF90

Function 00F6C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 245cc2d123e9520ea64f8c8da2080057a0b59d4fe50ba2ad32df2bb14e777aec
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: C201F972500705EFDB22A665CA00FB773E9FFC4310F54482DA585C7540DA74E802E750

Function 00FAE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bfe9c1c4197ec3498983e32f6ec36898963d3cf94f7d4a46eaf3e7d3fe6d13
Instruction ID: 09a97c57961e788db12fae81ff8caf966dedc0bbe3e3fc9daf9bdec814f12221
Opcode Fuzzy Hash: d7bfe9c1c4197ec3498983e32f6ec36898963d3cf94f7d4a46eaf3e7d3fe6d13
Instruction Fuzzy Hash: 8A018FB2641A40BFC651BB79CD81E97B7ECFB857A0B040629B10497A62DB68FC01D7B0

Function 010069C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f0983a8dc611a3fe517c0de8753c58686656c77eedb55ea69fd103c9c7a05c
Instruction ID: 148329448bcf51e53069636fb1b4332ec46eb3dd3c188cb9c9115aa0238b5f91
Opcode Fuzzy Hash: 42f0983a8dc611a3fe517c0de8753c58686656c77eedb55ea69fd103c9c7a05c
Instruction Fuzzy Hash: 60014C322142029BD320EF6EC8499ABBBE9EF49720F104129F9988B1C0E735A951CBD1

Function 00FFC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fedf6c3b25633095dd96b85696c3bba89c53c065c253c4666a7770d7420ba8
Instruction ID: 6e04b9a2ad56d651b28ca0f6e0a86e1b77e12239acaf69ebbbd66e586b82f651
Opcode Fuzzy Hash: b8fedf6c3b25633095dd96b85696c3bba89c53c065c253c4666a7770d7420ba8
Instruction Fuzzy Hash: 37115771A0121CABCB15EFA4C951EAE7BB5EF48750F104059FD01973A1DA39EE11EB90

Function 00FFC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbd2cc6c9c07faf4b2b6068eda1cbf7017a80aaa3d5af4716001c84656969b1
Instruction ID: 7f8a6d909064d308da0c5270cc7056514a7b85705d091ab5cac800c59e683151
Opcode Fuzzy Hash: 2bbd2cc6c9c07faf4b2b6068eda1cbf7017a80aaa3d5af4716001c84656969b1
Instruction Fuzzy Hash: 4E118EB16043089FC710DF69C94299BBBE4EF88710F00451EF998D7361D634E900CBA2

Function 00FFCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247d483f4b5e2309a3e367e0f80106396845564c9a06f73c81e7b149c35ca314
Instruction ID: a90e8f3a14d1b3dbe9c1ec172de22419aa064093bf421488f5186a43e0a83f89
Opcode Fuzzy Hash: 247d483f4b5e2309a3e367e0f80106396845564c9a06f73c81e7b149c35ca314
Instruction Fuzzy Hash: 12118EB16043089FC300DF6AC94199BBBE4EF89750F00851EF958D7361E634E900DB92

Function 01044A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 8a7186add78b2d089a64b227f4c6d9747b0ba3d27e5945f0deaccf75cc7ee4e9
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: F60128B22006019FD721DA59C881F96B7E6FBC1200F044869E682CB650DA70F850C750

Function 00F8E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 399505ed6da505bd6d670255d3353cf182d8a0737dd27efe4b10b2cb30d5c0da
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: BB01BC326045849FD322A71CCA08F6677DCEF45B68F1D08A5F805CB6A2C7A8DC40E721

Function 00F6826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882687159cfbe7b18e9976dd61d5f16cf75ea826e41d7bb7c94a3c91291a7713
Instruction ID: e54dce9199fe01dbf532154144a95c8e2df2a20494b8249a25733aa107bc4773
Opcode Fuzzy Hash: 882687159cfbe7b18e9976dd61d5f16cf75ea826e41d7bb7c94a3c91291a7713
Instruction Fuzzy Hash: 8F01F272B00508DBC714EB6ADC11ABE77B9FF80760F15812DE901AB252EE30ED02E690

Function 0101EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e30b6820944f008bddf0fbe3f52135706a378506ee99f437c6ee484c484b2dd6
Instruction ID: 6823ed6cff2283dbb9d9ee7e39be85a7b3de900f346c5d54a9d18ba501b9a437
Opcode Fuzzy Hash: e30b6820944f008bddf0fbe3f52135706a378506ee99f437c6ee484c484b2dd6
Instruction Fuzzy Hash: 3801A7712407009FD3325B15DC41F4BBAE8FF45B50F110429F6859F395D6B9A8409B94

Function 00F72582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb68b3f8ab32d2ffdfdabfb86cfef9b1d9a5beec2d8c8d2dca19e3626435263
Instruction ID: a11f35e3bcab383184cc33792b844799f514e76d60cb648ad4e2687f381c5015
Opcode Fuzzy Hash: bcb68b3f8ab32d2ffdfdabfb86cfef9b1d9a5beec2d8c8d2dca19e3626435263
Instruction Fuzzy Hash: A2F0A433A41A20B7C7319B56CD41F57BAAAEB84FA0F15802AB50997650DA34ED01EBA1

Function 00F9C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 0c30b1d7462c814b172af066c025a7457cb6ddfdb1af398f560cfca98a45c0cc
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 67F0C2B2A00A10ABD324DF4DDC41E57F7EADFC0B90F048128A605C7220EA31DD04CB90

Function 0104634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f51d267b3d85d85c0218afbb75c153bcb17c8e901efececf5db2866ca44fb24
Instruction ID: 6202c7336217f89a7bca0dcf012182f17741da46a1388e408b65ad4380699c87
Opcode Fuzzy Hash: 8f51d267b3d85d85c0218afbb75c153bcb17c8e901efececf5db2866ca44fb24
Instruction Fuzzy Hash: 260144B1A1024DEFDB04DFA9D9519DEB7F8EF48704F10406AF904E7351D778AA019BA4

Function 0104625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354e4f847c010fca6db2e877f93c5cacfe27e4c10d732630dee96eeb2446dfdb
Instruction ID: d804f28878a12ab7892a13f0e0192ee7e3e2bf64200c6bc1f1fc2a2aa386421c
Opcode Fuzzy Hash: 354e4f847c010fca6db2e877f93c5cacfe27e4c10d732630dee96eeb2446dfdb
Instruction Fuzzy Hash: 540144B1A1061DEFCB04DFA9D9519AEB7F8EF48744F10406AF904E7351D678AA01CBA4

Function 010462D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09753816ebe794cf481647645f12a2476c9d588cc18016dfaf4377158bebbb9
Instruction ID: 53daeaccef05d4fa8c1ac89ed00741d346136015319e57049a2b87b838ed34c1
Opcode Fuzzy Hash: a09753816ebe794cf481647645f12a2476c9d588cc18016dfaf4377158bebbb9
Instruction Fuzzy Hash: 800144B1A0024DEFDB04DFA9D95199EBBF8EF48704F50806AF914E7391D674AE018BA4

Function 00F6C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 1924e66ca2b35a39cb8b0afe6ce4d04988f8b01fa9baf7bd713b3a46c56c8bd5
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: C6F0F673644A329BC73216594C42B7BB6958FD1BA4F2A8035F1C99B344CA648C02B7E1

Function 00FACA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 702d0d3a62027ff87cfb1048062701c0875871f8fe1803643107c5a79e2562d4
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: B201D6726006C99BD722E719C805B69BB98EF42760F0840A1FA08CB6A2DB7CDD01E350

Function 010461E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffb50aa2806a606daa9f34c5d433faaaf1e83f0a626f00dd4053003575776e2
Instruction ID: aa58e792775c0f51e2256a63b577da94cdde0132a01b99287317e7b642b5aa64
Opcode Fuzzy Hash: 4ffb50aa2806a606daa9f34c5d433faaaf1e83f0a626f00dd4053003575776e2
Instruction Fuzzy Hash: DA0184B1A00658EBCB00DFA9D941ADEBBF4AF44710F144069F900E7390D738EA01CB54

Function 00FF63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 5b3fc16d4d60009e13fdee717bedc5bdc2f95b5da0e1faa04451972512dc58af
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 9CF0F97220001DBFEF02AF94DD81DAF7BADEF59798B104125BA11A2161D635DE21ABA0

Function 00FFA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a634253a705f74fcca4926a5aedb2b7fc56aa64a9207f74c4adf40866972d7
Instruction ID: 1374cb1c78f88c529c15db216f91acc88e2cc30efdc60b1d1260ad5389b5bf6c
Opcode Fuzzy Hash: 21a634253a705f74fcca4926a5aedb2b7fc56aa64a9207f74c4adf40866972d7
Instruction Fuzzy Hash: 8D017836500109ABCF129F84DC40AEA3BA6EB4C764F098101FE1866224C676D960EB81

Function 00F6C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5378a2c877f93695bb1eb1140393264622a3be4b821fc02cc3f1be2992921af1
Instruction ID: 5b7c7dd036592c3d0dcbe133f2d476dc5c5ac7334352371bc27984de752eaf77
Opcode Fuzzy Hash: 5378a2c877f93695bb1eb1140393264622a3be4b821fc02cc3f1be2992921af1
Instruction Fuzzy Hash: 2BF024727083015BF314A6199C02F323696EBC1760F29803AEA898F6C3EA74DC41A3D4

Function 00FA656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97e7dd6ac66388bfe7474e2c1c9ac0b06314447620743797863fb1df9b24f47
Instruction ID: 0719940a842e4b589d0b5c0a06f360e3d80c5847d0dd9fee376d39d4a7b029cb
Opcode Fuzzy Hash: c97e7dd6ac66388bfe7474e2c1c9ac0b06314447620743797863fb1df9b24f47
Instruction Fuzzy Hash: 3F01A4B1A006C49FE732AB29CD49B6537A4AB41B54F5C0194FA01CBAE6DB6CE801B610

Function 0101437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 83f34bd84e3e93ca08dd6a72ec313b188de6bff60e953ac2d85771397b0dc153
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 76F02E31341D1347EBB6AB2D8870B2EB6D5AF80F10B05856DA5C5DB6A4DF18DC00D780

Function 00FFC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccbee6b9ac590af74aba78429e901133b6650ac699f523a13330613c9c2533d
Instruction ID: cc55a143ceef9a50851f951715201f24da521ba72fda9d3aff37f83c45e75a8b
Opcode Fuzzy Hash: 6ccbee6b9ac590af74aba78429e901133b6650ac699f523a13330613c9c2533d
Instruction Fuzzy Hash: D9F0C8716053089FC314FF69C942E1BB7E4EF48750F40465AB894DB391E638EA00DB96

Function 00FFE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: c697f32b4448d22360ed6de1243b9406ddc46b2af5680e28c4322197b8574a9b
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 3DF05E73B51615ABD321AA49DC80F26B3A9AFC5BA0F290065A604AB270C760EC01E7D0

Function 00FA0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 63e5c5188f7f2cd133badd6220b3f367183f9e90633d657622d6afbef3c7959a
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 44F0B4B2610204AFE714DB21CC01F96B3E9EF99350F1580789545D71A0FAB4DE01E658

Function 00FFC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0fc8abddc6be8ef0e3e2bbd5da701c1a5fafdb3389abf6b701e3b3e561fbea
Instruction ID: 7bcb1f48ea92f4920eb57d2f64723f37294ab21119b3e8a27e2dffdb1e031384
Opcode Fuzzy Hash: 5a0fc8abddc6be8ef0e3e2bbd5da701c1a5fafdb3389abf6b701e3b3e561fbea
Instruction Fuzzy Hash: 82F0A470A0120CDFCB14EF65C511AAEB7B4EF04700F008055B945EB395DA78EA01DB90

Function 00F747FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bce817e107f6df01665431388043164620fa1bf3669e508a4d393d503a6eb1
Instruction ID: 4390f965ccb107291b27f9159bdf70d67315e640455620053e0d6672ad6a6f46
Opcode Fuzzy Hash: 41bce817e107f6df01665431388043164620fa1bf3669e508a4d393d503a6eb1
Instruction Fuzzy Hash: 2CF0C732C022E88ED7328A288444B65B788AB02730F1CC96BD89D83102C324EC80E603

Function 01030115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d5f65ad6e9ea243b45b9f3985973b80b65642e8eb9a4e3231b6d5e04f2965a
Instruction ID: 79c75ca46d447b4ed2300e7cf100dba67b77b138494c7ce188de3ddc9102af67
Opcode Fuzzy Hash: d8d5f65ad6e9ea243b45b9f3985973b80b65642e8eb9a4e3231b6d5e04f2965a
Instruction Fuzzy Hash: B4F0203641B6951ADF726B2CB8A02D12BACA782510F1910C9ECE0A721EC57B8883C370

Function 00FAC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5c650044d3c4bf999332187811012d04a9ccfd88c317ab5f97d8bb4eef89cf
Instruction ID: b1880963cf30a75eb18c45dd26ce785662fb26f38a04b91c6ab656effbfa20ce
Opcode Fuzzy Hash: 3f5c650044d3c4bf999332187811012d04a9ccfd88c317ab5f97d8bb4eef89cf
Instruction Fuzzy Hash: BBF0B8F29116909BD322DB18C148BA1B7E8AB46BB0F189526D80A87712C264CC80EAD0

Function 00FB2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: c43c4bc7179ff15f149adc411d6a39fafffdba3ebe124819fec29661763ec916
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 2BE0D832300A002BD712AE5ACCC1F87776EEFC2B10F040079B5045F252CAE6DD099AA4

Function 01006030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 516c6a0bb36bbb5052efc3c56dd485d8972f3b4a5a0e9aaf3054312a92e09759
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: FAF08C721442049FF3228F09D840B57B7F9EB05364F01C065F6088B1A1D33AEC50CBA0

Function 00F70710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 0c0d47911090a5c6d4f6e577159e8626e866284517c7a1144d00ed97eff4eb4d
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: C3F0ED3A204395DBDB19DF19D040BE5BBA8EF55360B10409AE84A8B351EB35FD82EB81

Function 00FA49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: e772814120855e1c41cfeaf99cb58807e7f49642a1c76b0ccccd99adbba8f85b
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 5DE09273684546ABC3212E55CC01B6676A59BD27A0F150429E1019B150DBB8EC40F798

Function 01044164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82f1890745ba05797350532c08b90bd8a8e1ead0be54799e04b8a1f34af5a35
Instruction ID: 129b1aab970ebe99bb3fc14c8ee5591efd7aef272a6bf2ca23b153de9af58886
Opcode Fuzzy Hash: f82f1890745ba05797350532c08b90bd8a8e1ead0be54799e04b8a1f34af5a35
Instruction Fuzzy Hash: 91F065F1A265914FE7B2D72CE5D4B9577E4AB11730F1A05F5D485C7922C724DC80C650

Function 0101678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 4983a6de58360056ca589d5acace86e56a2f2fc538afc46e05c635dec16347d0
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: E2E02672A01110FBDB21A799CD02F9BBEBCEB80FA0F050054B600E70D4E5B5EE00D6D0

Function 010408C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 3a005a240ab20f456a021a64279f2f232dc37dead7359e5ccd138e42c3930283
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: EBE02B716403458BDB208A2DC280AD3B7E8DF95620F1480BDEEC417202C230F842C6D0

Function 00F725E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f74d5c7a980b807005c19753901a1a3c04f64f15b48d7c763a3c31beb843973
Instruction ID: 331ef1dee9d525797edd1c8971f48e5e47e04d2dca470100130dde2698a68e10
Opcode Fuzzy Hash: 8f74d5c7a980b807005c19753901a1a3c04f64f15b48d7c763a3c31beb843973
Instruction Fuzzy Hash: 9EE092721005549BC722BF29DD02F8B77EAEB94760F018516F159571A1CB39AD10D784

Function 0102A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 8e7e9fae5b680aee38bc402528fbeeedc63c76f611378cf53d1372928e11978e
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 1AE06D31010620DFEB766B2ADC09B92BBE0AF80711F148868F1D6128B1CB78D880DA40

Function 00FF4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: f3c2fe9cf6a59a41ee4ee1f6085cecef8709a2fa7b924a74ebd79e9f0a134183
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: F2E0AE347002098BD715CF19C040B6277A6BFD5B20F28C068AA488F205EB32A8429A40

Function 00FACA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f26dd94a9b88c5de6f0577c3c4780141cc4d098df9fa56a89ad4a920fa4f8bf
Instruction ID: 9978fd92e5cc26eae86d54462140118cf0f50fdb527ac3a415a6cdc7857b0d13
Opcode Fuzzy Hash: 6f26dd94a9b88c5de6f0577c3c4780141cc4d098df9fa56a89ad4a920fa4f8bf
Instruction Fuzzy Hash: 19D0C7728850286ECB74E228BC28FA33A9DAB42B20F024860F20892020D92CCC81B2C4

Function 00F6823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: e24e98c5c608f542f0bd92e749a2a15434350310e13be3694e13130676ed7b2b
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: EEE08632440510DFDB312E11DC12F9176A1FB94B60F20492DF041160658B745C82FB44

Function 00F72050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc0b9ad6201289bbbafcea8601b618ec1d6ff0d66bb2ea0f3143a5707d0fbfd
Instruction ID: 18739392821e778d39ad7b848ce3e72e3d773db2bc744bd017d786fd12a0961e
Opcode Fuzzy Hash: 9dc0b9ad6201289bbbafcea8601b618ec1d6ff0d66bb2ea0f3143a5707d0fbfd
Instruction Fuzzy Hash: 7EE08C321004506BC311FA5DED02E8A73EAEB95760F008122F154972A1CB69AD00D794

Function 00FA8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: bf1d91bfc5cadeb52a160d211d36f0ecfce6d25bf677d56b8113571c200cedd8
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 54E02673110A0497C328EE18C411B7273A4EF45730F08423EA51347380C934E804D794

Function 00FC6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 127826dc828ade284bd9733b831d1b6f1576dc8a1d2c45c76727c0c8903e8637
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: BFD05E36511A50AFC3329F1BEE01D53BBF9FBC5F20705062EA44693920C675AC06DBA0

Function 00FAE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 5251e282e97c0753ce549a77d679912a6ca153470604fefa85fce7409f84d672
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 6FD0A932A08660ABDB32AA1CFC00FC333E9AB88B20F060459B008C7160C3A4AC81DA84

Function 00FEE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: ff90cbf2c90452be4d5617f1b6c1c961014ef9ca7bd4134aa9b747861fd61a7c
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 80E0EC759506849BCF12EF59EA41F5EB7F9BB85B50F150054A0086B662C628AD00DB40

Function 00F6A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: bb942951e78d03659cd6211df682a8da6ac66f1aa73cd98748ec9d27afc29c44
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 4CD01233616070A7CB2966656D14FA779559B82BA4F1A006D780AB3910C5198C42FAE1

Function 00FAA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 6ccd74eb80589b80fdc6eac700927d29733241298fa78fbcf2cab3f6b2f0be5f
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: C9D012771D054CBBCB11AF65DC02F957BA9E755BA0F444020B504875A1C63AE950D684

Function 00FACA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291fcf5fb16e48ccd542971811100acbe01f543056c9bb0bd80f976e856a5407
Instruction ID: ace091a7c32a31d39d27ea6c814642a88507b5baac52e17c6f7b2b33b7d0f06c
Opcode Fuzzy Hash: 291fcf5fb16e48ccd542971811100acbe01f543056c9bb0bd80f976e856a5407
Instruction Fuzzy Hash: 2BD0A775901446CBCF16EF05C925E7E36B0EB14780B400068F60051170D72DDC02F740

Function 00F802A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 07bc3ab2d4943e5df7beb9e902946e6062a7d57097f66f9a647d93206eeb4c54
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 27D09235612A80CFC65A8B08C5A9B5533A4BB44B44FC504A0E401CBB61DA68E944DA00

Function 00FAC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 7bd1d72aae6e16c2b903a27439403c1f7f86a8ee32d6fc3f3ae043e0f9b330ae
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: DAC01232290648AFC712AA98DD02F427BA9EB98B40F000021F2048B671C635E920EA84

Function 00F90310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 5ce0f3d3b197473fe25212292d7614164be1b0149d1f09c9e4408cbe79f75d9c
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 20D01236100248EFCB01DF41C890D9A772AFBC8710F508019FD1907611CA35ED62DA50

Function 00F70750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 1002cbe19735b7ac597ce781fc831a44117540e36f9eb93316ce0e23e910baca
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 4AC04C757015458FCF15DB19D795F4577E4F744750F150890E805CB721E724FD01DA10

Function 00FB4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcde72a48987cda9e05cb18894558b581f6d66ed1014cda4d504addc06c8326
Instruction ID: 199a32aab5e0b2578fd4e6a743eb73ac95ad9e66f9600a2c68d472326d8aed90
Opcode Fuzzy Hash: 2bcde72a48987cda9e05cb18894558b581f6d66ed1014cda4d504addc06c8326
Instruction Fuzzy Hash: D890023160580122924071598985A46400597E0341B55C026E0424554D8E198A576361

Function 00FB4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe54f9643be165f00af676392167d74efb598cb58e4728d8b34feceaee9aed57
Instruction ID: e251afa8333ef9c0a9075f5cfa494c79900d498e8a93cbf5ea8ec03aa823952b
Opcode Fuzzy Hash: fe54f9643be165f00af676392167d74efb598cb58e4728d8b34feceaee9aed57
Instruction Fuzzy Hash: 7790026160150152424071598905906600597E1341395C12AA0554560D8A1D8956A269

Function 00FB2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b48f42b23d19792e54fa914450baf6b87684b48cb722a23df3a0443c8a39db
Instruction ID: ebd761d3fc866da883a5088b339a027de83f27527258f94f065a50313fe2decf
Opcode Fuzzy Hash: 37b48f42b23d19792e54fa914450baf6b87684b48cb722a23df3a0443c8a39db
Instruction Fuzzy Hash: BB900225221401120245B5594705A0B044597D6391395C02AF1416590DCA2689666321

Function 00FB2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2e2a8ae46621598a9b8d89313e2ffa605b89bdc8ab4146540453c844bd4d62
Instruction ID: 05424a52798a041cdd81864e3562400e0df599feb2ed4dfb52b032a459549de4
Opcode Fuzzy Hash: cc2e2a8ae46621598a9b8d89313e2ffa605b89bdc8ab4146540453c844bd4d62
Instruction Fuzzy Hash: 10900225211401130205B5594705A07004687D5391355C036F1015550DDA2689626121

Function 00FB2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8a3096735f774ed7d1df2008235f3234813ab998dcf4c5e9ea8b07b51b342
Instruction ID: 99eb4c3a220f288b4c67c36a758504f9db74ebe474d3626f9c9ca70bf68483c6
Opcode Fuzzy Hash: 70f8a3096735f774ed7d1df2008235f3234813ab998dcf4c5e9ea8b07b51b342
Instruction Fuzzy Hash: DB9002A1201541A24600B259C505F0A450587E0341B55C02BE1054560DC92A8952A135

Function 00FB2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab779af482f44ee505acf487c1ef767135a5d2c31de1c9aca1668798a5775784
Instruction ID: cf37b0310e7a6e786b4d594baf68cadc8904c6143597b9ced00306e5f50e071a
Opcode Fuzzy Hash: ab779af482f44ee505acf487c1ef767135a5d2c31de1c9aca1668798a5775784
Instruction Fuzzy Hash: 7890023120140912D28071598505B4A000587D1341F95C02AA0025654ECE1A8B5A77A1

Function 00FB2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901e9813865d6156d14b646b5e8568b3cdf80b1ab2a999b1c6d0e4e7c00b025e
Instruction ID: 5e8201d9aeaf953534879c85dd91c39d4b2a92468df0dbdfc6d44bdb4a224a08
Opcode Fuzzy Hash: 901e9813865d6156d14b646b5e8568b3cdf80b1ab2a999b1c6d0e4e7c00b025e
Instruction Fuzzy Hash: F290023120544952D24071598505F46001587D0345F55C026A0064694E9A2A8E56B661

Function 00FB2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58079957634caf520aa5578f9e11ebea291a151fbd8f9cfdd31692a60a6432c1
Instruction ID: 2570fffeecd42f50bf4140091a2858a18c779015a40dc8e5d4a16874ec804ae5
Opcode Fuzzy Hash: 58079957634caf520aa5578f9e11ebea291a151fbd8f9cfdd31692a60a6432c1
Instruction Fuzzy Hash: 2790023160540912D25071598515B46000587D0341F55C026A0024654E8B5A8B5676A1

Function 00FB2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faee87bab6a1a31dc814febda3b7b220fa2f5a242cf6aaa8b11f7b368bc9d8eb
Instruction ID: c52b8c2ea6cb0448a13ae86904d3200316a9ae1f5e9c4558db1169e76f863348
Opcode Fuzzy Hash: faee87bab6a1a31dc814febda3b7b220fa2f5a242cf6aaa8b11f7b368bc9d8eb
Instruction Fuzzy Hash: BC90023120140912D20471598905B86000587D0341F55C026A6024655F9A6A89927131

Function 00FB2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf608c65efdaa56300a7c35f23e1fb2cb65d8ea9fe6f8b6b236f5630d0aed6f
Instruction ID: 47fbe135e8bea4eabfb918b7d945aeb5ab33d0f5f0e01880bd641e1ff638cd88
Opcode Fuzzy Hash: 9cf608c65efdaa56300a7c35f23e1fb2cb65d8ea9fe6f8b6b236f5630d0aed6f
Instruction Fuzzy Hash: 9B90026120240113420571598515B16400A87E0341B55C036E1014590EC92A89927125

Function 00FB2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03933079a2ff41feb9591ce3649a9db34f71425ffbdcd38bbd4de103378d2227
Instruction ID: cdf690bd7675f01a11469aba6155187fe744885e3dacc795f25322d39552744d
Opcode Fuzzy Hash: 03933079a2ff41feb9591ce3649a9db34f71425ffbdcd38bbd4de103378d2227
Instruction Fuzzy Hash: D290023120140513D20071599609B07000587D0341F55D426A0424558EDA5B89527121

Function 00FB2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6033f21e24675d02078283ef775afa1d477a704b091b93622302e822995747
Instruction ID: eb524d8636deaa8c73fbff1303b8c3c13fcbf98c95167879a392f810e9c82eaa
Opcode Fuzzy Hash: be6033f21e24675d02078283ef775afa1d477a704b091b93622302e822995747
Instruction Fuzzy Hash: 8E90022160540512D24071599519B06001587D0341F55D026A0024554ECA5E8B5676A1

Function 00FB2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b968c0f4a8e8e87676919ad54706fc47c729a3753a8dee66ce1c14d4b017968
Instruction ID: c0c03be779c94eb1c66f838638771097d8ca142642de68c1fd9f70e60e7df239
Opcode Fuzzy Hash: 2b968c0f4a8e8e87676919ad54706fc47c729a3753a8dee66ce1c14d4b017968
Instruction Fuzzy Hash: 2290023120140512D20075999509B46000587E0341F55D026A5024555FCA6A89927131

Function 00FB2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7522e02f0a968be4c03051a6be83e5167ed1201ebc48b7826b674fcc2a59b011
Instruction ID: 2d9a91b3821744467bf50da12439d19abfffcb0a8a76b5757fc8595650c429b5
Opcode Fuzzy Hash: 7522e02f0a968be4c03051a6be83e5167ed1201ebc48b7826b674fcc2a59b011
Instruction Fuzzy Hash: 9F90023120140952D20071598505F46000587E0341F55C02BA0124654E8A1AC9527521

Function 00FB2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5206f19391a2bd638adba218f0ec52cda677e6440fd300c1f0fb8517c5d6c126
Instruction ID: 68e6baf6fbd8261568102945af2d49f153c040652d4f9f541e5ecbd752ba06b9
Opcode Fuzzy Hash: 5206f19391a2bd638adba218f0ec52cda677e6440fd300c1f0fb8517c5d6c126
Instruction Fuzzy Hash: 72900221242442625645B1598505A07400697E0381795C027A1414950D892B9957E621

Function 00FB2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509c727a14dde4a8a4a69089c7597cb2b6953f78d35a46d2d5b5ae747a186dc6
Instruction ID: ff3ab78d864ed2b9f705e29237f75c1ed837ce562d537df43a2b5f2e7cdb05ef
Opcode Fuzzy Hash: 509c727a14dde4a8a4a69089c7597cb2b6953f78d35a46d2d5b5ae747a186dc6
Instruction Fuzzy Hash: 2090023124140512D24171598505B06000997D0381F95C027A0424554F8A5A8B57BA61

Function 00FB2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183e7d045ecf3ec9d0c4a81611e41c5cc7a5657bc5940a720faf2e5e262547a5
Instruction ID: acf9d1dea48d6a7b2955214d80d7ff68ba5b6ccf7cbc8ccce1e89174028439e1
Opcode Fuzzy Hash: 183e7d045ecf3ec9d0c4a81611e41c5cc7a5657bc5940a720faf2e5e262547a5
Instruction Fuzzy Hash: E790022130140113D24071599519B064005D7E1341F55D026E0414554DDD1A89576222

Function 00FB2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79035a43ba252b2792360a735cf812e9cece500f16032a44e0d19c66693505a9
Instruction ID: bf571d745d479f4d5e73f70784d6f9765bbd74f5e22537b0e228f1c5af56e96e
Opcode Fuzzy Hash: 79035a43ba252b2792360a735cf812e9cece500f16032a44e0d19c66693505a9
Instruction Fuzzy Hash: 7D90022921340112D28071599509B0A000587D1342F95D42AA0015558DCD1A896A6321

Function 00FB2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfa36a31d67b36fcdbe40cf27a9c9147e0d585e1d7d7d26abfcc8e540ade7a6
Instruction ID: ce40d0e6e5f46036ac580dd71564b47921e532af5611ed79629b37493a4aba3d
Opcode Fuzzy Hash: 3cfa36a31d67b36fcdbe40cf27a9c9147e0d585e1d7d7d26abfcc8e540ade7a6
Instruction Fuzzy Hash: 2390022120544552D20075599509F06000587D0345F55D026A1064595ECA3A8952B131

Function 00FB2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4045589d4a43b98f1b1f5acd911d7566f6634c11e494f4c6dbfc6f8864816a5
Instruction ID: 26b299f8f03a1a5191db77788a9ea8f303587f290cbafb8c317f7a41f86ce459
Opcode Fuzzy Hash: e4045589d4a43b98f1b1f5acd911d7566f6634c11e494f4c6dbfc6f8864816a5
Instruction Fuzzy Hash: AE90026120180513D24075598905B07000587D0342F55C026A2064555F8E2E8D527135

Function 00FB2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34782eb9c12139f61b58002dc932c9ca853b23e611b0e4ce9da4c46239c933cb
Instruction ID: e3b98dd1b6e38068f29cdf522f6566c175c08b956858bb1858b5de8da9e1618c
Opcode Fuzzy Hash: 34782eb9c12139f61b58002dc932c9ca853b23e611b0e4ce9da4c46239c933cb
Instruction Fuzzy Hash: 5990027120140512D24071598505B46000587D0341F55C026A5064554F8A5E8ED67665

Function 00FB2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a07410457777479b153f4e9509096cde1a7a27d190cc14e66a068c3845e8590
Instruction ID: c4dd6d147a74027631c04f1c2eb3054435f769b42516bad7f3f096fbc8315653
Opcode Fuzzy Hash: 0a07410457777479b153f4e9509096cde1a7a27d190cc14e66a068c3845e8590
Instruction Fuzzy Hash: 8690022160140612D20171598505B16000A87D0381F95C037A1024555FCE2A8A93B131

Function 00FB2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f2b94c5cafbd1a15159439e47342e2613e4e9387bbdb01479dde2c5a391043
Instruction ID: c87d697994dde827cc6e8617450623ce569347987c4c6c1cc9ed48eea2aa92a9
Opcode Fuzzy Hash: c4f2b94c5cafbd1a15159439e47342e2613e4e9387bbdb01479dde2c5a391043
Instruction Fuzzy Hash: 3A90022130140512D20271598515B060009C7D1385F95C027E1424555E8A2A8A53B132

Function 00FB2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca06db403f52a6f03c04a9fcb5a1ca5b81d43a4192a9d83a8372865f35962f3a
Instruction ID: 9447fc49d7ecfe7201fb0216b0f84dc5c70336e5462898eb1aed643878306537
Opcode Fuzzy Hash: ca06db403f52a6f03c04a9fcb5a1ca5b81d43a4192a9d83a8372865f35962f3a
Instruction Fuzzy Hash: 13900221211C0152D30075698D15F07000587D0343F55C12AA0154554DCD1A89626521

Function 00FB2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58e7f0f23298888630ee61c6a515786677760862335ed59d6e7a1e43596dfe2
Instruction ID: 32a40eccda2dea1565d2729ad8c5e4dd1bfa7f52c1841af85c109b27bf5a958f
Opcode Fuzzy Hash: b58e7f0f23298888630ee61c6a515786677760862335ed59d6e7a1e43596dfe2
Instruction Fuzzy Hash: F39002216014015242407169C945E064005ABE1351755C136A0998550E895E89666665

Function 00FB2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd9012236cf71be9e0b16e5ef8e4ceb8e6f171e5df09a4d10833a045abbf85a
Instruction ID: 338525c8f979a00768f3fd09b4a34e0654ccc076339ef4152cab07fe217c6a77
Opcode Fuzzy Hash: cfd9012236cf71be9e0b16e5ef8e4ceb8e6f171e5df09a4d10833a045abbf85a
Instruction Fuzzy Hash: B490023120180512D20071598909B47000587D0342F55C026A5164555F8A6AC9927531

Function 00FB2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a7e83e8dcedc0a8b82cbd8dde6e356f6a47672cd524ccfe2448ebcdec3f9d2
Instruction ID: dd002c79d4735544dec29bd3f31651e2c12004ed7fcd99c37914abb055e96413
Opcode Fuzzy Hash: d5a7e83e8dcedc0a8b82cbd8dde6e356f6a47672cd524ccfe2448ebcdec3f9d2
Instruction Fuzzy Hash: 1290023120180512D20071598915B0B000587D0342F55C026A1164555E8A2A89527571

Function 00FB2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4732048b5f0746f4811c3fe012cef0dbf284804a22dcc9f77ee9635052fcde2
Instruction ID: 8594fc3e491cf51992658a33475aab8f750cd3e322a2d85bb43d53e5728c91b9
Opcode Fuzzy Hash: d4732048b5f0746f4811c3fe012cef0dbf284804a22dcc9f77ee9635052fcde2
Instruction Fuzzy Hash: 2090026121140152D20471598505B06004587E1341F55C027A2154554DC92E8D626125

Function 00FB2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffce6adc88922f68b6a4987a6c6c1c26f3bd26ef401914b23c18133a94ae830
Instruction ID: 65fa3055435cff3d52910b4497877c2f6e4c3b551711555708ffa396a622bbca
Opcode Fuzzy Hash: 1ffce6adc88922f68b6a4987a6c6c1c26f3bd26ef401914b23c18133a94ae830
Instruction Fuzzy Hash: E990026134140552D20071598515F060005C7E1341F55C02AE1064554E8A1ECD537126

Function 00FB3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c2ac234b3bbcc4646f70379129bf357c9aac232293a3b2c6cfef2689fc80de
Instruction ID: d6706fd5cc59584028f50bead0c2467f4d2370f531631285b687946cdf35ba9c
Opcode Fuzzy Hash: 10c2ac234b3bbcc4646f70379129bf357c9aac232293a3b2c6cfef2689fc80de
Instruction Fuzzy Hash: B690022124140912D2407159C515B070006C7D0741F55C026A0024554E8A1B8A6676B1

Function 00FB3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e226dffb496be10f41393d83fa57324c9f92d3ab73f8d64aa16b4989defbf15
Instruction ID: 901518b73c84797fb36e8785eecf6c0cd221d4fdf31ba9bb825f7c06924895b8
Opcode Fuzzy Hash: 0e226dffb496be10f41393d83fa57324c9f92d3ab73f8d64aa16b4989defbf15
Instruction Fuzzy Hash: 0390022120184552D24072598905F0F410587E1342F95C02EA4156554DCD1A89566721

Function 00FB39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a534aacec7b760f92614495ae8ebaac0c7a5bf2b2d4c87b343613bb570195f13
Instruction ID: c63b1492a20870efe55b86a77369559deb03932e0804a347535f85b7247f7921
Opcode Fuzzy Hash: a534aacec7b760f92614495ae8ebaac0c7a5bf2b2d4c87b343613bb570195f13
Instruction Fuzzy Hash: 3C90022124545212D250715D8505B164005A7E0341F55C036A0814594E895A89567221

Function 00FB3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d5518840fd7437e2796ae56cda42d06e447ecdaed153fc07dc101644f37aae
Instruction ID: 855368dc59d132d533faf2fb852845048a9ad40bd2d821cdfeb87640e5d04715
Opcode Fuzzy Hash: 04d5518840fd7437e2796ae56cda42d06e447ecdaed153fc07dc101644f37aae
Instruction Fuzzy Hash: B290023520140512D61071599905B46004687D0341F55D426A0424558E8A5989A2B121

Function 00FB3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ec9f5f1e8659905309fb2e9f3a9f0e8dfd2256a564f306c3aed2310f754460
Instruction ID: 6a543513857fe9d9bcddc8ef53b6baadf62392f5b73fae7bc599bae8a5aa385f
Opcode Fuzzy Hash: 08ec9f5f1e8659905309fb2e9f3a9f0e8dfd2256a564f306c3aed2310f754460
Instruction Fuzzy Hash: 2690023120240252964072599905F4E410587E1342B95D42AA0015554DCD1989626221

Function 00FB2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: a97ef88a12050e85bd610e44d70fdb988a243a14889f6765f0f56bec3d8fcbee
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 00FB2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FB293C
___swprintf_l.LIBCMT ref: 00FB295E
___swprintf_l.LIBCMT ref: 00FB29A3
___swprintf_l.LIBCMT ref: 00FEA52E

Strings

ffff:, xrefs: 00FEA504
::%hs%u.%u.%u.%u, xrefs: 00FEA527
:%u.%u.%u.%u, xrefs: 00FEA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 00FEA54E

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f613c33047d7e8eb691e4f27baba3f80aa65e979f933c5e8936f41d89b16af3b
Instruction ID: 245f6642269519c87b6b7cbcc7c73a8eab5e1efcef675673f676d8c30fd94344
Opcode Fuzzy Hash: f613c33047d7e8eb691e4f27baba3f80aa65e979f933c5e8936f41d89b16af3b
Instruction Fuzzy Hash: 9651EBB6E00256BFCB50DF598D90ABEF7B8BB08300B148169E469D7641D734DE40BBE1

Function 01022410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010224A6
___swprintf_l.LIBCMT ref: 010224E2
___swprintf_l.LIBCMT ref: 0102257D
___swprintf_l.LIBCMT ref: 010225A3
___swprintf_l.LIBCMT ref: 010225C8
___swprintf_l.LIBCMT ref: 01022608

Strings

:%u.%u.%u.%u, xrefs: 010225FF
::ffff:0:%u.%u.%u.%u, xrefs: 010224DA
ffff:, xrefs: 0102247D, 0102249D
::%hs%u.%u.%u.%u, xrefs: 0102249E

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 49ad388c0e6f3209f9189e3822ab370a9ac3874a8157392e1be4b053c0f49320
Instruction ID: ea8acfc22463307e705f8a409d0b96ce5c9192de374661a98cfa410ef0686f37
Opcode Fuzzy Hash: 49ad388c0e6f3209f9189e3822ab370a9ac3874a8157392e1be4b053c0f49320
Instruction Fuzzy Hash: D151F571A00665AFDB71DEDCC99097EBBF8AF44200B448859E4D6C7682DA74DA409760

Function 00FA7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00FE4725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00FE4655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00FE4742
ExecuteOptions, xrefs: 00FE46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 00FE4787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00FE46FC
Execute=1, xrefs: 00FE4713

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: b32c77b95396002c14e5a844dc284018967bf799896ec73deb6928623df382b5
Instruction ID: c13f74d64dd3de92939a07a8f39fbc991cacdc1d50affbf0a8e72643d8cd29f4
Opcode Fuzzy Hash: b32c77b95396002c14e5a844dc284018967bf799896ec73deb6928623df382b5
Instruction Fuzzy Hash: E1513971A043187ADF20FFA5DC86FE977B8AF05310F1400A9E605A7291E771EE45AF51

Function 01046940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 211f6f5f4dcaf8bc9a091815954e8fcfa0ffbe5511805a3138a79e2cd204f292
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 9F0237B0508341AFD345DF19C890A6FBBE5EFC5700F04896DF9858B260EB76E945CB92

Function 00FBB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00FBB6BF

Strings

-, xrefs: 00FBB650
+, xrefs: 00FBB65A
0, xrefs: 00FBB695
0, xrefs: 00FBB66F

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 54d4958207975169799cabb78e135a33163447426b1131e5b8e0dd2fab1e1522
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: E581C470E052499EDF24CF6AC8517FEBBB6AF85320F284259E851A7291CBB49C41EF50

Function 010220E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0102214F
___swprintf_l.LIBCMT ref: 01022172

Strings

]:%u, xrefs: 01022169
[, xrefs: 0102212B
%%%u, xrefs: 01022146

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: fec2fc5ddfe5cb75eb90b103c62bf09181af38a70566d41a16382a1c5fb69736
Instruction ID: 872098e31c634487b7bb00f52ee0eead3270d56ff71829f758905bdc604464c5
Opcode Fuzzy Hash: fec2fc5ddfe5cb75eb90b103c62bf09181af38a70566d41a16382a1c5fb69736
Instruction Fuzzy Hash: 612183BAE00129ABDB10DEA9CD51EEEBBE8AF54740F140156E945D3201EB34DA019BA1

Function 00F9F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00FE02BD
RTL: Re-Waiting, xrefs: 00FE031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00FE02E7

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 96bfa7008e445c06652915bbba86322f53a02ef31d975a9c900004fbe943ee54
Instruction ID: d5b58cadb1d22e8ec2493cb1f68cb802ee3f11cfb811ac1a1832894b9a318d13
Opcode Fuzzy Hash: 96bfa7008e445c06652915bbba86322f53a02ef31d975a9c900004fbe943ee54
Instruction Fuzzy Hash: 8DE1B431A047419FEB25CF29C845B6AB7E0BF84324F140A2DF595CB2E1DB74D949EB42

Function 00FABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 00FE7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00FE7B7F
RTL: Resource at %p, xrefs: 00FE7B8E

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: cb8cc05c6928c29f6a8695e980cc4523e4dbb06fdd65222f8c719b5c8be0cd0f
Instruction ID: 84c1d81cbaa9502878d58b7934a07f313ff7909011d2d68d492f369ad1afedcd
Opcode Fuzzy Hash: cb8cc05c6928c29f6a8695e980cc4523e4dbb06fdd65222f8c719b5c8be0cd0f
Instruction Fuzzy Hash: 2B4122757047429FC720DE25CC41B6AB7E5EF89720F140A2DF95ADB382DB31E805AB91

Function 00FAB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE728C

Strings

RTL: Re-Waiting, xrefs: 00FE72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00FE7294
RTL: Resource at %p, xrefs: 00FE72A3

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d56ca397c6ebcbb7f11232e56002621061af17e53401dc17feafc4f4ac3ac3d6
Instruction ID: c0a828e61b9c877b6f79dc7654f3111ef17915075d1a9f0488259abf712c9b17
Opcode Fuzzy Hash: d56ca397c6ebcbb7f11232e56002621061af17e53401dc17feafc4f4ac3ac3d6
Instruction Fuzzy Hash: 76410571B04346ABC720EE26CC41F66B7A5FF45720F140619FE55E7282DB25E806BBD1

Function 01022300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0102238D
___swprintf_l.LIBCMT ref: 010223B3

Strings

]:%u, xrefs: 010223AA
%%%u, xrefs: 01022384

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: f7d360677afb628bef04678ecb17646536b2fd4c4a1ed2bf49f399992521c607
Instruction ID: f84b63d46af8433d21bea8f45b8f6653bc93a347bcd1b82422e4583a08683b0c
Opcode Fuzzy Hash: f7d360677afb628bef04678ecb17646536b2fd4c4a1ed2bf49f399992521c607
Instruction Fuzzy Hash: 07318472A002299FDB60DE69CC41BEEB7F8EF44610F454595E989E3241EB30AA459FA0

Function 00FB7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00FB7E8B

Strings

-, xrefs: 00FB7DDD
+, xrefs: 00FB7DE8

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 766c9f00b9988cf66362a79210f487c4e612ee8f32e0f2b732813fea367fbb6e
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: FB919171E083069ADB24FE6BC8816FEB7A5AFC4360F24451AE855A7280DB34CD41EF54

Function 00F79126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 00F79175
$, xrefs: 00F79191

Memory Dump Source

Source File: 0000000B.00000002.1626922579.0000000000F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F40000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f40000_RegSvcs.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 5f7fae23f1fc6478667ad0c9bd46e64965c4e6c4a63b6eab8ea115ab807ca6e0
Instruction ID: ac91588ce284040676195d3ee387550571408f79f7ed1d3789b9b6b3ae0aa2cc
Opcode Fuzzy Hash: 5f7fae23f1fc6478667ad0c9bd46e64965c4e6c4a63b6eab8ea115ab807ca6e0
Instruction Fuzzy Hash: AA812972D002699BDB71DB54CC45BEAB7B4AF08710F0441EAE90DB7280E7749E80DFA1

Analysis Process: mjiCFnur.exePID: 7416, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	225
Total number of Limit Nodes:	13

Executed Functions

Function 04E183E0 Relevance: 2.7, Strings: 2, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 04E184A8
Hq, xrefs: 04E1850E

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 6425c7e2408507c3025a3d32ad295c507d8d0c8c7e0a054805dd0a35feb4e1a3
Instruction ID: 5c1f44322852601491e4ec1ba520ce40f7822d292d9f6b80721418c26813e00a
Opcode Fuzzy Hash: 6425c7e2408507c3025a3d32ad295c507d8d0c8c7e0a054805dd0a35feb4e1a3
Instruction Fuzzy Hash: EB815C71E003189FDB14DFA9C8546AEBBF2FF88300F24856AE409EB354DB349942CB91

Function 04E139A0 Relevance: 2.7, Strings: 2, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04E139E7
, xrefs: 04E139EE

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 05048210b42248e7c25f11a70b801c31bdc2973b2618b227f2c89dae19607aab
Instruction ID: 9c21e158331a01c9b1936e567fe7ba3454b6dcfc94529c17341df57de13922df
Opcode Fuzzy Hash: 05048210b42248e7c25f11a70b801c31bdc2973b2618b227f2c89dae19607aab
Instruction Fuzzy Hash: 2A81DF31900B41CFEB01DF29D8C4A54BBB1FF85315B4486A9D949AB266EB31F888CB80

Function 04E12514 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04E139E7
, xrefs: 04E139EE

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 084f5d90c2f8372db47bb20e275d82d7bbe292963288f4d371f0fbd063f209f5
Instruction ID: f1ec77cdd4c81803b8faf49eca8d0878a77b32c40d886da7e5840ad3c0084c19
Opcode Fuzzy Hash: 084f5d90c2f8372db47bb20e275d82d7bbe292963288f4d371f0fbd063f209f5
Instruction Fuzzy Hash: 2D71A131900701CFEB00EF29D8D5A55B7B1FF85315B4486A9E949AB266EF71F888CB80

Function 084907B4 Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 084909F6

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b7a5a1526878d1a591de637461200bdbe8e3b86101ab4efe741a2dbef4bd5e19
Instruction ID: 8982ca4236365f44eb4f1458653b6f9238256f025e173fbd78e3e4140b6badd7
Opcode Fuzzy Hash: b7a5a1526878d1a591de637461200bdbe8e3b86101ab4efe741a2dbef4bd5e19
Instruction Fuzzy Hash: 00A15A71D00719DFEF24DF68C840BEEBBB2AF48315F1485AAE858A7240DB749985CF91

Function 084907C0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 084909F6

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d8047c28e1f9722de359fdb8f7a6084e25f279322387438a255f80880decedbb
Instruction ID: 4c06faf81ae7902b3e27fc01c61563c825c0bc6da53a47de26b345b6886bbfbb
Opcode Fuzzy Hash: d8047c28e1f9722de359fdb8f7a6084e25f279322387438a255f80880decedbb
Instruction Fuzzy Hash: 38915A71D00719CFEF24DF68C841BAEBBF2AF48311F1485AAE858A7240DB749985CF91

Function 00B3B2B9 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B3B51E

Memory Dump Source

Source File: 0000000C.00000002.1579831655.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b30000_mjiCFnur.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f44d8bf8c122c234b184756fdf0e4f8d4f5c543ff4b0719c0e193875a7dc0609
Instruction ID: 4fba1c5f29056dadc07503f364de94f9fa8b38deaf8866c970a32001e70fb9f4
Opcode Fuzzy Hash: f44d8bf8c122c234b184756fdf0e4f8d4f5c543ff4b0719c0e193875a7dc0609
Instruction Fuzzy Hash: E4815370A00B058FDB24DF69D454B5ABBF1FF88300F208A6DE18AD7A54D734E84ACB95

Function 00B34538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B35DA9

Memory Dump Source

Source File: 0000000C.00000002.1579831655.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b30000_mjiCFnur.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 01d92d4df91c461589915066be10a644861f381faa0f6292d8cf4a11a4d79979
Instruction ID: f96bd0cd14e7532845384357e45653971aa12d0a895bd003ccfd51e8fd0257a4
Opcode Fuzzy Hash: 01d92d4df91c461589915066be10a644861f381faa0f6292d8cf4a11a4d79979
Instruction Fuzzy Hash: 5B41B071C00719CBEB24DFA9C844B9EBBF5FF49304F2081AAD418AB255DB756946CF90

Function 00B35CEC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B35DA9

Memory Dump Source

Source File: 0000000C.00000002.1579831655.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b30000_mjiCFnur.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ce0d597e0d3a5ed495f37a6a8c606ed4554352c79a6cbb78f8239c573f22e687
Instruction ID: ba2e49ff416783745ab6b2c5b3c714e9dfd9e4dcd71a1295f3a596bf26d63791
Opcode Fuzzy Hash: ce0d597e0d3a5ed495f37a6a8c606ed4554352c79a6cbb78f8239c573f22e687
Instruction Fuzzy Hash: 1741C071C00719CBEB25DFA9C844B9EBBF1BF49304F2081AAD418AB255DB756946CF50

Function 06A0A878 Relevance: 1.6, APIs: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 06A0A947

Memory Dump Source

Source File: 0000000C.00000002.1636940685.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a00000_mjiCFnur.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b395c455fed3ec6c2beb3cfd4f1a729c32478a4e0ae3f597508e7da093f18b2c
Instruction ID: 9298242836c6d31d5f214a8494e0a28fc6c1c72f395496cc1c36263bfd973400
Opcode Fuzzy Hash: b395c455fed3ec6c2beb3cfd4f1a729c32478a4e0ae3f597508e7da093f18b2c
Instruction Fuzzy Hash: 6E31C0719043889FDB11DFA9D800ADBBFF4EF09350F14805AF654AB2A1C3359914CFA1

Function 08490538 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 084905C8

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8b78b39ba313eaaed29bc6c1f8ac3523f3a150095b9f03a28600df5984f86b0a
Instruction ID: 56d5a8c70dc55d0b52be014f482000ae99c72ff92a498d9bd75a7e17696aea0a
Opcode Fuzzy Hash: 8b78b39ba313eaaed29bc6c1f8ac3523f3a150095b9f03a28600df5984f86b0a
Instruction Fuzzy Hash: 61211571D003499FDB10DFA9C885BDEBBF5FB48320F50842AE958A7240C7789945CBA4

Function 00B3B1B4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B3D76E,?,?,?,?,?), ref: 00B3D82F

Memory Dump Source

Source File: 0000000C.00000002.1579831655.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b30000_mjiCFnur.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bc4d7625d6d45fa479916f56a03b416e3c27b3a0d244771856a14f252ef8318e
Instruction ID: 53f3e8446d06e0a0a43a3cc775d3d4263eed65f21fb7e58544d0cdcf885d3f91
Opcode Fuzzy Hash: bc4d7625d6d45fa479916f56a03b416e3c27b3a0d244771856a14f252ef8318e
Instruction Fuzzy Hash: 3C21E5B5D0024C9FDB10DF9AD584ADEBBF5EB48310F24806AE918A3350D378A955CFA4

Function 00B3D7A0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B3D76E,?,?,?,?,?), ref: 00B3D82F

Memory Dump Source

Source File: 0000000C.00000002.1579831655.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b30000_mjiCFnur.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a53c180e61c6d5cf2d11bf33c707b5e64b1800e017697de91a87c23909eda922
Instruction ID: 89e0bbbb735b9f39cb7c38b894aa3d84fa8941dfc3ddd70e9c50ba11e9f60829
Opcode Fuzzy Hash: a53c180e61c6d5cf2d11bf33c707b5e64b1800e017697de91a87c23909eda922
Instruction Fuzzy Hash: D521E3B5D002499FDB10CFA9D985ADEBBF5EB48320F14845AE958A3350D378A945CF60

Function 08490627 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 084906A8

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e5c830aeaff08d6d8f861c9218462983f6d1ca8359bed6fadd8fba8ece28e83f
Instruction ID: ffaf69f9ce1936bcebb2e7f5b9fd6da923f0e704a780cdbf64e32f608d5460f8
Opcode Fuzzy Hash: e5c830aeaff08d6d8f861c9218462983f6d1ca8359bed6fadd8fba8ece28e83f
Instruction Fuzzy Hash: 5C211671C003499FDB20DFAAC845BDEBBF5FF48310F50842AE958A7240CB399941CBA4

Function 08490628 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 084906A8

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 09d386e0e15046761361a659b27e223731d0a3b17219015b6ce471773c252f72
Instruction ID: 0d3db43b771eb3b82a06fa89f06c56ea55e51e588ff4bf5afe5ea783fbd391b6
Opcode Fuzzy Hash: 09d386e0e15046761361a659b27e223731d0a3b17219015b6ce471773c252f72
Instruction Fuzzy Hash: 45211671C003499FDB10DFAAC845BDEBBF5FF48310F50842AE958A7240C7399941CBA4

Function 069FFE48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069FFEC6

Memory Dump Source

Source File: 0000000C.00000002.1636875690.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_69f0000_mjiCFnur.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ecfbdefe13c126218fceebaf149c8098c090ba1fcbfbfcbff78cbdc03e8ad8ee
Instruction ID: 4d7be9a473b4ee88d7395cefa9c7e7e1873cd0124976d86c30204add1190a76a
Opcode Fuzzy Hash: ecfbdefe13c126218fceebaf149c8098c090ba1fcbfbfcbff78cbdc03e8ad8ee
Instruction Fuzzy Hash: D3213571D103098FDB20DFAAC485BAEBBF4EF48320F54842AD559A7641CB78A945CFA4

Function 069FFE4A Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069FFEC6

Memory Dump Source

Source File: 0000000C.00000002.1636875690.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_69f0000_mjiCFnur.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2f37b794cb5841a371280e6d959d54a6e584b5416473fc6a1433efc9febdc511
Instruction ID: 777c6d897d059bc634e37d8a1e1ba2655273a52b6a1879898199cb8d63b6e334
Opcode Fuzzy Hash: 2f37b794cb5841a371280e6d959d54a6e584b5416473fc6a1433efc9febdc511
Instruction Fuzzy Hash: AC213571D103098FDB20DFAAC4857EEBBF4EF88320F54842AD559A7641CB789945CFA4

Function 06A0A8D8 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 06A0A947

Memory Dump Source

Source File: 0000000C.00000002.1636940685.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6a00000_mjiCFnur.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 37213a49a7879f6d729fe2530ca6d283d8c2456fe088b0c9c5117d1d6a42c3ad
Instruction ID: f22cb2cda0595878eedf5e2191b027588d9d3cb7496870967e4e11b96926feb8
Opcode Fuzzy Hash: 37213a49a7879f6d729fe2530ca6d283d8c2456fe088b0c9c5117d1d6a42c3ad
Instruction Fuzzy Hash: D21137B580034D9FDB20DFAAD845BDEBFF8EB48320F14841AE654A7250C339A950CFA4

Function 08490478 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 084904E6

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 050d9b91b45d5b581f4d5ca436412dee6f70d114637ab2ec7aa9da7e25c45904
Instruction ID: 97c4dfb855336d6b7edd02772b29ff287d14f4f9db9bcea4b728688bb2f189d6
Opcode Fuzzy Hash: 050d9b91b45d5b581f4d5ca436412dee6f70d114637ab2ec7aa9da7e25c45904
Instruction Fuzzy Hash: E3111471C003499FDB20DFAAC845BDEBBF5EB48320F14841AE959A7250CB79A941CBA0

Function 069FFD91 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 069FFDFA

Memory Dump Source

Source File: 0000000C.00000002.1636875690.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_69f0000_mjiCFnur.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0fdc6151e6cae66eb0d5f8e867d026cb072cc73587f746ee316ad8fd7f9d1f87
Instruction ID: 70c8129793224b73eb089c97dd24f4a3dd423a5f4fbaf8fad11809a024fae019
Opcode Fuzzy Hash: 0fdc6151e6cae66eb0d5f8e867d026cb072cc73587f746ee316ad8fd7f9d1f87
Instruction Fuzzy Hash: F1114675C003488FDB20EFAAC845BDEFBF5EB48320F208419D529A7240CA396941CFA4

Function 0849047A Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 084904E6

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ba8bc7b79725cc4e5d69626a2112ec418ab1fe373b0b94ff760518ab8d44296
Instruction ID: 2c014b27029b477e842b9484f709168afc1c83b63111c25a4a6a132117524397
Opcode Fuzzy Hash: 8ba8bc7b79725cc4e5d69626a2112ec418ab1fe373b0b94ff760518ab8d44296
Instruction Fuzzy Hash: 73112671C002498FDF20DFA9C844BEEBFF5EB48320F14841AE559A7250CB399941CFA0

Function 04E181B4 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

(q, xrefs: 04E1995A

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: a196f288e72fad60f88e34c37f0d2658c76e502f83d330b916969e4b7cd1af46
Instruction ID: 70771d2b17ee13885642f84c3b287289221c33ce221c43a6adad9f2116676555
Opcode Fuzzy Hash: a196f288e72fad60f88e34c37f0d2658c76e502f83d330b916969e4b7cd1af46
Instruction Fuzzy Hash: 2391E0B1E05308DFDB14DFA5E8546AEBFF6FF85304F10846AE445A7262DB34A805CB91

Function 084940D8 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0849413D

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cc918ed2595881be44cc075121ccfe3ec0afaf3d1d9d00f613170bca0c4d8153
Instruction ID: 9b965644242979b7ca5eb615e16de62eb7af9a4109a3bca227ef19c760a6ccd3
Opcode Fuzzy Hash: cc918ed2595881be44cc075121ccfe3ec0afaf3d1d9d00f613170bca0c4d8153
Instruction Fuzzy Hash: 7B11F5B58003499FDB20DF9AD845BDEFFF8EB58320F10841AE558A3240C375AA45CFA5

Function 069FFD98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 069FFDFA

Memory Dump Source

Source File: 0000000C.00000002.1636875690.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_69f0000_mjiCFnur.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 70d17a4197244400f9c5430a56e37565debd46f1b0abbc061f5c22a45bc872aa
Instruction ID: 17d4b7dff1baa9554585c2dbaf25324ad032ac5b27acad08dd3b8a47550fde1a
Opcode Fuzzy Hash: 70d17a4197244400f9c5430a56e37565debd46f1b0abbc061f5c22a45bc872aa
Instruction Fuzzy Hash: E9113A71D003498FDB20DFAAC44579EFBF5EB48320F24841DD519A7640CB796941CF94

Function 00B3B4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B3B51E

Memory Dump Source

Source File: 0000000C.00000002.1579831655.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b30000_mjiCFnur.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 32d15312eccd3d123b6ca2cef9bdbaeb326809588b8a127072d3b838e20333ab
Instruction ID: 2aabf242684f832b4a0878e68443d0a6ebc9255ecbce908ccf3b9d77e3a6746c
Opcode Fuzzy Hash: 32d15312eccd3d123b6ca2cef9bdbaeb326809588b8a127072d3b838e20333ab
Instruction Fuzzy Hash: B611E6B6C003498FDB10DF9AD444BDEFBF4EB48314F15845AD519A7210D379A545CFA1

Function 084940E0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0849413D

Memory Dump Source

Source File: 0000000C.00000002.1638364150.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_8490000_mjiCFnur.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9dfe041c0e2bd4b6ad02d96946b083ea7c539a39f8b185d6e222155c7c54f2ed
Instruction ID: d4add772a61f62cd478e2162990c1f356fa7c0d91f1883010c6eedcb15cbfe8b
Opcode Fuzzy Hash: 9dfe041c0e2bd4b6ad02d96946b083ea7c539a39f8b185d6e222155c7c54f2ed
Instruction Fuzzy Hash: 5911C2B58003499FDB20DF9AD849BDEBBF8EB48320F10841AD558A7250D379A945CFA5

Function 04E1EBF0 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

@, xrefs: 04E1EDC7

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 59756522a8f797b58c85e1719ccc4d874d7c64249106c9a079700b27cb38775e
Instruction ID: 0b52c8709f3758625135cf82d22e13370478528b52ebc5d39939edf114f56d5c
Opcode Fuzzy Hash: 59756522a8f797b58c85e1719ccc4d874d7c64249106c9a079700b27cb38775e
Instruction Fuzzy Hash: F4D1EC3590020ACFCF04DFA8C9949EDB7B1FF48315B159695E8166B269EB30FA85CF80

Function 04E1EBE0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

, xrefs: 04E1ED93

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1fd8882677a669ddba346b03338dfc2a4474e7287ee2f9f3514b145fed99a1a4
Instruction ID: 8d6a65a8c7bbeaa5577e00feb39323baa801f5562e707b9484646ffcb9e4561b
Opcode Fuzzy Hash: 1fd8882677a669ddba346b03338dfc2a4474e7287ee2f9f3514b145fed99a1a4
Instruction Fuzzy Hash: 2AA1FC3590024ACFCF05DFA8C8849DDB7B1FF98315B259695E8166B259DB30FA85CF80

Function 04E1EF90 Relevance: .7, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ff51f83c75f18dc6f305b2e7721fc35ca3ff0c8d7df6dbee4009af5bb4f109
Instruction ID: a1a9e1ed37363bbe132fd67c3e3c438a9559a9628c489b7bfce78a505cde1527
Opcode Fuzzy Hash: e2ff51f83c75f18dc6f305b2e7721fc35ca3ff0c8d7df6dbee4009af5bb4f109
Instruction Fuzzy Hash: FA723D31910609CFDB14EF68C894AADBBB1FF45305F018699D54AAB265EF30EAC5CF81

Function 04E1BF48 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67127b5e656d61fadbe80ef1e2e3d8795e2f8a340f13917f69e09d601d89586e
Instruction ID: b18d1fb78d75e8647afed775cced5cdfc0eca71adc39afe53c55dba4cab07ca3
Opcode Fuzzy Hash: 67127b5e656d61fadbe80ef1e2e3d8795e2f8a340f13917f69e09d601d89586e
Instruction Fuzzy Hash: 8142E731E50619CFCB14DFA8C8946EDF7B1BF89304F209699D459BB261EB70AA85CF40

Function 04E1F0C0 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0b6a082566cc5e698fe573e58d7ad5f7b89a53192b6f592fbe649734a43594
Instruction ID: d4b9ec1d1c5fe3b3071c37da8c68d1df9357f156613f2683ce500dd1a82f363d
Opcode Fuzzy Hash: ca0b6a082566cc5e698fe573e58d7ad5f7b89a53192b6f592fbe649734a43594
Instruction Fuzzy Hash: F91219319006198FDB18EF68C8946E9B7B1BF44315F1582D9D94AA7265EF30AEC6CF80

Function 04E1BF3B Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87bf70c545c8eacbfee062fe09cb644abf0d45c63b42130b8f29189bfb4f627
Instruction ID: f6adae74a949a1066ed24e8beafe03d7bc144ab5894e7c54aac163fa7125cc53
Opcode Fuzzy Hash: e87bf70c545c8eacbfee062fe09cb644abf0d45c63b42130b8f29189bfb4f627
Instruction Fuzzy Hash: 4FE10A31E406198FCB24DFA8C8946EDB7B1BF49304F209699D459BB261EB70BE85CF40

Function 04E117B0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e87294efc0b48e695736beeb01136b0be76ff58a4c4a4449eec4d09698f5678
Instruction ID: 6a087c20c661ed1df5297482db24d8942f930719d20570de0ce3723c4967f4af
Opcode Fuzzy Hash: 4e87294efc0b48e695736beeb01136b0be76ff58a4c4a4449eec4d09698f5678
Instruction Fuzzy Hash: 3081CF38A41248EFCB15DF69D884D9EBBB2BF49314B114099FA01AB761DB31EC82CB50

Function 04E1E911 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e1826751d95b11cdac263fc24b44aacb78f5447a9aaf4d97ba521c0e563c31
Instruction ID: c658a05e5f20d8ed08c5e2e75bb2130d99b098bfbe7f3a3e2a07aa3c0b9c6704
Opcode Fuzzy Hash: 95e1826751d95b11cdac263fc24b44aacb78f5447a9aaf4d97ba521c0e563c31
Instruction Fuzzy Hash: 3191FC7590070ACFCB15DF68C884999FBF5FF49310B14979AE819EB256E730E985CB80

Function 04E1DC98 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17a264c9323e44059d06f37c0b8842da238fc846a2f5d407a5ef7a7bf73010f
Instruction ID: 20ed942e986751e251a48ae966fb25f11e2cf3279d6e14df409f8dba7103e710
Opcode Fuzzy Hash: e17a264c9323e44059d06f37c0b8842da238fc846a2f5d407a5ef7a7bf73010f
Instruction Fuzzy Hash: 7481CFB9700A00CFC718DF29C488959BBF2FF9921971589A9E54ACB372DB71EC45CB50

Function 04E1DAB8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d274394ecc281150acbde41599807d39189fa7e306f5793ea2d801c357203c8
Instruction ID: 4419f5e639051ca7b82f3b454401bdc8c607271dbe237905f31b54fcbaeac710
Opcode Fuzzy Hash: 6d274394ecc281150acbde41599807d39189fa7e306f5793ea2d801c357203c8
Instruction Fuzzy Hash: C871A274A046068FC754CF69D584999FBF1BF48314B1986AAE84ADB322E734FC85CF90

Function 04E17F60 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66a4fd2b32c8b36f6149f0be84ea426c364063c00890632ee72aa545d35eaa4
Instruction ID: 49cf5eadbd72061bd535cd5bc02aa5d52709bb5b4df2202cf0351938921af91b
Opcode Fuzzy Hash: e66a4fd2b32c8b36f6149f0be84ea426c364063c00890632ee72aa545d35eaa4
Instruction Fuzzy Hash: 68516375E002099FDB54EFA9D804AAFBBF9FF88300F10842AE555E3350DB74A905CBA5

Function 04E130A8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a9f1152cb8a0185ce43bcffec6ccadca2a07d03b4e030e0e9c71d0c794cbba
Instruction ID: c3adcca5ee2103b12693a250947ebee8d3df5bff9ed86a00b4e8f5bb9579e3b6
Opcode Fuzzy Hash: 87a9f1152cb8a0185ce43bcffec6ccadca2a07d03b4e030e0e9c71d0c794cbba
Instruction Fuzzy Hash: 6E51B230B047468FCB18DF79D45446EBBB2FF8930471486ADD50AAB351EB31A942CB91

Function 04E12978 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57cd526775104acda39c1470fb54e740199fc104781f601346416311655f892
Instruction ID: 7997436feba961b16a33738dd2483ab3a825b0f3953e1eefd00f9dcc6714edb1
Opcode Fuzzy Hash: f57cd526775104acda39c1470fb54e740199fc104781f601346416311655f892
Instruction Fuzzy Hash: 2A51E634A10609CFCB04DF68C89899DBBB5FF89704F1585A9E506AB372EB70ED45CB40

Function 04E12988 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db713cc4e2cc759eb5381c5a260646b97405b52d7b79c66f47871740452b81c
Instruction ID: 4dd9dceaed02d27003c998ac2c6465c61a442ef5448efd3e546ba94efebe91b7
Opcode Fuzzy Hash: 0db713cc4e2cc759eb5381c5a260646b97405b52d7b79c66f47871740452b81c
Instruction Fuzzy Hash: EC51E434A10609CFCB04EF68C8989ADBBB5FF89704F1585A9E506AB371EB71ED45CB40

Function 04E11C28 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59db8a9290b297250bcfe74adbb69a07988344340628f4067600ee3a953383a
Instruction ID: 363cc2c15d97afba1852ecc7d2839479611eeef6f5f0014e887e664c18f6f212
Opcode Fuzzy Hash: b59db8a9290b297250bcfe74adbb69a07988344340628f4067600ee3a953383a
Instruction Fuzzy Hash: E6414934B542589FDB18DF69C884AADBBF6BF8D705F1540A9E601EB371DA71E800CB50

Function 04E14658 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a006f21137f263c149c03f0cf7d00e453968e56c3f05ccb1596d1f96d0c2f6
Instruction ID: a12ac6a68386063898bfea7daf56df5b13010f8a33528e4ec901fb6c69d0870e
Opcode Fuzzy Hash: 04a006f21137f263c149c03f0cf7d00e453968e56c3f05ccb1596d1f96d0c2f6
Instruction Fuzzy Hash: 7541AD35E406298FCB21EFA8D844AEDBBF5AF49354F145425D801FB3A0EB30A945CFA1

Function 04E10430 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38c159fe9b1a5b17cd5fb3c0368779aec879471f8b39f49e5ad70a91514cdc9
Instruction ID: cd5a4dc13cda61de1c9d6e89b37aa3a7f40c2ac657387266549e2cc7442b6c7c
Opcode Fuzzy Hash: a38c159fe9b1a5b17cd5fb3c0368779aec879471f8b39f49e5ad70a91514cdc9
Instruction Fuzzy Hash: 6E512775A41209AFDB24DF94D594BDEBBB2FF89310F209068E906A77A1CB71AD40CF50

Function 04E1CBD0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5a419bf6c6a04efb762704b09a5eb8fff7fc58fb4d0840e44ab09aed40749e
Instruction ID: d2333703621ddfb394c2a0ea6ee97de5ad4efac2485f36de09024a4c4b3ecfe7
Opcode Fuzzy Hash: 9d5a419bf6c6a04efb762704b09a5eb8fff7fc58fb4d0840e44ab09aed40749e
Instruction Fuzzy Hash: E5416F34A10709CFCB04EFA8D8449DDFBB6FF89305F008599E115AB321EB71A946CB81

Function 04E13280 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1290a8fb4fef5b55df1fa3c755d8798b7bd2fdc361ad1a69e885cbefd83430
Instruction ID: 4c4b1c388fa690b4cef0b47940297f650405305ff1d2153dc29570ea2ff7dbb2
Opcode Fuzzy Hash: 3f1290a8fb4fef5b55df1fa3c755d8798b7bd2fdc361ad1a69e885cbefd83430
Instruction Fuzzy Hash: 49415830B40219DFDF18DBA9D8846EDB7F2AF88308F105569E516EB361EB34A941CB94

Function 04E10F08 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6a8c308cbfa1b1ed4694e537a152fae47298dd5d42fb150d78d6fe86047150
Instruction ID: d947c36d36c3322257684058f90873a9d8260e15921a45f38247f7595ed83923
Opcode Fuzzy Hash: ef6a8c308cbfa1b1ed4694e537a152fae47298dd5d42fb150d78d6fe86047150
Instruction Fuzzy Hash: 79412D30A10709CFCB14EF78C894A9DBBB6FF89304F118559E515AB325EB71B946CB81

Function 04E1882C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe12f04634c55e24bb1cbb27f43a3ae3485dcb0b5fbef3fea587f5009061b7c
Instruction ID: 141ac5a9c80f703315295ac9cba2c0a3959c9955612406c0b296f75e2ac34dcc
Opcode Fuzzy Hash: ffe12f04634c55e24bb1cbb27f43a3ae3485dcb0b5fbef3fea587f5009061b7c
Instruction Fuzzy Hash: C841E4B1D00309DBDB24DFAAC585ACDFBB5BF48314F24812AD408BB210D7756A46CF91

Function 04E1DAA8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c0569fe6eb5ae66c76424d30e44a88797f599ab1cbf8f3579707c4df8ddf53
Instruction ID: ae6a864405bc2bc2fc2a01210e346e0160819c2c565338c9e0b20f4ac4ef58a5
Opcode Fuzzy Hash: 13c0569fe6eb5ae66c76424d30e44a88797f599ab1cbf8f3579707c4df8ddf53
Instruction Fuzzy Hash: DD410574A042068FC755CF68D984D99FBF1BF49304B1586AAD44ADB361E730FC85CB90

Function 04E1A857 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027a89314a940234457a10edd40a48ed7391563c7b4753b969ee3d76a1faa90c
Instruction ID: fb2f38c24b8d9e9c49a30240bf8fc1c8911a8cd9945c746d1c9c01f54bc4957b
Opcode Fuzzy Hash: 027a89314a940234457a10edd40a48ed7391563c7b4753b969ee3d76a1faa90c
Instruction Fuzzy Hash: D6414F75A0024ADFCB04DF69D88499DFBB5FF49310B15C299E918AB321E730E985CF90

Function 04E18838 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749096a9e2a3dd227feff05484b834697e43dc0261ca2c9138e238ce9bb1d724
Instruction ID: 9d9f1fdcad153d7de423bbe4e485b770ee001c82344ee2d0dad54e1d037c1a26
Opcode Fuzzy Hash: 749096a9e2a3dd227feff05484b834697e43dc0261ca2c9138e238ce9bb1d724
Instruction Fuzzy Hash: BE41CFB1D0030D8BDB24DFAAC984ADDFBB5BF48304F24852AD408BB214D7756A4ACF91

Function 04E177B0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c5567bfa4315e67ce4c20062eadabc77dc1f10fe3d01c655a16aeab8149a84
Instruction ID: cecb293ba0ca101c1f2993eb3b7b300899637c41b1d74ecb2e9a2be1d1025eb2
Opcode Fuzzy Hash: 30c5567bfa4315e67ce4c20062eadabc77dc1f10fe3d01c655a16aeab8149a84
Instruction Fuzzy Hash: B941BFB0D003589FDB24DF9AC888A9EFBB1FF48314F20852AE419BB254D7746845CF90

Function 04E124B4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc474fbc0e8aef2db509d6acd595afd792b890b6d11007b628b4a45fd3ebef6e
Instruction ID: 5020dba465c4103e1accd7fc5a6d34edaa807d23984895e820f4ce79ce5c3b34
Opcode Fuzzy Hash: fc474fbc0e8aef2db509d6acd595afd792b890b6d11007b628b4a45fd3ebef6e
Instruction Fuzzy Hash: 4031AE75E047008BEB04EF69D894755BBB2FF88315F0895B9DD096B296EF31A484CB60

Function 04E137A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d29ef5e7b98b5a225c375f2dc53289b450d16077c26c4f5bac5f1e0353e52d6
Instruction ID: e10d34d205d73de2b4571c9641b5438077bf4b64473eb02afcef47ded0929265
Opcode Fuzzy Hash: 5d29ef5e7b98b5a225c375f2dc53289b450d16077c26c4f5bac5f1e0353e52d6
Instruction Fuzzy Hash: 2531F535E043408BEB01EF39D890795BBB1FF84314F0996B9DC096B296EF31A484CB20

Function 04E1A868 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3968105474d382c4af9e6e941e8ebdba8f0bc8a4d14449487a0e13eb82dacab
Instruction ID: 74da20746f3924a482c7056707b70c1894cac8a991c96f36cd8280640b892439
Opcode Fuzzy Hash: c3968105474d382c4af9e6e941e8ebdba8f0bc8a4d14449487a0e13eb82dacab
Instruction Fuzzy Hash: 37412C75A0020ADFCB44DF69D88499EFBB5FF49314B14C2A9E918AB311E730E985CF90

Function 04E1CAD8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf26e8a6cc4b4b0e92dc300ce7e818ea08d0961e208992d2e92b7bcdeaff051
Instruction ID: 675cd8bd846408972ab5b87112eb2c5b85d13beacb30b0cd39529f7bc3183bfc
Opcode Fuzzy Hash: 2bf26e8a6cc4b4b0e92dc300ce7e818ea08d0961e208992d2e92b7bcdeaff051
Instruction Fuzzy Hash: 5F318D35A002199FCF04EF64E8548DDF7B6FF89214B048569E506AB364EB71BD46CB80

Function 04E18721 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff08766a797c421d5490a27ffe1b937f0606bb3ffdee16ffd726c618ca465239
Instruction ID: 0056241db496a732fd003436e25a339006c945a0f677207eb99c3e9fb7823d4a
Opcode Fuzzy Hash: ff08766a797c421d5490a27ffe1b937f0606bb3ffdee16ffd726c618ca465239
Instruction Fuzzy Hash: 153125366043018FD711EF39D40559BBBF6FF85305B1489A9E506DB261EB70ED0ACBA1

Function 04E1A0B4 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17705e96f1cd6a08f325e2fa42b82ef6485fffce2e0fa08a7bd68ddd3e5748e
Instruction ID: ad437715c21e39fa0bfdd5c1785cd085ecd39073254a622d7dd0fda02380c486
Opcode Fuzzy Hash: a17705e96f1cd6a08f325e2fa42b82ef6485fffce2e0fa08a7bd68ddd3e5748e
Instruction Fuzzy Hash: AE21D6327402018FD7149B2CCC896A93BD1FF89315B1999B5E40ADF376EA35FC058790

Function 04E189B1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af750981802bc33be91c471ad23a88c144a7137c2c8776c3e2327a8cb41c2aa
Instruction ID: b208e5159dd9a546b99e8b62aa790f8fb8b9bd0c0be6f1a8fc838d671560266c
Opcode Fuzzy Hash: 7af750981802bc33be91c471ad23a88c144a7137c2c8776c3e2327a8cb41c2aa
Instruction Fuzzy Hash: EB217171E402455FEB51EBA98C009FFBBF9BFC8604B10815AE555D7261EB70AA01CBA1

Function 04E11CAE Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096e42f03779e662f8d96bb363d4a3608cff18ea9aa816e860120f88c559a9e0
Instruction ID: f0b7c1e4a015a88fdbb4b916cba09653903edb73657fbcbf3f1f20a69b55e5f1
Opcode Fuzzy Hash: 096e42f03779e662f8d96bb363d4a3608cff18ea9aa816e860120f88c559a9e0
Instruction Fuzzy Hash: 3D314334B542548FDB14DFA9C884AADBBF5BF48709F2510A9E601DB3B2DB71E840CB50

Function 04E1326F Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968aaa25f2f157c04165e5f840b1c9fe38bd88f19eb57264b29dac99a4023d63
Instruction ID: 6133e55cbf27c4ae578bd783d4533e6835f33c318d293b1efb27e6f504b71ae3
Opcode Fuzzy Hash: 968aaa25f2f157c04165e5f840b1c9fe38bd88f19eb57264b29dac99a4023d63
Instruction Fuzzy Hash: 38319F30B40205DFDF19DFA9D8846EDB7F2AF48304F10556AE516E7361EB30A941CB50

Function 04E10421 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0883d4d04012c3689eccfa4e0ff20a37b2966f02c5e0c119b1731f64bd40784e
Instruction ID: 0746031c2866269e702d468b0a12900a8e8b09bd00c1b73a7ae7622eeca6e23b
Opcode Fuzzy Hash: 0883d4d04012c3689eccfa4e0ff20a37b2966f02c5e0c119b1731f64bd40784e
Instruction Fuzzy Hash: F4312774A01209AFDB20DFA4D685BDEBBF2EF88314F149068E906A7761DB31AD41CB50

Function 04E12F88 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243b4f90e704c66d510b944b22892526395f743da5cf75334fcaa8901c09cdbd
Instruction ID: 2199e205daf368337c374f0a9498ded32f6d9fde36d35b208eff4e930d968804
Opcode Fuzzy Hash: 243b4f90e704c66d510b944b22892526395f743da5cf75334fcaa8901c09cdbd
Instruction Fuzzy Hash: 892183343402008FDB28DB38C854A6977E5AF89719B1490AEE605DF3B1DB72EC06CB51

Function 00A4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1546914523.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a4d000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05bc966ddc55cbca5fe133b2435b9d94d8475559a93ecf1c29b7ccb9ad5f7ab
Instruction ID: 97c61224f5a2d8ee9d66dc4440e3992950afc426b3a76b948217e61c1aed2619
Opcode Fuzzy Hash: b05bc966ddc55cbca5fe133b2435b9d94d8475559a93ecf1c29b7ccb9ad5f7ab
Instruction Fuzzy Hash: DB210379604240DFDB15DF14D9C0B26BF65FBD8328F20C569E8090B256C736D856CAA2

Function 00A5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1553516301.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a5d000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d83b64c0fd8fd08d12f95dd6d904013ac775c829202e0ded214252dcc4af587
Instruction ID: 84cbcd8dd97bc6b9db072c7e3fbf16513ff0ce9102cfc28e44385f8419da86ca
Opcode Fuzzy Hash: 0d83b64c0fd8fd08d12f95dd6d904013ac775c829202e0ded214252dcc4af587
Instruction Fuzzy Hash: 7921F571604300EFDB25DF10D9C0B59BB65FB84315F20C66DEC494F292C336D84ACA61

Function 00A5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1553516301.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a5d000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6349e747aefb984fae1c274c637d773723010f4b31db5c81e3efb8b31ea1151
Instruction ID: d2a69eec80ce5454e29347cbd215d10c038b0c4fce18647cea6e70fe0496001a
Opcode Fuzzy Hash: a6349e747aefb984fae1c274c637d773723010f4b31db5c81e3efb8b31ea1151
Instruction Fuzzy Hash: AC21D075604200DFDB24DF14D9C4B16BB65FB84325F20C569DC4A4B296C33AD84BCA62

Function 04E12F98 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29539cac1c91fa0eac13fda673ac04e1e1b1c30f2abe2c884503d229610b2935
Instruction ID: a66a2bce651933a78fa763a72e013b605654acc2a967b4ad23122d1085722426
Opcode Fuzzy Hash: 29539cac1c91fa0eac13fda673ac04e1e1b1c30f2abe2c884503d229610b2935
Instruction Fuzzy Hash: D92154343406118FDB68DB39C854A2977E5EF89719B2490ADE506CF371DB72EC06CB51

Function 04E1FAD0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820a9d14bc83127a6fbafabed6b87026afc966132fedf23e1d6b42b640313654
Instruction ID: bc1fb1fea03d15728927f1879bfa83a9393afa639b27741f6dea7d28b426a2af
Opcode Fuzzy Hash: 820a9d14bc83127a6fbafabed6b87026afc966132fedf23e1d6b42b640313654
Instruction Fuzzy Hash: 16213631A105099FCB10EF6DD84099AFBF4FF49311F50C26AE958A7214FB31A958CBD1

Function 04E12CC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f57a7032704bec1e13ee2eff04d10129dd7ad0eed8da9eb57269eeaa3afe8a
Instruction ID: b8bb5f38cefc5b5205a4741055e1cbb8c96dc04ee9b6d59feec1e3e2cd43ea7c
Opcode Fuzzy Hash: 35f57a7032704bec1e13ee2eff04d10129dd7ad0eed8da9eb57269eeaa3afe8a
Instruction Fuzzy Hash: 8011E131F40A164BDB20EFA9DC412BFB7F1EFC8714F1485AAD605B7260DB74A9418782

Function 04E136C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c44fa37fb8d4752976c485b3ca1d09e998d1a09789b2e7962259ef6da054aba
Instruction ID: 742e204263cb9a0325dfb924eb1dbda479997bc365e88467366c2d9dc3251c78
Opcode Fuzzy Hash: 1c44fa37fb8d4752976c485b3ca1d09e998d1a09789b2e7962259ef6da054aba
Instruction Fuzzy Hash: 4221C630500744CFD769EB34C854AAAB7B6EFC1315F0088ADD5595B271DF31B88ACB82

Function 00A5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1553516301.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a5d000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8035d931cf33e7863e117b7edfa3f984a19eb2ce47c7ec6d6f3a14ccfffc2e2
Instruction ID: 55a5079956c910f8a51dca32224386d09900098e152bf26528fc20bcedbf6cdc
Opcode Fuzzy Hash: f8035d931cf33e7863e117b7edfa3f984a19eb2ce47c7ec6d6f3a14ccfffc2e2
Instruction Fuzzy Hash: 4F2162755093808FDB16CF24D994715BF71FB46314F28C5DAD8498B6A7C33A980ACB62

Function 04E12CBE Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129fc352cf921b291a9e18fab74c3d9dd7b51f5e18b60963a9d7b2617c0582e9
Instruction ID: 45b9db02b0dbd36916550d4cfecb75ee92c8658c28fe6b5181a29f4f931e4fa2
Opcode Fuzzy Hash: 129fc352cf921b291a9e18fab74c3d9dd7b51f5e18b60963a9d7b2617c0582e9
Instruction Fuzzy Hash: D6110231F406164BDB20DEA9DC412BFB2A6EB88714F24847ADA06F72A4D674A90147C1

Function 04E12484 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90c4384eefb7afa0d7150cb94f31e96d020fc190936bf3e1ee49605ddb7a457
Instruction ID: 4495d66dfb19e012591b148f335acc2e40a4864fc3463a81c593c3cafaab0486
Opcode Fuzzy Hash: a90c4384eefb7afa0d7150cb94f31e96d020fc190936bf3e1ee49605ddb7a457
Instruction Fuzzy Hash: 00218434600704CFDB68EB74C854AAAB7B7EF85315F0089ADD55A1B270DF31B88ACB41

Function 04E154F9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327cbb15e2089cdeb67cce22a3d6292472abede7e5f843c8483a7cd057b498f5
Instruction ID: bea47f27446ee9c2c029d939555c4908235c9228df03915dd20597a77a50dd56
Opcode Fuzzy Hash: 327cbb15e2089cdeb67cce22a3d6292472abede7e5f843c8483a7cd057b498f5
Instruction Fuzzy Hash: 3A110271A00204AFDB149B59C90ABAF7BF6EBC8304F1440A9E503EB354CA75AD01CBE0

Function 04E1B47F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bd7026c34f3555ef690064f33b5b361a2bcd5167a27ce51070bfe0363d42bc
Instruction ID: 5df1d050695c185b008bd1b6a0544785125bfff549cf0c5eef3b0f2a9923561a
Opcode Fuzzy Hash: 88bd7026c34f3555ef690064f33b5b361a2bcd5167a27ce51070bfe0363d42bc
Instruction Fuzzy Hash: 2C112B3534C3904FD72A8A358861AB93FB55F8261570980EBD542CB2B2EA18FC06D761

Function 00A4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1546914523.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a4d000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 04383d6986a32070045acd319ddb784b8f6b52df8dc4175e9452885bc9d371c3
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 9411E676504280CFCB15CF14D5C4B16BF72FBD4324F24C6A9D8494B656C336D856CBA2

Function 04E11EA0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ab9c728d065c365ab5e3275e8515617636ea99b7937773ad198562aae7c3c7
Instruction ID: 79cd16d9584ba57d158f22bb0d3d17c24f7ad8b69620ad3b7ccfccc283964cb4
Opcode Fuzzy Hash: b9ab9c728d065c365ab5e3275e8515617636ea99b7937773ad198562aae7c3c7
Instruction Fuzzy Hash: 40119E75E4060A9FCB05DB98D815ABEBBB6EF8C310F045069E606E3751DB746A028BD1

Function 04E1B59B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb7a8b37357bd20ab81e7ae234cada35f98fca617324acccb13ad1de4fc818c
Instruction ID: 67be1b7364738e12019eb1303ea6a43902c0aff60623321e473e70f4b0fcf372
Opcode Fuzzy Hash: 3fb7a8b37357bd20ab81e7ae234cada35f98fca617324acccb13ad1de4fc818c
Instruction Fuzzy Hash: 9511C4367442004FE7248A29DC996A93BA2EFC9314F1984B9E04ADF377D939EC058740

Function 04E14C18 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd484ca308f1aa2f2527dd0b7a9e7ae11a807d3bf26d996961c109191001c9e
Instruction ID: 535438c5c819115cab6ff9c2926dfb5aa9544c6282efc0e340baffd1763c93f1
Opcode Fuzzy Hash: dcd484ca308f1aa2f2527dd0b7a9e7ae11a807d3bf26d996961c109191001c9e
Instruction Fuzzy Hash: 7F119131A402089BDB14EFA9D5147DE77F2EF88315F104469D606AB790CB75AE05CBD1

Function 00A5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1553516301.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a5d000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 94e6344c13293f3d65a264c5510786a3ce202c4e8cf11fc4b2b20c6141f781c8
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 4911BB75504280DFCB15CF10C5C0B59BBA2FB84324F24C6ADDC494B296C33AD84ACB61

Function 04E18CD0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eefa7da0a5eade184df2004eff42b2681fb78a8fdbf76ab9a5e9091097c3318
Instruction ID: b5fe84893e1eadc00c214ce4c716f851654c67c095445cf37df589feed44c06c
Opcode Fuzzy Hash: 7eefa7da0a5eade184df2004eff42b2681fb78a8fdbf76ab9a5e9091097c3318
Instruction Fuzzy Hash: 0C11F3B5C002489FDB20EF9AC445A8FFBF8FB49320F14842AD859B7210D778A945CFA5

Function 04E180F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30718a6255791198ffa6dacd30a3178edb391712cc1856426aa53d4aa45de373
Instruction ID: 4c7f944da340acf26d37590da2b3e3769b4e49ea5c8661bea241e59c15a4d6d7
Opcode Fuzzy Hash: 30718a6255791198ffa6dacd30a3178edb391712cc1856426aa53d4aa45de373
Instruction Fuzzy Hash: 8611F6B5D007488FDB20DF9AD445B9EFBF4EB58320F14841AD859B7210D778A945CFA1

Function 04E182A4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5dede18b2563308233703a6ad2a86bc4b34fa8f9b5383035bc022a1373dcc9
Instruction ID: fc6c23fe0b369f868cf9b903890e3d84ccc4959893b4e9d4e331e21fd10ebab9
Opcode Fuzzy Hash: 2c5dede18b2563308233703a6ad2a86bc4b34fa8f9b5383035bc022a1373dcc9
Instruction Fuzzy Hash: 4D11E4B5D006489FDB20DF9AC445B9EFBF4EB58220F14841AD859A7210D778A945CFA1

Function 04E14C08 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1994b09ae8c950869b0e5e1fbe875f8ab7018ced8d344ff15ad04d1de390f5a
Instruction ID: 42a63ada0f1acd587d2245fc91caa9ce30de5c1a7c05a20c41a03b1c86f7cb8c
Opcode Fuzzy Hash: a1994b09ae8c950869b0e5e1fbe875f8ab7018ced8d344ff15ad04d1de390f5a
Instruction Fuzzy Hash: C2112570A402448BEB29EF74D5287EFBBF2EF84301F0084A8D602AB7D0CA756905CBD0

Function 04E18294 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8579f1dd3ac48065da369a564b9c4653f7c895bdc7e3c6240ad51ca4444bfc
Instruction ID: ea080e5604909864e11c8dbac5563c58fbed7a70de1069953fe6d591d5a5ea10
Opcode Fuzzy Hash: 4e8579f1dd3ac48065da369a564b9c4653f7c895bdc7e3c6240ad51ca4444bfc
Instruction Fuzzy Hash: 18014971B043082FDB09EBB998245EE7FEEEF85110F0494BBE409D7252E834AD01C395

Function 04E11EB0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5f184bbe23944f56bf29eb5035aec266ea3feae60b37cb5cb17f1f86999dcc
Instruction ID: d74dc9614cec0635e3f381d8f2c6f15d3fa18dcee521ab221e47190ae99f7162
Opcode Fuzzy Hash: 5c5f184bbe23944f56bf29eb5035aec266ea3feae60b37cb5cb17f1f86999dcc
Instruction Fuzzy Hash: 20016D75F4060A9BCB14DF98D8156BEBBB5FF8C310F044029E606E3750DB746A428BD5

Function 04E1D648 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896722d42587ce1dce6ef91d31eeed148bd342cd0663ce608b43654fc1a0fca7
Instruction ID: 741611cf9f216c509c682d2f1cdf84281b46d70522a2aed0b6cc2612554d2014
Opcode Fuzzy Hash: 896722d42587ce1dce6ef91d31eeed148bd342cd0663ce608b43654fc1a0fca7
Instruction Fuzzy Hash: C2018B712442148FC314DB2CE888C997BE5EF4931A30145EAE149CB332CB31FC06CB80

Function 04E1A2E9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbb5e341c6695114b7141ad14756b2ce04f32ffabedc8dc2588d1f51eddbc4c
Instruction ID: 6d04ec0f0e95d039fecd7ded5e1f2369c731a9fc54d717458c6ec857097d5272
Opcode Fuzzy Hash: 7dbb5e341c6695114b7141ad14756b2ce04f32ffabedc8dc2588d1f51eddbc4c
Instruction Fuzzy Hash: 7A1122B5C00248CFDB20DF9AD485BEEFBF4EB48320F24841AD559A7210C339A945CFA1

Function 04E1D5E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c07ddd2639282d31afa973979a39a44d016f0f12f429bd25f375f880c2a271d
Instruction ID: 7f40e5cf6cbb04639241380fa6007a0991bcbe9da3b4aa226bc00b87d92cc8fb
Opcode Fuzzy Hash: 4c07ddd2639282d31afa973979a39a44d016f0f12f429bd25f375f880c2a271d
Instruction Fuzzy Hash: 6BF0F9327043008FD7155B6AAC4889ABBA9DFC5226305057AE10ACB232DA74BC0B8790

Function 04E15508 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5a33df6eee4d439f1591f8834f3863a9601e1717e082b23c0f26197e8d9520
Instruction ID: bcb4bf920fd95c913eb5ba23b7578fe1e8c401d91a5fbdde9664f59155d07474
Opcode Fuzzy Hash: 1a5a33df6eee4d439f1591f8834f3863a9601e1717e082b23c0f26197e8d9520
Instruction Fuzzy Hash: 3501B132A001049FDF04DF59D949B9F7BF6EF88714F0444A9F502AB384CA759C10CBA4

Function 04E11C17 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669077a9da2c835473bc1815902736ed8ca8746c47c68129097386f5b8c4eeb1
Instruction ID: de40d29440ef5634c21e3c13e06c2256c3854c6f72ff0b9bc1d00179c784664b
Opcode Fuzzy Hash: 669077a9da2c835473bc1815902736ed8ca8746c47c68129097386f5b8c4eeb1
Instruction Fuzzy Hash: 0901BC70E181A89FEB29CE69D8C0EEEBBF2AF5D310F1540A5E401E7361D634D902CB50

Function 04E1CE18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6940d2bd694cc040fb5a884fe91f9c3b957b47afb466626a9e66403dffd37ad2
Instruction ID: f8c1188e8dcfd89ec46a9e2ad7feca1037fdc9e03eaa177da057f37ff31d2e89
Opcode Fuzzy Hash: 6940d2bd694cc040fb5a884fe91f9c3b957b47afb466626a9e66403dffd37ad2
Instruction Fuzzy Hash: D801E931A40704CFD725EF39C44056A77B6AF86744B14D56ED5468B270EB31F981CB80

Function 04E1A7B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f056d1ed01080a53ea22b0e47fc72d8574ccc15ad1ebf431496460822e7de06
Instruction ID: 58f02a89727298ba17a1bbdc3cb87fd6a99a8253467a83020f023f61e4bf55d8
Opcode Fuzzy Hash: 0f056d1ed01080a53ea22b0e47fc72d8574ccc15ad1ebf431496460822e7de06
Instruction Fuzzy Hash: 19011A75D00309DFCB41EFA8C5858DDBBF0EF49200B1185ABE459EB322E770AA44CB91

Function 04E1D25B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dde418d4c73eff70b905234934fe20fdca337c785746a1c354a2d9721bab24
Instruction ID: 7d9c953f978b6f5d75a7564f509df91f7c6bf1b313c5448db6e95643cf2ba619
Opcode Fuzzy Hash: 52dde418d4c73eff70b905234934fe20fdca337c785746a1c354a2d9721bab24
Instruction Fuzzy Hash: 580128312087008FC7215B29D894C6ABBF6EFC9325B1505A9E49687662CB72FC43C781

Function 04E1B3E9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f88b50b494a36f346f5333f10c60a5556585973f0acc840294f542375dc005
Instruction ID: 48f99e2c361149266039bf53286bc876908ee9e684feb446cf110bd84c9b983d
Opcode Fuzzy Hash: e7f88b50b494a36f346f5333f10c60a5556585973f0acc840294f542375dc005
Instruction Fuzzy Hash: 9EF0FC313452104FDB1AAB35601413D7A668FC561DB05A07AD606CF3B1EE39EC02C3C2

Function 04E1A094 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba35b2baee8d8f38379bb3acdded7b82432f3f715b91c2c53ba1e7e28f68941
Instruction ID: 0b198740fe2d13e33ddeabd72fa39c4eb56d27bb9d1b004ff3f76ad8ec8353c3
Opcode Fuzzy Hash: 1ba35b2baee8d8f38379bb3acdded7b82432f3f715b91c2c53ba1e7e28f68941
Instruction Fuzzy Hash: 15F0B4343942218FD624DE3A8854A7A32D99FC4A25705D46AEA06C3270FE20F84196A1

Function 04E19240 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b214caca0712a1026b799652d6f64dfc764946128375487018559006bbadbe68
Instruction ID: 3ffd20dc307e052b11f379e54233ab14b481530de48af0d3aa1a38dd30cf705c
Opcode Fuzzy Hash: b214caca0712a1026b799652d6f64dfc764946128375487018559006bbadbe68
Instruction Fuzzy Hash: BEF0BB72B801545B9F55FBA89C905BFBBBAFFC9514B000229E505A7350CE301E01C7E5

Function 04E19242 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f2d8eaec40739e1737472512f2569c5718bac12a99daca149bd41db41ba16c
Instruction ID: aa087102c7dfb37e2f376a2824130915aa2a3769e4f876ca2ae1629d0bcd7d71
Opcode Fuzzy Hash: d2f2d8eaec40739e1737472512f2569c5718bac12a99daca149bd41db41ba16c
Instruction Fuzzy Hash: 61F0B472B801545F9F55FBA89C905BFBBB6BFC9214B000229E505A7390CA301E02C7A5

Function 04E1CE16 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c10e4a8ddcd54db368a5005942d322f7ceee62f4705ad2ffc453990ca7f208b
Instruction ID: f204524cd01f96d30db649d07aa34d5c188daf87245c971f7ca45785c93fe5c8
Opcode Fuzzy Hash: 7c10e4a8ddcd54db368a5005942d322f7ceee62f4705ad2ffc453990ca7f208b
Instruction Fuzzy Hash: EB016D30681B04CFD724EF39D0505AA77B2EF86344F14966DD8468B270EB31E982CF80

Function 04E1D1E4 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54caa5f56ff3d3ddcd8ac5e3e09bb8126d30546ec7e14befc327f059e9b176dd
Instruction ID: 1eafb721a31a17795be75917490b19e8b89c75b04aadd3a0da1ae5c9477cb234
Opcode Fuzzy Hash: 54caa5f56ff3d3ddcd8ac5e3e09bb8126d30546ec7e14befc327f059e9b176dd
Instruction Fuzzy Hash: 3AF0A931B007048BEB16BBB8D4005AEB776AFC1B14F00566ED84967220EF30F985CBD2

Function 04E1D1E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6136b064d9c786a48d520b6d10fc116b98e1eaee5198d31961cd10ddf0883040
Instruction ID: 67415a832d1f8676aec8f1030d23a8e862c5f7a3c7bd3b166c8cad0390a345c9
Opcode Fuzzy Hash: 6136b064d9c786a48d520b6d10fc116b98e1eaee5198d31961cd10ddf0883040
Instruction Fuzzy Hash: 17F0A931A007048BEB12BBB8D8009AEB7B5AFC1714F00566ED84967220EF30F581CBD2

Function 04E12C2E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e31829c5892fce5ca445edf6f413253f8541501ed088a6f33fd3aac9d32d06e
Instruction ID: b64cf20afc6231e617e80fe176444b8176f3d445ef71fb520cc0ae345155b7a0
Opcode Fuzzy Hash: 6e31829c5892fce5ca445edf6f413253f8541501ed088a6f33fd3aac9d32d06e
Instruction Fuzzy Hash: F0F012343102109FC7649B59D858A7977EAEFC9B11B1480FAE609D7370CF61EC02CB90

Function 04E1B3F8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272d60cec038763b34c3d7f27dd75513818251ac5ca2f84a4566f3894b6d381d
Instruction ID: 2dd93c1a55f54822810c1c69f6a1e8e166cc4a7ca66516204758d5a1d0644331
Opcode Fuzzy Hash: 272d60cec038763b34c3d7f27dd75513818251ac5ca2f84a4566f3894b6d381d
Instruction Fuzzy Hash: 83F082313815108BDB1AAB39A41453D729A9FC4619715A07DDA06CB3B1EF3AFC42D395

Function 04E127F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3d7ed1b3c93dfe8ac7483e3123f314fe86347ea1bfa8e2706477e518df45aa
Instruction ID: c7f459a434ebc15a3811f68236caf53d430c22510fcb8c2c96b9ab3b111fcb47
Opcode Fuzzy Hash: 0d3d7ed1b3c93dfe8ac7483e3123f314fe86347ea1bfa8e2706477e518df45aa
Instruction Fuzzy Hash: 21F05E363546418FC7158B2ED844DA97BE9AF8AB1430640FBE204DB373DA61EC02C794

Function 04E1D268 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b793290ada18fe229ad1be567a75bb5286650420482c8b1e888317c62f1c11c
Instruction ID: b6bf5ab9265ddaaf60c3590a5e504bb1348bda9d738ec87a79f3129888ccc87a
Opcode Fuzzy Hash: 5b793290ada18fe229ad1be567a75bb5286650420482c8b1e888317c62f1c11c
Instruction Fuzzy Hash: CCF0BE313006108FC724AB1AD888D1BB7FAEFC8326B200569E44A87724CB71FC82CB90

Function 04E1A7C8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 04E1A2F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e22407159408f7b5ca98fe8e8939532909c66c02d46f40438d0c437ec57fd5a
Instruction ID: 82ca3191a24dfcd9284e38b6ae91e2e16a3c483f4858f035476c2814d0b4c09b
Opcode Fuzzy Hash: 3e22407159408f7b5ca98fe8e8939532909c66c02d46f40438d0c437ec57fd5a
Instruction Fuzzy Hash: 9A01C4B48003498FDB20DF9AC589BAEBFF4EB08314F208419D558A7350C779A945CFA5

Function 04E1D2C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a1af39cd9f47dd14e9e205ff2075979573150f17759de8113219484d3d9615
Instruction ID: 15676ff52cd7147c3774f942f72e833f0c97bcff5bc245058c5b3a4860f57505
Opcode Fuzzy Hash: 40a1af39cd9f47dd14e9e205ff2075979573150f17759de8113219484d3d9615
Instruction Fuzzy Hash: 2EE022373092808FDB06A7A9B558098BBA3FBCA26730804BEE545C3B53DA31AD078351

Function 04E12850 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24ce969416fabafd0e6297403fd968b4e52ca609cb75868c1c49199d3776ce
Instruction ID: 4327c94dfe538a17b92cf206975785d8479a6ffbbce53e12d9bba609780f8241
Opcode Fuzzy Hash: 9e24ce969416fabafd0e6297403fd968b4e52ca609cb75868c1c49199d3776ce
Instruction Fuzzy Hash: 50E09272B00A244B9B1CFB7FA40186AF6DBAFC8610328C1BEE50D8B625ED309C0587C0

Function 04E1D658 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4978ef519dd0f70f89bb954208fc62410bc14c1af2c1beb5fafe7a5c2ca2d130
Instruction ID: 1d921b21834801c315297803a6ad787e06e4c6dbffcc26a85d7ed189a8a0562c
Opcode Fuzzy Hash: 4978ef519dd0f70f89bb954208fc62410bc14c1af2c1beb5fafe7a5c2ca2d130
Instruction Fuzzy Hash: A3F0DF34240620CFC718DB28D588C597BE6EF49B1A71149A9E10ACB332CB72FC41CB80

Function 04E186C9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c24f1c46cc78ab59341ca968c7ee1475308b1ac0637d7b23a2fcc8a69e11047
Instruction ID: f6f3de6ab24ad6b3ea78bd44ee8b656a3c01b985078f1c0c5aad888938a40fb0
Opcode Fuzzy Hash: 3c24f1c46cc78ab59341ca968c7ee1475308b1ac0637d7b23a2fcc8a69e11047
Instruction Fuzzy Hash: 58F0E575909649EFCB02FF71E81044DBFB5FB41204B104AEAD845EB21AE6312F04D795

Function 04E1BE90 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d611dfc18fd1934db2aea44d1779c3226d029686c75fb6fd8fe1ecb44d5c9ff0
Instruction ID: a795cc2378f963749d886892831240b89174aa3cd3d5b0d03547b147ae7f72cf
Opcode Fuzzy Hash: d611dfc18fd1934db2aea44d1779c3226d029686c75fb6fd8fe1ecb44d5c9ff0
Instruction Fuzzy Hash: 1AE01AA388E3D40FE303137418A90C07FB0DE631A430A55E3C5E1CF0B3A419240B9362

Function 04E12808 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: 3ccc2b0987f14ece20cc98c740091253af1ee5db5eff697069b5ec7559256d0c
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: C3E0E5353604148FC714DB2ED848D55B7E9EF89B2531640FAF209CB372DA61EC02CB90

Function 04E12840 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4074d53c6f4941807f66b79369059793dbdeeeb0348c40c950c95e867b568810
Instruction ID: fa74edab548c0faef40f4bdf8aae33d349963fbc8b447e49ceda0b307cb77212
Opcode Fuzzy Hash: 4074d53c6f4941807f66b79369059793dbdeeeb0348c40c950c95e867b568810
Instruction Fuzzy Hash: 77E07D717106104FDB18A6369C40996B7FAAEC4300304C1A9D14D87E11EC217C0787D0

Function 04E1BE40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bd29d21a573174f1b99b63b1593053b0fe3fd5934705ee4ccfa811079fcb80
Instruction ID: 094a58e529d432560257c87145aa0471a864237fa0b38b909fe65b2c571f2219
Opcode Fuzzy Hash: 00bd29d21a573174f1b99b63b1593053b0fe3fd5934705ee4ccfa811079fcb80
Instruction Fuzzy Hash: 8BE0DF326083901BC722A2A9E85094BBB969ED5310B158A6AE1598F216DD60AD0A83D6

Function 04E124F4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6eef5819d8ddb9efff44c91b3e4170f1eb700c5847778dbee85e85701b8f86
Instruction ID: 1aee4760b28f69097a23f203d15ddd5eea282df2af27ccec1e92fabdff404afb
Opcode Fuzzy Hash: df6eef5819d8ddb9efff44c91b3e4170f1eb700c5847778dbee85e85701b8f86
Instruction Fuzzy Hash: 9FE0C2307507049FC328DA5CE884D6AB7E9EF8D3113549A6BF009C7320DAA0FC094689

Function 04E1989E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9b0094706f506e8055e023ecbb6b1822827f4305338c9e374a4cc684e82d6b
Instruction ID: f36f8ddd49aed6b68a2ba1935ecb5ccf3e2116d38a015596d96cb31740256a9a
Opcode Fuzzy Hash: 3b9b0094706f506e8055e023ecbb6b1822827f4305338c9e374a4cc684e82d6b
Instruction Fuzzy Hash: 4AE0DFB1E8010CDBDF009F81F5147EDBF70FB4430AF205416D012B1562C7711985CE90

Function 04E14CE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce42a66e7681d577476b9474f3d70c369bbd6110ac85f691895cc5d48e64a97
Instruction ID: 53bb91f01e5b0b41594853ee4c7265f9ec90751752af0990985f1f53ad60b762
Opcode Fuzzy Hash: 1ce42a66e7681d577476b9474f3d70c369bbd6110ac85f691895cc5d48e64a97
Instruction Fuzzy Hash: FDF01535E41009CBCF11EFA4E6445ECB7B1EB8830AF2024A5C506B72A0D7326E50CB21

Function 04E13061 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3084fcee3e84d82f9ca16e34227058039ebdf832780f2239974ba9ba485cd093
Instruction ID: 7bc11b9c466c928468ccd528e4e3b1f20d74593f3a1b54ce9e7c04b99ef3cc6c
Opcode Fuzzy Hash: 3084fcee3e84d82f9ca16e34227058039ebdf832780f2239974ba9ba485cd093
Instruction Fuzzy Hash: B6E0C2327410509FC7118F38E224CAC7FF5EF5922031681A6E945C7366CA61CC018B80

Function 04E109E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981e6a85d880d828cbfd91baf6a420ca4149be44e809204ac03da44ebf71a802
Instruction ID: ea460b11a8d49a82410aac25980214bfddba9709b7167969f40db5ebee0a9a0b
Opcode Fuzzy Hash: 981e6a85d880d828cbfd91baf6a420ca4149be44e809204ac03da44ebf71a802
Instruction Fuzzy Hash: 4AD0A7323441384B8B0477F878145AE37DDDF84665300007EE50EC3B21DE61884286C8

Function 04E105CB Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efc756c5c6ead6e9ae3ee02f12db0aee14b97d547aa9a2baf2e5fd87d2ec0fb
Instruction ID: 30a14a3e42132f791de5569472e7abf2f7011a25d3f9884c79d73673941053cd
Opcode Fuzzy Hash: 0efc756c5c6ead6e9ae3ee02f12db0aee14b97d547aa9a2baf2e5fd87d2ec0fb
Instruction Fuzzy Hash: DEE0B636A4110DEBDF01DF80E955BDEBB72FB88316F208055FA16272A0C7725A61EB91

Function 04E186D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a013bfc1545fed6bebf047b98d18b334abae9d709245e14b3ca0cc2cfcfcd137
Instruction ID: 826412c03f04b33a40a5293a3763e78a3c49944f9cd5422f0290eef3742cb23d
Opcode Fuzzy Hash: a013bfc1545fed6bebf047b98d18b334abae9d709245e14b3ca0cc2cfcfcd137
Instruction Fuzzy Hash: 48E08675A0450DEFCB10FFA5E50045CBBF9FB84201B108299D805A7308EB322F149B51

Function 04E1B3BE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e3e7062406f0bece93973800c38721507efbaf5637aac020162f5bbff14976
Instruction ID: 890059a3850d344086c5a2877a7dffb99295bccb55ceef54808d3270e6fb6101
Opcode Fuzzy Hash: 02e3e7062406f0bece93973800c38721507efbaf5637aac020162f5bbff14976
Instruction Fuzzy Hash: 77D017307106109FC768CA2CE4808A9B7E6AF8831132486AAF04AC7761CAA1FC0A8B40

Function 04E13070 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63dec5b253df6bbdf0343e4f46bbd7637f2246b919ffc7c8df5ea94c5c10bc76
Instruction ID: ab9556b146b37c2eb2cb48d82a42d6363aaacfe7017f0ef4d97bbb4d0f15cc6b
Opcode Fuzzy Hash: 63dec5b253df6bbdf0343e4f46bbd7637f2246b919ffc7c8df5ea94c5c10bc76
Instruction Fuzzy Hash: E9D0C9367501249F8B449B68E508CA97BEAEF9D66131180A6FA09CB361CA71DC508BD4

Function 04E109D9 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ef087787e43e3c7351e09ef8a69e6ef270f4274e0e9dca10fed1e0d3925093
Instruction ID: 19400b0850533fda595f6f3ad30c5319b8be96ddeb4e0711041e01da3ae2fff2
Opcode Fuzzy Hash: 89ef087787e43e3c7351e09ef8a69e6ef270f4274e0e9dca10fed1e0d3925093
Instruction Fuzzy Hash: 64D0223230C2A00FD3020AE83C309862F98CA4230430500AFE044D2163F0448B038382

Function 04E103FA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfb15d6a793a6b836c7ae54dc84eb9bac00755f383803e0bb2e200f0bfc51f8
Instruction ID: 9fbcf70e9bd34f0c6bdaf90cd0da9a69b7b02276b7b53a2db37e2db17623a748
Opcode Fuzzy Hash: 1cfb15d6a793a6b836c7ae54dc84eb9bac00755f383803e0bb2e200f0bfc51f8
Instruction Fuzzy Hash: 50D06735140548AFCB11CFA4D945DE93F76AF99624F158098FA494B232C632D862EB51

Function 04E10400 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90

Function 04E105C2 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction ID: 44098e6eb876570c792c93fd1ac9f5d0ad481835dae8ce642ac24625fd9504e5
Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
Instruction Fuzzy Hash: D0B09237E4410889DB108A84B4413EEF720F780225F105023C21252441937221A4A6D1

Function 04E10998 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d14dccbae6e2c47332778d965bb0c2b451ee3656083a8378c0ac995b259e2dd
Instruction ID: 0478ec6df9790ab9efb34a918f5e9e77b6a7312424a3760d37d527a4eec87f38
Opcode Fuzzy Hash: 3d14dccbae6e2c47332778d965bb0c2b451ee3656083a8378c0ac995b259e2dd
Instruction Fuzzy Hash: 49B01224AA420042B554BA350CA0E2F041297C0208B84EC01214008414D818E0491006

Non-executed Functions

Function 04E13C89 Relevance: 41.7, Strings: 33, Instructions: 438COMMON

Download Yara Rule

Strings

4'q, xrefs: 04E13E5F
4'q, xrefs: 04E13F9A
4'q, xrefs: 04E13EC8
4'q, xrefs: 04E13D8D
4'q, xrefs: 04E13FBD
4'q, xrefs: 04E1418F
4'q, xrefs: 04E14163
4'q, xrefs: 04E13EA5
4'q, xrefs: 04E140B3
4'q, xrefs: 04E13F54
4'q, xrefs: 04E141E7
4'q, xrefs: 04E13E82
4'q, xrefs: 04E140DF
4'q, xrefs: 04E13D6A
4'q, xrefs: 04E13EEB
4'q, xrefs: 04E13FE0
4'q, xrefs: 04E13DF6
4'q, xrefs: 04E1423F
4'q, xrefs: 04E14213
4'q, xrefs: 04E13DD3
4'q, xrefs: 04E14003
4'q, xrefs: 04E13E3C
4'q, xrefs: 04E1410B
4'q, xrefs: 04E13F0E
4'q, xrefs: 04E14137
4'q, xrefs: 04E14087
4'q, xrefs: 04E13DB0
4'q, xrefs: 04E13E19
4'q, xrefs: 04E1405B
4'q, xrefs: 04E13F77
4'q, xrefs: 04E141BB
4'q, xrefs: 04E1402F
4'q, xrefs: 04E13F31

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-78339950
Opcode ID: 6992c77513ef3b6eb971e5501867ff5f7cfe8af3c69f51ebce3a0adc931f5430
Instruction ID: aed9587dc69812a640a3936f65218992709e947841b5ced425888077442c249b
Opcode Fuzzy Hash: 6992c77513ef3b6eb971e5501867ff5f7cfe8af3c69f51ebce3a0adc931f5430
Instruction Fuzzy Hash: 0F12FA74E0131A8FDB68EFB5E89179D77B2BB80301F9486A990099F265DF306D49CF81

Function 04E13C98 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4'q, xrefs: 04E13E5F
4'q, xrefs: 04E13F9A
4'q, xrefs: 04E13EC8
4'q, xrefs: 04E13D8D
4'q, xrefs: 04E13FBD
4'q, xrefs: 04E1418F
4'q, xrefs: 04E14163
4'q, xrefs: 04E13EA5
4'q, xrefs: 04E140B3
4'q, xrefs: 04E13F54
4'q, xrefs: 04E141E7
4'q, xrefs: 04E13E82
4'q, xrefs: 04E140DF
4'q, xrefs: 04E13D6A
4'q, xrefs: 04E13EEB
4'q, xrefs: 04E13FE0
4'q, xrefs: 04E13DF6
4'q, xrefs: 04E1423F
4'q, xrefs: 04E14213
4'q, xrefs: 04E13DD3
4'q, xrefs: 04E14003
4'q, xrefs: 04E13E3C
4'q, xrefs: 04E1410B
4'q, xrefs: 04E13F0E
4'q, xrefs: 04E14137
4'q, xrefs: 04E14087
4'q, xrefs: 04E13DB0
4'q, xrefs: 04E13E19
4'q, xrefs: 04E1405B
4'q, xrefs: 04E13F77
4'q, xrefs: 04E141BB
4'q, xrefs: 04E1402F
4'q, xrefs: 04E13F31

Memory Dump Source

Source File: 0000000C.00000002.1635582651.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4e10000_mjiCFnur.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-78339950
Opcode ID: a06a0ae828c3aa0441726b72233d9a3d6a2cac210b27fc3fbc0cf6e055827271
Instruction ID: 54678464b27dad0403e3bc3b1a7d8b98fb7e6a4002a32fed0fd9a5929d123a8e
Opcode Fuzzy Hash: a06a0ae828c3aa0441726b72233d9a3d6a2cac210b27fc3fbc0cf6e055827271
Instruction Fuzzy Hash: 2512E974E0131A8FDB68EFB5E89179D77B2BB80301F9486A990099F265DF306D49CF81

Analysis Process: RegSvcs.exePID: 7732, Parent PID: 7416COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 01992C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019AFD4F,000000FF,00000024,01A46634,00000004,00000000,?,-00000018,7D810F61,?,?,01968B12,?,?,?,?), ref: 01992C24

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1b1dbf69886bb0a4e3875b6d154bc86f8c3c1f5e01a82d1a03a1e498a1f7177
Instruction ID: f17e8227c5267afb2f1580da677366825ee390bcf95788be75c043e2c35ef6b8
Opcode Fuzzy Hash: f1b1dbf69886bb0a4e3875b6d154bc86f8c3c1f5e01a82d1a03a1e498a1f7177
Instruction Fuzzy Hash: E0B09B71D015C5D5DF11E7A4460C717794477D0702F55C061D2070651F4738D1D5E2B5

Function 01992DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019CE73E,0000005A,01A2D040,00000020,00000000,01A2D040,00000080,019B4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0199AE00), ref: 01992DFA

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09b83223b074cb1af06e906c548df34c4a28dcdb71beb37a94d26032c7fb42c5
Instruction ID: 18ca2fdc0bf1e96872e9230d230d0045789c69c9a0e1ace1c0ced392466951fc
Opcode Fuzzy Hash: 09b83223b074cb1af06e906c548df34c4a28dcdb71beb37a94d26032c7fb42c5
Instruction Fuzzy Hash: DD90027170150413D11171984518707404D97D0242FD5C412A0464558DD6568A56A261

Function 01992C1D Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019AFD4F,000000FF,00000024,01A46634,00000004,00000000,?,-00000018,7D810F61,?,?,01968B12,?,?,?,?), ref: 01992C24

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 508035d994570825b0b94a78c7273b67b267fbe71481be9c33a9289f928b71d9
Instruction ID: b9124bee4cfe79c76c2ba7e2aebc367d1838da7a188f2c4c5402a2a660b34771
Opcode Fuzzy Hash: 508035d994570825b0b94a78c7273b67b267fbe71481be9c33a9289f928b71d9
Instruction Fuzzy Hash: ECA00271A81216478346AA54485846DA159BBD422238EC356D1068AC5BC72C5497B6B1

Function 01992C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0194FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,019A7BE5,00001000,00004000,000000FF,?,00000000), ref: 01992C7A

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65a9c19877330b4dc6ab0e008c8815641ccee102c18acdd0f4af28e445f279be
Instruction ID: b089f23618b67e638e7fd4dddb19c52dfb6f35090cc958e16a8139852c57ca8a
Opcode Fuzzy Hash: 65a9c19877330b4dc6ab0e008c8815641ccee102c18acdd0f4af28e445f279be
Instruction Fuzzy Hash: 5490027170158802D1107198841874A404997D0302F99C411A4464658DC69589957261

Function 019935C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019935CA

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d3de9794eb52d3335c3cabf1c92996fd88c40af89f5a4c1056bb12960fa8a0d
Instruction ID: 7033bf1eb5001d1e620d0cc911df86463199244f585eb389b7fe089823abdc97
Opcode Fuzzy Hash: 0d3de9794eb52d3335c3cabf1c92996fd88c40af89f5a4c1056bb12960fa8a0d
Instruction Fuzzy Hash: 65900271B0560402D10071984528706504997D0202FA5C411A0464568DC7958A5566E2

Non-executed Functions

Function 01994A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 01994A8F

Strings

0Ivw, xrefs: 01994AFA
0Ivw, xrefs: 01994AD0, 01994AD5
0Ivw, xrefs: 01994B14
0Ivw, xrefs: 01994B04, 01994B09
0Ivw, xrefs: 01994AEA, 01994AEF
0Ivw, xrefs: 01994ADA

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Ivw$0Ivw$0Ivw$0Ivw$0Ivw$0Ivw
API String ID: 3446177414-4119021165
Opcode ID: 16f6c01733b1c3f3a1b610dc7844a53f9e4ee5aa358d5b4081446fb63e75ce11
Instruction ID: 081f3997be885d940ee83536e637b0d0fe03435521b7dccfb785a230edae2267
Opcode Fuzzy Hash: 16f6c01733b1c3f3a1b610dc7844a53f9e4ee5aa358d5b4081446fb63e75ce11
Instruction Fuzzy Hash: 0C015E3EE056109BDBB59A2CB90478B3A91B7CD738F05005AE90C9B289D7624863D795

Function 01992890 Relevance: 9.2, APIs: 6, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 0199293C
___swprintf_l.LIBCMT ref: 0199295E
___swprintf_l.LIBCMT ref: 019929A3
___swprintf_l.LIBCMT ref: 019CA52E

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: edb8e566cd565c9e0d591cd309ff1551d870964dc9dbd25027f07bba409dfa27
Instruction ID: db77bb7d7daef24a02b7ac60e4c6908c8c514864428081093c3fd8bd3e7ba19f
Opcode Fuzzy Hash: edb8e566cd565c9e0d591cd309ff1551d870964dc9dbd25027f07bba409dfa27
Instruction Fuzzy Hash: 9D51F7B1A00156BFDF11DFAD898097EFBB8BB58241754C529E4ADD7641E334EE0087E1

Function 0196A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 019B79D0, 019B79F5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019B79FA
SsHd, xrefs: 0196A3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019B79D5

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 99f9bd37b4e3f3a12cb873a341a7bb5da1fbd4e0f034264f864862468369d6ad
Instruction ID: a74ef1e61c61ce0f30a7c0094199162fe918edd02135198bae47f9ad14da733a
Opcode Fuzzy Hash: 99f9bd37b4e3f3a12cb873a341a7bb5da1fbd4e0f034264f864862468369d6ad
Instruction Fuzzy Hash: 9BE1F4706043028FD729CE68C984B6ABBEDBBC4314F144A2DE95EEB2D1D731D945CB61

Function 0196D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 019B948C

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 019B9341, 019B9366
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019B936B
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019B9346
GsHd, xrefs: 0196D874

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 41433e8209964737f9a3d98e8a59dd112a75f33a3c68a06a862ec58ebf81b499
Instruction ID: 85afbb70d7bcadcafa5aad55ee481a54387bf047046b67e7d87cfad01e930271
Opcode Fuzzy Hash: 41433e8209964737f9a3d98e8a59dd112a75f33a3c68a06a862ec58ebf81b499
Instruction Fuzzy Hash: CFE1C5707143428FDB24CF98C5C0B6ABBE9BF89319F04492DEAAD8B291D771D944CB52

Function 0199B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__aulldvrm.LIBCMT ref: 0199B6BF

Strings

+, xrefs: 0199B65A
-, xrefs: 0199B650
0, xrefs: 0199B695
0, xrefs: 0199B66F

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: 578a2b6046ab164701e0931806307f52b43271bfaadda4a10d4d4b369dbb9b11
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 7581F530E052499FEF25CE6CE890FFEBBB5AF44321F184619D85BA7681C7389840C752

Function 01959126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 019B2559

Strings

$, xrefs: 01959191
@, xrefs: 01959175

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 66e242824b9e5f8db9d741bae69b25dff1088f98b7ecff017a47493644bb02a7
Instruction ID: b9a0cb05a0a4d9a8225b12a7afee9a73c560b662bcf02dd94aadfa07a726a02d
Opcode Fuzzy Hash: 66e242824b9e5f8db9d741bae69b25dff1088f98b7ecff017a47493644bb02a7
Instruction Fuzzy Hash: 338109B5D00269DBDB71CB54CD44BEABAB8AB48754F0041EAAA1DB7240D7709E85CFA0

Function 01994960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 019949A4

Strings

X, xrefs: 019949F0
0Ivw, xrefs: 01994A23
0Ivw, xrefs: 01994A13
0Ivw, xrefs: 01994A03

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Ivw$0Ivw$0Ivw$X
API String ID: 3446177414-3775388739
Opcode ID: 9055f34fd31d07c04adc6d983ce965585de286894313057c7c34550dfae2c12e
Instruction ID: 1f862e4b5ddeb769f0e906666bca0eb4d2aec8c0a36b9597206eb192b88e9c38
Opcode Fuzzy Hash: 9055f34fd31d07c04adc6d983ce965585de286894313057c7c34550dfae2c12e
Instruction Fuzzy Hash: 6B318D3990120AEBCF22DF5CD940B8F3BA5BBC9759F00401DF9089B245D3799A62CF95

Function 0197DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 019BF611

Strings

, passed to %s, xrefs: 019BF662
RtlUnlockHeap, xrefs: 019BF65D
Invalid heap signature for heap at %p, xrefs: 019BF653

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: df0791eaf73d0262e5c4a6920254f2d6410d17b745d4d06badafddad1ddff489
Instruction ID: f77f01638f7c767367db6d9162442059ceebc7ef962824666b7d2448d84efbb6
Opcode Fuzzy Hash: df0791eaf73d0262e5c4a6920254f2d6410d17b745d4d06badafddad1ddff489
Instruction Fuzzy Hash: D6415631600745DFD722DFB8C985BBAB7F8EF95725F008469E80E97291C774A980C790

Function 019D4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 019D4809

Strings

LdrpCheckRedirection, xrefs: 019D488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019D4888
minkernel\ntdll\ldrredirect.c, xrefs: 019D4899

Memory Dump Source

Source File: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 9ff25ddbdb1447171062baea022a6fc88a1500b51b93631137701d270cad216f
Instruction ID: 07bd0f858da3fb3dd8d92cfc8a0db15f191af061df7ebc076fae7f4e80cc8191
Opcode Fuzzy Hash: 9ff25ddbdb1447171062baea022a6fc88a1500b51b93631137701d270cad216f
Instruction Fuzzy Hash: 4D41D236A043519FCB21CE5CD841E267BE9AF89A91F06856DED8DE7B11D731D800CB92

Function 0197DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019BF757

Strings

, passed to %s, xrefs: 019BF7A8
Invalid heap signature for heap at %p, xrefs: 019BF799
RtlLockHeap, xrefs: 019BF7A3

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: b3f9cccc4fd251f34d4ffdd2ec0275c6112b966a24c159935ab8192828af51f3
Instruction ID: 082ff5bdeb301e4382951adfc605b5760d1bf1a83b23d7421b794f88aea550b7
Opcode Fuzzy Hash: b3f9cccc4fd251f34d4ffdd2ec0275c6112b966a24c159935ab8192828af51f3
Instruction Fuzzy Hash: 5E314739104790EFD726DBACC989FA67BECEF41B14F084488E40E97696C7B4E880C751

Function 0194C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0194C0B4
RtlDebugPrintTimes.NTDLL ref: 019AD623
RtlDebugPrintTimes.NTDLL ref: 019AD651

Strings

$, xrefs: 0194C07C

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: f74a38d6e0c38ad34da10c7a39d2670714848e12f572e7c027555b40898bb073
Instruction ID: 97f4de248927e1bc74d341a95a02c7b6b16f61d5d22b4ea897e97ecbddee667a
Opcode Fuzzy Hash: f74a38d6e0c38ad34da10c7a39d2670714848e12f572e7c027555b40898bb073
Instruction Fuzzy Hash: 07118836904218EFCF15AF94D848ADD7B71FF85761F108519F92A676D0CB325A15CF80

Function 0197EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dc5a844e8d4404b0245e587411815e3323e4da302a1cd63c5f5ee7e68b8859
Instruction ID: f4f73453f111c8d1d821109fbec63592322d57837095e9e99f882ba8b7df051a
Opcode Fuzzy Hash: 11dc5a844e8d4404b0245e587411815e3323e4da302a1cd63c5f5ee7e68b8859
Instruction Fuzzy Hash: 5EE11174D00608DFCF26CFA9D980AADBBF5FF89315F24496AE55AA7621D730A841CF10

Function 019CEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019CEFE1
RtlDebugPrintTimes.NTDLL ref: 019CF009
RtlDebugPrintTimes.NTDLL ref: 019CF0AC
RtlDebugPrintTimes.NTDLL ref: 019CF160

Memory Dump Source

Source File: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 40dc484dc3910c9c6de750b23853d9a853cb15839a51ace964be49798765f680
Instruction ID: 6cb6dc177a3728f2743bbe4d4fddb0ad90b8f2f94e9657d76e3a43153cbc18e9
Opcode Fuzzy Hash: 40dc484dc3910c9c6de750b23853d9a853cb15839a51ace964be49798765f680
Instruction Fuzzy Hash: AF713871E002199FDF05CFA8C984ADDBBF6BF88714F14402EE949EB254D734A905CB56

Function 019CF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019CF26D
RtlDebugPrintTimes.NTDLL ref: 019CF292
RtlDebugPrintTimes.NTDLL ref: 019CF324
RtlDebugPrintTimes.NTDLL ref: 019CF378

Memory Dump Source

Source File: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bf3c98c23130ced48a289fc3c0842559dbd0968d90a5bc21b7ceaa249c39e3a4
Instruction ID: a363bd507021d93f59b1d7b59a2b5eacc250b7b4fe79ed0349cb33dcf74cf221
Opcode Fuzzy Hash: bf3c98c23130ced48a289fc3c0842559dbd0968d90a5bc21b7ceaa249c39e3a4
Instruction Fuzzy Hash: 38515476E00219AFDF09CF98C844ADDBBF6BF88755F14802AE909BB250D7349905CF55

Function 01987B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01987B52
BaseThreadInitThunk.KERNEL32 ref: 01987B5C
RtlDebugPrintTimes.NTDLL ref: 019C49ED
RtlDebugPrintTimes.NTDLL ref: 019C4A70

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: cfb118c53f9cf4a1d6b0832a6bb61efc6be92e01bfcd493b7fa4a569ed3f92ce
Instruction ID: f45b5f14a5c0438876a6123772f079f93995546bcb835d579dff67e812f9b046
Opcode Fuzzy Hash: cfb118c53f9cf4a1d6b0832a6bb61efc6be92e01bfcd493b7fa4a569ed3f92ce
Instruction Fuzzy Hash: 4E315679E00229AFCF25DFA8D844A9EBBF0FB8C720F10412AE519B7290C7359901CF95

Function 019559C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 019B0AA7

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f085fd13e8ed178969a3f1e9e53f9c55958d62ef35ab5d22773bf9e01cdb0fa6
Instruction ID: 1b757443cc13bf636c105fe8979ca591ac2119001e98957eea5775ae001fa028
Opcode Fuzzy Hash: f085fd13e8ed178969a3f1e9e53f9c55958d62ef35ab5d22773bf9e01cdb0fa6
Instruction Fuzzy Hash: B5324870D0426ADFEB61CF68C984BEDBBB4BB48304F0485E9D94DA7242D7746A84DF90

Function 01997D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01997E8B

Strings

-, xrefs: 01997DDD
+, xrefs: 01997DE8

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 7e7e5613dfe1c843749daa44f02b8367b4e722c457afef5b644856eb7c184780
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 4891A771E1020A9BEF28DFDDC881ABEBBA9AF45721F14451AE95DA72D0DF3099408F11

Function 0196D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0196D3A4

Strings

Bl, xrefs: 0196D48C
l, xrefs: 0196D46B

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: 86c526f1754e51ee0dcc932ff6cf4233da764ce145bde224336a349585efb93d
Instruction ID: 9f49e1b139830c47d6a009797945d1fe253cbe63be5d93b9a743fbabcd0a5807
Opcode Fuzzy Hash: 86c526f1754e51ee0dcc932ff6cf4233da764ce145bde224336a349585efb93d
Instruction Fuzzy Hash: 02A1C431B003198BEF31DB99C880BAAB7F9BF85704F0440A9D59DA7241DB75AD85CB61

Function 01995DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01995E34

Strings

pow, xrefs: 01995E0C, 01995E29

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 458ffff217970236654ed40d23172b064c57971b5c2bfe3141aeb7c144a35467
Instruction ID: 0a1b3aaaba4fbd457a0632e0a51c4e022baabc671bbc4b1510f313c42ec9f6e3
Opcode Fuzzy Hash: 458ffff217970236654ed40d23172b064c57971b5c2bfe3141aeb7c144a35467
Instruction Fuzzy Hash: 17519D71908106A7FF23BA5CE541BAB3F9CEB80711F11CD1AE0DF8629DDB3984958746

Function 01984C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 01984C96
0, xrefs: 01984CC3

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: afe6f81ffd289d212a83f7ec9dd51413083d528ce897342781242ae200359788
Instruction ID: ee00d8fa09666df6f20b3bfe9795d2c504275ae5c0a6ddfbe4cbdabdc72d3983
Opcode Fuzzy Hash: afe6f81ffd289d212a83f7ec9dd51413083d528ce897342781242ae200359788
Instruction Fuzzy Hash: 615189B1E0025A8BCF26DF99C5847A9FBF8FF54715F15802ED04D9B251E770A985CB80

Function 0197D7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0197D959

Part of subcall function 01954859: RtlDebugPrintTimes.NTDLL ref: 019548F7

Strings

$, xrefs: 0197D86D
$, xrefs: 0197D900

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 095c2554705e4ae9265cd2a3e4e32e2cbfb2d887daf4ec7af4edcf84e42dd181
Instruction ID: fd46635c6d46305a684ec2c1ddcff3e2caf22cc5b9a1c235a700d95eae4e636b
Opcode Fuzzy Hash: 095c2554705e4ae9265cd2a3e4e32e2cbfb2d887daf4ec7af4edcf84e42dd181
Instruction Fuzzy Hash: BC51EA79E00246DFDB24DFA8C484BDEBBF2BF88304F244059C91D6B281D771A886CB91

Function 019CFD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 019CFE73
RtlDebugPrintTimes.NTDLL ref: 019CFE95

Strings

$, xrefs: 019CFE3D

Memory Dump Source

Source File: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: ef0782bc2d51ad21a236e7b70b2c39db357d7e1c526f05e7bbd96ceb9e17870a
Instruction ID: bc2ea43f2f7a196ea850561c41610195aa1c4e02409dd91fc9cc168154882586
Opcode Fuzzy Hash: ef0782bc2d51ad21a236e7b70b2c39db357d7e1c526f05e7bbd96ceb9e17870a
Instruction Fuzzy Hash: 78417379A00209ABDF11DF9DD940AEEBBBAFF88B04F14411DE948A7342D771A911CF91

Function 0194DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0194E040

Strings

0, xrefs: 0194E020
0, xrefs: 0194E00B

Memory Dump Source

Source File: 00000012.00000002.1793855923.0000000001946000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Associated: 00000012.00000002.1793855923.0000000001920000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001927000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.00000000019E2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A43000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.1793855923.0000000001A49000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1920000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 2a121d3ef32b031669499985436a738b94b0a96a470512ee687dd40cbe772c07
Instruction ID: 341a0c3b376db04e9d77e4617ec07853e7a745909e2aa968a4227bd36b3bbe8d
Opcode Fuzzy Hash: 2a121d3ef32b031669499985436a738b94b0a96a470512ee687dd40cbe772c07
Instruction Fuzzy Hash: DE416AB56087069FC320CF68C584E1ABBE8BB88314F04496EF58CDB341D771E905CB96

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arrival_Notice.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Arrival_Notice.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mjiCFnur.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15usn100.210.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2pq32cui.eh0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4t5eliis.4jm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3eufo0x.qul.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmizh345.esh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xydign3g.1gh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytrxx1lh.ffp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuasz5rf.g5z.psm1

C:\Users\user\AppData\Local\Temp\tmpA612.tmp

C:\Users\user\AppData\Local\Temp\tmpD06D.tmp

C:\Users\user\AppData\Roaming\mjiCFnur.exe

C:\Users\user\AppData\Roaming\mjiCFnur.exe:Zone.Identifier

Windows Analysis Report
Arrival_Notice.bat.exe

Function 06C875E8 Relevance: 6.9, Strings: 5, Instructions: 624
COMMON