Windows Analysis Report
CVE-2022-26809.exe

Overview

General Information

Sample Name:CVE-2022-26809.exe
Analysis ID:629914
MD5:7e0c8be0d03c75bbdc6fd286a796434a
SHA1:0e2e0d26caa32840a720be7f67b49d45094861cb
SHA256:6c676773700c1de750c3f8767dbce9106317396d66a004aabbdd29882435d5e0
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • CVE-2022-26809.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\CVE-2022-26809.exe" MD5: 7E0C8BE0D03C75BBDC6FD286A796434A)
    • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.414274842.0000000002867000.00000004.00000800.00020000.00000000.sdmp | WiltedTulip_WindowsTask | Detects hack tool used in Operation Wilted Tulip - Windows Tasks | Florian Roth |
  • 0x13fe:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
  • 0x2e2e:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
Process Memory Space: CVE-2022-26809.exe PID: 7056 | WiltedTulip_WindowsTask | Detects hack tool used in Operation Wilted Tulip - Windows Tasks | Florian Roth |
  • 0x4be4:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
  • 0x660f:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: CVE-2022-26809.exe, Virustotal: Detection: 29%
Source: CVE-2022-26809.exe, Joe Sandbox ML: detected
Source: CVE-2022-26809.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CVE-2022-26809.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

System Summary

Source: 00000000.00000002.414274842.0000000002867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Author: Florian Roth
Source: Process Memory Space: CVE-2022-26809.exe PID: 7056, type: MEMORYSTR, Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Author: Florian Roth
Source: 00000000.00000002.414274842.0000000002867000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: CVE-2022-26809.exe PID: 7056, type: MEMORYSTR, Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: CVE-2022-26809.exe, Binary or memory string: OriginalFilename vs CVE-2022-26809.exe
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_049B0098 0_2_049B0098
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_049B5C81 0_2_049B5C81
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_049B42B9 0_2_049B42B9
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_049B0320 0_2_049B0320
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_049B1668 0_2_049B1668
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_049B3060 0_2_049B3060
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_049B0088 0_2_049B0088
Source: CVE-2022-26809.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown, Process created: C:\Users\user\Desktop\CVE-2022-26809.exe "C:\Users\user\Desktop\CVE-2022-26809.exe"
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CVE-2022-26809.exe.log
Source: classification engine, Classification label: mal60.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: CVE-2022-26809.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_00B029B4 pushfd ; ret 0_2_00B029AE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_00B02928 pushfd ; ret 0_2_00B029AE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_00B0299D pushfd ; ret 0_2_00B029AE
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_00B0288C pushfd ; ret 0_2_00B02922
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Code function: 0_2_00B0254C pushfd ; ret 0_2_00B0255A
Source: initial sample, Static PE information: section name: .text entropy: 7.53756303635
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CVE-2022-26809.exe TID: 7124, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CVE-2022-26809.exe, Memory allocated: page read and write | page guard
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 21 Virtualization/Sandbox Evasion | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Software Packing | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Process Injection | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
Source | Detection | Scanner | Label | Link
CVE-2022-26809.exe | 30% | Virustotal | | Browse
CVE-2022-26809.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:629914
Start date and time: 19/05/2022 08:30:56 (2022-05-19 08:30:56 +02:00)
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 41s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:CVE-2022-26809.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:23
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.winEXE@2/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 1.1% (good quality ratio 1.1%)
  • Quality average: 62.7%
  • Quality standard deviation: 18.5%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 54
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
Process:C:\Users\user\Desktop\CVE-2022-26809.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):20
Entropy (8bit):3.6841837197791887
Encrypted:false
SSDEEP:3:QHXMKas:Q3Las
MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:true
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..
Process:C:\Users\user\Desktop\CVE-2022-26809.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):82
Entropy (8bit):4.892442669405671
Encrypted:false
SSDEEP:3:Gt5N1kAIKkp3McJdjrAyRovn:Gt5QpNJdjMn
MD5:A50E9F7198C05B1B3A5C2E6347BD0B8D
SHA1:0F9DDC40EA0564F129AD3941C21D46A702EDB953
SHA-256:8F36D3AFE6FADE20A4D598E448F568142B0655331CC45CCF10554C123BDCB2DD
SHA-512:BCC1FDEB6124580679CC161203A62D95559F113D1D557A551298C72A80121D5F02391180B754D4642DA4247A5FF25E002597247F854382A38737ED61BF495047
Malicious:false
Reputation:low
Preview:CVE-2022-26809 RPC Remote Exploit..Port: TCP 135,139,445..Usage: exp.exe IP Port..
File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.320862233817581
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name:CVE-2022-26809.exe
File size:32768
MD5:7e0c8be0d03c75bbdc6fd286a796434a
SHA1:0e2e0d26caa32840a720be7f67b49d45094861cb
SHA256:6c676773700c1de750c3f8767dbce9106317396d66a004aabbdd29882435d5e0
SHA512:f56e0110374adedbc5b4ffb4a8d7e9d3213b66a7fea14ea6c294a3ddaa843c249b5451ff04af5554bcdfc838856211e0d61c1eee04421aafa7db7ebc10178996
SSDEEP:384:v/rFHbs/WPJfEjtF9/vgGmKoKdkByfqoQEkHJYFynOyvrIz67Nd/6AmsW7QGxRVy:v/pHbsuStF9QGZ0/IAN/szuoxtE
TLSH:7CE2B0456ADCE823CBE9433EC8D6DF410B35F372A566DB47BD5812E166873B2482A313
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.................v............... ........@.. ....................................@................................
Icon Hash:00828e8e8686b000
Entrypoint:0x40950e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6285B81A [Thu May 19 03:23:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:v2.0.50727
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x94b8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x510 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7514 | 0x7600 | False | 0.838089247881 | data | 7.53756303635 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x510 | 0x600 | False | 0.388020833333 | data | 3.86849876502 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xa0a0 | 0x284 | data | |
RT_MANIFEST | 0xa324 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2022
Assembly Version | 1.0.0.0
InternalName | CVE-2022-26809.exe
FileVersion | 1.0.0.0
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | CVE-2022-26809.exe

No network behavior found

Target ID:0
Start time:08:31:58
Start date:19/05/2022
Path:C:\Users\user\Desktop\CVE-2022-26809.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\CVE-2022-26809.exe"
Imagebase:0x200000
File size:32768 bytes
MD5 hash:7E0C8BE0D03C75BBDC6FD286A796434A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
  • Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000000.00000002.414274842.0000000002867000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:low

Target ID:1
Start time:08:31:59
Start date:19/05/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff77f440000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

    Execution Graph

    Execution Coverage:22.9%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:48.9%
    Total number of Nodes:47
    Total number of Limit Nodes:4
    execution_graph 3310 49b3040 3311 49b304c 3310->3311 3312 49b305d 3311->3312 3314 49b5c81 3311->3314 3331 49b5cbd 3314->3331 3315 49b674f 3327 b0a1f4 VirtualProtect 3315->3327 3328 b0a23c VirtualProtect 3315->3328 3329 b0a25e VirtualProtect 3315->3329 3316 49b6615 3334 b0a1f4 VirtualProtect 3316->3334 3335 b0a23c VirtualProtect 3316->3335 3336 b0a25e VirtualProtect 3316->3336 3317 49b62e3 3317->3316 3337 b0a1f4 VirtualProtect 3317->3337 3338 b0a23c VirtualProtect 3317->3338 3339 b0a25e VirtualProtect 3317->3339 3318 49b65b4 3321 b0a1f4 VirtualProtect 3318->3321 3322 b0a23c VirtualProtect 3318->3322 3323 b0a25e VirtualProtect 3318->3323 3319 49b5eaa 3319->3312 3320 49b6877 3320->3319 3324 b0a1f4 VirtualProtect 3320->3324 3325 b0a23c VirtualProtect 3320->3325 3326 b0a25e VirtualProtect 3320->3326 3321->3316 3322->3316 3323->3316 3324->3320 3325->3320 3326->3320 3327->3320 3328->3320 3329->3320 3331->3317 3331->3319 3340 b0a1f4 3331->3340 3345 b0a23c 3331->3345 3349 b0a25e 3331->3349 3334->3315 3335->3315 3336->3315 3337->3318 3338->3318 3339->3318 3341 b0a265 VirtualProtect 3340->3341 3342 b0a211 3340->3342 3344 b0a2a8 3341->3344 3342->3331 3344->3331 3346 b0a25e VirtualProtect 3345->3346 3348 b0a2a8 3346->3348 3348->3331 3350 b0a293 VirtualProtect 3349->3350 3352 b0a2c7 3349->3352 3351 b0a2a8 3350->3351 3351->3331 3352->3350 3357 b0a42b 3358 b0a43e WriteFile 3357->3358 3360 b0a4c5 3358->3360 3361 49b3030 3362 49b3040 3361->3362 3363 49b305d 3362->3363 3364 49b5c81 3 API calls 3362->3364 3364->3363 3353 b0a45e 3355 b0a493 WriteFile 3353->3355 3356 b0a4c5 3355->3356
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: ($<$ll.dl$ntin
    • API String ID: 0-1156427182
    • Opcode ID: ea48255ef3c0ef0f0900d6b2a2a7657c11f8021e5f34f641b73faa1edff56e5a
    • Instruction ID: 429fbaf142dfd6698cd8a5d1fa7cbefcfb25d3c8d3e8d127b1397cb3e8a6a868
    • Opcode Fuzzy Hash: ea48255ef3c0ef0f0900d6b2a2a7657c11f8021e5f34f641b73faa1edff56e5a
    • Instruction Fuzzy Hash: B7A2CD74E00219DFDB54CFA9C980ADDBBB2BF89304F2581A9D948AB355D730AD82CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 253 49b0098-49b00af 254 49b00b1 253->254 255 49b00b6-49b00f8 253->255 254->255 257 49b00fa 255->257 258 49b00ff-49b0138 255->258 257->258 296 49b013d call 23f05f6 258->296 297 49b013d call 49b0320 258->297 261 49b0143-49b0212 275 49b0219-49b0226 261->275 276 49b0214 261->276 277 49b0228 275->277 278 49b022d-49b023f 275->278 276->275 277->278 279 49b0241 278->279 280 49b0246-49b0258 278->280 279->280 281 49b025a 280->281 282 49b025f-49b02a9 280->282 281->282 286 49b02ab-49b02b1 282->286 287 49b02b8-49b02c0 282->287 286->287 288 49b02c7-49b02d4 287->288 289 49b02ea 288->289 290 49b02d6-49b02e8 288->290 291 49b02ed-49b02ef 289->291 290->291 292 49b02f1-49b02fa 291->292 293 49b0316-49b031e 291->293 294 49b0309-49b0315 292->294 295 49b02fc-49b02ff 292->295 295->294 296->261 297->261
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: P $X1q$X1q$X1q
    • API String ID: 0-3588421060
    • Opcode ID: 256dddf49332b2de7b75c24515ef2e394f7bd1a1bf6fb41698812d5324dd7c8d
    • Instruction ID: 052f1b17c316948a0129ed27345238d1e3b0acbad7fc8894090c9f4e89b6fc8b
    • Opcode Fuzzy Hash: 256dddf49332b2de7b75c24515ef2e394f7bd1a1bf6fb41698812d5324dd7c8d
    • Instruction Fuzzy Hash: 19910574E01248DFDB44DFA9D584A9EBBF2FF88305F248069E419AB364DB34A945CF50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 206 49b0088-49b00af 209 49b00b1 206->209 210 49b00b6-49b00f8 206->210 209->210 212 49b00fa 210->212 213 49b00ff-49b0125 210->213 212->213 215 49b012c-49b0138 213->215 251 49b013d call 23f05f6 215->251 252 49b013d call 49b0320 215->252 216 49b0143-49b015a 218 49b0164-49b0173 216->218 219 49b017a-49b0212 218->219 230 49b0219-49b0226 219->230 231 49b0214 219->231 232 49b0228 230->232 233 49b022d-49b023f 230->233 231->230 232->233 234 49b0241 233->234 235 49b0246-49b0258 233->235 234->235 236 49b025a 235->236 237 49b025f-49b02a9 235->237 236->237 241 49b02ab-49b02b1 237->241 242 49b02b8-49b02c0 237->242 241->242 243 49b02c7-49b02d4 242->243 244 49b02ea 243->244 245 49b02d6-49b02e8 243->245 246 49b02ed-49b02ef 244->246 245->246 247 49b02f1-49b02fa 246->247 248 49b0316-49b031e 246->248 249 49b0309-49b0315 247->249 250 49b02fc-49b02ff 247->250 250->249 251->216 252->216
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: P $X1q$X1q$X1q
    • API String ID: 0-3588421060
    • Opcode ID: 786b0ae59765577347d75526bd364f9a0008c20fd025c0527b70e33c3db936b2
    • Instruction ID: 1d7ef368802cc8ce069e33576fe8a6558a36fda8477a5c8b480a479bacfa1ded
    • Opcode Fuzzy Hash: 786b0ae59765577347d75526bd364f9a0008c20fd025c0527b70e33c3db936b2
    • Instruction Fuzzy Hash: 8E912674E00248DFDB04DFA9C584A9EBBF2BF89305F28C069E409AB355DB34A945CF50
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 243b2e23ae4dabb5a07910cefbdf0e40dcdf436866b5501c8a3e2a8d153ee28a
    • Instruction ID: 08a1925101f745a5e0f109d697586b0d067f40cd0fc1911ee3a0e57904bc333f
    • Opcode Fuzzy Hash: 243b2e23ae4dabb5a07910cefbdf0e40dcdf436866b5501c8a3e2a8d153ee28a
    • Instruction Fuzzy Hash: 6942D770D00149DFDB54CFA9C68498EFBF2BF48319B69C1A9D458AB212D770E881CF95
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 777 49b42b9-49b42ea 778 49b42ec 777->778 779 49b42f1-49b4358 777->779 778->779 870 49b435e call 49b4a30 779->870 871 49b435e call 49b4a40 779->871 780 49b4364-49b43a9 782 49b43ab 780->782 783 49b43ba-49b43cc 780->783 784 49b43b1-49b43b4 782->784 785 49b49c4-49b49cd 782->785 786 49b43ce 783->786 787 49b43d3-49b445d 783->787 784->783 784->785 788 49b49cf 785->788 789 49b49de-49b49f8 785->789 786->787 787->785 790 49b4462-49b4486 788->790 791 49b49d5-49b49d8 788->791 866 49b49fa call 49b4d18 789->866 867 49b49fa call 49b4d28 789->867 793 49b4488 790->793 794 49b448d-49b44a7 790->794 791->789 791->790 793->794 799 49b44ad-49b44e6 794->799 800 49b45ec-49b45fb 794->800 798 49b4a00-49b4a17 811 49b456f-49b45b4 799->811 812 49b44ec-49b456d 799->812 802 49b45fd 800->802 803 49b4602-49b461c 800->803 802->803 809 49b4622-49b4631 803->809 810 49b47e7-49b4871 803->810 813 49b4638-49b4652 809->813 814 49b4633 809->814 832 49b4878-49b4898 810->832 833 49b4873 810->833 819 49b45b7-49b45e7 811->819 812->819 820 49b46f8-49b4707 813->820 821 49b4658-49b466d 813->821 814->813 819->785 823 49b4709 820->823 824 49b470e-49b4728 820->824 825 49b466f 821->825 826 49b4674-49b4694 821->826 823->824 834 49b472a-49b4731 824->834 835 49b4733-49b4742 824->835 825->826 837 49b469a-49b46f3 826->837 838 49b4792-49b47bf 826->838 843 49b489e-49b48bf 832->843 844 49b4961-49b4964 832->844 833->832 840 49b4786-49b478f 834->840 841 49b4749-49b4769 835->841 842 49b4744 835->842 837->785 868 49b47c1 call 49b5498 838->868 869 49b47c1 call 49b54a8 838->869 840->838 854 49b476b-49b4772 841->854 855 49b4774-49b477d 841->855 842->841 847 49b48c1-49b4902 843->847 848 49b4904-49b495f 843->848 849 49b4967-49b496f 844->849 845 49b47c7-49b47e2 845->849 847->849 848->849 852 49b4978-49b4984 849->852 853 49b4971 849->853 858 49b498c-49b49c1 852->858 859 49b4986-49b498a 852->859 853->859 862 49b4973-49b4976 853->862 857 49b4780-49b4783 854->857 855->857 857->840 858->785 859->789 859->858 862->852 
862->859 866->798 867->798 868->845 869->845 870->780 871->780
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 163a5be2719809f3b91626c0f2d54de244f43dd16f919c302d883ac10e32a01c
    • Instruction ID: 4f1dccd95952a1dfb43d67e862e0b8acb514242f8669493f45faf4da83d560ce
    • Opcode Fuzzy Hash: 163a5be2719809f3b91626c0f2d54de244f43dd16f919c302d883ac10e32a01c
    • Instruction Fuzzy Hash: 25427D74E00228DFDB54CFA9C984A9DBBF2FF48300F5181A9E859A7356D734AA81CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 337e39b908210e6028c0380040d6643a3a6476ef797690c4d276e07cb98f3305
    • Instruction ID: 024cbbcf254db505eb051e621de8aaca62b1ff0808366abb5a9fa734e1164558
    • Opcode Fuzzy Hash: 337e39b908210e6028c0380040d6643a3a6476ef797690c4d276e07cb98f3305
    • Instruction Fuzzy Hash: 57427D74E00228DFDB54CFA9C994A9DBBF2FF48300F5481A9E809A7365D734AA85CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dea7fd89aa0fd3cddecb4bcd65d40f182c01d122cf7c4740e607d60334e71008
    • Instruction ID: 799feeb4f501e7f050ca1281c99b1b53177da7254ef8b88aed704ac062b25379
    • Opcode Fuzzy Hash: dea7fd89aa0fd3cddecb4bcd65d40f182c01d122cf7c4740e607d60334e71008
    • Instruction Fuzzy Hash: BC32E470900258DFEB64DF99C584A8DFBF2BF49309F59C1A4C848AB611CB30E985CFA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteFile.KERNELBASE(?,00000E2C,10DCB588,00000000,00000000,00000000,00000000), ref: 00B0A4BD
    Memory Dump Source
    • Source File: 00000000.00000002.414179811.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0a000_CVE-2022-26809.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 0b3eb54893426841e62a6dc7f35d6fc395deb7144f15114994238607c7556cd7
    • Instruction ID: 47a31c0c213c9698a40495c4f7d5bd55d42288836a16249672cce7e09fea115b
    • Opcode Fuzzy Hash: 0b3eb54893426841e62a6dc7f35d6fc395deb7144f15114994238607c7556cd7
    • Instruction Fuzzy Hash: 1821A3724097806FEB128B659D45F96BFF8EF16310F0884DBE9849B193D265A508C772
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: R8o,
    • API String ID: 0-3129325462
    • Opcode ID: f192bfeb95ef86b5abf186478f42066b875a1b94dc3926713dcb76bdb1db8938
    • Instruction ID: 5f94ce544dcc56ef9e633f29fe43bde9db06b50a4bf0b12fedff6787d88d1406
    • Opcode Fuzzy Hash: f192bfeb95ef86b5abf186478f42066b875a1b94dc3926713dcb76bdb1db8938
    • Instruction Fuzzy Hash: C5C13670A41208CFDB24DFA4D9547EEBBB2AFC9301F90806A9456B73A4DB709D81CF65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B0A299
    Memory Dump Source
    • Source File: 00000000.00000002.414179811.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0a000_CVE-2022-26809.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: f3caeb4de18cbe4a59d5bd9f06c459b92c2735ce43daa01e14bec8860b4012ce
    • Instruction ID: 72e79168719785fd133743ed70431a7ae1be1bb52f17831bec871f802d3d6fca
    • Opcode Fuzzy Hash: f3caeb4de18cbe4a59d5bd9f06c459b92c2735ce43daa01e14bec8860b4012ce
    • Instruction Fuzzy Hash: 5A2127355093C08FDB628B259850755BFB0EF12320F0D85EBD985CB6A3C22A9909DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteFile.KERNELBASE(?,00000E2C,10DCB588,00000000,00000000,00000000,00000000), ref: 00B0A4BD
    Memory Dump Source
    • Source File: 00000000.00000002.414179811.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0a000_CVE-2022-26809.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: d3f1c69a58c3d513a99683d7dc3fe9ba4c251471e1e301d7e87aa68e33ee7d46
    • Instruction ID: 9de460b7eeb8a023ba86f1699ff306b87f2a3802c9e46593e24b3dc11516f194
    • Opcode Fuzzy Hash: d3f1c69a58c3d513a99683d7dc3fe9ba4c251471e1e301d7e87aa68e33ee7d46
    • Instruction Fuzzy Hash: C111C871400300AFEB21CF55DD45F5AFFE8EF54320F14889AED459B281D274A504CB72
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B0A299
    Memory Dump Source
    • Source File: 00000000.00000002.414179811.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0a000_CVE-2022-26809.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: f3babbe8624abfc36b5fb3601ce8acdbe9ba7e31876c5013ae4ba79553b36e81
    • Instruction ID: e6e190a15bfdc016f5ab13596e99a3485f15ce44728c624011921733d0a4533a
    • Opcode Fuzzy Hash: f3babbe8624abfc36b5fb3601ce8acdbe9ba7e31876c5013ae4ba79553b36e81
    • Instruction Fuzzy Hash: 9111A076504780AFDB228F15DC44B62FFB4EF55320F08C49EED858B662D276A818DB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B0A299
    Memory Dump Source
    • Source File: 00000000.00000002.414179811.0000000000B0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0A000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b0a000_CVE-2022-26809.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: e3483833fc2ae58fb5d06a7dfcb1a034850b7d5bac26d9a1671b06142dea762e
    • Instruction ID: 34f1701a7ee4389455675dbc179d1d8fe79d0086a3f8cc5885951f5b639ea9a3
    • Opcode Fuzzy Hash: e3483833fc2ae58fb5d06a7dfcb1a034850b7d5bac26d9a1671b06142dea762e
    • Instruction Fuzzy Hash: 4E01BC355007408FDB208F19D884B66FFE4EF14320F18C9AEED498B691C272E418DF62
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: r
    • API String ID: 0-1812594589
    • Opcode ID: 723ae93e766ce8fe2595144b1d817010bf77d34da51d73cb997eaf11fa07a419
    • Instruction ID: 4ad880a4e88e747726ae14b8f06ab0503cbc169e5a8dd251699903b2102d807d
    • Opcode Fuzzy Hash: 723ae93e766ce8fe2595144b1d817010bf77d34da51d73cb997eaf11fa07a419
    • Instruction Fuzzy Hash: D061D774900106EFC708DF99C9998ADFBB2FF48345B65C5A4D8159B365DB30EA81CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: r
    • API String ID: 0-1812594589
    • Opcode ID: 4cb373493593714812a58e539dad5372355b22b3c96c76cc8864b6ef65c11fc1
    • Instruction ID: ffe74b9f4dba5f214af21bd470a80da142a4fe9452fa06b0fcc835963eb566ba
    • Opcode Fuzzy Hash: 4cb373493593714812a58e539dad5372355b22b3c96c76cc8864b6ef65c11fc1
    • Instruction Fuzzy Hash: E961FA7490011AEFC708DF98D9848ADFBB2FF48305B65C5A4D415AB356DB30EA81DF94
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: r
    • API String ID: 0-1812594589
    • Opcode ID: f045bceaa5bbc962730e4f82e73e218b0c73ab66d1e00eb9bb6d829850419609
    • Instruction ID: d0e606254f8340be58590b4c8dd04fa794ab0d018946b385320d5d1be109ef4f
    • Opcode Fuzzy Hash: f045bceaa5bbc962730e4f82e73e218b0c73ab66d1e00eb9bb6d829850419609
    • Instruction Fuzzy Hash: 2E314FB4A05215DFCB08CFA6C9449EEBBF6FF89301B60C4A9D44597321DB30A942DF50
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID: r
    • API String ID: 0-1812594589
    • Opcode ID: 5456011ef30e55ae25780c9be1093786179cd83d6be783b0c9a6471e1f238a87
    • Instruction ID: a1e641ff7496e722d7214a0f8c97dd5250553775c8dec5535669c5c4e7854ada
    • Opcode Fuzzy Hash: 5456011ef30e55ae25780c9be1093786179cd83d6be783b0c9a6471e1f238a87
    • Instruction Fuzzy Hash: F4314B70A05205DFCB09CFA6C9588EEBBF2FF8A301B5484B9D405A7321DB31AA01CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5843657be53bb4298999f30a791237850e092dfc373a454ce41541225cd69091
    • Instruction ID: b03f957f4f132c564cd9cf6f3adab80dbca5b93a4e4651bc997323b4694edcb6
    • Opcode Fuzzy Hash: 5843657be53bb4298999f30a791237850e092dfc373a454ce41541225cd69091
    • Instruction Fuzzy Hash: 7B91A274E012098FDB44DFA8C885ADDBBF2FF89304F218569D504BB395DA34A946CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fa88d06338458c3ee6f34e593aaf778b77e8f5fed8f465893668404ef3d1b2e9
    • Instruction ID: 3ace5a4386b0ed7f3bb4db7f451954b31c8d8e8cdf156be93a898ede958b3146
    • Opcode Fuzzy Hash: fa88d06338458c3ee6f34e593aaf778b77e8f5fed8f465893668404ef3d1b2e9
    • Instruction Fuzzy Hash: 2C518F74E00208DFDB08DFAAD995AADBBF2BF89304F208169E815B7354DB355A45CF50
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8162bd7b54c89b336c59bca41fbfa5a0cbd83c19625ff5c1c93d07375245033d
    • Instruction ID: 321b7ac1d1df8779e5966aacbcd6172915f195691b4914b64b8bfd000492a228
    • Opcode Fuzzy Hash: 8162bd7b54c89b336c59bca41fbfa5a0cbd83c19625ff5c1c93d07375245033d
    • Instruction Fuzzy Hash: FC519E74E00208DFDB08DFAAD995AAEBBF2BF88300F208169E815A7354DB355A45CF50
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1d5f6f0177800f5e635acc225ab0a59e4611c9a17041f2984231f639be4612e1
    • Instruction ID: d50c42f7513a8fdfdef49f2ffde7d0ddde19f5ee1838a2b328679ff2094d96a2
    • Opcode Fuzzy Hash: 1d5f6f0177800f5e635acc225ab0a59e4611c9a17041f2984231f639be4612e1
    • Instruction Fuzzy Hash: 1741AD74E012089FDB08DFAAD995AEEBBF2BF88300F208169E805A7364DB355945CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 615d87949d2e251c497327c84ba7c093df547eef87701bf10c82879e6ea8bab7
    • Instruction ID: 6204754fd10449213407f306ce46348e86fe3245da25f9e42cdbd24b380fbd06
    • Opcode Fuzzy Hash: 615d87949d2e251c497327c84ba7c093df547eef87701bf10c82879e6ea8bab7
    • Instruction Fuzzy Hash: 08419D74E01208DFDB08DFAAD995A9EFBF2BF88700F208169E805A7364DB355A45CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aec51a7252270fd168c90589449fd78ba94121f63496dfd0c9235fcf0407f201
    • Instruction ID: 17ece9b503113a7aa57689084e65cb0adc86e4db359d39ca8526adef38d024e3
    • Opcode Fuzzy Hash: aec51a7252270fd168c90589449fd78ba94121f63496dfd0c9235fcf0407f201
    • Instruction Fuzzy Hash: F3314871E002099FDB08CF9AD9446AEFBF2EF88304F14C06AD859A7261DB345A41CB94
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 18a81ae7607c72edb677034d12a2a65d9193ca46c4d143cc2292bae64113e836
    • Instruction ID: a969791d9efb175b79270c97f3c6e79ed30ef0a4c5ba623ca32e491b7e6a36ae
    • Opcode Fuzzy Hash: 18a81ae7607c72edb677034d12a2a65d9193ca46c4d143cc2292bae64113e836
    • Instruction Fuzzy Hash: F83126B1E00249DFDB08CFAAD9556AEFBF3EF88304F14C069D459A7261DB345A41CB94
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cee99c9a2e1f64e5197ea35b0c955dfe0ad31c4c466a9d70baeb4a1ae3d73557
    • Instruction ID: 6cf354734e41a848df8764838439a6568a828c3f722cb6f26cd4eca659882862
    • Opcode Fuzzy Hash: cee99c9a2e1f64e5197ea35b0c955dfe0ad31c4c466a9d70baeb4a1ae3d73557
    • Instruction Fuzzy Hash: C73103B4E04619DFDB04DF99C981AADFBF2FB48300F24C5A9D455AB352D330AA81DB90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 92a70eb10f563711869b3af9be19518fc828e8eb5b46bae21e083a9778c3db1e
    • Instruction ID: c12940c3e67c468051b63e7bf1a141346abc6e62babf0ab7b13329a0ff846ffb
    • Opcode Fuzzy Hash: 92a70eb10f563711869b3af9be19518fc828e8eb5b46bae21e083a9778c3db1e
    • Instruction Fuzzy Hash: BB31E3B4A00219DFCB04DF99C995AAEFBB2FF48340F25C5A5D419AB355D730AA80CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d5c9f869cea67f1bc4f1fd204aa2ebf7e600d978e0476f181065ef07a8b2236d
    • Instruction ID: 02110b8482c37a5ad4a381577173a0de31acb5c492819affd046402652a972d4
    • Opcode Fuzzy Hash: d5c9f869cea67f1bc4f1fd204aa2ebf7e600d978e0476f181065ef07a8b2236d
    • Instruction Fuzzy Hash: 25319E74D00209EFCB44DF98CA84AEDBBF1BF48319F6481A9D845A7315D771AA81CFA4
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9667fc766b393e51942e356e4067af95e80d40acb33846e425d631880017c4f6
    • Instruction ID: 844b027328fe90f36142cf7ef046aae01d1b67f930239e07005c60f913b0043e
    • Opcode Fuzzy Hash: 9667fc766b393e51942e356e4067af95e80d40acb33846e425d631880017c4f6
    • Instruction Fuzzy Hash: 03115970E01218DFDB10DFAAE9457EEBBF2EF86300F50806AD055A3350DB705A86CB51
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6ffbe79ceb68894796e587d2f462c2b03f74199b01573b981c5623803765aca2
    • Instruction ID: 848dc7534d6763fde595894d0491c8e46f55cb5cf0265e78c4f4fd7b6318622b
    • Opcode Fuzzy Hash: 6ffbe79ceb68894796e587d2f462c2b03f74199b01573b981c5623803765aca2
    • Instruction Fuzzy Hash: 941166B4E012099FDB54DF9AC5819AEBBF1EF48300F618199D805A7751D734AE42CF61
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cd57634ec95efcd9f88d51568990ebefa39d80b61204f9e022d7d372c5b8be89
    • Instruction ID: 43596b15d6f4022d751e241ed2dceb6c32847af1819b197ceccf1e96534e8d7a
    • Opcode Fuzzy Hash: cd57634ec95efcd9f88d51568990ebefa39d80b61204f9e022d7d372c5b8be89
    • Instruction Fuzzy Hash: 9711D7B4E00249DFDB54CFA9C5819AEBBF1FF48300F6180A9D404A7721DB30AE41CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: be4f4b972e7ecce61bbaae2617453023c166bf435f7ea626d7d71e673f7364f3
    • Instruction ID: 009055b3f7494b04c2e01c8a91ae9215af405dd659a4a72f252b4afd353ac23a
    • Opcode Fuzzy Hash: be4f4b972e7ecce61bbaae2617453023c166bf435f7ea626d7d71e673f7364f3
    • Instruction Fuzzy Hash: 10011E78A00508EFCB04DB98DA99E9DBFF5EF48300F65C1A9E5046B362D630AE41DB81
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 369898a90eef18ad596e107d73c8781cf0de894f540e000ecb3bf3c86a1e98f7
    • Instruction ID: 82ffaa2196a6b16b35fcf8724656d4745a6de9f95032abfddda8f39698ffd1db
    • Opcode Fuzzy Hash: 369898a90eef18ad596e107d73c8781cf0de894f540e000ecb3bf3c86a1e98f7
    • Instruction Fuzzy Hash: 3F01D774E05208EFCB04DFA9D58299EBFF5FF89300F2581A9D444AB752D730AA45CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 83023aba743f171bf15743c5091994dcde7a11564c9544e0300b56a0fca51368
    • Instruction ID: 6fa38d3bfc82f176a42d1cf5be512aedb52c3a83b5040c60f577c37f7979dc7e
    • Opcode Fuzzy Hash: 83023aba743f171bf15743c5091994dcde7a11564c9544e0300b56a0fca51368
    • Instruction Fuzzy Hash: 7E01C5B4E04208AFDB04DF99D58599DFFF5FF88300F258199D844AB356E730AA428B81
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3b933ff317a167e136156e2e0ce7b0be54e7b71eb208f3c046dd37bec5686225
    • Instruction ID: 8f358d8ac58c1bfd15eecc92365864ad32bd6cf9d767e1212217ce88e54b431f
    • Opcode Fuzzy Hash: 3b933ff317a167e136156e2e0ce7b0be54e7b71eb208f3c046dd37bec5686225
    • Instruction Fuzzy Hash: 291153B4E00209DFDB54DF99C5819AEBBF5EF48300F6091A9D804A7755D770AE41CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b6b9cbf5fa7613cf5f6c6bbc9d407a176f37f1f1b1ed8792f4054ca8cb92ae1c
    • Instruction ID: 68557aacbccb726c5e2da85f3674bbc155baaf6032d34d0ef62eb28674f16ce8
    • Opcode Fuzzy Hash: b6b9cbf5fa7613cf5f6c6bbc9d407a176f37f1f1b1ed8792f4054ca8cb92ae1c
    • Instruction Fuzzy Hash: 971153B4E00209DFCB54DF9AC580AAEBBF5AF48301F6181A9D808A7755D730AE41CFA1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414231242.00000000023F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_23f0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414176886.0000000000B02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B02000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b02000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414176886.0000000000B02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B02000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b02000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.414674171.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_49b0000_CVE-2022-26809.jbxd
    Uniqueness

    Uniqueness Score: -1.00%