Edit tour

Windows Analysis Report
f3I38kv.exe

Overview

General Information

Sample name:	f3I38kv.exe
Analysis ID:	1582378
MD5:	71e2bab6de31ab3476ac7529a603de1c
SHA1:	ce92b47562732cb095b318f2e5cf0f5bf7fb4b68
SHA256:	c4dda91a7666f799687ecc6998b0676dd19c4545b381271d01c0400274d18c55
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates processes via WMI

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

f3I38kv.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\f3I38kv.exe" MD5: 71E2BAB6DE31AB3476AC7529A603DE1C)

wscript.exe (PID: 7136 cmdline: "C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 6280 cmdline: C:\Windows\system32\cmd.exe /c ""C:\blockbrowserdllCommon\ZUKrGOW39NDMa.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

hyperruntimemonitorCommon.exe (PID: 1832 cmdline: "C:\blockbrowserdllCommon/hyperruntimemonitorCommon.exe" MD5: 798B5560B2A2C6596A0C1A09419AD2C4)

schtasks.exe (PID: 2088 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3004 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2144 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5900 cmdline: schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 10 /tr "'C:\Recovery\SIHClient.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6092 cmdline: schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Recovery\SIHClient.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3412 cmdline: schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 7 /tr "'C:\Recovery\SIHClient.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1228 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5252 cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5668 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6504 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 10 /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7144 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7056 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 8 /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7160 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6472 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 932 cmdline: schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6372 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6208 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 6260 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

nGnJvqnFLoRdIZNyVoMyF.exe (PID: 1880 cmdline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe" MD5: 798B5560B2A2C6596A0C1A09419AD2C4)

nGnJvqnFLoRdIZNyVoMyF.exe (PID: 6328 cmdline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe" MD5: 798B5560B2A2C6596A0C1A09419AD2C4)

nGnJvqnFLoRdIZNyVoMyF.exe (PID: 4228 cmdline: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe" MD5: 798B5560B2A2C6596A0C1A09419AD2C4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://vds-898383.1gb.ru/pipePacketgamelocaldownloadsTemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
f3I38kv.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
f3I38kv.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\SIHClient.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\SIHClient.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\SIHClient.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\SIHClient.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\SIHClient.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\SIHClient.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1659074697.0000000005326000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000000.1936497024.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1658269779.0000000005214000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: hyperruntimemonitorCommon.exe PID: 1832	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.f3I38kv.exe.5262707.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.f3I38kv.exe.5262707.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.f3I38kv.exe.5374707.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.f3I38kv.exe.5374707.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.0.hyperruntimemonitorCommon.exe.a00000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7.0.hyperruntimemonitorCommon.exe.a00000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.f3I38kv.exe.5262707.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.f3I38kv.exe.5262707.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.f3I38kv.exe.5374707.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.f3I38kv.exe.5374707.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, ProcessId: 1832, TargetFilename: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\f3I38kv.exe", ParentImage: C:\Users\user\Desktop\f3I38kv.exe, ParentProcessId: 7052, ParentProcessName: f3I38kv.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe" , ProcessId: 7136, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f, CommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\blockbrowserdllCommon/hyperruntimemonitorCommon.exe", ParentImage: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, ParentProcessId: 1832, ParentProcessName: hyperruntimemonitorCommon.exe, ProcessCommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f, ProcessId: 1228, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T13:18:38.084470+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49736	81.177.33.6	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: f3I38kv.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\rfYGTcKI.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\ZLNiVXPn.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\kikGqNQT.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\KpbTIyuS.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\Desktop\DzXmKSai.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\omJXhfZJ.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Recovery\SIHClient.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\yEVVDmkp.log	Avira: detection malicious, Label: HEUR/AGEN.1300079

Found malware configuration

Source: 00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://vds-898383.1gb.ru/pipePacketgamelocaldownloadsTemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\DzXmKSai.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\JsALnyfX.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\PkdkPdkL.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\WahSOJEu.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\YTwAzGpt.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ZLNiVXPn.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\cBDZcTPh.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\fDqHyDTc.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\kikGqNQT.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\nYbxxKQM.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\pixyxcvN.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\wKTFMmGz.log	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: f3I38kv.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\JsALnyfX.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\wTqFwYZw.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\uWPwaYLB.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nYbxxKQM.log	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\rfYGTcKI.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\YTwAzGpt.log	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\kikGqNQT.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KpbTIyuS.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\cBDZcTPh.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\omJXhfZJ.log	Joe Sandbox ML: detected
Source: C:\Recovery\SIHClient.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\hxFqjzFa.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\yEVVDmkp.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: f3I38kv.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"a16c206c-6675-4a07-b8b3-f396ed5c6bae":{"_0":"","_1":"Block"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"","_1":"One directory"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive","_1":""}}
Source: 00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["4qKnNkrD0nd8G2gEcZdyULKAiXWu5YlbNxiRsEmOyvD23OSwZGj4LEJsfKE0O6IbCCuTTOVXxO9iHSGUFkVzyqPJo0wh9wA2nmz0d9cLuMH6EkkNDtunlTnWwkpdcyXA","36ee50d7d201ff2376332adc828fa2641c4dc216989787c8e03018bbdc024ca7","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVW93WTI1V2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNqRmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFXUklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"]
Source: 00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://vds-898383.1gb.ru/","pipePacketgamelocaldownloadsTemporary"]]

Source: f3I38kv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe			Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\de83736a915df6			Jump to behavior

Source: f3I38kv.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: f3I38kv.exe

Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004FA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_004FA69B
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0050C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0050C220

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		7_2_00007FFD9BC7CFFD
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 4x nop then jmp 00007FFD9BAD1BE6h		29_2_00007FFD9BAD19DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 81.177.33.6:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: hyperruntimemonitorCommon.exe, 00000007.00000002.1990215606.000000000341B000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_004F6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_004F6FAA

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe			Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\5940a34987c991			Jump to behavior

Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004F848E	0_2_004F848E
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004F40FE	0_2_004F40FE
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_00504088	0_2_00504088
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_005000B7	0_2_005000B7
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_00507153	0_2_00507153
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_005151C9	0_2_005151C9
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_005062CA	0_2_005062CA
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004F32F7	0_2_004F32F7
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_005043BF	0_2_005043BF
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0051D440	0_2_0051D440
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004FF461	0_2_004FF461
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004FC426	0_2_004FC426
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_005077EF	0_2_005077EF
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004F286B	0_2_004F286B
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0051D8EE	0_2_0051D8EE
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_005219F4	0_2_005219F4
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004FE9B7	0_2_004FE9B7
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_00506CDC	0_2_00506CDC
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_00503E0B	0_2_00503E0B
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004FEFE2	0_2_004FEFE2
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_00514F9A	0_2_00514F9A
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9BAC0DA3	7_2_00007FFD9BAC0DA3
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9BC705B3	7_2_00007FFD9BC705B3
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 26_2_00007FFD9BAD0DA3	26_2_00007FFD9BAD0DA3
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BADA5FA	29_2_00007FFD9BADA5FA
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BACF152	29_2_00007FFD9BACF152
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BAC0DA3	29_2_00007FFD9BAC0DA3
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BB09A8C	29_2_00007FFD9BB09A8C
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BB14562	29_2_00007FFD9BB14562
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BADAD3D	29_2_00007FFD9BADAD3D
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 36_2_00007FFD9BAB0DA3	36_2_00007FFD9BAB0DA3

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AOsWDEPp.log 0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE

Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: String function: 0050F5F0 appears 31 times
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: String function: 0050EC50 appears 56 times
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: String function: 0050EB78 appears 39 times

Source: f3I38kv.exe, 00000000.00000003.1662694922.0000000002E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs f3I38kv.exe
Source: f3I38kv.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs f3I38kv.exe

Source: f3I38kv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@35/44@0/0

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_004F6C74 GetLastError,FormatMessageW,

0_2_004F6C74

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_0050A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0050A6C2

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe

Jump to behavior

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

File created: C:\Users\user\Desktop\wKTFMmGz.log

Jump to behavior

Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Mutant created: NULL
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\36ee50d7d201ff2376332adc828fa2641c4dc216989787c8e03018bbdc024ca7
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

File created: C:\Users\user\AppData\Local\Temp\w5nv0ZNcR9

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockbrowserdllCommon\ZUKrGOW39NDMa.bat" "

Source: C:\Users\user\Desktop\f3I38kv.exe	Command line argument: sfxname	0_2_0050DF1E
Source: C:\Users\user\Desktop\f3I38kv.exe	Command line argument: sfxstime	0_2_0050DF1E
Source: C:\Users\user\Desktop\f3I38kv.exe	Command line argument: STARTDLG	0_2_0050DF1E
Source: C:\Users\user\Desktop\f3I38kv.exe	Command line argument: xzT	0_2_0050DF1E

Source: f3I38kv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: f3I38kv.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\f3I38kv.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\f3I38kv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: f3I38kv.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\f3I38kv.exe

File read: C:\Users\user\Desktop\f3I38kv.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\f3I38kv.exe "C:\Users\user\Desktop\f3I38kv.exe"
Source: C:\Users\user\Desktop\f3I38kv.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockbrowserdllCommon\ZUKrGOW39NDMa.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe "C:\blockbrowserdllCommon/hyperruntimemonitorCommon.exe"
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 10 /tr "'C:\Recovery\SIHClient.exe'" /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Recovery\SIHClient.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 7 /tr "'C:\Recovery\SIHClient.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 10 /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 8 /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
Source: C:\Users\user\Desktop\f3I38kv.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockbrowserdllCommon\ZUKrGOW39NDMa.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe "C:\blockbrowserdllCommon/hyperruntimemonitorCommon.exe"	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3I38kv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: version.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: version.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\f3I38kv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe			Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\de83736a915df6			Jump to behavior

Source: f3I38kv.exe

Static file information: File size 4183320 > 1048576

Source: f3I38kv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: f3I38kv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: f3I38kv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: f3I38kv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f3I38kv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: f3I38kv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: f3I38kv.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: f3I38kv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: f3I38kv.exe

Source: f3I38kv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: f3I38kv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: f3I38kv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: f3I38kv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: f3I38kv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\f3I38kv.exe

File created: C:\blockbrowserdllCommon\__tmp_rar_sfx_access_check_5204734

Jump to behavior

Source: f3I38kv.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0050F640 push ecx; ret	0_2_0050F653
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0050EB78 push eax; ret	0_2_0050EB96
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9BC80C33 push cs; iretd	7_2_00007FFD9BC80C37
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1CC999 push ecx; iretd	7_2_00007FFD9C1CCB11
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C0BA9 push ecx; iretd	7_2_00007FFD9C1C0D21
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C7C5F push eax; retf	7_2_00007FFD9C1C7C6D
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C4C62 push ecx; iretd	7_2_00007FFD9C1C4C63
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C4870 push ecx; iretd	7_2_00007FFD9C1C4871
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C746F pushad ; iretd	7_2_00007FFD9C1C749D
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1D0873 push ecx; iretd	7_2_00007FFD9C1D0874
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C749F push eax; iretd	7_2_00007FFD9C1C74AD
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C34F2 push ecx; iretd	7_2_00007FFD9C1C34F3
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C2D26 push ecx; iretd	7_2_00007FFD9C1C2D27
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C8164 push ebx; ret	7_2_00007FFD9C1C816A
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1CFDD7 push ecx; iretd	7_2_00007FFD9C1CFDD8
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C09A8 push ecx; iretd	7_2_00007FFD9C1C09A9
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1D09E9 push ecx; iretd	7_2_00007FFD9C1D09EA
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1D0E22 push ecx; iretd	7_2_00007FFD9C1D0E23
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1D0A30 push ecx; iretd	7_2_00007FFD9C1D0A31
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1CF6B2 push ecx; iretd	7_2_00007FFD9C1CF6B3
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C46B3 push ecx; iretd	7_2_00007FFD9C1C46B4
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1CC798 push ecx; iretd	7_2_00007FFD9C1CC799
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C3C17 push ecx; iretd	7_2_00007FFD9C1C3C18
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C4829 push ecx; iretd	7_2_00007FFD9C1C482A
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Code function: 7_2_00007FFD9C1C7C2F pushad ; retf	7_2_00007FFD9C1C7C5D
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BAE59D6 push eax; retf	29_2_00007FFD9BAE59DC
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BAE48BD push eax; iretd	29_2_00007FFD9BAE48BE
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BAE48B6 push eax; iretd	29_2_00007FFD9BAE48B7
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BAD31B8 push ds; ret	29_2_00007FFD9BAD31B9
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BB1553C push ds; iretd	29_2_00007FFD9BB1556F
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Code function: 29_2_00007FFD9BB057E0 push cs; retf	29_2_00007FFD9BB0597F

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\omJXhfZJ.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\AOsWDEPp.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\KxLmnhVX.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\yEVVDmkp.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\kikGqNQT.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\DzXmKSai.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\yVcnRIer.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\uWPwaYLB.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\YTwAzGpt.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\KpbTIyuS.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\cBDZcTPh.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\ZLNiVXPn.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\JsALnyfX.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\rfYGTcKI.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\OnCcudVQ.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\fDqHyDTc.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\DIumuEtf.log	Jump to dropped file
Source: C:\Users\user\Desktop\f3I38kv.exe	File created: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\pixyxcvN.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\scAOpcZD.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\WahSOJEu.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\wTqFwYZw.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\PkdkPdkL.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\hxFqjzFa.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\nYbxxKQM.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\ProgramData\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Recovery\SIHClient.exe	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\wKTFMmGz.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\azRqGkKl.log	Jump to dropped file

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

File created: C:\ProgramData\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe

Jump to dropped file

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

File created: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe

Jump to dropped file

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\wKTFMmGz.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\pixyxcvN.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\nYbxxKQM.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\OnCcudVQ.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\DzXmKSai.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\uWPwaYLB.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\kikGqNQT.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\azRqGkKl.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\KxLmnhVX.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\JsALnyfX.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\AOsWDEPp.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\yEVVDmkp.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\rfYGTcKI.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\hxFqjzFa.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\YTwAzGpt.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\PkdkPdkL.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\wTqFwYZw.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\cBDZcTPh.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\KpbTIyuS.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\scAOpcZD.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\ZLNiVXPn.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\yVcnRIer.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\omJXhfZJ.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\fDqHyDTc.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\WahSOJEu.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File created: C:\Users\user\Desktop\DIumuEtf.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /f

Source: C:\Users\user\Desktop\f3I38kv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Memory allocated: 12D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Memory allocated: 1B050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Memory allocated: 1AF20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Memory allocated: 18E0000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Memory allocated: 1B250000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Memory allocated: 17A0000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Memory allocated: 1B100000 memory reserve \| memory write watch

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

Code function: 7_2_00007FFD9BC834C9 rdtsc

7_2_00007FFD9BC834C9

Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe

Code function: 29_2_00007FFD9BAE1B58 sldt word ptr [eax]

29_2_00007FFD9BAE1B58

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\omJXhfZJ.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AOsWDEPp.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KxLmnhVX.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yEVVDmkp.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kikGqNQT.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DzXmKSai.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yVcnRIer.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uWPwaYLB.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YTwAzGpt.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KpbTIyuS.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cBDZcTPh.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZLNiVXPn.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JsALnyfX.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rfYGTcKI.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OnCcudVQ.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fDqHyDTc.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DIumuEtf.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pixyxcvN.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\scAOpcZD.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WahSOJEu.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wTqFwYZw.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PkdkPdkL.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hxFqjzFa.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nYbxxKQM.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wKTFMmGz.log	Jump to dropped file
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\azRqGkKl.log	Jump to dropped file

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe TID: 5000	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe TID: 1888	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe TID: 4336	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe TID: 3492	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_004FA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_004FA69B
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0050C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0050C220

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_0050E6A3 VirtualQuery,GetSystemInfo,

0_2_0050E6A3

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Thread delayed: delay time: 922337203685477

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: wscript.exe, 00000001.00000003.1935610244.00000000034CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\T
Source: wscript.exe, 00000001.00000003.1935610244.00000000034CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: hyperruntimemonitorCommon.exe, 00000007.00000002.2025482603.000000001CA4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: hyperruntimemonitorCommon.exe, 00000007.00000002.2025551689.000000001CA64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\f3I38kv.exe

API call chain: ExitProcess graph end node

graph_0-25071

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

Code function: 7_2_00007FFD9BC834C9 rdtsc

7_2_00007FFD9BC834C9

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_0050F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0050F838

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_00517DEE mov eax, dword ptr fs:[00000030h]

0_2_00517DEE

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_0051C030 GetProcessHeap,

0_2_0051C030

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process token adjusted: Debug
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0050F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0050F838
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0050F9D5 SetUnhandledExceptionFilter,	0_2_0050F9D5
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_0050FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0050FBCA
Source: C:\Users\user\Desktop\f3I38kv.exe	Code function: 0_2_00518EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00518EBD

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\f3I38kv.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockbrowserdllCommon\ZUKrGOW39NDMa.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe "C:\blockbrowserdllCommon/hyperruntimemonitorCommon.exe"	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_0050F654 cpuid

0_2_0050F654

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0050AF0F

Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Queries volume information: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe VolumeInformation	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Queries volume information: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Queries volume information: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe VolumeInformation
Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	Queries volume information: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe VolumeInformation

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_0050DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0050DF1E

Source: C:\Users\user\Desktop\f3I38kv.exe

Code function: 0_2_004FB146 GetVersionExW,

0_2_004FB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperruntimemonitorCommon.exe PID: 1832, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: f3I38kv.exe, type: SAMPLE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.hyperruntimemonitorCommon.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1659074697.0000000005326000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1936497024.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1658269779.0000000005214000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: f3I38kv.exe, type: SAMPLE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.hyperruntimemonitorCommon.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hyperruntimemonitorCommon.exe PID: 1832, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: f3I38kv.exe, type: SAMPLE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.hyperruntimemonitorCommon.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1659074697.0000000005326000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1936497024.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1658269779.0000000005214000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: f3I38kv.exe, type: SAMPLE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.hyperruntimemonitorCommon.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5262707.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.f3I38kv.exe.5374707.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	111 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	33 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	37 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
f3I38kv.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
f3I38kv.exe	100%	Avira	VBS/Runner.VPG
f3I38kv.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\rfYGTcKI.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\ZLNiVXPn.log	100%	Avira	TR/Agent.jbwuj
C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\kikGqNQT.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\KpbTIyuS.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\Desktop\DzXmKSai.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\omJXhfZJ.log	100%	Avira	HEUR/AGEN.1300079
C:\Recovery\SIHClient.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\yEVVDmkp.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\JsALnyfX.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\wTqFwYZw.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\uWPwaYLB.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\nYbxxKQM.log	100%	Joe Sandbox ML
C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\rfYGTcKI.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\YTwAzGpt.log	100%	Joe Sandbox ML
C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\kikGqNQT.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\KpbTIyuS.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\cBDZcTPh.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\omJXhfZJ.log	100%	Joe Sandbox ML
C:\Recovery\SIHClient.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\hxFqjzFa.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\yEVVDmkp.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\AOsWDEPp.log	3%	ReversingLabs
C:\Users\user\Desktop\DIumuEtf.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\DzXmKSai.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JsALnyfX.log	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\KpbTIyuS.log	17%	ReversingLabs
C:\Users\user\Desktop\KxLmnhVX.log	5%	ReversingLabs
C:\Users\user\Desktop\OnCcudVQ.log	12%	ReversingLabs
C:\Users\user\Desktop\PkdkPdkL.log	25%	ReversingLabs
C:\Users\user\Desktop\WahSOJEu.log	29%	ReversingLabs
C:\Users\user\Desktop\YTwAzGpt.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ZLNiVXPn.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\azRqGkKl.log	9%	ReversingLabs
C:\Users\user\Desktop\cBDZcTPh.log	21%	ReversingLabs
C:\Users\user\Desktop\fDqHyDTc.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\hxFqjzFa.log	9%	ReversingLabs
C:\Users\user\Desktop\kikGqNQT.log	25%	ReversingLabs
C:\Users\user\Desktop\nYbxxKQM.log	16%	ReversingLabs
C:\Users\user\Desktop\omJXhfZJ.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\pixyxcvN.log	25%	ReversingLabs
C:\Users\user\Desktop\rfYGTcKI.log	17%	ReversingLabs
C:\Users\user\Desktop\scAOpcZD.log	8%	ReversingLabs
C:\Users\user\Desktop\uWPwaYLB.log	8%	ReversingLabs
C:\Users\user\Desktop\wKTFMmGz.log	21%	ReversingLabs
C:\Users\user\Desktop\wTqFwYZw.log	5%	ReversingLabs
C:\Users\user\Desktop\yEVVDmkp.log	4%	ReversingLabs
C:\Users\user\Desktop\yVcnRIer.log	8%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	hyperruntimemonitorCommon.exe, 00000007.00000002.1990215606.000000000341B000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582378
Start date and time:	2024-12-30 13:17:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f3I38kv.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@35/44@0/0
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 184.28.90.27, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, vds-898383.1gb.ru, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target nGnJvqnFLoRdIZNyVoMyF.exe, PID 1880 because it is empty
Execution Graph export aborted for target nGnJvqnFLoRdIZNyVoMyF.exe, PID 6328 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: f3I38kv.exe

Simulations

Behavior and APIs

Time	Type	Description
12:18:29	Task Scheduler	Run new task: dllhost path: "C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe"
12:18:29	Task Scheduler	Run new task: dllhostd path: "C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe"
12:18:29	Task Scheduler	Run new task: nGnJvqnFLoRdIZNyVoMyF path: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
12:18:29	Task Scheduler	Run new task: nGnJvqnFLoRdIZNyVoMyFn path: "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
12:18:29	Task Scheduler	Run new task: SIHClient path: "C:\Recovery\SIHClient.exe"
12:18:29	Task Scheduler	Run new task: SIHClientS path: "C:\Recovery\SIHClient.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AOsWDEPp.log	XNPOazHpXF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3e88PGFfkf.exe	Get hash	malicious	DCRat	Browse
	9FwQYJSj4N.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	CPNSQusnwC.exe	Get hash	malicious	DCRat	Browse
	t8xf0Y1ovi.exe	Get hash	malicious	DCRat	Browse
	teh76E2k50.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	84JufgBTrA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	kIdT4m0aa4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files\Microsoft\OneDrive\ListSync\settings\de83736a915df6

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	ASCII text, with very long lines (862), with no line terminators
Category:	dropped
Size (bytes):	862
Entropy (8bit):	5.9081589499556735
Encrypted:	false
SSDEEP:	24:RP2Kl2RH6cl2EEwll51UgHLEtrDo5zG2CoXL8S9re8HlwzNCjG:R+M2dtL3HLEtw54S968Fsx
MD5:	860881ECF552F4435551EC827873317D
SHA1:	8F1968487C170BB587B69F2A4D66243AC42A9925
SHA-256:	3C958599CD0EFD3DF41A3D59D9174D34E9821052ED54C3250EC9EBAD40713D6D
SHA-512:	4593C9583844BDA090F3377F1876B54ACB5514AAF8E9D50276001B7574F090BEB5450C470F4233B280BF0F027D82CCE7B3DB46400F71FE5D8CCB3D799D1665CD
Malicious:	false
Preview:	j71lY8uy7tSFi8cd1vvenfyU1cbP2DctTFMSObG6xH2mpndt0RXLjMNDIhu5hf53RjwcwJPapyqgmMoN8sZkqQKG2IKqrKZSM9VG1B6qC7gugrb62g7yGUNBYpkn9iseZXTn0iW6vtituZkKrNyKNkM1wTrLbTqdOCUJXxFUJADWweR9FZ5vuiQyKb1h0LfbCEerEaw4IeAMgzFSCsFBY4tpvg866id8emUr9j4onAnPhDRVVieIFeCHUy6ic08jBCr4fYScybYXRdIrOnkXDU2AkNWKmVLwCDOeVXz7QCUoFoz1qPTzPkgqKrTSBIzcPlUOOnV1xmHBAN55XfeXCWhcgiUoDh5HM2ZeTlmC3cCmdfp6wY4fnbZ2E2rqTqxPr9zIyalv3bekU48B2Y2pnZducgZa46tMow5dphHVwJmM7ziK4px5xImRfFpSAK07sR5h8eVVQh3dxRwn7PgOIyYgKo8k1yUlSpep3BMZTcoQOIdNSCVvnmy32ZXTgudbNRLHxGt6DH4qKIRBKuSzdi7q1kxen22j8MD77WZMTYrgrHtuHVJvco8oTfQNTPSLPVs7FUEyUFgE1b9t1CWStGGUNZncFM2DGgRVZvpxQUbWI3x2fgWQ2AcIPYtpqmsHNc8UKoUFXjBYptLUlv6i0mKFEJFBB9GomTJp5cs1LQ3T8EcgMZE5pJRlR2PBiTDXcWwWjfZJCEXks0HAqjym5L8cBiYCMrT2Mf1mRG6qA42lwr2avPU8ebcRXTUBHX6VveXM9fsknImASXpUp7Q7WUXvDkO8v4in8hzRUqbQhuVWzb8Ao9VKG99aHlIZQuysk9CvhXA9fAZm8B6mlNTwjXg9hZKshB

C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3861504
Entropy (8bit):	7.835766949495404
Encrypted:	false
SSDEEP:	98304:SlFTtIkKJ8h91Zv7aphwzT8YRMR9UOu93dI:S7SF8/baTm8kMPUOu9
MD5:	798B5560B2A2C6596A0C1A09419AD2C4
SHA1:	6F18005EAACE373EE3EC23138C7D5AF9D1BCB51E
SHA-256:	93DC0D7CACC55D4965A1D55A3D163125481EE2BE7CEF9640320F58D714BD8011
SHA-512:	ED88BAD4B7E2103222EFC1864E36A6B6D9E83396361191C6D9ED0623BADB783629E87A2CC2097D4D79586D9514D02D15DF7B411C1A012BEB212009EFE2E24010
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................:...........;.. ... ;...@.. .......................`;...........@...................................;.K.... ;.p....................@;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...p.... ;.......:.............@....reloc.......@;.......:.............@..B..................;.....H...........@.......e...D....)0.'.;......................................0..........(.... ........8........E....)...M.......q...8$...(.... ....~....{....:....& ....8....(.... ....~....{~...:....& ....8....(.... ....~....{{...9....& ....8z...*...0..<....... ........8........E............................d...8)...~....9U... ....~....{....:....& ....8....~....(#... .... .... ....s....~....('....... ....8{......... ....~....{....9a...& ....8V...8z... ....~....{....9=...& ....82...

C:\ProgramData\Microsoft\de83736a915df6

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.813001917277672
Encrypted:	false
SSDEEP:	6:jF/LX6ZrGN5Z8mcSgc6OxjGfZviRTDPe4CdXDMaaLTmOcPBRCfJEy:jVX6oR8mjgcvxjGfZ6T6PXDMH6O+BRCR
MD5:	3A7527F6604144C116CAABCD12DAE3EC
SHA1:	33B634BC96EE9249A56C3A5D948C7F75FD885935
SHA-256:	6E25F6C713F1389C90BBE7272B13D3729673968C827105AE7239C33B55E609D9
SHA-512:	43170CF6ACF5601E08B5F499FF915A304979034E07C7E998D3840DC04658DC9C62F88E59B4D9B9E988EDF9B3B24B2C614710962E6C30E6B0B5B7606F0E71EB0C
Malicious:	false
Preview:	G5j4xEjXOrgIZ23CLvB8OtslQawMKD1IKj21DNaJJHvcZrg3R8elHWCXN8oWRXMLzX809B97U2yH8PLi335MiQBygenEjD1w4jmBtq3P8hQPh5Z7wFdXbAmjWJTeX4XRACMYnKzMApNB9wRlFqSdkeU46DpjXY1DJ8OftBUmPQXwwljk2sZrm3rgrRbjeQzmyJ1Bhv2EWpOTGiIVdEqo8KbPRsxbjuH9av7mtiCG0VV6pXZJJGGZjKnnsmty8aeliO3Ukfl5Bjynzfj3TnRdoraPIT4HyOIZ0tYb

C:\ProgramData\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3861504
Entropy (8bit):	7.835766949495404
Encrypted:	false
SSDEEP:	98304:SlFTtIkKJ8h91Zv7aphwzT8YRMR9UOu93dI:S7SF8/baTm8kMPUOu9
MD5:	798B5560B2A2C6596A0C1A09419AD2C4
SHA1:	6F18005EAACE373EE3EC23138C7D5AF9D1BCB51E
SHA-256:	93DC0D7CACC55D4965A1D55A3D163125481EE2BE7CEF9640320F58D714BD8011
SHA-512:	ED88BAD4B7E2103222EFC1864E36A6B6D9E83396361191C6D9ED0623BADB783629E87A2CC2097D4D79586D9514D02D15DF7B411C1A012BEB212009EFE2E24010
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................:...........;.. ... ;...@.. .......................`;...........@...................................;.K.... ;.p....................@;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...p.... ;.......:.............@....reloc.......@;.......:.............@..B..................;.....H...........@.......e...D....)0.'.;......................................0..........(.... ........8........E....)...M.......q...8$...(.... ....~....{....:....& ....8....(.... ....~....{~...:....& ....8....(.... ....~....{{...9....& ....8z...*...0..<....... ........8........E............................d...8)...~....9U... ....~....{....:....& ....8....~....(#... .... .... ....s....~....('....... ....8{......... ....~....{....9a...& ....8V...8z... ....~....{....9=...& ....82...

C:\Recovery\7b3bf1de107bcf

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	177
Entropy (8bit):	5.651489963066555
Encrypted:	false
SSDEEP:	3:2v/rcEH/QgvnxEUXinWtt9Bu9KKK0RSgUC2tC6REj/WTzpPsNlLgtTNc9:yrcEHogvnOUuWL9BEKKK0bUjtC6KKF6d
MD5:	3F22C335357BAD1124110D9CA073444A
SHA1:	9958AD16003D22DF16EE26F17D4CE86EE778F218
SHA-256:	09EF76A24C66A5B6683E225838E09031F421794A34799B7A42942CC00E55AEC2
SHA-512:	FE1689C50AEBFB96A5E2AA8D6C284400073DF1C278D71AFC035E981F816AF647AB9EE55DF41F3541C65B48C1C8B67D34A54891F951B79B51E3BE25066782D8AF
Malicious:	false
Preview:	X9WAyNC0fVJB70ynMQldHxbZwFHIZOEn8dUa3IfrF8txPyvhn12SCBDkh6NsF4bQQfDdgXtEv4YIEoJ8UjehWwl6at264wlKhcgtuRBPHxgHm4g2xOYfZ34d4HDwewJ9TNllHZNCiPaiPdUgNAJpXFvniDznOOvVnhyZS4uYBW7KdVNaw

C:\Recovery\SIHClient.exe

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3861504
Entropy (8bit):	7.835766949495404
Encrypted:	false
SSDEEP:	98304:SlFTtIkKJ8h91Zv7aphwzT8YRMR9UOu93dI:S7SF8/baTm8kMPUOu9
MD5:	798B5560B2A2C6596A0C1A09419AD2C4
SHA1:	6F18005EAACE373EE3EC23138C7D5AF9D1BCB51E
SHA-256:	93DC0D7CACC55D4965A1D55A3D163125481EE2BE7CEF9640320F58D714BD8011
SHA-512:	ED88BAD4B7E2103222EFC1864E36A6B6D9E83396361191C6D9ED0623BADB783629E87A2CC2097D4D79586D9514D02D15DF7B411C1A012BEB212009EFE2E24010
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\SIHClient.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SIHClient.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SIHClient.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SIHClient.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SIHClient.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SIHClient.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................:...........;.. ... ;...@.. .......................`;...........@...................................;.K.... ;.p....................@;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...p.... ;.......:.............@....reloc.......@;.......:.............@..B..................;.....H...........@.......e...D....)0.'.;......................................0..........(.... ........8........E....)...M.......q...8$...(.... ....~....{....:....& ....8....(.... ....~....{~...:....& ....8....(.... ....~....{{...9....& ....8z...*...0..<....... ........8........E............................d...8)...~....9U... ....~....{....:....& ....8....~....(#... .... .... ....s....~....('....... ....8{......... ....~....{....9a...& ....8V...8z... ....~....{....9=...& ....82...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperruntimemonitorCommon.exe.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1915
Entropy (8bit):	5.363869398054153
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
MD5:	0C47412B6C6EF6C70D4B96E4717A5D3B
SHA1:	666FCC7898B52264D8A144600D7A3B0B59E39D66
SHA-256:	0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
SHA-512:	4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nGnJvqnFLoRdIZNyVoMyF.exe.log

Download File

Process:	C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	207
Entropy (8bit):	5.339220446711054
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DED+4ThG5TiZKOZG1wkn23fd1:CuVEOCDED+/mff
MD5:	4FE48135BC8F73197A968E623787E1BB
SHA1:	72161B06EE84DECE3024BFC251550C9A20C1DA41
SHA-256:	AD4B4764DA58126AD7F6A1910202454A269A8946952AF04D2F59101FAC1C897D
SHA-512:	E98D6746A1C9048FB910F76187BA1D117DB477A00520CE1CA83EB340AC611EE295B20022CFD7890B6E6194286F6FADD90B0F14F81ABADABEFF55641151F705E3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qVPGMYvCwM.bat"

C:\Users\user\AppData\Local\Temp\w5nv0ZNcR9

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.213660689688185
Encrypted:	false
SSDEEP:	3:+CoGmlXBn:vm7
MD5:	B2D536C1433551564A7240B1213EEB37
SHA1:	863767E59E42C4434AFA0321AE328C6A4497E749
SHA-256:	CA62B40B0DF72A6F531C60CDBF80F7E43640F5DA056F262A8F7F8484089A0B44
SHA-512:	8302D909AFF70F1BD6AD2AADD717292F54126F48EEEA871C5B566CA940DB0296C52F3EF7EF7B850F24C05D208C3EDAA41A9ADE8E4DA95E677DCEBDB01451F6F1
Malicious:	false
Preview:	WoGjXcGpgxDaCJMcCNIMScdAm

C:\Users\user\Desktop\AOsWDEPp.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: XNPOazHpXF.exe, Detection: malicious, Browse Filename: 3e88PGFfkf.exe, Detection: malicious, Browse Filename: 9FwQYJSj4N.exe, Detection: malicious, Browse Filename: CPNSQusnwC.exe, Detection: malicious, Browse Filename: t8xf0Y1ovi.exe, Detection: malicious, Browse Filename: teh76E2k50.exe, Detection: malicious, Browse Filename: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, Detection: malicious, Browse Filename: 84JufgBTrA.exe, Detection: malicious, Browse Filename: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Detection: malicious, Browse Filename: kIdT4m0aa4.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\DIumuEtf.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.010605469502259
Encrypted:	false
SSDEEP:	6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:	00574FB20124EAFD40DC945EC86CA59C
SHA1:	8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:	3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:	B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\Desktop\DzXmKSai.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\JsALnyfX.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KpbTIyuS.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41472
Entropy (8bit):	5.6808219961645605
Encrypted:	false
SSDEEP:	768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:	6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:	094DE32070BED60A811D983740509054AD017CE4
SHA-256:	16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:	5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KxLmnhVX.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.45778554132892
Encrypted:	false
SSDEEP:	384:O+EQ5SccsLOYWRl1U/JRZA6cBrhhptFFg96lB1Cev6xTu:5NlWNU/G6cbHblt/vl
MD5:	F6BA6A3BAE64426F936CA859866F594B
SHA1:	176047CACF3E8AF31DB121ADD21E122B192D8B62
SHA-256:	4B18BEB315D1D3C80B85F77CAFBD45199C68C11F422D6657355687310929B13E
SHA-512:	C7B3E09F57481CE131F3FDC3EFFBDACB38FBB3AC22BA88B5688182846F9AE413CA543666B85961364E823341B83CBDB97E0E48649677018C99B6CA2DA9BD0E4E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v9g...........!.....N...........l... ........@.. ....................................@.................................\|l..O.................................................................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............XL..x...................................................................................................................................................................(h7.......5....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\OnCcudVQ.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40448
Entropy (8bit):	5.7028690200758465
Encrypted:	false
SSDEEP:	768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
MD5:	51B1964F31C557AE8C2B01EA164ABD9F
SHA1:	97C6E8FD1F21D644281FAF82D017969FE22423E4
SHA-256:	AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
SHA-512:	5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PkdkPdkL.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.857602289000348
Encrypted:	false
SSDEEP:	768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
MD5:	5EE7E079F998F80293B3467CE6A5B4AE
SHA1:	3C0932D48F3542E9DFB09AD9E1FF70891A038532
SHA-256:	A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
SHA-512:	056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........\|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WahSOJEu.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	5.909536568846014
Encrypted:	false
SSDEEP:	1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:	E4FA63649F1DBD23DE91861BB39C317D
SHA1:	25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:	CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:	C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YTwAzGpt.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.668291349855899
Encrypted:	false
SSDEEP:	384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
MD5:	94DA5073CCC14DCF4766DF6781485937
SHA1:	57300CA6033974810B71CF1AB4F047A026924A7A
SHA-256:	B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
SHA-512:	7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ZLNiVXPn.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	342528
Entropy (8bit):	6.170134230759619
Encrypted:	false
SSDEEP:	3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
MD5:	9DADB5C8A6FD5020275C31EE6BC61D63
SHA1:	ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
SHA-256:	80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
SHA-512:	EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\azRqGkKl.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.618776214605176
Encrypted:	false
SSDEEP:	768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
MD5:	9B25959D6CD6097C0EF36D2496876249
SHA1:	535B4D0576746D88537D4E9B01353210D893F4D2
SHA-256:	4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
SHA-512:	C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cBDZcTPh.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.636032516496583
Encrypted:	false
SSDEEP:	384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
MD5:	996BD447A16F0A20F238A611484AFE86
SHA1:	CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
SHA-256:	0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
SHA-512:	80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fDqHyDTc.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hxFqjzFa.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kikGqNQT.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.699005826018714
Encrypted:	false
SSDEEP:	768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
MD5:	87765D141228784AE91334BAE25AD743
SHA1:	442BA48B1B5BB158E2E6145B0592F81D20CB9C57
SHA-256:	9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
SHA-512:	77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nYbxxKQM.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	5.905167202474779
Encrypted:	false
SSDEEP:	1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
MD5:	06442F43E1001D860C8A19A752F19085
SHA1:	9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
SHA-256:	6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
SHA-512:	3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....

C:\Users\user\Desktop\omJXhfZJ.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.629584586954759
Encrypted:	false
SSDEEP:	768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
MD5:	D478E398EFCD2BD9BDBFEA958F7BEE4F
SHA1:	24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
SHA-256:	32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
SHA-512:	0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pixyxcvN.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rfYGTcKI.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:	768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\scAOpcZD.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	39936
Entropy (8bit):	5.660491370279985
Encrypted:	false
SSDEEP:	768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
MD5:	240E98D38E0B679F055470167D247022
SHA1:	49888CCED719AE78EE3BAE2959402749668AA1C6
SHA-256:	C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
SHA-512:	93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-\|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uWPwaYLB.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.679286635687991
Encrypted:	false
SSDEEP:	768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
MD5:	9E910782CA3E88B3F87826609A21A54E
SHA1:	8DBC333244620EDA5D3F1C9EAA6B924455262303
SHA-256:	3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
SHA-512:	592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wKTFMmGz.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	6.057993947082715
Encrypted:	false
SSDEEP:	3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
MD5:	16B480082780CC1D8C23FB05468F64E7
SHA1:	6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
SHA-256:	7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
SHA-512:	A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................

C:\Users\user\Desktop\wTqFwYZw.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.870612048031897
Encrypted:	false
SSDEEP:	768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
MD5:	3601048DFB8C4A69313A593E74E5A2DE
SHA1:	A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
SHA-256:	F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
SHA-512:	B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yEVVDmkp.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\yVcnRIer.log

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.634433516692816
Encrypted:	false
SSDEEP:	384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
MD5:	0D323E1CACEA89CAA5DDEAF2F37BCA69
SHA1:	4769C3E947D02A1FD548BE64013F520D571D96E1
SHA-256:	873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
SHA-512:	73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Saved Games\de83736a915df6

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	ASCII text, with very long lines (732), with no line terminators
Category:	dropped
Size (bytes):	732
Entropy (8bit):	5.897697801993887
Encrypted:	false
SSDEEP:	12:3TpIYvKG/tG5dZLfIIIkER6dARCyntViqXUZ0QyHaaSDS+ol+Bsp5Gll:j2YCG/EjLfVIkevtRXMVDasSvkuAll
MD5:	FC608FA44DB3F5341BAF92C43E0A591E
SHA1:	30750264377415DD45B9F3D03EC9A087565A64AA
SHA-256:	45840A6DDA3EBDFE050778E6982D4173BEEEB7BFA3582BC1BBD63F7AF95439AA
SHA-512:	C0EF542298229C00F8795C51B727A1E8B21A3D7F254FC5E4C88081E8BB00D22161A26EFDD7D6B1B0CDE8FD8A44AE17625C5A77DD48A2CBA9C77E0351F47E90FC
Malicious:	false
Preview:	3ICw54E29DBabP9NFvCsI6LOycuyKzH6GsQpLrSxMz7btqTuadrlnFk77y7cJPsK5EUt8UCYdPgT9teIIAYrHfTAHTrWtzn6HxfoVkvFbTIXiR7NTyTI1BDavTlpmponmjLMO0xiPTPxW5b0VeD5feFFuF3B8Gcwpfv9Fv9dBv3ivPD01vTImtHHeFcJ6vjJ0dI1Jcukfj3ulhUeBCJNwUJ5Xoe9T0gPMurRGLrZAsnCzXf7v7H4mVWfUNdf8vRpCoi1zCY0VuMErGFAIhOWsmn0XL73sLaPb8ALyoIsiRi1ISyNHcWah56ZArdnFfHJT7msG4LeZfxbDvrFWuvPzArgCkKHKenDJZiLpGHNQ1BBHeWPAXQUt1UTPFqftET42tSoNgZQni978pZhO5HxOSURFO5kZldMiHJXLsBd89rK2WVjqIRx7gqjZAi9kz1BFwZ0gBWf3nyOkJZt3V3QUqOBbj7LJC2IIpFF6eDpwv3Trb8PlzGP5lrZiYZ6DKW1uqG5ETwYROdiw5T9ksjT6nNg8qhiFHllZCjBVDLRDr7qHJmmEZVVlC5Gcj7YwOTKm1IuWSohgSQOqgYyD4epvQAXGcivGxfzYwDQA2QvvyyTvqa6KIU1toYW0vn3t3aswb03cIyKns47brlaBmk8cnFuYrZPPXC1XGgTzhdCUJOBtb4JJM2HScQJWGfvtj4QqCjVLRkeJinSZEA7wQFDe4i5zW7t

C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3861504
Entropy (8bit):	7.835766949495404
Encrypted:	false
SSDEEP:	98304:SlFTtIkKJ8h91Zv7aphwzT8YRMR9UOu93dI:S7SF8/baTm8kMPUOu9
MD5:	798B5560B2A2C6596A0C1A09419AD2C4
SHA1:	6F18005EAACE373EE3EC23138C7D5AF9D1BCB51E
SHA-256:	93DC0D7CACC55D4965A1D55A3D163125481EE2BE7CEF9640320F58D714BD8011
SHA-512:	ED88BAD4B7E2103222EFC1864E36A6B6D9E83396361191C6D9ED0623BADB783629E87A2CC2097D4D79586D9514D02D15DF7B411C1A012BEB212009EFE2E24010
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................:...........;.. ... ;...@.. .......................`;...........@...................................;.K.... ;.p....................@;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...p.... ;.......:.............@....reloc.......@;.......:.............@..B..................;.....H...........@.......e...D....)0.'.;......................................0..........(.... ........8........E....)...M.......q...8$...(.... ....~....{....:....& ....8....(.... ....~....{~...:....& ....8....(.... ....~....{{...9....& ....8z...*...0..<....... ........8........E............................d...8)...~....9U... ....~....{....:....& ....8....~....(#... .... .... ....s....~....('....... ....8{......... ....~....{....9a...& ....8V...8z... ....~....{....9=...& ....82...

C:\Windows\BitLockerDiscoveryVolumeContents\5940a34987c991

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	ASCII text, with very long lines (585), with no line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.888407059501936
Encrypted:	false
SSDEEP:	12:2RxUyC1c4o1TyJmfmlRjxCLX760qmVF+e8/knGyHFpFTfk9ZFLi12JpH:2RxUygcZ1T4TLVE760pVw0DHFffmhpH
MD5:	BFBDE87996E8A8435245C2E9E5EA0C12
SHA1:	349269B7FA06FD0A3BAA6B0E739029B263C8753A
SHA-256:	7A17B09C73546E31D72451AB7D937465210EB8C4CCF8D5FADA5A6A4E7DEB6CBA
SHA-512:	31E593DEC35C01A3871E8726DAF05F290989E60728CF79F574D2A8D49D92F9997CD9C1A8195256CE09B36D10DB6AFACF3A9C625A7FA2D7FD5218DFFCEB1ED3C6
Malicious:	false
Preview:	jxTdE5sp4NTPvoBIlKMzY0rpQrK5k7U0qxbinqYafv1TQP1zjF0x0PLsGoMWvwF72ci7Mde4vwTn8XZB0UWeGg9amtb8dBpsp4axq4mGl5BE5ittPLgaal1WcIVdCfbuHl7E6lV6sP3Ke5eE9rtSeORECEVhiJDFeR7Ukpxn0ksKrr1hoQeUwJP2T3C1QxXiMypN8KeT4Fb4gGWVNx3SotSVBEAqm5WDMJ83BnjdwKaqrUVNgrnc3E4dfUL3Kxr8tYrXHdTkOZgeSmorswJ5R3JHOfXrbqT8db7Sm8FDXDOdiaK3qeKXowrzPjIlGmIiGhB1oVEurGhNppjyVdA7f6UruIDD0d6v5qXBYSPUaaphOdJjATQmlKCKNTHgSB3NJwS9ShZDOqhEQxcQ8dCgNUJunMxFKtBZgbXcKKRc3MY5n84a10hz8XAzmhVFuU2eoIiyZAFyMjnA5OHpSXNULMaJbhznyLsiU3QfZFA0utnYtA4YZqxWHiTcrYX1Lc9A1EpB8mPMXWjcjBZbnaNIYWbwkxyBsJpStmhoU2axbk9u813p85NvO1men3bKxNeNrQs6euGvA

C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe

Download File

Process:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3861504
Entropy (8bit):	7.835766949495404
Encrypted:	false
SSDEEP:	98304:SlFTtIkKJ8h91Zv7aphwzT8YRMR9UOu93dI:S7SF8/baTm8kMPUOu9
MD5:	798B5560B2A2C6596A0C1A09419AD2C4
SHA1:	6F18005EAACE373EE3EC23138C7D5AF9D1BCB51E
SHA-256:	93DC0D7CACC55D4965A1D55A3D163125481EE2BE7CEF9640320F58D714BD8011
SHA-512:	ED88BAD4B7E2103222EFC1864E36A6B6D9E83396361191C6D9ED0623BADB783629E87A2CC2097D4D79586D9514D02D15DF7B411C1A012BEB212009EFE2E24010
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................:...........;.. ... ;...@.. .......................`;...........@...................................;.K.... ;.p....................@;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...p.... ;.......:.............@....reloc.......@;.......:.............@..B..................;.....H...........@.......e...D....)0.'.;......................................0..........(.... ........8........E....)...M.......q...8$...(.... ....~....{....:....& ....8....(.... ....~....{~...:....& ....8....(.... ....~....{{...9....& ....8z...*...0..<....... ........8........E............................d...8)...~....9U... ....~....{....:....& ....8....~....(#... .... .... ....s....~....('....... ....8{......... ....~....{....9a...& ....8V...8z... ....~....{....9=...& ....82...

C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe

Download File

Process:	C:\Users\user\Desktop\f3I38kv.exe
File Type:	data
Category:	dropped
Size (bytes):	213
Entropy (8bit):	5.80588670543794
Encrypted:	false
SSDEEP:	6:GcgwqK+NkLzWbH/PlyrFnBaORbM5nCeHJCD0Lpj:GuMCzWLHUhBaORbQCmxV
MD5:	A0282A6958AFC151A410D7128B0D80ED
SHA1:	6F4BA3C7EBAA16F6BB69594ADECB05BCCAF308FE
SHA-256:	329D081C702EB5E7F60896CECC15A5A0D2B625E93012B1FF7F7A8F64B3BAEAE2
SHA-512:	EEB9ADA5C9D533E1ED377E6D1D6B905A244BA6190FB8227967F59D37779727FDB0165C0B3AAC866A8A0BD009E9903563762FB2879E058F9E6D12452D87F5B58C
Malicious:	false
Preview:	#@~^vAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v {!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z8^W134MWSd+MNsV;WhhKxzJtjnDM}.f,gftl 4COr~~!B~0mVdnuDsAAA==^#~@.

C:\blockbrowserdllCommon\ZUKrGOW39NDMa.bat

Download File

Process:	C:\Users\user\Desktop\f3I38kv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	5.124599308836479
Encrypted:	false
SSDEEP:	3:le3jT8+Lgf5kJYyQEf6yA4ISXq7LVA31faA:w3jTH0fQYqf6yA4Ik8O3hL
MD5:	DE89329E5614F1630F511924AC734AA5
SHA1:	FC499E64667F681414B952788B1220806D404E3B
SHA-256:	F8A9353FECFF5FE9131AB909940A15B593C8B74D89F4624890D30B6BAFD00931
SHA-512:	EF266DAD8204188A1CF59AFF63E0CBD1A649CBF5CE42F5F1464A7F508CE7FAAB6AA05C2D42849BD3FE1F86DECC380773A6D12F31F24762CBC8506CF1C391BF38
Malicious:	false
Preview:	%ewotC%%PJfwKZHW%..%NYbuWfgafPADIB%"C:\blockbrowserdllCommon/hyperruntimemonitorCommon.exe"%cGXtvBYCJGKgHem%

C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe

Download File

Process:	C:\Users\user\Desktop\f3I38kv.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3861504
Entropy (8bit):	7.835766949495404
Encrypted:	false
SSDEEP:	98304:SlFTtIkKJ8h91Zv7aphwzT8YRMR9UOu93dI:S7SF8/baTm8kMPUOu9
MD5:	798B5560B2A2C6596A0C1A09419AD2C4
SHA1:	6F18005EAACE373EE3EC23138C7D5AF9D1BCB51E
SHA-256:	93DC0D7CACC55D4965A1D55A3D163125481EE2BE7CEF9640320F58D714BD8011
SHA-512:	ED88BAD4B7E2103222EFC1864E36A6B6D9E83396361191C6D9ED0623BADB783629E87A2CC2097D4D79586D9514D02D15DF7B411C1A012BEB212009EFE2E24010
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..................:...........;.. ... ;...@.. .......................`;...........@...................................;.K.... ;.p....................@;...................................................... ............... ..H............text.....:.. ....:................. ..`.rsrc...p.... ;.......:.............@....reloc.......@;.......:.............@..B..................;.....H...........@.......e...D....)0.'.;......................................0..........(.... ........8........E....)...M.......q...8$...(.... ....~....{....:....& ....8....(.... ....~....{~...:....& ....8....(.... ....~....{{...9....& ....8z...*...0..<....... ........8........E............................d...8)...~....9U... ....~....{....:....& ....8....~....(#... .... .... ....s....~....('....... ....8{......... ....~....{....9a...& ....8V...8z... ....~....{....9=...& ....82...

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.630609828667227
Encrypted:	false
SSDEEP:	12:P8w5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:0ydUOAokItULVDv
MD5:	CB032DDF000B7094D5EA82C709AFE96C
SHA1:	3754ACCC5A2DAE8C62B9600778FBC224B7EC1113
SHA-256:	27C38D45A3229A073632DCA0544E3D32323237BF0A2F9794E4D7750F17FC9563
SHA-512:	8BB0C8DFE82DC0F4EF0D0B4D1275476A4FE71D4C10B4D3160F9F432F3D0308945D6E8A5B2BA0CD8BD5FE94C8E1C0612A5DCB980750065AC6CA8DDFE13BE560D1
Malicious:	false
Preview:	..Pinging 992547 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.791111156313075
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f3I38kv.exe
File size:	4'183'320 bytes
MD5:	71e2bab6de31ab3476ac7529a603de1c
SHA1:	ce92b47562732cb095b318f2e5cf0f5bf7fb4b68
SHA256:	c4dda91a7666f799687ecc6998b0676dd19c4545b381271d01c0400274d18c55
SHA512:	d4ba63e37ba1832fceb930c3f0141321ba8a0783dd5ad862ab701ff5bddba3af5be771e26c972896cc3043224b7bf05da9b13aee10dc1a776063f7c1150d92d7
SSDEEP:	98304:yQlFTtIkKJ8h91Zv7aphwzT8YRMR9UOu93dIl:v7SF8/baTm8kMPUOu9G
TLSH:	0616F106B6915F33D1693F3194F7142E52B0EB626623DF0B3E1F20E5E9092708B566FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F1530BF060Bh
jmp 00007F1530BEFF1Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F1530BE2D67h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F1530BF33AFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F1530BF00ACh
push 0000000Ch
push esi
call 00007F1530BEF669h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F1530BE2CE2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F1530BF2E69h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F1530BF0028h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F1530BF2E4Ch
int3
jmp 00007F1530BF48E7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:17:56
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\f3I38kv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\f3I38kv.exe"
Imagebase:	0x4f0000
File size:	4'183'320 bytes
MD5 hash:	71E2BAB6DE31AB3476AC7529A603DE1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1659074697.0000000005326000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1658269779.0000000005214000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:17:56
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\blockbrowserdllCommon\KvkJOplk2GTpcDyjoXWpi6SQDRLpKp2SGwZjihDz.vbe"
Imagebase:	0x180000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:18:24
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\blockbrowserdllCommon\ZUKrGOW39NDMa.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:18:24
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:18:24
Start date:	30/12/2024
Path:	C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe
Wow64 process (32bit):	false
Commandline:	"C:\blockbrowserdllCommon/hyperruntimemonitorCommon.exe"
Imagebase:	0xa00000
File size:	3'861'504 bytes
MD5 hash:	798B5560B2A2C6596A0C1A09419AD2C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000000.1936497024.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1996199845.0000000013408000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\blockbrowserdllCommon\hyperruntimemonitorCommon.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 10 /tr "'C:\Recovery\SIHClient.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Recovery\SIHClient.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 7 /tr "'C:\Recovery\SIHClient.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 10 /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 8 /tr "'C:\Users\user\Saved Games\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:18:28
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyF" /sc ONLOGON /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:18:29
Start date:	30/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "nGnJvqnFLoRdIZNyVoMyFn" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:18:29
Start date:	30/12/2024
Path:	C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
Imagebase:	0x800000
File size:	3'861'504 bytes
MD5 hash:	798B5560B2A2C6596A0C1A09419AD2C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:18:29
Start date:	30/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat"
Imagebase:	0x7ff7cf580000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:18:29
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:18:29
Start date:	30/12/2024
Path:	C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
Imagebase:	0xd00000
File size:	3'861'504 bytes
MD5 hash:	798B5560B2A2C6596A0C1A09419AD2C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:18:29
Start date:	30/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff70f330000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:18:29
Start date:	30/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff618140000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:18:38
Start date:	30/12/2024
Path:	C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe"
Imagebase:	0xcc0000
File size:	3'861'504 bytes
MD5 hash:	798B5560B2A2C6596A0C1A09419AD2C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1505
Total number of Limit Nodes:	45

Executed Functions

Function 0050DF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00500863: GetModuleHandleW.KERNEL32(kernel32), ref: 0050087C
Part of subcall function 00500863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0050088E
Part of subcall function 00500863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005008BF

Part of subcall function 0050A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0050A655

Part of subcall function 0050AC16: OleInitialize.OLE32(00000000), ref: 0050AC2F
Part of subcall function 0050AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0050AC66
Part of subcall function 0050AC16: SHGetMalloc.SHELL32(00538438), ref: 0050AC70

GetCommandLineW.KERNEL32 ref: 0050DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0050DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0050DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0050DFCE

Part of subcall function 0050DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0050DBF4
Part of subcall function 0050DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0050DC30

CloseHandle.KERNEL32(00000000), ref: 0050DFD7
GetModuleFileNameW.KERNEL32(00000000,0054EC90,00000800), ref: 0050DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0054EC90), ref: 0050DFFE
GetLocalTime.KERNEL32(?), ref: 0050E009
_swprintf.LIBCMT ref: 0050E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0050E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0050E061
LoadIconW.USER32(00000000,00000064), ref: 0050E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0050E0C9
Sleep.KERNEL32(?), ref: 0050E0F7
DeleteObject.GDI32 ref: 0050E130
DeleteObject.GDI32(?), ref: 0050E140
CloseHandle.KERNEL32 ref: 0050E183

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0050E039
winrarsfxmappingfile.tmp, xrefs: 0050DF77
C:\Users\user\Desktop, xrefs: 0050DF33
xzT, xrefs: 0050E10B
STARTDLG, xrefs: 0050E0BE
sfxname, xrefs: 0050DFF9
sfxstime, xrefs: 0050E055

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzT
API String ID: 3049964643-944309655
Opcode ID: fbd5e9dfa26aeb8358dbd008a7155437b271a06fcac20ebbc15e7e815feb74a5
Instruction ID: 217b6390b1e001fa7c7c786d6c3cdd151a61110a6f28ff89035e33dc44464f0a
Opcode Fuzzy Hash: fbd5e9dfa26aeb8358dbd008a7155437b271a06fcac20ebbc15e7e815feb74a5
Instruction Fuzzy Hash: B361C671904345ABD320AB75EC4EF6F7FA8FFA6704F000429F545922E1EB789948D761

Function 0050A6C2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0050B73D,00000066), ref: 0050A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0050B73D,00000066), ref: 0050A6EC
LoadResource.KERNEL32(00000000,?,?,?,0050B73D,00000066), ref: 0050A703
LockResource.KERNEL32(00000000,?,?,?,0050B73D,00000066), ref: 0050A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0050B73D,00000066), ref: 0050A72D
GlobalLock.KERNEL32(00000000), ref: 0050A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0050A762
GlobalUnlock.KERNEL32(00000000), ref: 0050A7C6

Part of subcall function 0050A626: GdipAlloc.GDIPLUS(00000010), ref: 0050A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0050A7A7
GlobalFree.KERNEL32(00000000), ref: 0050A7CD

Strings

FjunP, xrefs: 0050A762
PNG, xrefs: 0050A6C6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: FjunP$PNG
API String ID: 211097158-2194318004
Opcode ID: 9a6a0e1f367bdd2c7f92addf6ba16721d0afa65f14a8009f3db897b211178159
Instruction ID: 3fae5d86c63c7280e09810827b70fca5f5da643f0bc2f0355a88362db33abc91
Opcode Fuzzy Hash: 9a6a0e1f367bdd2c7f92addf6ba16721d0afa65f14a8009f3db897b211178159
Instruction Fuzzy Hash: 5631C275600712AFD7209F21EC88D2FBFB9FF95750B044918F805822A0EB31DC5AEBA1

Function 004FA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,004FA592,000000FF,?,?), ref: 004FA6C4

Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,004FA592,000000FF,?,?), ref: 004FA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,004FA592,000000FF,?,?), ref: 004FA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,004FA592,000000FF,?,?), ref: 004FA728
GetLastError.KERNEL32(?,?,?,?,004FA592,000000FF,?,?), ref: 004FA734

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: d3402661278f40864ea9459bcce4bc0e082b05158cedb76c96139cb026138e46
Instruction ID: bc243ea7983c825a14c382de21db1a9f4c67d3cbe909b3384c66b42fe0b4db73
Opcode Fuzzy Hash: d3402661278f40864ea9459bcce4bc0e082b05158cedb76c96139cb026138e46
Instruction Fuzzy Hash: EC418372500519ABC725EF64CC88AEEB7B8FF48350F104196E95DD3240D738AEA5CF95

Function 00517DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00517DC4,00000000,0052C300,0000000C,00517F1B,00000000,00000002,00000000), ref: 00517E0F
TerminateProcess.KERNEL32(00000000,?,00517DC4,00000000,0052C300,0000000C,00517F1B,00000000,00000002,00000000), ref: 00517E16
ExitProcess.KERNEL32 ref: 00517E28

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a94fbeecab8954e0e037767e47d08ca98903531d046c4e9f4ba2ba10104da2bb
Instruction ID: 8ae24d793c86f18727942c921dcec8de60146a4bb209658204aad5769d6c8094
Opcode Fuzzy Hash: a94fbeecab8954e0e037767e47d08ca98903531d046c4e9f4ba2ba10104da2bb
Instruction Fuzzy Hash: 86E04F31000148ABDF117F24CD0E9893FB9FF59341F004494F8058A132CB39DEA6DA90

Function 004F848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F8493

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 49dae722c29fe301e41e32b0a781006f342e38eafb6b1fe42be9e14c8c363f25
Instruction ID: e428ce387d56033045e0c217d1cb12ca0ae52bc1c4c68608dd920dbd9fd224a7
Opcode Fuzzy Hash: 49dae722c29fe301e41e32b0a781006f342e38eafb6b1fe42be9e14c8c363f25
Instruction Fuzzy Hash: D0821B7090414DAEDF15DB60C895BFBBBB9AF05304F0841BFEA499F242CB385A84C769

Function 0050B7E0 Relevance: 109.2, APIs: 48, Strings: 14, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0050B7E5

Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B8EF
IsDialogMessageW.USER32(?,?), ref: 0050B902
TranslateMessage.USER32(?), ref: 0050B910
DispatchMessageW.USER32(?), ref: 0050B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0050B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0050B960
GetDlgItem.USER32(?,00000068), ref: 0050B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0050B99E
SendMessageW.USER32(00000000,000000C2,00000000,005235F4), ref: 0050B9B1

Part of subcall function 0050D453: _wcschr.LIBVCRUNTIME ref: 0050D45C
Part of subcall function 0050D453: _wcslen.LIBCMT ref: 0050D47D

SetFocus.USER32(00000000), ref: 0050B9B8
_swprintf.LIBCMT ref: 0050BA24

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

Part of subcall function 0050D4D4: GetDlgItem.USER32(00000068,0054FCB8), ref: 0050D4E8
Part of subcall function 0050D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0050AF07,00000001,?,?,0050B7B9,0052506C,0054FCB8,0054FCB8,00001000,00000000,00000000), ref: 0050D510
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0050D51B
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000C2,00000000,005235F4), ref: 0050D529
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D53F
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0050D559
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D59D
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0050D5AB
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D5BA
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D5E1
Part of subcall function 0050D4D4: SendMessageW.USER32(00000000,000000C2,00000000,005243F4), ref: 0050D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0050BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0050BA90
GetTickCount.KERNEL32 ref: 0050BAAE
_swprintf.LIBCMT ref: 0050BAC2
GetLastError.KERNEL32(?,00000011), ref: 0050BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0050BB43
_swprintf.LIBCMT ref: 0050BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0050BBD0
GetCommandLineW.KERNEL32 ref: 0050BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0050BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0050BC6F
Sleep.KERNEL32(00000064), ref: 0050BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0050BCE2
CloseHandle.KERNEL32(00000000), ref: 0050BCEB
_swprintf.LIBCMT ref: 0050BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050BD7D
SetDlgItemTextW.USER32(?,00000065,005235F4), ref: 0050BD94
GetDlgItem.USER32(?,00000065), ref: 0050BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0050BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0050BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050BE68
_wcslen.LIBCMT ref: 0050BEBE
_swprintf.LIBCMT ref: 0050BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0050BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0050BF4C
GetDlgItem.USER32(?,00000068), ref: 0050BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0050BF6B
GetDlgItem.USER32(?,00000066), ref: 0050BF85
SetWindowTextW.USER32(00000000,0053A472), ref: 0050BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0050C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0050C0BD
EnableWindow.USER32(00000000,00000000), ref: 0050C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0050C1D9

Part of subcall function 0050C73F: __EH_prolog.LIBCMT ref: 0050C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0050C1FD

Strings

%s, xrefs: 0050BED8
winrarsfxmappingfile.tmp, xrefs: 0050BBA6
hP, xrefs: 0050BCA5
^P, xrefs: 0050C1E1
<, xrefs: 0050BB84
-el -s2 "-d%s" "-sp%s", xrefs: 0050BB6B
QR, xrefs: 0050BBBC
@, xrefs: 0050BB91
PDu<P, xrefs: 0050BC6F
C:\Users\user\Desktop, xrefs: 0050BBC9
STARTDLG, xrefs: 0050B801
LICENSEDLG, xrefs: 0050C0B2
"%s"%s, xrefs: 0050BD0D
__tmp_rar_sfx_access_check_%u, xrefs: 0050BAB5

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<P$STARTDLG$^P$__tmp_rar_sfx_access_check_%u$hP$winrarsfxmappingfile.tmp$QR
API String ID: 3829768659-1951401641
Opcode ID: 6bf1375cc4959603f7302e65e10034717672873fb4f0f1bbbfc8555ef765cb9a
Instruction ID: 94db0e6e9d0a0cffe48a28a0f0cde039ccc5b096f5dfcec76c316acbe6c194cb
Opcode Fuzzy Hash: 6bf1375cc4959603f7302e65e10034717672873fb4f0f1bbbfc8555ef765cb9a
Instruction Fuzzy Hash: E542E670944349BAFB219BB09C8EFBE3F6CBB22704F000155F644A61E2CB795E48DB25

Function 00500863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0050087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0050088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005008BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00500B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00500B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00500B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<R,00000000), ref: 00500BB1
CloseHandle.KERNEL32(00000000), ref: 00500C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00500C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<R,?,00000000,?,00000800), ref: 00500C72
GetFileAttributesW.KERNELBASE(?,?,|<R,00000800,?,00000000,?,00000800), ref: 00500C9C
GetFileAttributesW.KERNEL32(?,?,D=R,00000800), ref: 00500CD8

Part of subcall function 0050081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00500836
Part of subcall function 0050081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004FF2D8,Crypt32.dll,00000000,004FF35C,?,?,004FF33E,?,?,?), ref: 00500858

_swprintf.LIBCMT ref: 00500D4A
_swprintf.LIBCMT ref: 00500D96

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

AllocConsole.KERNEL32 ref: 00500D9E
GetCurrentProcessId.KERNEL32 ref: 00500DA8
AttachConsole.KERNEL32(00000000), ref: 00500DAF
_wcslen.LIBCMT ref: 00500DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00500DD5
WriteConsoleW.KERNEL32(00000000), ref: 00500DDC
Sleep.KERNEL32(00002710), ref: 00500DE7
FreeConsole.KERNEL32 ref: 00500DED
ExitProcess.KERNEL32 ref: 00500DF5

Strings

SetDllDirectoryW, xrefs: 00500888
dwmapi.dll, xrefs: 00500927, 00500D0D
HAR, xrefs: 00500ADA
d?R, xrefs: 005009FE
8>R, xrefs: 0050098F
h>R, xrefs: 0050099F
D=R, xrefs: 00500CB9, 00500CC9
?R, xrefs: 00500A35
>R, xrefs: 005009C7
0?R, xrefs: 005009E8
,@R, xrefs: 00500A56
4BR, xrefs: 00500B3D
SetDefaultDllDirectories, xrefs: 005008B9
AR, xrefs: 00500B1C
DXGIDebug.dll, xrefs: 005008FC, 00500C5E
T=R, xrefs: 0050093F
@R, xrefs: 00500AAE
uxtheme.dll, xrefs: 00500D17
P>R, xrefs: 00500997
|?R, xrefs: 00500A09
,<R, xrefs: 005008E7
|<R, xrefs: 00500B9E, 00500BA2
|@R, xrefs: 00500A77
kernel32, xrefs: 00500873
H?R, xrefs: 005009F3
`@R, xrefs: 00500A6C
(=R, xrefs: 0050092F
h=R, xrefs: 00500947
H@R, xrefs: 00500A61
0AR, xrefs: 00500ACF
<R, xrefs: 00500917
dAR, xrefs: 00500AE5
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00500D84

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=R$,<R$,@R$0?R$0AR$4BR$8>R$D=R$DXGIDebug.dll$H?R$H@R$HAR$P>R$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=R$`@R$d?R$dAR$dwmapi.dll$h=R$h>R$kernel32$uxtheme.dll$|<R$|?R$|@R$<R$>R$?R$@R$AR
API String ID: 1207345701-4249690961
Opcode ID: 12dc977b2e28439fa8435bfaa83053bdf3715120ed162ee5ee0cd6954cb5948a
Instruction ID: ea604e2d52b9acb2c13dda6c019fedaa3ed738a6be72b6a33fe87391f8c7c9bd
Opcode Fuzzy Hash: 12dc977b2e28439fa8435bfaa83053bdf3715120ed162ee5ee0cd6954cb5948a
Instruction Fuzzy Hash: 54D160B1108394ABD3309F50E94DB9FBEE8BF86704F50491DF289961D0DB788A49CF62

Function 0050C73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0050C744

Part of subcall function 0050B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0050B3FB

Part of subcall function 0050AF98: _wcschr.LIBVCRUNTIME ref: 0050B033

_wcslen.LIBCMT ref: 0050CA0A
_wcslen.LIBCMT ref: 0050CA13
SetWindowTextW.USER32(?,?), ref: 0050CA71
_wcslen.LIBCMT ref: 0050CAB3
_wcsrchr.LIBVCRUNTIME ref: 0050CBFB
GetDlgItem.USER32(?,00000066), ref: 0050CC36
SetWindowTextW.USER32(00000000,?), ref: 0050CC46
SendMessageW.USER32(00000000,00000143,00000000,0053A472), ref: 0050CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0050CC7F

Strings

%s.%d.tmp, xrefs: 0050C940
Software\Microsoft\Windows\CurrentVersion, xrefs: 0050CB1A
P, xrefs: 0050CB24
<P, xrefs: 0050C909
ProgramFilesDir, xrefs: 0050CB45
<br>, xrefs: 0050C9D4

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<P$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$P
API String ID: 986293930-2014984662
Opcode ID: 5afed6db326bc0fef2383a77176118c3d52c43ebfa37d1c7500737aea993366c
Instruction ID: 535dea0b03490816b3da9c625ad2c79353d73512c1f5388b0e8cd466472a4505
Opcode Fuzzy Hash: 5afed6db326bc0fef2383a77176118c3d52c43ebfa37d1c7500737aea993366c
Instruction Fuzzy Hash: 13E17972900219AADF24DBA4DC85EEE7BBCBF45350F4445A5F609E7090EB749F848F60

Function 004FDA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004FDA70
_wcschr.LIBVCRUNTIME ref: 004FDA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004FDAAC

Part of subcall function 004FC29A: _wcslen.LIBCMT ref: 004FC2A2

Part of subcall function 005005DA: _wcslen.LIBCMT ref: 005005E0

Part of subcall function 00501B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,004FBAE9,00000000,?,?,?,00010424), ref: 00501BA0

_wcslen.LIBCMT ref: 004FDDE9
__fprintf_l.LIBCMT ref: 004FDF1C

Strings

R, xrefs: 004FDC0C
,, xrefs: 004FDF57
@%s:, xrefs: 004FDF06, 004FDF12
*messages***, xrefs: 004FDBFA
9R, xrefs: 004FDDD0
RTL, xrefs: 004FDEDE
, xrefs: 004FDD6C
*messages***, xrefs: 004FDBC1
$%s:, xrefs: 004FDEFF
a, xrefs: 004FDC16

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9R
API String ID: 557298264-972840142
Opcode ID: ad9fdd03811b0d4f744f5b5ccc33dd76b809f63db02d5c4efb65bead54164ee7
Instruction ID: fc5b2181501d061cb81f69956ff862f253c783fce73fbb14dc474d9600f5c338
Opcode Fuzzy Hash: ad9fdd03811b0d4f744f5b5ccc33dd76b809f63db02d5c4efb65bead54164ee7
Instruction Fuzzy Hash: B732F07190021DABDB24EF69C845BFE7BA5FF45300F00016BFA0597291EBB99D85CB58

Function 0050D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0050B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
Part of subcall function 0050B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
Part of subcall function 0050B568: IsDialogMessageW.USER32(00010424,?), ref: 0050B59E
Part of subcall function 0050B568: TranslateMessage.USER32(?), ref: 0050B5AC
Part of subcall function 0050B568: DispatchMessageW.USER32(?), ref: 0050B5B6

GetDlgItem.USER32(00000068,0054FCB8), ref: 0050D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0050AF07,00000001,?,?,0050B7B9,0052506C,0054FCB8,0054FCB8,00001000,00000000,00000000), ref: 0050D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0050D51B
SendMessageW.USER32(00000000,000000C2,00000000,005235F4), ref: 0050D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0050D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0050D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0050D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0050D5E1
SendMessageW.USER32(00000000,000000C2,00000000,005243F4), ref: 0050D5F0

Strings

\, xrefs: 0050D549

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: a3c6b9a47e0b2c2e1e8ba3408e70191c6499cd1f335076b54c77616e6a25e14d
Instruction ID: 25e6efa4aa6eaf14944ff231f04f83cb917f70e59cf08673dea4b69fc4c03b36
Opcode Fuzzy Hash: a3c6b9a47e0b2c2e1e8ba3408e70191c6499cd1f335076b54c77616e6a25e14d
Instruction Fuzzy Hash: A231E171145742ABE301DF20EC5AFAF7FACEBA2359F000508F555962E0EB648B089B76

Function 0050D78F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0050D7AE
ShellExecuteExW.SHELL32(?), ref: 0050D8DE
ShowWindow.USER32(?,00000000), ref: 0050D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0050D959
CloseHandle.KERNEL32(?), ref: 0050D97F
ShowWindow.USER32(?,00000001), ref: 0050D9E1

Strings

hP, xrefs: 0050D92E
.exe, xrefs: 0050D989
.inf, xrefs: 0050D89A
rP, xrefs: 0050D911
PDu<P, xrefs: 0050D8DE

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$PDu<P$hP$rP
API String ID: 36480843-38795154
Opcode ID: e9d31cc42f94adb541c5fd6ba48ffc9eb11429a6aa78e9d2c7339d3e31282889
Instruction ID: 68e979a31c28d322696c044b69f1b73f39b26b529d852479b268dc040682d4db
Opcode Fuzzy Hash: e9d31cc42f94adb541c5fd6ba48ffc9eb11429a6aa78e9d2c7339d3e31282889
Instruction Fuzzy Hash: C151CE744083849AEB309BA49844BAFBFF4BF92744F04481EF9C4971E1E7718988DB72

Function 0051A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00515695,00515695,?,?,?,0051ABAC,00000001,00000001,2DE85006), ref: 0051A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0051ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0051AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0051AB35
__freea.LIBCMT ref: 0051AB42

Part of subcall function 00518E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0051CA2C,00000000,?,00516CBE,?,00000008,?,005191E0,?,?,?), ref: 00518E38

__freea.LIBCMT ref: 0051AB4B
__freea.LIBCMT ref: 0051AB70

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f32462e0a34dbe209f66d839a3a760d05f785be34110acbdf1da892ba37f7adf
Instruction ID: 6f2196be2de087e8d31b4f888cb0e222f6cdc39e55cdcaeaa6a40bc2502dba4e
Opcode Fuzzy Hash: f32462e0a34dbe209f66d839a3a760d05f785be34110acbdf1da892ba37f7adf
Instruction Fuzzy Hash: AB51A072602256ABFB268E64CC45EFABBAAFF84710F154629FC05D6140EB34DCD0D691

Function 00513B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00513C35,?,?,00552088,00000000,?,00513D60,00000004,InitializeCriticalSectionEx,00526394,InitializeCriticalSectionEx,00000000), ref: 00513C03

Strings

api-ms-, xrefs: 00513BC3

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: ec8d8de1357aa83b201d4e6fe7b75d9747a4c77bdcd7d946a4dcb27b066edba9
Instruction ID: 77ddde64d4edfc692cd2dab4d62679a59317b140890d2491ebe8d553bb29098c
Opcode Fuzzy Hash: ec8d8de1357aa83b201d4e6fe7b75d9747a4c77bdcd7d946a4dcb27b066edba9
Instruction Fuzzy Hash: 9811E735A09221ABEB318B589C55BD93F64BF12770F110160E815EB1D0F734EF8496D0

Function 0050AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0050081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00500836
Part of subcall function 0050081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004FF2D8,Crypt32.dll,00000000,004FF35C,?,?,004FF33E,?,?,?), ref: 00500858

OleInitialize.OLE32(00000000), ref: 0050AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0050AC66
SHGetMalloc.SHELL32(00538438), ref: 0050AC70

Strings

riched20.dll, xrefs: 0050AC1E
3Ro, xrefs: 0050AC47

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 3d87c0e81d857da45779c6fa5b8c95167e4c4eaa8cfbff551a5553d905821808
Instruction ID: 770c81754fb29718ab630807f74bf879555bca4c44e69dfd25f87e468c73e6ef
Opcode Fuzzy Hash: 3d87c0e81d857da45779c6fa5b8c95167e4c4eaa8cfbff551a5553d905821808
Instruction Fuzzy Hash: AAF0F9B190020AABCB10AFA9D8499EFFFFCFF94745F00415AA415A2291DBB456058FA1

Function 004F98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,004F7760,?,00000005,?,00000011), ref: 004F995F
GetLastError.KERNEL32(?,?,004F7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004F996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,004F7760,?,00000005,?), ref: 004F99A2
GetLastError.KERNEL32(?,?,004F7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004F99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,004F7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004F99F9

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 5441dfc82b33b9a36f9902662eba2af0b59bdbbdf6473ec315adf2203ed6e8ec
Instruction ID: 8f7bd85ff98b864e771884a19fa1a85c48e39e37c4e908ac6803e13c149085cf
Opcode Fuzzy Hash: 5441dfc82b33b9a36f9902662eba2af0b59bdbbdf6473ec315adf2203ed6e8ec
Instruction Fuzzy Hash: 603116705447496FE7309F24CC49FABBB94BB45320F110B1EF6A1963D0D3E86945CB99

Function 0050B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
IsDialogMessageW.USER32(00010424,?), ref: 0050B59E
TranslateMessage.USER32(?), ref: 0050B5AC
DispatchMessageW.USER32(?), ref: 0050B5B6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 462ca71fdbade76733d458df7bdf77318ccd3934a21a53bd6e7bdfc4da414aa5
Instruction ID: 460f73148a31ef5d3a175802d1d51d0c30a17404ade6b5202561a30917fc65d3
Opcode Fuzzy Hash: 462ca71fdbade76733d458df7bdf77318ccd3934a21a53bd6e7bdfc4da414aa5
Instruction Fuzzy Hash: 9CF0BD71A0131AABDB209BE5DC5CDDF7FBCEE153917004415B509D20A0EB74D609DBB0

Function 0050ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0050ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0050ABF9

Part of subcall function 00501FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,004FC116,00000000,.exe,?,?,00000800,?,?,?,00508E3C), ref: 00501FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0050ABE9

Strings

EDIT, xrefs: 0050ABCD, 0050ABD8, 0050ABE5

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: b04bd5e237845daa38cb4a1e3ae63ba0c2c8ab93eb795a441145ae05f4b89a3d
Instruction ID: 731202ac02d571cd38ac057efb8d897b137ef200eccee2878db56e1e16242f56
Opcode Fuzzy Hash: b04bd5e237845daa38cb4a1e3ae63ba0c2c8ab93eb795a441145ae05f4b89a3d
Instruction Fuzzy Hash: B4F0A73270032977DB2057249C0EFDF7AACAF46B51F484011BA05F31D0D760DE4995B6

Function 0050DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0050DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0050DC30

Strings

sfxcmd, xrefs: 0050DBEF
sfxpar, xrefs: 0050DC2B

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 268e01b862d7d404a7b62711810c84c5881f7766920b4f876526d0495aecb009
Instruction ID: 891ad38259985be153faa01c624f9873ef9ce0de81c642d797fb4645bcd1f43b
Opcode Fuzzy Hash: 268e01b862d7d404a7b62711810c84c5881f7766920b4f876526d0495aecb009
Instruction Fuzzy Hash: 92F0A77240523566DB311BD4DC0ABFE3F68BF15781B040411BD85960D1E6B48D51D6B0

Function 004F9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004F9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004F97AD
GetLastError.KERNEL32 ref: 004F97DF
GetLastError.KERNEL32 ref: 004F97FE

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: d3db1b3f438a0addc07b7d1fdfa33f9f069dbe3cbfcf9342c0900bc4df8e4780
Instruction ID: d68e8fba5b0b35b81e7c518f74338e0d2a6dbabacd68883947ae922537c599cd
Opcode Fuzzy Hash: d3db1b3f438a0addc07b7d1fdfa33f9f069dbe3cbfcf9342c0900bc4df8e4780
Instruction Fuzzy Hash: CA11733052430CEBDF317F65C804B7A77A9BF52360F10852BE61685290D77C9E459B69

Function 0051AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00513F73,00000000,00000000,?,0051ACDB,00513F73,00000000,00000000,00000000,?,0051AED8,00000006,FlsSetValue), ref: 0051AD66
GetLastError.KERNEL32(?,0051ACDB,00513F73,00000000,00000000,00000000,?,0051AED8,00000006,FlsSetValue,00527970,FlsSetValue,00000000,00000364,?,005198B7), ref: 0051AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0051ACDB,00513F73,00000000,00000000,00000000,?,0051AED8,00000006,FlsSetValue,00527970,FlsSetValue,00000000), ref: 0051AD80

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 42f5faaa48b0f9a96f2c089d9bb672a511348557ba034beeeeb277375882bd9f
Instruction ID: 885dc89996a72f5e926f876be62148226556201342b2486ac6a574da7419fde6
Opcode Fuzzy Hash: 42f5faaa48b0f9a96f2c089d9bb672a511348557ba034beeeeb277375882bd9f
Instruction Fuzzy Hash: 47014C36202622ABD7338A68BC449D77F58FF267637140620F806D3550D720C84586E1

Function 0051BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 005197E5: GetLastError.KERNEL32(?,00531030,00514674,00531030,?,?,00513F73,00000050,?,00531030,00000200), ref: 005197E9
Part of subcall function 005197E5: _free.LIBCMT ref: 0051981C
Part of subcall function 005197E5: SetLastError.KERNEL32(00000000,?,00531030,00000200), ref: 0051985D
Part of subcall function 005197E5: _abort.LIBCMT ref: 00519863

Part of subcall function 0051BB4E: _abort.LIBCMT ref: 0051BB80
Part of subcall function 0051BB4E: _free.LIBCMT ref: 0051BBB4

Part of subcall function 0051B7BB: GetOEMCP.KERNEL32(00000000,?,?,0051BA44,?), ref: 0051B7E6

_free.LIBCMT ref: 0051BA9F
_free.LIBCMT ref: 0051BAD5

Strings

pR, xrefs: 0051BAC9

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: pR
API String ID: 2991157371-2883592124
Opcode ID: 8a9cc6184ab7eea1d0b74f1b60d26e763dfe32f0294678dd1548f68df706d245
Instruction ID: aa864410ad8b476ca7c7265721ad49ce183de56a5c981e91639dd75cc7316c44
Opcode Fuzzy Hash: 8a9cc6184ab7eea1d0b74f1b60d26e763dfe32f0294678dd1548f68df706d245
Instruction Fuzzy Hash: 20318431904209AFFB10DBA8D445BED7FF5FF81320F254099E5049B2A2EB315D81DB50

Function 0050E532 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

2P, xrefs: 0050E532
PDu<P, xrefs: 0050E519

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 2P$PDu<P
API String ID: 1269201914-2500406688
Opcode ID: fa5257daf36aa27df89af41b256908473e2d74b6d98b73bdc7d1c3f234609d7d
Instruction ID: c5a9fa32a5cac4891e61dc61883a16b83ad914d181d512a1334fec5df6137643
Opcode Fuzzy Hash: fa5257daf36aa27df89af41b256908473e2d74b6d98b73bdc7d1c3f234609d7d
Instruction Fuzzy Hash: BAB012D22585017DB204510C2C1BD3F0D4DFBC6F113308C2FF808C00C1F8401C050431

Function 0050E528 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

(P, xrefs: 0050E528
PDu<P, xrefs: 0050E519

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (P$PDu<P
API String ID: 1269201914-2960419716
Opcode ID: c311928b7b3ff2cd8722882ee63d02f125f4031ba8e725312df4fa17b61e3b8f
Instruction ID: 71ccab0ad0b65082af25b5eeb22907cf794ff7ebfcc70f8f4f294d086710b3c9
Opcode Fuzzy Hash: c311928b7b3ff2cd8722882ee63d02f125f4031ba8e725312df4fa17b61e3b8f
Instruction Fuzzy Hash: EBB092922585416CA24451082D1BC3E4D49EAC6B113308C2FB808C00C1A8401C060431

Function 004F9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,004FD343,00000001,?,?,?,00000000,0050551D,?,?,?), ref: 004F9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0050551D,?,?,?,?,?,00504FC7,?), ref: 004F9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,004FD343,00000001,?,?), ref: 004FA011

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7e68c5a30d0a54c90b5c03c96ea56ad6d9ae7b4d12813bc5e7884053fd38c203
Instruction ID: 5dabb2474d6097961b80cdc8d57ccc8b35173957cd9f0e5c6be9348a6e5f5ebb
Opcode Fuzzy Hash: 7e68c5a30d0a54c90b5c03c96ea56ad6d9ae7b4d12813bc5e7884053fd38c203
Instruction Fuzzy Hash: 4E319F7120430AAFDB14CF20E808B7B77A5EF85715F04451AFA4597290CB79AD49CBAB

Function 004FA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004FC27E: _wcslen.LIBCMT ref: 004FC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA30C
GetLastError.KERNEL32(?,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA329

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 7dac5325df2fb0ac6cf2e8ad128b70bed2db92dd756a491137dd92e9daedc707
Instruction ID: f84004a67f16cc771003a7321e877caf84efe4a135354a20dac1244216bbd36c
Opcode Fuzzy Hash: 7dac5325df2fb0ac6cf2e8ad128b70bed2db92dd756a491137dd92e9daedc707
Instruction Fuzzy Hash: F401F9B560021C59EF219B718C49BFF3388DF0A384F04045AFF05D2281D75CCA9196BB

Function 0051B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0051B8B8

Strings

, xrefs: 0051B8FD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: bee4ac98695ee3b7c968663795460145c3e6ab5b3fc1049d5ef18dd156c56357
Instruction ID: 1f161bbbe0179fa7050edee51acf6660933da162594569a345f429b1419cbd29
Opcode Fuzzy Hash: bee4ac98695ee3b7c968663795460145c3e6ab5b3fc1049d5ef18dd156c56357
Instruction Fuzzy Hash: F641D87050428C9AFB228E648C84BF6BFBDFF55304F1408EDE59A86142D335AA86DF60

Function 0051AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0051AFDD

Strings

LCMapStringEx, xrefs: 0051AF7D, 0051AF87

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 6bd78d4abc8539a25e894a128066d6a2bb4942227c9d701ffc5629c90d9d0748
Instruction ID: 6450db2f34c80bdc9900b459f6515fecaabe62a07e8b707884e07d445ac440b0
Opcode Fuzzy Hash: 6bd78d4abc8539a25e894a128066d6a2bb4942227c9d701ffc5629c90d9d0748
Instruction Fuzzy Hash: EB01023650521ABBDF129F90EC06DEE7F62FF4D750F014158FA14261A0CA368AA2AB81

Function 0051AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0051A56F), ref: 0051AF55

Strings

InitializeCriticalSectionEx, xrefs: 0051AF1B, 0051AF25

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 641d945ff3f991fc3d5db879b4aa3640e9173820f144a271d315ead128e7fd14
Instruction ID: 72246dcb9f8a62eb3bffbe7c5ec2102c6584b9776445e307d38bd8d2a7df6919
Opcode Fuzzy Hash: 641d945ff3f991fc3d5db879b4aa3640e9173820f144a271d315ead128e7fd14
Instruction Fuzzy Hash: 1BF0B43564621CBBCB129F50DC07CAE7F61FF59711B004054FC08562A0DA714E51ABC5

Function 0051ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0051ADEE

Strings

FlsAlloc, xrefs: 0051ADC0, 0051ADCA

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: dc97c3a4f8457ffff857db3d36a03685d2a0c60f5cc413206ff95bd5c80b36b2
Instruction ID: 92cb943da5ee90e7b40f19aa4bf9b27e9309fb09b975a537fe06b1fd15b403c4
Opcode Fuzzy Hash: dc97c3a4f8457ffff857db3d36a03685d2a0c60f5cc413206ff95bd5c80b36b2
Instruction Fuzzy Hash: 6EE0553064232CBBD322AB24EC079AEBF50FF5AB20B000098F80093280CD744E8296C6

Function 0050E1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 031ac59e3e520a557eecee9098fec5475fcb441d8d821df34431b73982a48c17
Instruction ID: b4fda5caa704d96927f24e7a4f7dab4c29aa536ea8822e403a5e2a81fe04f616
Opcode Fuzzy Hash: 031ac59e3e520a557eecee9098fec5475fcb441d8d821df34431b73982a48c17
Instruction Fuzzy Hash: 77B092A625C901AC620411556827C3F0D0CEAC2B113308C3ABC05C08C19850AC054431

Function 0050E1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: e93c27a34f70b7b1595150d542d64b16f442cb8dd7cc0c15db0002c7c97599cf
Instruction ID: d6ab59431a995fd477014f50548cf30879ba17a27ebe1b8980866e66884ab57e
Opcode Fuzzy Hash: e93c27a34f70b7b1595150d542d64b16f442cb8dd7cc0c15db0002c7c97599cf
Instruction Fuzzy Hash: 5CB092A225D801AC620452152817C3E0D4CEAC2B11330C82ABC09C01C19850A8094831

Function 0050E1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: afc3d1f0b3eb5e2767b35a9eccdaf10d4f832c58ffd6e2e95e87801eb3d1eeb0
Instruction ID: e1b8a3d72727d9c153712d48abd7afc3fbda75c208b8522c3bd89a7ac662d0f7
Opcode Fuzzy Hash: afc3d1f0b3eb5e2767b35a9eccdaf10d4f832c58ffd6e2e95e87801eb3d1eeb0
Instruction Fuzzy Hash: F9B092A625C901AC720451696817C3F0D4CFAC2B11330883AB809C04C19850AC054531

Function 0050E250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 23775096d1207fb149daa0ea88c81cc84f51360f96a37fcd704f9e5a697aaba0
Instruction ID: c208235e048d9f2c96489025d9ebf12bc02b6e13448083045a08a7d73885826e
Opcode Fuzzy Hash: 23775096d1207fb149daa0ea88c81cc84f51360f96a37fcd704f9e5a697aaba0
Instruction Fuzzy Hash: 6FB092B225D941AC624552152817C3E0D4DEAC2B11330892AB809C00C19850A8494431

Function 0050E246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 0aca192835326febae29d3c3a51a899c8925b452a69297b2db52341975c37506
Instruction ID: a7cc360c82e0829bd15e57a5dd3d9a761890bbcc362f487b0434b08056a7fd8d
Opcode Fuzzy Hash: 0aca192835326febae29d3c3a51a899c8925b452a69297b2db52341975c37506
Instruction Fuzzy Hash: 43B092A225D841AC620451152817C3E0D4DEAC2B11330882ABC09C00C19850A8054431

Function 0050E264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 5f79c896c02d09cadca75448928fcf9121f9cd9bd6445d8a56aefc5d6482b715
Instruction ID: 8e33f6cbb8c3eb6807aa140481a00785b54221707842cafd4b84429110d8698f
Opcode Fuzzy Hash: 5f79c896c02d09cadca75448928fcf9121f9cd9bd6445d8a56aefc5d6482b715
Instruction Fuzzy Hash: C8B092A226D841AC720451252817C3E0D8DFAC2B11330882AB80AC00C19850A8054431

Function 0050E26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 30687e46d8d4f5a8c9aa4e5f6d91a60bc0def3c4bebbadd8ecccbb11842be9d0
Instruction ID: 861192190751e27255c47d883f6d672abb2e97019bbf24d3a5271e2eacb73383
Opcode Fuzzy Hash: 30687e46d8d4f5a8c9aa4e5f6d91a60bc0def3c4bebbadd8ecccbb11842be9d0
Instruction Fuzzy Hash: 3FB092A225C801AC620451662817C3E0D8CEAC2B11330882ABC09C00C19850A8054431

Function 0050E21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 66b873eef37f0fdbc0a98211b8d049a584c7b0ce86da0c02fb26ad338a186963
Instruction ID: 1c953dbbfcd95e5768fc8eebe19795e52b8fb2d2577f1e062e852846c8e20d1f
Opcode Fuzzy Hash: 66b873eef37f0fdbc0a98211b8d049a584c7b0ce86da0c02fb26ad338a186963
Instruction Fuzzy Hash: 98B092B225C901AC620451152817C3E0D4CEAC2B11330882ABC09C00C19850A9054431

Function 0050E200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: a8c9057f4bc76bdf21e00274251a2a9ab018e356f2d8862ffb0eaad9091fd2b3
Instruction ID: 2ab66f687ff4d4922b7b09d0fd489c3496a2b3ba43ba9d7b3417849f28d78d68
Opcode Fuzzy Hash: a8c9057f4bc76bdf21e00274251a2a9ab018e356f2d8862ffb0eaad9091fd2b3
Instruction Fuzzy Hash: 7BB092A235C941AC624552152817C3E0D4CEAC2B11330892AB809C01C19850A8494831

Function 0050E20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD, 0050E20A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 654cb87db6b09a81a63750021144e0aa1517226f2e6c69240a0889b0be4c3b76
Instruction ID: 0628c8545bdb036bcecb1e01d2e1373bacc7cc092387fa8034cac2061800648d
Opcode Fuzzy Hash: 654cb87db6b09a81a63750021144e0aa1517226f2e6c69240a0889b0be4c3b76
Instruction Fuzzy Hash: 3FB092A225C801AC620452152917C3E0D4CEAC2B11330882AB809C01C19860A90A4831

Function 0050E232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: ab981a02f124a411a5e5a224c33c6e5c421e31406c20558dee8aa54efd98c7ec
Instruction ID: e71871dca9195df0b605157a67ca56f6067cbac75b50a818139a6517b29f036a
Opcode Fuzzy Hash: ab981a02f124a411a5e5a224c33c6e5c421e31406c20558dee8aa54efd98c7ec
Instruction Fuzzy Hash: 6FB092B225C801AC620451152917C3E0D4CEAC2B11330882AB809C00C1E850AA064431

Function 0050E23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 4a7bcfe77112e58084627a7ac8afbd79c975f77439e0fe4c8322f06e394af278
Instruction ID: f81365da1fd8bfeeaad71eaaa6ba2d8bab2ab79f48f15c3ba9da7ffb38eefbd3
Opcode Fuzzy Hash: 4a7bcfe77112e58084627a7ac8afbd79c975f77439e0fe4c8322f06e394af278
Instruction Fuzzy Hash: A8B092B225C801AC720451262817C3E0D4CFAC2B11330882AB809C00C19850A9054431

Function 0050E228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 5da0c1dcb5e6aaefdd9264a895eb87a5a355b34ed409781d088ce8c378eae771
Instruction ID: 99932ceef9a20ec3c7d7d01e23fcf2d4d945cdeb5e12a743a1b919e03194f414
Opcode Fuzzy Hash: 5da0c1dcb5e6aaefdd9264a895eb87a5a355b34ed409781d088ce8c378eae771
Instruction Fuzzy Hash: 97B092B225C901AC624551152817C3E0D4CEAC2B11330892AB809C00C19850A9454431

Function 0050EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050EAF9

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

3Ro, xrefs: 0050EAE7, 0050EAF3

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 593b266668319c99d24f4da36d2030769880447477d6f9925dd016f8797e57f9
Instruction ID: d0fcf8b7bbe9348d5472c33df765ef750b3cae981658e26f6258029d924a4254
Opcode Fuzzy Hash: 593b266668319c99d24f4da36d2030769880447477d6f9925dd016f8797e57f9
Instruction Fuzzy Hash: 37B0928729A552BCA204A244291FC3E0D09FAC1B91330882AF804840E2988019060431

Function 0050E282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: ca2600c530f79b8b61820d5a4f9b8228c6d7287380bba0aede2f1e3dd484e15c
Instruction ID: b3d03ab7db7c6913a81a6c4d7cc44d953489ab74d97b9cb12d1be9e9c0053013
Opcode Fuzzy Hash: ca2600c530f79b8b61820d5a4f9b8228c6d7287380bba0aede2f1e3dd484e15c
Instruction Fuzzy Hash: 5DB092B225C801AC620451562917C3E0D8CEAC2B11330882AB809C00C19850A9064431

Function 0050E546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

PDu<P, xrefs: 0050E519, 0050E546

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<P
API String ID: 1269201914-1790169076
Opcode ID: 74587ca4c5cdd5e1754682ea36be6e79e8a115c07e0a40c8991618e6096f75e7
Instruction ID: 2ba2f03672dfb3753b7eab67a92042ec9a97c6a9ba85592a087f793d5f020655
Opcode Fuzzy Hash: 74587ca4c5cdd5e1754682ea36be6e79e8a115c07e0a40c8991618e6096f75e7
Instruction Fuzzy Hash: 9AB092922586017CA20451086C1BC3E0D49EAC6B113308E2BB808C00C1A8402C490431

Function 0050E50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

PDu<P, xrefs: 0050E519

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<P
API String ID: 1269201914-1790169076
Opcode ID: 0ffbb9bebbfb31e0c7bf17a3a02f7bff41d444b3eeabdd8fc58ebc3e3f71107f
Instruction ID: fc183e0288001211bbf50d4ed6cebe2b471c76b62859913a7123a73b4499a41b
Opcode Fuzzy Hash: 0ffbb9bebbfb31e0c7bf17a3a02f7bff41d444b3eeabdd8fc58ebc3e3f71107f
Instruction Fuzzy Hash: 47B012D32585017CB20411282C1FC3F0D0DFAC2F113308C3FF814C04C2B8401D090431

Function 0050E593 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E580

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

FjunP, xrefs: 0050E57A, 0050E593

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjunP
API String ID: 1269201914-2738844368
Opcode ID: 7332fafafbe8362eeebf5e356949fe9ae1e519ffcdb2ae87d55225cd595f67f6
Instruction ID: 7ae8ed3e8fabe16784eca67e15da073b8b8554c489213332516f19b27b174bc5
Opcode Fuzzy Hash: 7332fafafbe8362eeebf5e356949fe9ae1e519ffcdb2ae87d55225cd595f67f6
Instruction Fuzzy Hash: A0B012D22594117D720891783D1BC3F0D4DFBC1B113308D2FF808C10C1E8401C090431

Function 0050E5B1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E580

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

FjunP, xrefs: 0050E57A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjunP
API String ID: 1269201914-2738844368
Opcode ID: 79c44328528fa5183ee08e86dd29a2bf3d41227a235b091e71178dc206862af5
Instruction ID: 26fe7843cd3b40a4ea0759d00bb7c729765bf904c420bc5c6c3128a68d3596f7
Opcode Fuzzy Hash: 79c44328528fa5183ee08e86dd29a2bf3d41227a235b091e71178dc206862af5
Instruction Fuzzy Hash: ABB012E22595117C724891687D1BC3F0D5DFAC1B113308F2FF808C10C1EC402C490431

Function 0050E5A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E580

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

FjunP, xrefs: 0050E57A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjunP
API String ID: 1269201914-2738844368
Opcode ID: 04eb1cafff0429958131841505b699718e61a5586aaf5cb756b70a6cfcc0b972
Instruction ID: 309bfef4a22767a260b8977bf7ac7336dceee6ccb208530acdda810442f74f0b
Opcode Fuzzy Hash: 04eb1cafff0429958131841505b699718e61a5586aaf5cb756b70a6cfcc0b972
Instruction Fuzzy Hash: 75B012E22594117C720891687E1BC3F0D5DFAC1B113308F2FF808C10C1EC401D1A0431

Function 0050E25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 57954297aa0625ff6f80cba51a2013789c320ec9906a229deefe1653219c4892
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 57954297aa0625ff6f80cba51a2013789c320ec9906a229deefe1653219c4892
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 797d170f38f984ea00eafe81161ec4f84eb96718973fb5c20c2bdf9d4850e1fa
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 797d170f38f984ea00eafe81161ec4f84eb96718973fb5c20c2bdf9d4850e1fa
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 59918c126c881f1932565d43fa9b16de05ad10a258bbd6b20489360f987ae6b6
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 59918c126c881f1932565d43fa9b16de05ad10a258bbd6b20489360f987ae6b6
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: c2bad6e49a20b8b6bc44571f78cc55f593309c1e590808eb2ed62a015e00c904
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: c2bad6e49a20b8b6bc44571f78cc55f593309c1e590808eb2ed62a015e00c904
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 3dfaecaf18a28eb17f0173f69e124787ad9d237b6fe876bde11239c5132f021a
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 3dfaecaf18a28eb17f0173f69e124787ad9d237b6fe876bde11239c5132f021a
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 5dc3ddb33b93f993afb52ea18d9a3e50c35ff66a4a734f0f6407923471e99444
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 5dc3ddb33b93f993afb52ea18d9a3e50c35ff66a4a734f0f6407923471e99444
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 9579733a3faf3367803f42598ec03c2d5108239c0f4abd8b7bfd459abb9904fc
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 9579733a3faf3367803f42598ec03c2d5108239c0f4abd8b7bfd459abb9904fc
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 6b67e1cebb86c88c8f37988a6ab3c58a644654ab1ae48f56285ef863711c6054
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 6b67e1cebb86c88c8f37988a6ab3c58a644654ab1ae48f56285ef863711c6054
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 53e1ed55aa10ad76db79ab41d69d882d40502b80836062a83809812355fbeade
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 53e1ed55aa10ad76db79ab41d69d882d40502b80836062a83809812355fbeade
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: cc5456fb249a3aae30068dcd99b7a6e93e15e72b9462950fed166d6d1c333c64
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: cc5456fb249a3aae30068dcd99b7a6e93e15e72b9462950fed166d6d1c333c64
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E1E3

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

P, xrefs: 0050E1DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: P
API String ID: 1269201914-4136404734
Opcode ID: 19e7753c5a16446b65bf9dfda569c9efc03bc39de2433e779e8cf2a8f49818ed
Instruction ID: d79b85e88b80c3dcf65ec97c1a9d3cf3ce8d4d0ef3bef9206761882a141c6ae8
Opcode Fuzzy Hash: 19e7753c5a16446b65bf9dfda569c9efc03bc39de2433e779e8cf2a8f49818ed
Instruction Fuzzy Hash: 2FA001F62AD952BCB11962526D1BC3F0E1DEAC6B613318D2EF816C44C2A8A0A8465871

Function 0050E555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

PDu<P, xrefs: 0050E519

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<P
API String ID: 1269201914-1790169076
Opcode ID: 3295c91307fcaa54da7b01f9dc1dcfd5559abf99c1805dc0e9816a7d44004440
Instruction ID: c34b8b03805b8aba5d711604d79d105b9c9b51615f84318ba1468fe79d2107a8
Opcode Fuzzy Hash: 3295c91307fcaa54da7b01f9dc1dcfd5559abf99c1805dc0e9816a7d44004440
Instruction Fuzzy Hash: C6A011E22A8802BCB00822082C0BC3F0E0EEACAF203308C2EF802800C2B8802C020830

Function 0050E55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

PDu<P, xrefs: 0050E519

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<P
API String ID: 1269201914-1790169076
Opcode ID: 67142b52031f2d7260855fbe7469b7264bafa5db8622c0b65198de9c1f9a3f2b
Instruction ID: c34b8b03805b8aba5d711604d79d105b9c9b51615f84318ba1468fe79d2107a8
Opcode Fuzzy Hash: 67142b52031f2d7260855fbe7469b7264bafa5db8622c0b65198de9c1f9a3f2b
Instruction Fuzzy Hash: C6A011E22A8802BCB00822082C0BC3F0E0EEACAF203308C2EF802800C2B8802C020830

Function 0050E541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

PDu<P, xrefs: 0050E519

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<P
API String ID: 1269201914-1790169076
Opcode ID: a3bdc1c0e400dd7e44ab5fcf221af6052fcc75c2379b698d992d70c832fcc0f5
Instruction ID: c34b8b03805b8aba5d711604d79d105b9c9b51615f84318ba1468fe79d2107a8
Opcode Fuzzy Hash: a3bdc1c0e400dd7e44ab5fcf221af6052fcc75c2379b698d992d70c832fcc0f5
Instruction Fuzzy Hash: C6A011E22A8802BCB00822082C0BC3F0E0EEACAF203308C2EF802800C2B8802C020830

Function 0050E573 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E580

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

FjunP, xrefs: 0050E57A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjunP
API String ID: 1269201914-2738844368
Opcode ID: 63b451f04d782e42b3ee309181c8a45fc948e7b5f039e4f08ac29f0abb7d5a3f
Instruction ID: ed6b41b26555aaca44f84d618bacc25d7b0ee1830d9900574b5ee21bfaf1cf10
Opcode Fuzzy Hash: 63b451f04d782e42b3ee309181c8a45fc948e7b5f039e4f08ac29f0abb7d5a3f
Instruction Fuzzy Hash: EAA012D21950113C700851603D0BC3F0D0DE9C1B113308E1DF400800C1684018050430

Function 0050E569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E51F

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

PDu<P, xrefs: 0050E519

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<P
API String ID: 1269201914-1790169076
Opcode ID: e50af5574f079c165b6cd6ed5eff30d5f316093a71fb139827e341bf9df46ece
Instruction ID: c34b8b03805b8aba5d711604d79d105b9c9b51615f84318ba1468fe79d2107a8
Opcode Fuzzy Hash: e50af5574f079c165b6cd6ed5eff30d5f316093a71fb139827e341bf9df46ece
Instruction Fuzzy Hash: C6A011E22A8802BCB00822082C0BC3F0E0EEACAF203308C2EF802800C2B8802C020830

Function 0050E58E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E580

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

FjunP, xrefs: 0050E57A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjunP
API String ID: 1269201914-2738844368
Opcode ID: 5eab6cd53a1e2d184909abb962325ba17cad85febe18e2a1c673ee96c5829b8d
Instruction ID: 55429c0c7b60756424372addcc3436fff2c9995ff886d77c94071dd905026c88
Opcode Fuzzy Hash: 5eab6cd53a1e2d184909abb962325ba17cad85febe18e2a1c673ee96c5829b8d
Instruction Fuzzy Hash: 99A012D21590127C700851503D0BC3F0D0DE9C1B103308D1DF401800C1684018050430

Function 0050E5A2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E580

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

FjunP, xrefs: 0050E57A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: FjunP
API String ID: 1269201914-2738844368
Opcode ID: 4e25d9cd69d07d561dd8545f8fa3fe88540d7602272eef1f13cd97ed2be9f18a
Instruction ID: 55429c0c7b60756424372addcc3436fff2c9995ff886d77c94071dd905026c88
Opcode Fuzzy Hash: 4e25d9cd69d07d561dd8545f8fa3fe88540d7602272eef1f13cd97ed2be9f18a
Instruction Fuzzy Hash: 99A012D21590127C700851503D0BC3F0D0DE9C1B103308D1DF401800C1684018050430

Function 0051BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0051B7BB: GetOEMCP.KERNEL32(00000000,?,?,0051BA44,?), ref: 0051B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0051BA89,?,00000000), ref: 0051BC64
GetCPInfo.KERNEL32(00000000,0051BA89,?,?,?,0051BA89,?,00000000), ref: 0051BC77

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 544a3329eb140045f6bbb3ec2eb7cea8e06f984ee8343356ea19d5874a0c9a90
Instruction ID: 7ae776e14ba57a15452f659bf4ff3f7102c211545d187cb836730e770eae4c1e
Opcode Fuzzy Hash: 544a3329eb140045f6bbb3ec2eb7cea8e06f984ee8343356ea19d5874a0c9a90
Instruction Fuzzy Hash: F15135749002469EFB289F35C8857FABFF5FF42304F1844AED4968B292D7349985CB90

Function 004F9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,004F9A50,?,?,00000000,?,?,004F8CBC,?), ref: 004F9BAB
GetLastError.KERNEL32(?,00000000,004F8411,-00009570,00000000,000007F3), ref: 004F9BB6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ac4a475ffad7a80844827ca2e39f39db7280d14e5dd832a7851f59b4333e654b
Instruction ID: b375855a3f1e1d36bbf3bcaced30ec76ffa7c71635f1f79846bd6d95967bb3c0
Opcode Fuzzy Hash: ac4a475ffad7a80844827ca2e39f39db7280d14e5dd832a7851f59b4333e654b
Instruction Fuzzy Hash: 5741CD30A043498BDB24DF15E58467BB7E5FFD5310F148A2FEA8183360D778BC498A59

Function 004F1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F1E55

Part of subcall function 004F3BBA: __EH_prolog.LIBCMT ref: 004F3BBF

_wcslen.LIBCMT ref: 004F1EFD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: acba8541be7cc85b7efbc2a0cf5c61ce45be36bc78ef8793ecf99cd89cec13b4
Instruction ID: 9a8c86e73052a0c9738743250ba5cedb508b08e507c53706b0c0c3b576494b7a
Opcode Fuzzy Hash: acba8541be7cc85b7efbc2a0cf5c61ce45be36bc78ef8793ecf99cd89cec13b4
Instruction Fuzzy Hash: 2F316B71904209EFCF15EF99C955AEEBBF5BF48304F10006EE945A7261CB365E00CB65

Function 004F9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004F73BC,?,?,?,00000000), ref: 004F9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 004F9E70

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 4733a6c1c568a16c2cac273798cac508c63cd16c5271ed8971f0c5358d24b936
Instruction ID: 1e73a8a0e289972e0f52e461f8d18969667d5331d9cda157369eb99c78efde3e
Opcode Fuzzy Hash: 4733a6c1c568a16c2cac273798cac508c63cd16c5271ed8971f0c5358d24b936
Instruction Fuzzy Hash: EA21EE3124824AABC714CF24C895BBBBBE8AF91304F08481EF5C583681D32CED0D9B66

Function 004F966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,004F9F27,?,?,004F771A), ref: 004F96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,004F9F27,?,?,004F771A), ref: 004F9716

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 64e1af50dc3d495845952ad83bddc38ed27acafe9b916fddbb6cf03d95095e28
Instruction ID: 212d84b40ef7b5f41d04a28be7bdb69c1c8a18a6086eade3f498f84cf9543e71
Opcode Fuzzy Hash: 64e1af50dc3d495845952ad83bddc38ed27acafe9b916fddbb6cf03d95095e28
Instruction Fuzzy Hash: 1C21CF71500348AFF3309A65CC89BB7B7DCEB59324F100A1AFA95C26D1C778AC859675

Function 004F9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 004F9EC7
GetLastError.KERNEL32 ref: 004F9ED4

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 180097cf8dd5ea62092ccc6ad26953a93201754e6e1a59c69e150daab091bef0
Instruction ID: 3789062f2375de9b7d3e59a588ac5cd07908aaec767293aa92c15aea8b4516d8
Opcode Fuzzy Hash: 180097cf8dd5ea62092ccc6ad26953a93201754e6e1a59c69e150daab091bef0
Instruction Fuzzy Hash: 3111E930600708ABD734DA34C884BB7B7E9AB45360F50462BE253D26E0D778ED4AC765

Function 00518E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00518E75

Part of subcall function 00518E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0051CA2C,00000000,?,00516CBE,?,00000008,?,005191E0,?,?,?), ref: 00518E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00531098,004F17CE,?,?,00000007,?,?,?,004F13D6,?,00000000), ref: 00518EB1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 84af773df39bac6b28eedb05541405b21695d49ec1a9e7927916b71b349ee06c
Instruction ID: e4809763359cb7292af7deed3c8f4080231f19a0176cbcea32f6f414a3dcdf7d
Opcode Fuzzy Hash: 84af773df39bac6b28eedb05541405b21695d49ec1a9e7927916b71b349ee06c
Instruction Fuzzy Hash: 4DF0C23260120666FB312A25AC08BFF3F5CBFD2B70F244725F914AA191DF618DC091A1

Function 0050109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 005010AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 005010B2

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: dab2438caaf1285da5d1876a12e9cc415a7d2eaaf0a30c70944e9a11c9d5120f
Instruction ID: 6544beecc1ef766d0d532c8e9d9b43f6357d103c7a7de52265c125395b00bc70
Opcode Fuzzy Hash: dab2438caaf1285da5d1876a12e9cc415a7d2eaaf0a30c70944e9a11c9d5120f
Instruction Fuzzy Hash: 94E09A32B0094AA7CF198BA49C2D8AF7AEEFB543443208179E443E3141F934EE464AA5

Function 004FA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,004FA325,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA501

Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004FA325,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA532

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 0d1d4fbf53cefe337d286d46798ce50fcc621865f8dd350528815f7e67d3c239
Instruction ID: 328333cef3696410d7c29f8c7e7c705158faecfe5c00dc42f19d7970f2e34fed
Opcode Fuzzy Hash: 0d1d4fbf53cefe337d286d46798ce50fcc621865f8dd350528815f7e67d3c239
Instruction Fuzzy Hash: 4EF0A03220020DBBDF015F60DC09FEA376DBF14385F448051B948D5160DB35DAD9EB64

Function 004FA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,004F977F,?,?,004F95CF,?,?,?,?,?,00522641,000000FF), ref: 004FA1F1

Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,004F977F,?,?,004F95CF,?,?,?,?,?,00522641), ref: 004FA21F

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 0635048e8adf66184eca997ff1ba807401ff826bc940b90e75109fbaa38681cf
Instruction ID: 8603a0be111b61857d601880551fe2102c7d1d9d14c8b8b2fd6f8d9baa74b58c
Opcode Fuzzy Hash: 0635048e8adf66184eca997ff1ba807401ff826bc940b90e75109fbaa38681cf
Instruction Fuzzy Hash: F7E022312002096BEB009F20DC09FEA379CFF083C5F080062BA08D2150EB25EED9EA68

Function 0050AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00522641,000000FF), ref: 0050ACB0
CoUninitialize.COMBASE(?,?,?,?,00522641,000000FF), ref: 0050ACB5

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: e64ea2d697441c3b265be847a8e4c83b2250e577d0255035687df81c7938e592
Instruction ID: ded5a7b2cdde21b746613cd7c8eb97a96d4a97db64cdff89eebe2317b25bb52c
Opcode Fuzzy Hash: e64ea2d697441c3b265be847a8e4c83b2250e577d0255035687df81c7938e592
Instruction Fuzzy Hash: 6FE06D76604A50EFCB119B58DC06B49FFA8FB89B20F10426AF416D37B0CF74B801CA90

Function 004FA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,004FA23A,?,004F755C,?,?,?,?), ref: 004FA254

Part of subcall function 004FBB03: _wcslen.LIBCMT ref: 004FBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,004FA23A,?,004F755C,?,?,?,?), ref: 004FA280

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d73f188fa2d67010de632fdb553c12f106f2b1c2ed6904e4ca4a86e94b10cb33
Instruction ID: b337e14ee19360c40400a1e5c72d8c2502fcfbf30c8e948ef85bd8b3691365b9
Opcode Fuzzy Hash: d73f188fa2d67010de632fdb553c12f106f2b1c2ed6904e4ca4a86e94b10cb33
Instruction Fuzzy Hash: 5EE09B7150011897CB20AB64CC09BE97758BB193D1F044262FE44E3290D775DD45C6E5

Function 0050DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0050DEEC

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

SetDlgItemTextW.USER32(00000065,?), ref: 0050DF03

Part of subcall function 0050B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
Part of subcall function 0050B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
Part of subcall function 0050B568: IsDialogMessageW.USER32(00010424,?), ref: 0050B59E
Part of subcall function 0050B568: TranslateMessage.USER32(?), ref: 0050B5AC
Part of subcall function 0050B568: DispatchMessageW.USER32(?), ref: 0050B5B6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 56cfb7b2c80465818c11cf8b5a917368ee556eb9ca101ba1c4094e8eb53a289e
Instruction ID: 4e456abd90ec69a87d72a605bf0bdcc964ba2f06edbe828f89b0c0eb08cd9f17
Opcode Fuzzy Hash: 56cfb7b2c80465818c11cf8b5a917368ee556eb9ca101ba1c4094e8eb53a289e
Instruction Fuzzy Hash: 51E09B7240034D26EF01A761DC0AFAE3B6C6B15789F440855B304D71F3D97DDA549665

Function 0050081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00500836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004FF2D8,Crypt32.dll,00000000,004FF35C,?,?,004FF33E,?,?,?), ref: 00500858

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: d5068b2deb11188c62d19fd246d7280c69deca33503b6981113dcf26ed82c607
Instruction ID: 50a35c008fe70635ba2789db39ad0bde1044669275fe22d1d0ba8c8928beb7a6
Opcode Fuzzy Hash: d5068b2deb11188c62d19fd246d7280c69deca33503b6981113dcf26ed82c607
Instruction Fuzzy Hash: 1BE012765011186ADB11A795DC09FDA7BACFF09391F0404657645D2044D678DA858AF4

Function 0050A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0050A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0050A3E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: bc1efff45db0f73c66999af7831fbe9eb0a11e3fa9666d35118c97e543ffdb3a
Instruction ID: 716c82aefbdda7bbaa20153bd0d49cd06b97948fd69c934b45519ec3fc30c975
Opcode Fuzzy Hash: bc1efff45db0f73c66999af7831fbe9eb0a11e3fa9666d35118c97e543ffdb3a
Instruction Fuzzy Hash: 20E0ED71501218EBCB10DF55C9456DDBFF8FF05360F20885AA85693281E374AE04DB91

Function 00512B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00512BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00512BB5

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 9fbc2cbf7098a0ccd15bd3a9a577eb9399871129a6e056e2e18a5a90625a5fe7
Instruction ID: df76f163e97f49b456e25c06af9e39eecb761067b7720d6146e399de6d4fa5d8
Opcode Fuzzy Hash: 9fbc2cbf7098a0ccd15bd3a9a577eb9399871129a6e056e2e18a5a90625a5fe7
Instruction Fuzzy Hash: EED0A93829C202187E242A70282F4C92F45BE92BB5FA0868AE420C54C1EB1190E4A211

Function 004F12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 004F1306
ShowWindow.USER32(00000000), ref: 004F130D

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 587628741e4180e843c1b4ebc0cf5516cf45d51950a47bd163c0a09250a4445b
Instruction ID: 8216df5fbaefc9fd2bf7e8d8c01f328dc378b63c0af8c4d1b17136598744c707
Opcode Fuzzy Hash: 587628741e4180e843c1b4ebc0cf5516cf45d51950a47bd163c0a09250a4445b
Instruction Fuzzy Hash: 95C0123205C600BECB010BB4DC29C2BBBA8ABA5312F04C928B0A9C0060C238C114EB11

Function 004F1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F1A09

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: df326a2390f21675804fdb052fedb2d103aa7f0a9e8feb3ec69fc49143672152
Instruction ID: 90f1ec64da93d35c58fdd48bf2634d068da590c0282ebd66740a784ccab2db98
Opcode Fuzzy Hash: df326a2390f21675804fdb052fedb2d103aa7f0a9e8feb3ec69fc49143672152
Instruction Fuzzy Hash: F6C1C630A00258DFEF15CF68C494BBA7BA5AF15310F0801BFDE459B3A2DB39A945CB65

Function 004F3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F3BBF

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a041fb206d6897076abaf9594880876116696293f1499d5944ea7106963d98a2
Instruction ID: 3adc6626ab5a28001ee35ff290c7adb90f76597a586da0c4f60bc6e5039498fd
Opcode Fuzzy Hash: a041fb206d6897076abaf9594880876116696293f1499d5944ea7106963d98a2
Instruction Fuzzy Hash: 3671C272500B899EDB25DF70C8559FBB7E9AF14305F40082FE3AB87241DA366684CF15

Function 004F8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F8289

Part of subcall function 004F13DC: __EH_prolog.LIBCMT ref: 004F13E1

Part of subcall function 004FA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 004FA598

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 2c772222917e10cffc1ce0b7f78bcc0254a6346ca77f7e7f2c36a1ec2236c363
Instruction ID: 29f70c7eb36f4f46be9d62fcaa1a38d3d9b77f857fbe97fe868011f3096e4566
Opcode Fuzzy Hash: 2c772222917e10cffc1ce0b7f78bcc0254a6346ca77f7e7f2c36a1ec2236c363
Instruction Fuzzy Hash: 0E41D67190465C9ADB24DB61CC55AFAB7B8BF00304F0404EFE68A9B193EB795EC5CB14

Function 004F13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F13E1

Part of subcall function 004F5E37: __EH_prolog.LIBCMT ref: 004F5E3C

Part of subcall function 004FCE40: __EH_prolog.LIBCMT ref: 004FCE45

Part of subcall function 004FB505: __EH_prolog.LIBCMT ref: 004FB50A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f573108528189bbeffc839c8b487fbc45e5ac464a27726f28efa8778eea4b1db
Instruction ID: 18f7668a6bc39d2a5b1ef9e9e500c7581230caa62cc9032ea255ba2e88deec23
Opcode Fuzzy Hash: f573108528189bbeffc839c8b487fbc45e5ac464a27726f28efa8778eea4b1db
Instruction Fuzzy Hash: 894149B0905B45DEE724CF798885AE7FBE5BF19300F50492ED6EE83282CB356654CB14

Function 004F13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F13E1

Part of subcall function 004F5E37: __EH_prolog.LIBCMT ref: 004F5E3C

Part of subcall function 004FCE40: __EH_prolog.LIBCMT ref: 004FCE45

Part of subcall function 004FB505: __EH_prolog.LIBCMT ref: 004FB50A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2d4fc16dcddba5ea606fd47b8bafe22745f319802ecd010c6557e28b15f2f2e4
Instruction ID: df61f4a58e8145e09481547f654b9642a3bd8389658ceb8de51b4b5604609661
Opcode Fuzzy Hash: 2d4fc16dcddba5ea606fd47b8bafe22745f319802ecd010c6557e28b15f2f2e4
Instruction Fuzzy Hash: 184158B0905B45AEE724CF798885AE7FBE5BF19300F50492ED6FE83282CB352654CB14

Function 0050B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0050B098

Part of subcall function 004F13DC: __EH_prolog.LIBCMT ref: 004F13E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 01d887816e1edc247e3d821787f31601d4798915ce10aacf926f563f95d9eaf6
Instruction ID: 8bc1dba61dd58066f5f013f4983f03c648ffe130a704bb68a574ee20a934039c
Opcode Fuzzy Hash: 01d887816e1edc247e3d821787f31601d4798915ce10aacf926f563f95d9eaf6
Instruction Fuzzy Hash: CC316C75800249DAEB15DF65C9919FEBBB4BF09304F10449EE409B7292D779AE04CB61

Function 0051AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0051ACF8

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 23dd5743436636d494b83cf7205470442d11d70770ef5ddb48c23e05ed3ade34
Instruction ID: 78c09120e494198d6ef8cf0b4880f1d4a14df18ffa085ccb396deba64bc6e296
Opcode Fuzzy Hash: 23dd5743436636d494b83cf7205470442d11d70770ef5ddb48c23e05ed3ade34
Instruction Fuzzy Hash: 54110633A02A255FBB339E28EC418DA7B95FF8532471A4620FC15AB254E730DC8697D2

Function 004F9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F921A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 01325629bdfbb01b47ddb35a39149ddc6fe6b652a569abb058a60a8010071c38
Instruction ID: 289006923ffadc4fded75789038adf43ccbbcb2ee68d8f7b260febc18449ad34
Opcode Fuzzy Hash: 01325629bdfbb01b47ddb35a39149ddc6fe6b652a569abb058a60a8010071c38
Instruction Fuzzy Hash: 1001A933D0052CABCF11AB69CD81AEEB776BF88744F01455AEA15B7252DA38CD04C6A4

Function 0051C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0051B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00519813,00000001,00000364,?,00513F73,00000050,?,00531030,00000200), ref: 0051B177

_free.LIBCMT ref: 0051C4E5

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 98754d8c91dd6a20a09a3a97d4f139384dde084fdff0cd4c11c428bb7ba4db91
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: CD0126722443066BF7318E659885DAAFFE9FBC5330F250A1DE18483281EA71A885C724

Function 0051B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00519813,00000001,00000364,?,00513F73,00000050,?,00531030,00000200), ref: 0051B177

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1fc28d0106f0ec85f16d1b1c62ded881140e259dcdeb61d054f6e57eb4dcbc3a
Instruction ID: e56e79891232b1ceb6289cf38cdae3e16e300c5529c6ee3d549802f8a123ba04
Opcode Fuzzy Hash: 1fc28d0106f0ec85f16d1b1c62ded881140e259dcdeb61d054f6e57eb4dcbc3a
Instruction Fuzzy Hash: A5F0B432585225B7FB215A21AC29BDF7F48BF81760F1A8111BC089A1A0CB60DD81C2E1

Function 00513C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00513C3F

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e2e3851cdc8087a45c912467f6b294c148f98fd7d8f8846e5b7869d55db2795b
Instruction ID: ba837ce6a8bdf7346d9377576ee458234691fe3b814a392f8bbd4396ce2450fb
Opcode Fuzzy Hash: e2e3851cdc8087a45c912467f6b294c148f98fd7d8f8846e5b7869d55db2795b
Instruction Fuzzy Hash: 31F08C323042179FEF119EA8EC289DA7BA9BF41B25B104124FA05E6190EB31DEA0D7D0

Function 00518E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0051CA2C,00000000,?,00516CBE,?,00000008,?,005191E0,?,?,?), ref: 00518E38

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7c7eaffe9f6140bbe1d1d9e21039ac6a6042f0ffc6699a08aae8f7c446ec24e0
Instruction ID: 38d4b53ecb74b61278904e51f5083607e4224cb05f3442da495ec46cfb1d7701
Opcode Fuzzy Hash: 7c7eaffe9f6140bbe1d1d9e21039ac6a6042f0ffc6699a08aae8f7c446ec24e0
Instruction Fuzzy Hash: 1EE06D3520622666FB7126659C09BFB7F4DBF927A4F150321AC18DA191CF20DCC192E1

Function 004F5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F5AC2

Part of subcall function 004FB505: __EH_prolog.LIBCMT ref: 004FB50A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3a0e21f5bf23a49e2e5c105d5fba083f707be84d918daa6b93616e5b92bd667f
Instruction ID: 5ccb9c1258cd341e383a42eafbb83a4fb9e0496f548165e29825fc0026b22d41
Opcode Fuzzy Hash: 3a0e21f5bf23a49e2e5c105d5fba083f707be84d918daa6b93616e5b92bd667f
Instruction Fuzzy Hash: 8E01DC70808695DAD724EBB8C0097EDFBE4EFA4308F50848EA456532C2CBB51B08D7A2

Function 004FA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 004FA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,004FA592,000000FF,?,?), ref: 004FA6C4
Part of subcall function 004FA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,004FA592,000000FF,?,?), ref: 004FA6F2
Part of subcall function 004FA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,004FA592,000000FF,?,?), ref: 004FA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 004FA598

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 5500bc37c8b6a369c5a99cb472ddad759b4b8a150a77ade2b6d38bc79e1d0b90
Instruction ID: d4d28e9f08d14610276c56828e033b7a78656c24031f31182b7cccc59d91e8e2
Opcode Fuzzy Hash: 5500bc37c8b6a369c5a99cb472ddad759b4b8a150a77ade2b6d38bc79e1d0b90
Instruction Fuzzy Hash: 59F0E271008394AACB2257B48804BEB7BD06F1A335F048A4FF2FD52296C37910A99B37

Function 00500E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00500E3D

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 46af90b39987c338908f9a320a345f60e8bca3286b67ac08a9e39d584ec9a8b1
Instruction ID: 552110591e0bfca8fa5e64fdfc640abe723e3b4c914942cee22262398adfac87
Opcode Fuzzy Hash: 46af90b39987c338908f9a320a345f60e8bca3286b67ac08a9e39d584ec9a8b1
Instruction Fuzzy Hash: D1D0C21060109956DB353339685E7FE2E0AAFD6710F0D002AB185672C2CB480886A26A

Function 0050A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0050A62C

Part of subcall function 0050A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0050A3DA

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: dc2990593fc10869b968f2ef9983d3fb16fe1069f6bbafafd16125baab013706
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 8FD0C97161030ABADF426B718C1BAAE7EA9FB40340F148925BD42D51D1EAB2D910A662

Function 0050DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00501B3E), ref: 0050DD92

Part of subcall function 0050B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050B579
Part of subcall function 0050B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050B58A
Part of subcall function 0050B568: IsDialogMessageW.USER32(00010424,?), ref: 0050B59E
Part of subcall function 0050B568: TranslateMessage.USER32(?), ref: 0050B5AC
Part of subcall function 0050B568: DispatchMessageW.USER32(?), ref: 0050B5B6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: e9c5e7bb4d9428bc56ee80428123dfc954102040cbd0ed8dd0df1ba41269b944
Instruction ID: a25a280d509a0fa342991475331295f2ba2536b1aee545b901a9a2ab480082e6
Opcode Fuzzy Hash: e9c5e7bb4d9428bc56ee80428123dfc954102040cbd0ed8dd0df1ba41269b944
Instruction Fuzzy Hash: 6CD09E31144301BADA022B51CD0AF1E7AA2BB98B09F004554B284740F18A729D25EB11

Function 0050E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0050E5E3

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: a15524c221a7eda47181ecfe4a09c37a9e3e08e86245841c0c1af9398c74ae09
Instruction ID: 65f3b467a4c40e7e940227454ac0ed8a107b533deefbca576932ce475263842f
Opcode Fuzzy Hash: a15524c221a7eda47181ecfe4a09c37a9e3e08e86245841c0c1af9398c74ae09
Instruction Fuzzy Hash: 94D0A9B00C06808AC22AEFA8AC5B71C3E60B730702FB00E01B104811D0DB624888A60D

Function 004F98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,004F97BE), ref: 004F98C8

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 384a2b4c2a51a076ef30ae197247dbf58f4e41f66203b45841ddce53227e6edd
Instruction ID: cbd4227e22ca7200090e841f90c26c6343974bca81c77d2d10f084f502424684
Opcode Fuzzy Hash: 384a2b4c2a51a076ef30ae197247dbf58f4e41f66203b45841ddce53227e6edd
Instruction Fuzzy Hash: 63C0123441010985CE34A62498481A67311AF533E57B48696C128852A1C32BCC8BEA14

Function 0050E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6bf392bf96c4f7da1e2238120ee4d449e62eaa83c7afcb37cff2183c45ad6f65
Instruction ID: 45c6100ce91e59079678e81ad7a9baea07f7a9bd7e3513cccc0f9c2ced1c45e4
Opcode Fuzzy Hash: 6bf392bf96c4f7da1e2238120ee4d449e62eaa83c7afcb37cff2183c45ad6f65
Instruction Fuzzy Hash: 6CB092A2259111ACA2049108281BC3F0E49FAC1B21330CC2AF818C10C1D84068090432

Function 0050E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2f9c6cd2de4440bbe5c5763f6b0c89e73720bff1f77ac17a82f1b0321415f85e
Instruction ID: 30b06b9e5f91b87247bf05549580765d07eb3106b58152e581f053b165fe5738
Opcode Fuzzy Hash: 2f9c6cd2de4440bbe5c5763f6b0c89e73720bff1f77ac17a82f1b0321415f85e
Instruction Fuzzy Hash: 83B012E2258111BCB24451082D1BC7F0E4DFBC1B11330CC2FF918C10C1D8402C0E0433

Function 0050E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9e66bc0324789d489142e72f6d46e749ec5ee52db9d728834e2384e59222af6c
Instruction ID: bbfe9a6fb3420a9b95042161013db934fa63b2eace76fd9c4797d70f830008a0
Opcode Fuzzy Hash: 9e66bc0324789d489142e72f6d46e749ec5ee52db9d728834e2384e59222af6c
Instruction Fuzzy Hash: 31B092A2258211BCA2049108281BC3F0E49FBC1B213308C2AF818C10C1D8406A090432

Function 0050E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd57d267016bfd71b5ae1eb16d6d877a93d5dc9adbed1bfe1937388faa29d556
Instruction ID: e833fd119954e6fa53a26f8a7509e6fb308697c1fd095ace87d1e0aeb1336bff
Opcode Fuzzy Hash: bd57d267016bfd71b5ae1eb16d6d877a93d5dc9adbed1bfe1937388faa29d556
Instruction Fuzzy Hash: 06A001E62A95627DB10862556D1BC7F0E1EFAC2B253309D2EF825A54C2AC80284A1872

Function 0050E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7dfdd3a1007d33229506d0fe2b73b4e3a86b7bbe08da985862349a7ac87d0ccf
Instruction ID: d9bc9181c8466a94d952f4d75bb15bba938d9706df21819a16770d5bcef0ed99
Opcode Fuzzy Hash: 7dfdd3a1007d33229506d0fe2b73b4e3a86b7bbe08da985862349a7ac87d0ccf
Instruction Fuzzy Hash: 0CA001E62A9562BCB10862556D1BC7F0E1EFAC6B613309D2EF826954C2A880284A1872

Function 0050E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 415752fc28988a54fc13d1de554ed7a0588d28e08b01d2d1ba47bb6c2ab3b947
Instruction ID: d9bc9181c8466a94d952f4d75bb15bba938d9706df21819a16770d5bcef0ed99
Opcode Fuzzy Hash: 415752fc28988a54fc13d1de554ed7a0588d28e08b01d2d1ba47bb6c2ab3b947
Instruction Fuzzy Hash: 0CA001E62A9562BCB10862556D1BC7F0E1EFAC6B613309D2EF826954C2A880284A1872

Function 0050E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 04450f3f522520f84d14068fa8d4a1e5da8345dd9a6c46ea6c2d1f8ca0c074f3
Instruction ID: d9bc9181c8466a94d952f4d75bb15bba938d9706df21819a16770d5bcef0ed99
Opcode Fuzzy Hash: 04450f3f522520f84d14068fa8d4a1e5da8345dd9a6c46ea6c2d1f8ca0c074f3
Instruction Fuzzy Hash: 0CA001E62A9562BCB10862556D1BC7F0E1EFAC6B613309D2EF826954C2A880284A1872

Function 0050E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6adbd173cd1501b63db2e5baac329a08038de2d39afa5372f0ca0227536a28e
Instruction ID: d9bc9181c8466a94d952f4d75bb15bba938d9706df21819a16770d5bcef0ed99
Opcode Fuzzy Hash: e6adbd173cd1501b63db2e5baac329a08038de2d39afa5372f0ca0227536a28e
Instruction Fuzzy Hash: 0CA001E62A9562BCB10862556D1BC7F0E1EFAC6B613309D2EF826954C2A880284A1872

Function 0050E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E3FC

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dfe049ab33d433899b486ae5bd0927a557a61e0010b9eda4b4cd38da32690ffd
Instruction ID: d9bc9181c8466a94d952f4d75bb15bba938d9706df21819a16770d5bcef0ed99
Opcode Fuzzy Hash: dfe049ab33d433899b486ae5bd0927a557a61e0010b9eda4b4cd38da32690ffd
Instruction Fuzzy Hash: 0CA001E62A9562BCB10862556D1BC7F0E1EFAC6B613309D2EF826954C2A880284A1872

Function 004F9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,004F903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 004F9F0C

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 92b7feda9912ae2e9b0bb0f98bb2844365574466ae348f78e833ab1a293d336f
Instruction ID: 09a0879771245ffa0b83d7bedc369e998c3a15c47325866cc1305f79b2747bbc
Opcode Fuzzy Hash: 92b7feda9912ae2e9b0bb0f98bb2844365574466ae348f78e833ab1a293d336f
Instruction Fuzzy Hash: F6A0123004000986CE101730C90850C3710FB217C070001945006CA061C716440B9610

Function 0050AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0050AE72,C:\Users\user\Desktop,00000000,0053946A,00000006), ref: 0050AC08

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c18146f3d28a91b56d08ae53210702ba2a0da0c9be05b1624a564c6901d604d6
Instruction ID: 402abfea90775880551de52270409819b0bb2af8f3460e2307654a6e0cd29412
Opcode Fuzzy Hash: c18146f3d28a91b56d08ae53210702ba2a0da0c9be05b1624a564c6901d604d6
Instruction Fuzzy Hash: 7EA011302002008B83000B328F0AA0EBAAAAFA2B00F00C028A00080030CB38C8B0FA00

Function 004F9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,004F95D6,?,?,?,?,?,00522641,000000FF), ref: 004F963B

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 15bc69ad061a33c6f6a7e6ccafb36c10484b8ef0a52d828df9edcefcba45c8f2
Instruction ID: cb078b51cf16ee91508d9a3ffafbd0de790d53047ba899e67f3fdeaaeb2bf614
Opcode Fuzzy Hash: 15bc69ad061a33c6f6a7e6ccafb36c10484b8ef0a52d828df9edcefcba45c8f2
Instruction Fuzzy Hash: 0BF0E930081B199FEB308A34C4487A377E86B12321F140B1FD2E382AE0D3686D8D8A44

Non-executed Functions

Function 0050C220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0050C2B1
EndDialog.USER32(?,00000006), ref: 0050C2C4
GetDlgItem.USER32(?,0000006C), ref: 0050C2E0
SetFocus.USER32(00000000), ref: 0050C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0050C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0050C358
FindFirstFileW.KERNEL32(?,?), ref: 0050C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0050C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0050C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0050C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0050C3D4
_swprintf.LIBCMT ref: 0050C404

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0050C417
FindClose.KERNEL32(00000000), ref: 0050C41E
_swprintf.LIBCMT ref: 0050C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0050C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0050C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0050C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0050C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0050C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0050C509
_swprintf.LIBCMT ref: 0050C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0050C548
_swprintf.LIBCMT ref: 0050C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0050C5AF

Part of subcall function 0050AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0050AF35
Part of subcall function 0050AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0052E72C,?,?), ref: 0050AF84

Strings

REPLACEFILEDLG, xrefs: 0050C247
PP, xrefs: 0050C342
%s %s %s, xrefs: 0050C3F2, 0050C527
%s %s, xrefs: 0050C469, 0050C58E

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$PP$REPLACEFILEDLG
API String ID: 797121971-3764188928
Opcode ID: c69f3fde626c49b2654d363dedb12366dedce8a69c581fb88d104ace727a632d
Instruction ID: 1948fbc7641eabbd82ad39b74760b75b5c767cace3dbe781feb4b6a93cd35fea
Opcode Fuzzy Hash: c69f3fde626c49b2654d363dedb12366dedce8a69c581fb88d104ace727a632d
Instruction Fuzzy Hash: B491A272148349BBE3219BA0CC49FFF7BACFB9A745F004919B789C20C1D775A6089722

Function 004F6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F6FAA
_wcslen.LIBCMT ref: 004F7013
_wcslen.LIBCMT ref: 004F7084

Part of subcall function 004F7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 004F7AAB
Part of subcall function 004F7A9C: GetLastError.KERNEL32 ref: 004F7AF1
Part of subcall function 004F7A9C: CloseHandle.KERNEL32(?), ref: 004F7B00

Part of subcall function 004FA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,004F977F,?,?,004F95CF,?,?,?,?,?,00522641,000000FF), ref: 004FA1F1
Part of subcall function 004FA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,004F977F,?,?,004F95CF,?,?,?,?,?,00522641), ref: 004FA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 004F7139
CloseHandle.KERNEL32(00000000), ref: 004F7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 004F7298

Part of subcall function 004F9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004F73BC,?,?,?,00000000), ref: 004F9DBC
Part of subcall function 004F9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 004F9E70

Part of subcall function 004F9620: CloseHandle.KERNELBASE(000000FF,?,?,004F95D6,?,?,?,?,?,00522641,000000FF), ref: 004F963B

Part of subcall function 004FA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,004FA325,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA501
Part of subcall function 004FA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004FA325,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA532

Strings

\??\, xrefs: 004F702B
UNC\, xrefs: 004F7051
SeRestorePrivilege, xrefs: 004F6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 004F6FCC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 0012f6e511a0810afa9ab43e089dfa311ac7690a9118b9eed1e28a82f38fad48
Instruction ID: 66470c7df18bad8800c51860b2fa98814ac505fbf88b84ac748ec8975cc542a4
Opcode Fuzzy Hash: 0012f6e511a0810afa9ab43e089dfa311ac7690a9118b9eed1e28a82f38fad48
Instruction Fuzzy Hash: F8C1D571904609AADB25DB74CC85FFFB7A8BF04304F00455AFA56E7282D73CAA48CB65

Function 0051D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0051DA34

Strings

1#QNAN, xrefs: 0051EC3A
1#SNAN, xrefs: 0051EC33
1#IND, xrefs: 0051EC2C
1#INF, xrefs: 0051EC41

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: aecc8b158973600450ff0c815f147bfd41e9da635c2e9f58bc34e72ac7713a55
Instruction ID: d4a042112f0702ecf712680dc2adf232249fce39c1ad98536dc947d721362604
Opcode Fuzzy Hash: aecc8b158973600450ff0c815f147bfd41e9da635c2e9f58bc34e72ac7713a55
Instruction Fuzzy Hash: 51C24A71E086298FEB25CE289D457EABBB5FB84304F1445EAD84DE7240E775AEC18F40

Function 004F32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F3300
_swprintf.LIBCMT ref: 004F36C7

Strings

h%u, xrefs: 004F36BC
hc%u, xrefs: 004F370A
CMT, xrefs: 004F3A17

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 339a378b70627d99b54a3592a8b1bb3e77ba25a9dcfacacb909f500665d1229b
Instruction ID: 26bee5fd637b9e9a43e50a8eaaf833190ae9703e4157e13ee96277b2ab478d67
Opcode Fuzzy Hash: 339a378b70627d99b54a3592a8b1bb3e77ba25a9dcfacacb909f500665d1229b
Instruction Fuzzy Hash: D732E57151028C9FDF14DF74C995AFA3B95AF15304F04047EFE8A8B282DB78AA49CB24

Function 004F286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F2874
_strlen.LIBCMT ref: 004F2E3F

Part of subcall function 005002BA: __EH_prolog.LIBCMT ref: 005002BF

Part of subcall function 00501B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,004FBAE9,00000000,?,?,?,00010424), ref: 00501BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F2F91

Strings

CMT, xrefs: 004F2FBC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: de8bfab32068d155e45cf94a58e61fc829eac42980b91ba71029802ef45f39db
Instruction ID: 256327d32f2d887a712ac87b8bdb03b649e5d52ec81bd7ef27d7e142a46c4a25
Opcode Fuzzy Hash: de8bfab32068d155e45cf94a58e61fc829eac42980b91ba71029802ef45f39db
Instruction Fuzzy Hash: 156207715002498FDB19DF34C9856FA3BA1BF54300F08457FEE9A8B382DBB9A945CB24

Function 0050F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0050F844
IsDebuggerPresent.KERNEL32 ref: 0050F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0050F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0050F93A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 03b68008ac537ae22b04bd59874b156497f1d839c831f0b370779c1b04a38244
Instruction ID: 6adc9a9b6c54c54835962c103677e8859f344ab9b4b7d7513e6eb1d268027e43
Opcode Fuzzy Hash: 03b68008ac537ae22b04bd59874b156497f1d839c831f0b370779c1b04a38244
Instruction Fuzzy Hash: 82312975D052199BDB20DFA4D9897CCBBB8BF08304F1040AAE40CAB290EB759B89DF45

Function 0050E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0050E5E8,0000001C,0050E7DD,00000000,?,?,?,?,?,?,?,0050E5E8,00000004,00551CEC,0050E86D), ref: 0050E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0050E5E8,00000004,00551CEC,0050E86D), ref: 0050E6CF

Strings

D, xrefs: 0050E6C3

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: d62aa3717070b2a26775b02587f66de22e9827539271cc69db7d7edd240cd4c2
Instruction ID: ef5c757bc29227d557f08d6e95b49c883a33472a253e198851daf5a154e15485
Opcode Fuzzy Hash: d62aa3717070b2a26775b02587f66de22e9827539271cc69db7d7edd240cd4c2
Instruction Fuzzy Hash: E401F732600109ABDB24DF29DC09BED7BAAFFC4324F1CC620ED19D7290D638D916C680

Function 00518EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00518FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00518FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00518FCC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3aac7e998f25bb3fd7b4bd41b0e02002b7d71b447e2a4478bd01ae91eed529c3
Instruction ID: c5f25976186370cbb87d125a42fae70f08b8065f5e228cab784aa318d4629ce7
Opcode Fuzzy Hash: 3aac7e998f25bb3fd7b4bd41b0e02002b7d71b447e2a4478bd01ae91eed529c3
Instruction Fuzzy Hash: C931D675901219ABCB21DF24DC89BDCBBB8BF48310F5041EAE41CA7290EB709F858F45

Function 0051D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 66826c4ebad28b084e1d72f0f341a5ddfb29d4658d7df15affa81ec97648b52f
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 7B020B71E002199BEF14CFA9D9806EDBBF1FF88314F258269D919E7285D731AA41CB90

Function 0050AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0050AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0052E72C,?,?), ref: 0050AF84

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: c0db03e1ebafaa2b0d09c8d96be4d5370b0be679003171fdc13922c316d8e126
Instruction ID: 783c1412e8f13a6b08f8e0aa9fc9ae78e72fb889001d5da5fe8aad593bc633d3
Opcode Fuzzy Hash: c0db03e1ebafaa2b0d09c8d96be4d5370b0be679003171fdc13922c316d8e126
Instruction Fuzzy Hash: F601713A100349AAD720DF74EC49FDA7BBCFF1A714F005022FA0597190D3709929DBA5

Function 004F6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(004F6DDF,00000000,00000400), ref: 004F6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 004F6C95

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 80675edc4e36dca245733ff42d6aa17f42b904b3cb0425b4416711490a753470
Instruction ID: c148b9807a8df5ea8bff7d6dad26cd2afc97481d44bfb826c46765ba71f796bc
Opcode Fuzzy Hash: 80675edc4e36dca245733ff42d6aa17f42b904b3cb0425b4416711490a753470
Instruction Fuzzy Hash: 48D0C931344300BFFB210B618D0AF2B7B99BF56B51F19C445B795E80E0DA78942AB72E

Function 005219F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005219EF,?,?,00000008,?,?,0052168F,00000000), ref: 00521C21

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9ed735d3009c788032387d83a07ae73a03470e2e79bb9b48b570b6362c341a9e
Instruction ID: 79e966065b4f54f9440018d65506a01024382f1f95b56e847339d2492340ce47
Opcode Fuzzy Hash: 9ed735d3009c788032387d83a07ae73a03470e2e79bb9b48b570b6362c341a9e
Instruction Fuzzy Hash: 86B14935210A189FD719CF28D48AB667FA0FF56364F258658E89ACF2E1C335ED81CB44

Function 0050F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0050F66A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 85477fced2d564b30b3f85d9129fa633205ba5b2373f9380ce86bfec81801fbb
Instruction ID: 4906548561abd251363d23ffef61ca89c57d6b48563f11a40202a0d017268e5e
Opcode Fuzzy Hash: 85477fced2d564b30b3f85d9129fa633205ba5b2373f9380ce86bfec81801fbb
Instruction Fuzzy Hash: 9A516DB19006198FEB24CF98E9967AEBBF4FB58314F24892AD411EB790D3749905CB50

Function 004FB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004FB16B

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 8ee57f97e866ab6b9884ab3e3879da6d9f9f6bc3dc155a49fb474103a11c9044
Instruction ID: 5e2463a6dfbd464e758da75f1656d7ed37a77e13a6ece4c3015b7806f433f31c
Opcode Fuzzy Hash: 8ee57f97e866ab6b9884ab3e3879da6d9f9f6bc3dc155a49fb474103a11c9044
Instruction Fuzzy Hash: EFF0B4B4E0060C8FDB28CB28ED9AAE533F5FB69304F100295D60593390C374AD89DFA5

Function 004F40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 004F41BC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: a7d3dfe9c0aaf8ebd7b86d99e63ab3fbd1586b6b1e00405cc60075bebcb6410c
Instruction ID: 3439cc11b28fa149c8e148a9ceeb932814c10e13761175531c827bd0068f4f46
Opcode Fuzzy Hash: a7d3dfe9c0aaf8ebd7b86d99e63ab3fbd1586b6b1e00405cc60075bebcb6410c
Instruction Fuzzy Hash: C2C13776A183418FC354CF2AD88065BFBE1BFC9208F19892EE998D7311D734E945CB96

Function 0050F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0050F3A5), ref: 0050F9DA

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3626c36709def11f2a88b8bbb12c95a34df6b17df360a058a9979e44a483c631
Instruction ID: 487119fdbce084e16ec837b47367b9f498de9752e5ca83fc181311a13e45aa4f
Opcode Fuzzy Hash: 3626c36709def11f2a88b8bbb12c95a34df6b17df360a058a9979e44a483c631
Instruction Fuzzy Hash:

Function 0051C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0051C030

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0eb9a9906d53882635ceba36d39d56001cb3b99459f576324de95e319b46de8e
Instruction ID: 33d50757e8a556c007592f61656db3c5dd25a2299d9ac81fadf633245e5b2118
Opcode Fuzzy Hash: 0eb9a9906d53882635ceba36d39d56001cb3b99459f576324de95e319b46de8e
Instruction Fuzzy Hash: 33A011302022008BC3008F30AE8820A3BA8AA22282B08002AA008C0020EA2880A8BB00

Function 005062CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 8af08906bcdfb94bc8b6e7f0a22b74750b62d4f76980fcaa9ef5119cc5620bb8
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 6C62B1716047859FCB25CF28C8906BDBFE1BF95304F08896DE8AA8B386D734E955CB11

Function 005077EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 4418a86de34ee5292af17bd3eb2e57ba1e050a3a26428328a7683a2992e0efed
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: E562D871A087498FCB15CF28C4909BDBFE1BF99304F18896DE89A8B386D730E945CB55

Function 004FF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: a3695c6d9982a35a69f7bd3e43b5b78274cd615a6104a64a0f0564b92aa1703d
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 00524972A087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA59CB86

Function 00507153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1289c2301875235396db0356645a1a6aea8092f05ca485c5207dc28a13b94fa4
Instruction ID: 20ec512e4f7ee99d10d821188c1d8ae8c9bf6fa486e54b5aad6d10e3728f98f0
Opcode Fuzzy Hash: 1289c2301875235396db0356645a1a6aea8092f05ca485c5207dc28a13b94fa4
Instruction Fuzzy Hash: AC12B3B1A1870A9FC718CF28C8906BDBBE1FB98304F14492EE997C7681D374B595CB45

Function 004FC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe4c478338b74971b5d8ae4ab06da2d30e627bec3c59298aca4a582e33131aa
Instruction ID: 7dd7ac8a2d49410e7e569829858995cff66910a6182fffecfcc4c9c6ea9c14cd
Opcode Fuzzy Hash: bbe4c478338b74971b5d8ae4ab06da2d30e627bec3c59298aca4a582e33131aa
Instruction Fuzzy Hash: 35F1AB71A083098FD718CF28C6C4A3ABBE1EFCA314F144A2EE685C7351D638D945CB4A

Function 00506CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4586db35ed1ad9fe94f8e711b7c8a836c13938ea461272abfb3553b590968822
Instruction ID: d30b35e7b571a745a23851c53e97eab11b6459960e47827b0671df8d83040018
Opcode Fuzzy Hash: 4586db35ed1ad9fe94f8e711b7c8a836c13938ea461272abfb3553b590968822
Instruction Fuzzy Hash: F8D1D4B1A083458FDB14CF28C84475FBFE5BF89308F08496DE8899B282D774EA55CB56

Function 004FE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478f2c8dd5c9289f4ad0cb8710e638d6e1a24da7f57e0ef2423c373be98215d3
Instruction ID: a563c967631d7b322f40d4dd4344e1b37270e08a3747666698b38d83c3ae36c4
Opcode Fuzzy Hash: 478f2c8dd5c9289f4ad0cb8710e638d6e1a24da7f57e0ef2423c373be98215d3
Instruction Fuzzy Hash: 62E12A755083949FC304CF69D89086BBFF0AFAA300F45495EF9D497352C235EA19DBA2

Function 00504088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 037b6f2f874d6901d37c09156e86ebed79ade6b9492178f3e3b90ed0a11b9b93
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: 099158F020034A9BDB24EE64D895BFE7BD5FB90304F100D2DF79A872C2EA649595CB52

Function 005043BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 2f3db365d7366001111a8c954e9ddab0d3ea2695321d1970a21b03b99942d4f1
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 45813DF13043465BDF24DE68C891BBD3BD4BB94304F040D2EEB8A8B1C2DA7499858B56

Function 005151C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735d5049a86679d11ea98246f7e7738b5bf0c447c71f194a393bd6a0811f46e5
Instruction ID: e5254b1cbc9837459bcef13bd7c8cb8610b8bb5c3c66769f2b27ca21e57c1681
Opcode Fuzzy Hash: 735d5049a86679d11ea98246f7e7738b5bf0c447c71f194a393bd6a0811f46e5
Instruction Fuzzy Hash: 5761583A600F09D6FE345968A899BFE2F94FBC1340F540D1AE563DF281F2B19DC28611

Function 00514F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 3bb00bf28e72fc3f282b5abe32c161bbeb22813bc97a9b0c2756b051bda9abbc
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 47513425604E45E7FB3545A8845EBFE2F85BBC6300F185819E882DB382F635EEC6C791

Function 004FEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f98b8ce58dbfecf7a525dc5bf5ead8c9d031ade68ade164bab42fd7a2463d9
Instruction ID: 4c9e18d8e24f53729e5d2ac2d5895dcf0a8010e18107c3b00d7b5a1004921d93
Opcode Fuzzy Hash: d2f98b8ce58dbfecf7a525dc5bf5ead8c9d031ade68ade164bab42fd7a2463d9
Instruction Fuzzy Hash: 7651E4315083D98FD702CF25C28047EBFE0AE9A714F4909AEE5D95B243C234DA4ECB66

Function 005000B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25017db78002d72d7939f0d3a6db249f34ad7c0d3980c63fcb72745ea490512f
Instruction ID: bf6f487791feb75b71c76ffa5da792dc93855bdaedb8946435187792ae3575d6
Opcode Fuzzy Hash: 25017db78002d72d7939f0d3a6db249f34ad7c0d3980c63fcb72745ea490512f
Instruction Fuzzy Hash: 1751E0B1A087119FC748CF19D48065AFBE1FF88314F058A2EE899E3341D734EA59CB96

Function 00503E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: c5390f84f50b05a1e94b216f285fd85f003c2b18ad9055e525ec995fbfe83777
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: EF31E6B1A147468FCB14DF15C85126EBFE4FB95304F10452DE589C7381C778EA1ACB92

Function 004FE2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004FE30E

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

Part of subcall function 00501DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00531030,00000200,004FD928,00000000,?,00000050,00531030), ref: 00501DC4

_strlen.LIBCMT ref: 004FE32F
SetDlgItemTextW.USER32(?,0052E274,?), ref: 004FE38F
GetWindowRect.USER32(?,?), ref: 004FE3C9
GetClientRect.USER32(?,?), ref: 004FE3D5
GetWindowLongW.USER32(?,000000F0), ref: 004FE475
GetWindowRect.USER32(?,?), ref: 004FE4A2
SetWindowTextW.USER32(?,?), ref: 004FE4DB
GetSystemMetrics.USER32(00000008), ref: 004FE4E3
GetWindow.USER32(?,00000005), ref: 004FE4EE
GetWindowRect.USER32(00000000,?), ref: 004FE51B
GetWindow.USER32(00000000,00000002), ref: 004FE58D

Strings

d, xrefs: 004FE3F5
tR, xrefs: 004FE34A
$%s:, xrefs: 004FE302
CAPTION, xrefs: 004FE4BD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$tR
API String ID: 2407758923-1265446455
Opcode ID: 867f311aa0615ae55692e478fa9a59e7b9b35ad2f659301f50099b274c90b8e0
Instruction ID: b3eb1d78ea6202f8bf80de04b09882b2d3e4045baf302e479de85de36dc92b0c
Opcode Fuzzy Hash: 867f311aa0615ae55692e478fa9a59e7b9b35ad2f659301f50099b274c90b8e0
Instruction Fuzzy Hash: 4D818071508305AFD710DFB9CD89A6FBBE9EB89705F04091DFA8497250D634E909CB52

Function 0051CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0051CB66

Part of subcall function 0051C701: _free.LIBCMT ref: 0051C71E
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C730
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C742
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C754
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C766
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C778
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C78A
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C79C
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7AE
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7C0
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7D2
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7E4
Part of subcall function 0051C701: _free.LIBCMT ref: 0051C7F6

_free.LIBCMT ref: 0051CB5B

Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?), ref: 00518DE2
Part of subcall function 00518DCC: GetLastError.KERNEL32(?,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?,?), ref: 00518DF4

_free.LIBCMT ref: 0051CB7D
_free.LIBCMT ref: 0051CB92
_free.LIBCMT ref: 0051CB9D
_free.LIBCMT ref: 0051CBBF
_free.LIBCMT ref: 0051CBD2
_free.LIBCMT ref: 0051CBE0
_free.LIBCMT ref: 0051CBEB
_free.LIBCMT ref: 0051CC23
_free.LIBCMT ref: 0051CC2A
_free.LIBCMT ref: 0051CC47
_free.LIBCMT ref: 0051CC5F

Strings

hR, xrefs: 0051CC0E

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: hR
API String ID: 161543041-4218471423
Opcode ID: 79b5d5f252846e5cc86771986762b0a02dfb3053a1e04693482cbf6a2bd4b028
Instruction ID: 415bbc1877f1337bff79009da02c1c0f39978b03094ec69a54261b68b17bb876
Opcode Fuzzy Hash: 79b5d5f252846e5cc86771986762b0a02dfb3053a1e04693482cbf6a2bd4b028
Instruction Fuzzy Hash: DF313C316443069FFB30AA78E84ABAA7FE9BF50314F505819E158D6191DF36ECC0CA50

Function 005196F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00519705

Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?), ref: 00518DE2
Part of subcall function 00518DCC: GetLastError.KERNEL32(?,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?,?), ref: 00518DF4

_free.LIBCMT ref: 00519711
_free.LIBCMT ref: 0051971C
_free.LIBCMT ref: 00519727
_free.LIBCMT ref: 00519732
_free.LIBCMT ref: 0051973D
_free.LIBCMT ref: 00519748
_free.LIBCMT ref: 00519753
_free.LIBCMT ref: 0051975E
_free.LIBCMT ref: 0051976C

Strings

0dR, xrefs: 005196FC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0dR
API String ID: 776569668-1608426233
Opcode ID: ae96da6894417aff9f9698a04d5eeef1a8927cb4d8b7b386b7c1af87a2e37f3e
Instruction ID: be76eb812a4c4a640ea1b75761303fab925d4046665574d0c1c599661c90a431
Opcode Fuzzy Hash: ae96da6894417aff9f9698a04d5eeef1a8927cb4d8b7b386b7c1af87a2e37f3e
Instruction Fuzzy Hash: 9C11D77510020AAFDB11EF54D846CED3FB5FF54350B1158A4FA084F162DF31EA909B84

Function 00509711 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00509736
_wcslen.LIBCMT ref: 005097D6
GlobalAlloc.KERNEL32(00000040,?), ref: 005097E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00509806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0050982D

Strings

<html>, xrefs: 00509755, 0050978E
FjunP, xrefs: 0050982D
utf-8"></head>, xrefs: 0050976B
</html>, xrefs: 005097B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00509760

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: FjunP$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-3750104276
Opcode ID: e14ff3ae204c6596b2cf0294c05a0b36bd0f701fbaed67d3160c01bdc0631ca4
Instruction ID: ccbc5d61da54f8aa80344259d7838fdc97d15cdab7414af594767f9c8a60c4cc
Opcode Fuzzy Hash: e14ff3ae204c6596b2cf0294c05a0b36bd0f701fbaed67d3160c01bdc0631ca4
Instruction Fuzzy Hash: 863125322087127AE725AB349C0AFAF7FACFF93310F14011DF501961D6EB649A4987A6

Function 0050D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0050D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0050D6ED

Part of subcall function 00501FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,004FC116,00000000,.exe,?,?,00000800,?,?,?,00508E3C), ref: 00501FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0050D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0050D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0050D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0050D75D
DeleteObject.GDI32(00000000), ref: 0050D764
GetWindow.USER32(00000000,00000002), ref: 0050D76D

Strings

STATIC, xrefs: 0050D6F3

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 03e5fcc18d53fafbc91d1aef5a7e01d5508a8b5f3fd703c80f4ddcd022e255a6
Instruction ID: 74abc8fe6e03e0fe61b80f6c0cc64ea4f6bb2fb9c5d7342a4013405e0a555f34
Opcode Fuzzy Hash: 03e5fcc18d53fafbc91d1aef5a7e01d5508a8b5f3fd703c80f4ddcd022e255a6
Instruction Fuzzy Hash: 441106725407117BE7216BB09C4EFAF7E6CFF94792F004110FA45A20E2DA658F0996B5

Function 00512E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00512F50
___TypeMatch.LIBVCRUNTIME ref: 0051305E
_UnwindNestedFrames.LIBCMT ref: 005131B0
CallUnexpected.LIBVCRUNTIME ref: 005131CB
_abort.LIBCMT ref: 005131D0

Strings

csm, xrefs: 00512EDB
csm, xrefs: 00512E6E
csm, xrefs: 00512F87

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 0f618735e7c67c9a9236492dcf1f485876e614f06d16fb3fea7858cca0494c35
Instruction ID: 3152cfaef0b4d561c7d455ccbe174640e7d3fb434ad0dcccae6549e4fb67fad8
Opcode Fuzzy Hash: 0f618735e7c67c9a9236492dcf1f485876e614f06d16fb3fea7858cca0494c35
Instruction Fuzzy Hash: 47B17B7580020AEFEF25DFA4C8999EEBFB6FF44310F144559E8016B212D771DAA2CB91

Function 004FAF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004FAF29

Strings

Name, xrefs: 004FB0B0
ROOT\CIMV2, xrefs: 004FAF5C
Windows 10, xrefs: 004FB0C2
WQL, xrefs: 004FAFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 004FAFCA
nP, xrefs: 004FAFC0

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nP
API String ID: 3519838083-2564686854
Opcode ID: 3886946e061c50aa611ebb22e4ece27c6866047247c72131d0ca507b4c8de04c
Instruction ID: bd633dc264ff63d6f8c853e574fd0493b7e0114e85a9ce4b5d33d189d3e98c16
Opcode Fuzzy Hash: 3886946e061c50aa611ebb22e4ece27c6866047247c72131d0ca507b4c8de04c
Instruction Fuzzy Hash: 39718E74A00219EFDB14DF64DC959BFBBB9FF49310B14015EE616A72A0CB38AD06CB60

Function 004F6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F6FAA
_wcslen.LIBCMT ref: 004F7013
_wcslen.LIBCMT ref: 004F7084

Part of subcall function 004F7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 004F7AAB
Part of subcall function 004F7A9C: GetLastError.KERNEL32 ref: 004F7AF1
Part of subcall function 004F7A9C: CloseHandle.KERNEL32(?), ref: 004F7B00

Strings

\??\, xrefs: 004F702B
UNC\, xrefs: 004F7051
SeRestorePrivilege, xrefs: 004F6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 004F6FCC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 7f241c9a16bb95dbcebf3ab73fa42023fa4ce97b8cb9b1e452d7892e26271e14
Instruction ID: 6e1a708e5c77eedda6e1adc3ca5dcb82ad79f2e84487c23d01d14c0dc07875cf
Opcode Fuzzy Hash: 7f241c9a16bb95dbcebf3ab73fa42023fa4ce97b8cb9b1e452d7892e26271e14
Instruction Fuzzy Hash: 8741C6B1D0835D7AEB20A7709D86FFF776CAF45304F00445BFB45A6282D67C6A888625

Function 0050B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370

EndDialog.USER32(?,00000001), ref: 0050B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0050B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0050B650
SetWindowTextW.USER32(?,?), ref: 0050B661
GetDlgItem.USER32(?,00000065), ref: 0050B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0050B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0050B694

Strings

LICENSEDLG, xrefs: 0050B5D4

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 57ff9305e1c45afb5927bd3fa802944fd6aef27e57c8d8461ea86233679064f7
Instruction ID: 054f3e7cccde48ac2b88f79432ca78d7efe41b694813568dff07cee4f05f7333
Opcode Fuzzy Hash: 57ff9305e1c45afb5927bd3fa802944fd6aef27e57c8d8461ea86233679064f7
Instruction Fuzzy Hash: C421CE32604315BBE2115B66EC8EE7F3E6CFB56B86F010014F604A61E0CB539A09A635

Function 0050FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,233918A2,00000001,00000000,00000000,?,?,004FAF6C,ROOT\CIMV2), ref: 0050FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,004FAF6C,ROOT\CIMV2), ref: 0050FE14
SysAllocString.OLEAUT32(00000000), ref: 0050FE1F
_com_issue_error.COMSUPP ref: 0050FE48
_com_issue_error.COMSUPP ref: 0050FE52
GetLastError.KERNEL32(80070057,233918A2,00000001,00000000,00000000,?,?,004FAF6C,ROOT\CIMV2), ref: 0050FE57
_com_issue_error.COMSUPP ref: 0050FE6A
GetLastError.KERNEL32(00000000,?,?,004FAF6C,ROOT\CIMV2), ref: 0050FE80
_com_issue_error.COMSUPP ref: 0050FE93

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: d0f19eae95ff75697cb5297c0bab9e676e601f52f6de81d15c34d469a1780ab5
Instruction ID: d8b749e0432092c3e51afa8768f37c4c8ee2a575866312d9e1b606f78102ee53
Opcode Fuzzy Hash: d0f19eae95ff75697cb5297c0bab9e676e601f52f6de81d15c34d469a1780ab5
Instruction Fuzzy Hash: 1D41F671A00219ABDB209F68DC4ABAEBFA8FF45710F104239F905E76D1D734A944C7A4

Function 004F9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004F93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004F93C9

Part of subcall function 004FC29A: _wcslen.LIBCMT ref: 004FC2A2

Part of subcall function 00501FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,004FC116,00000000,.exe,?,?,00000800,?,?,?,00508E3C), ref: 00501FD1

_swprintf.LIBCMT ref: 004F9465

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

MoveFileW.KERNEL32(?,?), ref: 004F94D4
MoveFileW.KERNEL32(?,?), ref: 004F9514

Strings

rtmp%d, xrefs: 004F944E

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: a9317fdffa8ccd2724cfc1bf3182a8d0e5ef3dd9df92a5422ff77b5e14dde6af
Instruction ID: 5205fbd5e319209d9c18bd5c89ae157bd3839676b37b990c11a95b248c01136e
Opcode Fuzzy Hash: a9317fdffa8ccd2724cfc1bf3182a8d0e5ef3dd9df92a5422ff77b5e14dde6af
Instruction Fuzzy Hash: EE41727290026D75DF21ABA18D55EFF737CAF51344F0048AAB709E3151DA3C8F899B68

Function 004F1100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004F112B
_wcslen.LIBCMT ref: 004F1153
_wcslen.LIBCMT ref: 004F1182
_wcslen.LIBCMT ref: 004F11A9

Strings

pP, xrefs: 004F1205, 004F1233
UP, xrefs: 004F120D, 004F123B
zP, xrefs: 004F1219

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen
String ID: UP$pP$zP
API String ID: 176396367-1396412275
Opcode ID: e94f244cf5e538f6e690c5cdf21058527a8cc4ec16be9622a480351d07c05dbd
Instruction ID: bb9b89218c4562d047960dea5f71c01c81f7e151611195844873ff0909e280bc
Opcode Fuzzy Hash: e94f244cf5e538f6e690c5cdf21058527a8cc4ec16be9622a480351d07c05dbd
Instruction Fuzzy Hash: 8341C47190066A9BCB219FA8CC5D9EF7BB8EF41311F00001AF945F7291DB34AE498BA4

Function 00509ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00509EEE
GetWindowRect.USER32(?,00000000), ref: 00509F44
ShowWindow.USER32(?,00000005,00000000), ref: 00509FDB
SetWindowTextW.USER32(?,00000000), ref: 00509FE3
ShowWindow.USER32(00000000,00000005), ref: 00509FF9

Strings

RarHtmlClassName, xrefs: 00509FA5
P, xrefs: 00509F52, 00509F87

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Window$Show$RectText
String ID: P$RarHtmlClassName
API String ID: 3937224194-284636800
Opcode ID: 34cf0b8967979db68e53b67c5b88fdad7c5b72c9aec9c78fc740c9236ad3844b
Instruction ID: 88a747a7d7859c0da60adecfcb598c49d559e8092ea09d3a2622e70dc115a6ed
Opcode Fuzzy Hash: 34cf0b8967979db68e53b67c5b88fdad7c5b72c9aec9c78fc740c9236ad3844b
Instruction Fuzzy Hash: F4419C31004315AFDB225F74DC5CB6BBFA8FB98742F008559F8499A096DB34D948DB61

Function 00501218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0050122E

Part of subcall function 004FB146: GetVersionExW.KERNEL32(?), ref: 004FB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00501251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00501263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00501274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00501284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00501294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 005012CF
__aullrem.LIBCMT ref: 00501379

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 8ed12c03e871d30e5acfb413e4280abe8cb973680fbe0fc0dab3aca466854952
Instruction ID: e8e07861b0a5946a7e45feedf71d847051ae291923ca3ce82247436852151460
Opcode Fuzzy Hash: 8ed12c03e871d30e5acfb413e4280abe8cb973680fbe0fc0dab3aca466854952
Instruction Fuzzy Hash: 624107B15083069FC710DF65C8849AFBBE9FF88314F00892EF996C2650E738E659DB56

Function 004F2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004F2536

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

Part of subcall function 005005DA: _wcslen.LIBCMT ref: 005005E0

Strings

x%u, xrefs: 004F26FD
xc%u, xrefs: 004F275A
;%u, xrefs: 004F2523

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 09abd3e00cd3e8898fe2384e1776c779231b9b910b9a185b1faa52996bd0605f
Instruction ID: e12a0a48c0fcbbbb84e7755e0c8bf4549ec888e91c51b32d4b374fde693d9ccd
Opcode Fuzzy Hash: 09abd3e00cd3e8898fe2384e1776c779231b9b910b9a185b1faa52996bd0605f
Instruction Fuzzy Hash: EEF135706042889BDB14EB2486D5BBF77956F80304F08056FEE869B383CAAC9945C76A

Function 00509CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00509D0A

Strings

<style>, xrefs: 00509E30
>, xrefs: 00509D4B
</style>, xrefs: 00509E52
<br>, xrefs: 00509DFE
</p>, xrefs: 00509DE8

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 0d1b8895da023b27a0d84d9342e8339fd5d2438b544d2e9cf7745ad48cc5fbe5
Instruction ID: a53ad6c90a74c69e51d371dcc28c33583daf6b9cab90f94a763487117a20d243
Opcode Fuzzy Hash: 0d1b8895da023b27a0d84d9342e8339fd5d2438b544d2e9cf7745ad48cc5fbe5
Instruction Fuzzy Hash: EA514C6778072395DB309A15DC2177F7BE5FFA1790F68041AF9C18B1CAFB658C8182A1

Function 0051F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0051FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0051F6CF
__fassign.LIBCMT ref: 0051F74A
__fassign.LIBCMT ref: 0051F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0051F78B
WriteFile.KERNEL32(?,00000000,00000000,0051FE02,00000000,?,?,?,?,?,?,?,?,?,0051FE02,00000000), ref: 0051F7AA
WriteFile.KERNEL32(?,00000000,00000001,0051FE02,00000000,?,?,?,?,?,?,?,?,?,0051FE02,00000000), ref: 0051F7E3

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b47c8b56b37c55bd7470c629b5247ced55598cbb2a9bdf772312dff1374b8c5d
Instruction ID: c3e27eaba27fa7caeb855a7c36c0714800a3a63e577349687fa2645071a8bc5d
Opcode Fuzzy Hash: b47c8b56b37c55bd7470c629b5247ced55598cbb2a9bdf772312dff1374b8c5d
Instruction Fuzzy Hash: 4D51A4B5A00249AFDB10CFA8DC55AEEBFF4FF09300F14456AE555E7291D730AA85CBA0

Function 0050CE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0050CE9D

Part of subcall function 004FB690: _wcslen.LIBCMT ref: 004FB696

_swprintf.LIBCMT ref: 0050CED1

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

SetDlgItemTextW.USER32(?,00000066,0053946A), ref: 0050CEF1
_wcschr.LIBVCRUNTIME ref: 0050CF22
EndDialog.USER32(?,00000001), ref: 0050CFFE

Strings

%s%s%u, xrefs: 0050CEC6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: c413e2613ed754a8f5554ae89bb209e1c43e2e50b4ea6395a3f58d01a21efbb7
Instruction ID: 68f1a674d5c70db4a7e965e61dc83a5c63d84beb5d67631e7cb236785f830be3
Opcode Fuzzy Hash: c413e2613ed754a8f5554ae89bb209e1c43e2e50b4ea6395a3f58d01a21efbb7
Instruction Fuzzy Hash: 0941B0B1900659AADF219B90DC45BEE3BBCFB45300F4084A6FA09E7181EE708A44DF62

Function 00512900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00512937
___except_validate_context_record.LIBVCRUNTIME ref: 0051293F
_ValidateLocalCookies.LIBCMT ref: 005129C8
__IsNonwritableInCurrentImage.LIBCMT ref: 005129F3
_ValidateLocalCookies.LIBCMT ref: 00512A48

Strings

csm, xrefs: 005129DD

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3deb174e7c5b1a15194952d1a54d185cfea0155717b90833700362f6d36180e0
Instruction ID: d781ad17d8834879a5a753d60a3e72bb57bab579d177c6a57b1684e82279b658
Opcode Fuzzy Hash: 3deb174e7c5b1a15194952d1a54d185cfea0155717b90833700362f6d36180e0
Instruction Fuzzy Hash: 1641C134A00219AFDF10DF68C885AEEBFB5FF45324F148055E819AB392D771DAA5CB90

Function 00509955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0050995E
_wcslen.LIBCMT ref: 00509993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00509987
, xrefs: 005099B0
 , xrefs: 00509A21
<br>, xrefs: 005099DF

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: a55ed54d4f90f381d8bf6d5eedac16ad17d52425cf2ba36a4a91a114a5ffe66a
Instruction ID: 7e76015e7640bfc3132aa3745c02a2f9d89da1cb64569114727eaf442313e469
Opcode Fuzzy Hash: a55ed54d4f90f381d8bf6d5eedac16ad17d52425cf2ba36a4a91a114a5ffe66a
Instruction Fuzzy Hash: 6B31823274434666E630AB549C46BBF7BA4FBD0320F50881FF486472C5FB50AD8183A1

Function 0051C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0051C868: _free.LIBCMT ref: 0051C891

_free.LIBCMT ref: 0051C8F2

Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?), ref: 00518DE2
Part of subcall function 00518DCC: GetLastError.KERNEL32(?,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?,?), ref: 00518DF4

_free.LIBCMT ref: 0051C8FD
_free.LIBCMT ref: 0051C908
_free.LIBCMT ref: 0051C95C
_free.LIBCMT ref: 0051C967
_free.LIBCMT ref: 0051C972
_free.LIBCMT ref: 0051C97D

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 81c02f0a9ce02debf75c760f98a40c291333e6ba815e5bb9a0b0d2f306b86fd9
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: EF112CB1590B16BAF530B7B1CC4AFDB7FACBF80B00F400C19B29D66092DB66A585C750

Function 0050E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0050E669,0050E5CC,0050E86D), ref: 0050E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0050E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0050E630

Strings

ReleaseSRWLockExclusive, xrefs: 0050E625
AcquireSRWLockExclusive, xrefs: 0050E615
KERNEL32.DLL, xrefs: 0050E600

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 2c9aaf73fae10758a1d61c579c817263e1c41c8acefa12d7d0623459ab1cac41
Instruction ID: c247fd15a7d9a1a8b4f4c2d98872d27c1587e3f51a007cf4fc57d36e2dc72c16
Opcode Fuzzy Hash: 2c9aaf73fae10758a1d61c579c817263e1c41c8acefa12d7d0623459ab1cac41
Instruction Fuzzy Hash: B1F0AF327816625BCF214E647C9BA6E2EC87F377923280C79D901D31C0FB268C5A6A94

Function 00518900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0051891E

Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?), ref: 00518DE2
Part of subcall function 00518DCC: GetLastError.KERNEL32(?,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?,?), ref: 00518DF4

_free.LIBCMT ref: 00518930
_free.LIBCMT ref: 00518943
_free.LIBCMT ref: 00518954
_free.LIBCMT ref: 00518965

Strings

pR, xrefs: 00518914

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: pR
API String ID: 776569668-2883592124
Opcode ID: cfa6a74f49f0491231ac121bb51585f539c9880aad39986d5e4179ca6e776402
Instruction ID: ac0be85d48b61785ffa37c8b10d6f8a00b80a4123d2f011639e57a3a306b49aa
Opcode Fuzzy Hash: cfa6a74f49f0491231ac121bb51585f539c9880aad39986d5e4179ca6e776402
Instruction Fuzzy Hash: F5F082798103338BDA266F14FC564A53FB5FB37722B41090AF014562B1CF35498AFB81

Function 0050146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 005014C2

Part of subcall function 004FB146: GetVersionExW.KERNEL32(?), ref: 004FB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005014E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00501500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00501513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00501523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00501533

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: ce5457fc08c1857881c5c86bc2efe9d5adb0b5676590c9d17d3dd320972f91e4
Instruction ID: 775a0fb606226da6c93801c75d76cbb3da301ff77e3a8c8580f25a9d6068398d
Opcode Fuzzy Hash: ce5457fc08c1857881c5c86bc2efe9d5adb0b5676590c9d17d3dd320972f91e4
Instruction Fuzzy Hash: DC31F875108305ABC700DFA8C88499BBBF8FF98714F004A1EF995C3250E734D619CBA6

Function 00512AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00512AF1,005102FC,0050FA34), ref: 00512B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00512B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00512B2F
SetLastError.KERNEL32(00000000,00512AF1,005102FC,0050FA34), ref: 00512B81

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2888e7f7cc4ac50b6090551960dfca2b452822de5eadf379e22d3932c2af01ac
Instruction ID: 78fcdc0e709999ad5f6aa0124f6f3500467a608afb5b6dbba14ed42833e9a332
Opcode Fuzzy Hash: 2888e7f7cc4ac50b6090551960dfca2b452822de5eadf379e22d3932c2af01ac
Instruction Fuzzy Hash: 7301DF3220C3126EF7342A747C9A9EA2F59FFA27B4F600B3AF110550E0EF114C96A244

Function 005197E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00531030,00514674,00531030,?,?,00513F73,00000050,?,00531030,00000200), ref: 005197E9
_free.LIBCMT ref: 0051981C
_free.LIBCMT ref: 00519844
SetLastError.KERNEL32(00000000,?,00531030,00000200), ref: 00519851
SetLastError.KERNEL32(00000000,?,00531030,00000200), ref: 0051985D
_abort.LIBCMT ref: 00519863

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 67d040411a1b030707eddb0518c83e9d17d835c032ac3f54a795e949a3ac00f2
Instruction ID: 2ae68881ead2e3a442a93a941567e270c6434fcdf480daf3803569fb16f90c3d
Opcode Fuzzy Hash: 67d040411a1b030707eddb0518c83e9d17d835c032ac3f54a795e949a3ac00f2
Instruction Fuzzy Hash: 74F0A43554070276F72233247C6EEEB1E69BFE3B71F250628F51492192FF24C88B9565

Function 0050DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0050DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0050DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0050DC72
TranslateMessage.USER32(?), ref: 0050DC7C
DispatchMessageW.USER32(?), ref: 0050DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0050DC91

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: da266163829122e8f114b0f718d762b0dfe46150dbf942e296fcea4f464c1bc0
Instruction ID: 0d3cf4fbce7f62439dd99ced7bd296d058bb39799dd130fb3c87f237d7a36ce3
Opcode Fuzzy Hash: da266163829122e8f114b0f718d762b0dfe46150dbf942e296fcea4f464c1bc0
Instruction Fuzzy Hash: F5F03C72A01319BBCB206BA5DC4CDCF7F7DFF52792B004421B50AD20A0D674864ADBB0

Function 0050A80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0050A699: GetDC.USER32(00000000), ref: 0050A69D
Part of subcall function 0050A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0050A6A8
Part of subcall function 0050A699: ReleaseDC.USER32(00000000,00000000), ref: 0050A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0050A83C

Part of subcall function 0050AAC9: GetDC.USER32(00000000), ref: 0050AAD2
Part of subcall function 0050AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0050AB01
Part of subcall function 0050AAC9: ReleaseDC.USER32(00000000,?), ref: 0050AB99

Strings

AP, xrefs: 0050A9BA
(, xrefs: 0050A9AA
"P, xrefs: 0050A89D, 0050AAB9

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "P$($AP
API String ID: 1061551593-564177875
Opcode ID: 23408bbf00706b32859cb9a3e04f1ccfe24a511d03361b877b17a7b815353c5d
Instruction ID: 6242354a3a927050da3f8d2d5f9c96fd1374d40d3b8480faded2818ee522179a
Opcode Fuzzy Hash: 23408bbf00706b32859cb9a3e04f1ccfe24a511d03361b877b17a7b815353c5d
Instruction Fuzzy Hash: 9A91E275604355AFD720DF25C848A2BBBE8FFD9700F00491EF59AD72A0DB30A946DB62

Function 004FC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 005005DA: _wcslen.LIBCMT ref: 005005E0

Part of subcall function 004FB92D: _wcsrchr.LIBVCRUNTIME ref: 004FB944

_wcslen.LIBCMT ref: 004FC197
_wcslen.LIBCMT ref: 004FC1DF

Strings

.rar, xrefs: 004FC0E1, 004FC134
.exe, xrefs: 004FC10B
.sfx, xrefs: 004FC11A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 20b4a768f79fd353fb2bd69fce55be855b3e9b630efd4aad272151c20782ff52
Instruction ID: 09d1e58e89f1e15122733c5d397c441e1b88c36210e4bd0a3ce4b91521089dc1
Opcode Fuzzy Hash: 20b4a768f79fd353fb2bd69fce55be855b3e9b630efd4aad272151c20782ff52
Instruction Fuzzy Hash: E641562150032E99C735AF708A96A7F77A8FF42704F10494FFA816B2C1EB584D92C39A

Function 004FBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004FBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,004FA275,?,?,00000800,?,004FA23A,?,004F755C), ref: 004FBBC5
_wcslen.LIBCMT ref: 004FBC3B

Strings

UNC, xrefs: 004FBBA7
\\?\, xrefs: 004FBB52, 004FBB99, 004FBBF7, 004FBC4E

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: c8ac512592311b07aca06a20e5598c951f654dff18ea35152d830e371e4ec1f5
Instruction ID: de88bf5762d98e82eb7d5e39e27a8b47cb126466f08cec19e97feb5eb7f54110
Opcode Fuzzy Hash: c8ac512592311b07aca06a20e5598c951f654dff18ea35152d830e371e4ec1f5
Instruction Fuzzy Hash: 3241A33150025EA6DB21AF20CC05EFF7B69FF43394F10446BFA54A3291DB78DA918AE4

Function 0050CD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0050CD84

Part of subcall function 0050AF98: _wcschr.LIBVCRUNTIME ref: 0050B033

Part of subcall function 00501FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,004FC116,00000000,.exe,?,?,00000800,?,?,?,00508E3C), ref: 00501FD1

Strings

MIN, xrefs: 0050CDF5
HIDE, xrefs: 0050CDC6
MAX, xrefs: 0050CDD9
<, xrefs: 0050CD68

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: d458fa6d53f6307a6a1daf9a4cf6f28d81aab73aa46ebac1e5e6b12c8cc8b18c
Instruction ID: 1fb8535b80930d8498daca0d4365b675321a0268e603f3454895b31e3b6e6afb
Opcode Fuzzy Hash: d458fa6d53f6307a6a1daf9a4cf6f28d81aab73aa46ebac1e5e6b12c8cc8b18c
Instruction Fuzzy Hash: 2431727290061A9ADF25CB50DC45AEE7FBCFB55350F004666E905E71C0EBB09A848FA1

Function 0050AAC9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0050AAD2
GetObjectW.GDI32(?,00000018,?), ref: 0050AB01
ReleaseDC.USER32(00000000,?), ref: 0050AB99

Strings

-P, xrefs: 0050AB32, 0050AB3F, 0050AB73, 0050AB7F
7P, xrefs: 0050AB67

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ObjectRelease
String ID: -P$7P
API String ID: 1429681911-3971959481
Opcode ID: ed69dac6dc0a45a3afcae435dbe4361b1c6cf8219ff37d746c7a245f6b207d30
Instruction ID: 2343409247252c83f4f4cb02b674fd91bed1b4aa558a6211b0023aed563473f2
Opcode Fuzzy Hash: ed69dac6dc0a45a3afcae435dbe4361b1c6cf8219ff37d746c7a245f6b207d30
Instruction Fuzzy Hash: 1A21FF72108304EFD3019F95DC4CD6FBFE9FB99392F040429FA4992170D7319A589B62

Function 004FB991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004FB9B8

Part of subcall function 004F4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F40A5

_wcschr.LIBVCRUNTIME ref: 004FB9D6
_wcschr.LIBVCRUNTIME ref: 004FB9E6

Strings

%c:\, xrefs: 004FB9AE

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 955edac7ed3227b5d574c5c5858a203e088bacd34cb924e64d846ea1aff73fc7
Instruction ID: a8d2d9e3e078e1850b7f8733492c01bbd0c8e84f435f55bf224ecb0dacd7f26a
Opcode Fuzzy Hash: 955edac7ed3227b5d574c5c5858a203e088bacd34cb924e64d846ea1aff73fc7
Instruction Fuzzy Hash: EA01F5A350031669AA306B75DC46D7BABACEFD7770B40490FF754D6282EB38D89082F5

Function 0050B270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370

EndDialog.USER32(?,00000001), ref: 0050B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0050B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0050B304

Strings

GETPASSWORD1, xrefs: 0050B289
xzT, xrefs: 0050B2E2

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xzT
API String ID: 445417207-2147243542
Opcode ID: cbd0ee8c55ea77664e9ce1dabeaf7280b11c24a95fba59693e11dbe86a954a24
Instruction ID: 8f5484d2d04f617062e76263396c74675ea5678ae6f291151ad95398b12620b0
Opcode Fuzzy Hash: cbd0ee8c55ea77664e9ce1dabeaf7280b11c24a95fba59693e11dbe86a954a24
Instruction Fuzzy Hash: AF11E132900219B6EB219A649C99FFF3B6CFF19744F100421FA45B20D0C7A49A049761

Function 0050B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0050B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0050B712
DeleteObject.GDI32(00000000), ref: 0050B744
DeleteObject.GDI32(00000000), ref: 0050B767

Part of subcall function 0050A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0050B73D,00000066), ref: 0050A6D5
Part of subcall function 0050A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0050B73D,00000066), ref: 0050A6EC
Part of subcall function 0050A6C2: LoadResource.KERNEL32(00000000,?,?,?,0050B73D,00000066), ref: 0050A703
Part of subcall function 0050A6C2: LockResource.KERNEL32(00000000,?,?,?,0050B73D,00000066), ref: 0050A712
Part of subcall function 0050A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0050B73D,00000066), ref: 0050A72D
Part of subcall function 0050A6C2: GlobalLock.KERNEL32(00000000), ref: 0050A73E
Part of subcall function 0050A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0050A762
Part of subcall function 0050A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0050A7A7
Part of subcall function 0050A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0050A7C6
Part of subcall function 0050A6C2: GlobalFree.KERNEL32(00000000), ref: 0050A7CD

Strings

], xrefs: 0050B71A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: e66af11d95bda689f78fc09a61637903976c6ced6179290e617461c1e4def90f
Instruction ID: 8d62dd9e2db7cb88ea0fb753fd40b2d583297a8d754e7c4723ec2a87164eeb95
Opcode Fuzzy Hash: e66af11d95bda689f78fc09a61637903976c6ced6179290e617461c1e4def90f
Instruction Fuzzy Hash: F501C436940306A7EB1277745C5DABF7EB9FFC0792F080010F900A72E1DF218D095662

Function 0050D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370

EndDialog.USER32(?,00000001), ref: 0050D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0050D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0050D675
SetDlgItemTextW.USER32(?,00000068), ref: 0050D684

Strings

RENAMEDLG, xrefs: 0050D618

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 55dd17cb06a14c22918e94c35d3f404f65cf9481e7b084aa5a6a824e53dc0bcf
Instruction ID: 8bcea308c5580d035a632e24eeab5db6f998e2d6629e62d1d882cc8d2d98b56b
Opcode Fuzzy Hash: 55dd17cb06a14c22918e94c35d3f404f65cf9481e7b084aa5a6a824e53dc0bcf
Instruction Fuzzy Hash: 0D01B533284314BAD2114FA8AD0DF6F7F6DBB6AB42F110511F705A20E0C6A39908A775

Function 00517E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00517E24,00000000,?,00517DC4,00000000,0052C300,0000000C,00517F1B,00000000,00000002), ref: 00517E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00517EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00517E24,00000000,?,00517DC4,00000000,0052C300,0000000C,00517F1B,00000000,00000002), ref: 00517EC9

Strings

CorExitProcess, xrefs: 00517E9E
mscoree.dll, xrefs: 00517E8C

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 96982dd64f122a7a16279fd0c9b25b8f50019253b15e14490feea8b8df904922
Instruction ID: e2148e50200fccbce000e25482459fb23dc28669470f6d557b32fde95e48cd1d
Opcode Fuzzy Hash: 96982dd64f122a7a16279fd0c9b25b8f50019253b15e14490feea8b8df904922
Instruction Fuzzy Hash: 66F04435900218FBDB219BA4DC49BDEBFB8FF49711F0041A9F805A22A0DB759E45DA90

Function 004FF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0050081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00500836
Part of subcall function 0050081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004FF2D8,Crypt32.dll,00000000,004FF35C,?,?,004FF33E,?,?,?), ref: 00500858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004FF2E4
GetProcAddress.KERNEL32(005381C8,CryptUnprotectMemory), ref: 004FF2F4

Strings

CryptUnprotectMemory, xrefs: 004FF2EA
Crypt32.dll, xrefs: 004FF2CE
CryptProtectMemory, xrefs: 004FF2DE

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 4638b18e58dbffd6b64deefdc06322b13adf70bdcd762ec6da72eaa81481cf05
Instruction ID: af573943cc8ac5e08773881eb7be4fe0ba9ec219698fd95afdf3bf2a9dcb19f2
Opcode Fuzzy Hash: 4638b18e58dbffd6b64deefdc06322b13adf70bdcd762ec6da72eaa81481cf05
Instruction Fuzzy Hash: 89E04F709107169EC7309B34A88DB567ED47F16B04F14886EE4DA936C0EBBDD5458B50

Function 00512BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00512CA1
___AdjustPointer.LIBCMT ref: 00512CC4
_abort.LIBCMT ref: 00512D12
___AdjustPointer.LIBCMT ref: 00512D60

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 8b6ea8c6941308c2d45d86872e1abd6b92c649509319369c0056c4743f40cc7b
Instruction ID: de042f2e3a871ef64ae3f0776cf1d5a52a86f870e551c4a1427fbb9eb8697699
Opcode Fuzzy Hash: 8b6ea8c6941308c2d45d86872e1abd6b92c649509319369c0056c4743f40cc7b
Instruction Fuzzy Hash: 6F51D0B1600216AFFB288F14E849BEA7FA4FF54314F24452DE901476A1E731EDE1D790

Function 0051BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0051BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0051BF5C

Part of subcall function 00518E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0051CA2C,00000000,?,00516CBE,?,00000008,?,005191E0,?,?,?), ref: 00518E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0051BF82
_free.LIBCMT ref: 0051BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0051BFA4

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: de17d7f4d4d6c94dd06ccd95d674f2a024262dae18f463e7aade752b122b1ab9
Instruction ID: fa79a6ba5e71b984b09d4bc43f561999249e43730534c92abb9e8d0fbc9a2517
Opcode Fuzzy Hash: de17d7f4d4d6c94dd06ccd95d674f2a024262dae18f463e7aade752b122b1ab9
Instruction Fuzzy Hash: 7E015E666056157F332116765C8DCBB6F6DFEC6BA13140129B904C2141EB648D43E5B0

Function 00519869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,005191AD,0051B188,?,00519813,00000001,00000364,?,00513F73,00000050,?,00531030,00000200), ref: 0051986E
_free.LIBCMT ref: 005198A3
_free.LIBCMT ref: 005198CA
SetLastError.KERNEL32(00000000,?,00531030,00000200), ref: 005198D7
SetLastError.KERNEL32(00000000,?,00531030,00000200), ref: 005198E0

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ce31c8d42b611389d5c66386f4cec4fa4924ad10264a257d5730914841ed5336
Instruction ID: 12c21cabf96b2114f6e176f37aea2fdbc7654302f90b1cb15f3068506eed6981
Opcode Fuzzy Hash: ce31c8d42b611389d5c66386f4cec4fa4924ad10264a257d5730914841ed5336
Instruction Fuzzy Hash: 2601D13A2447027BF32222246CAD9EA2D69FFE3771B250539F50592192FF248C8A6221

Function 00500EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 005011CF: ResetEvent.KERNEL32(?), ref: 005011E1
Part of subcall function 005011CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 005011F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00500F21
CloseHandle.KERNEL32(?,?), ref: 00500F3B
DeleteCriticalSection.KERNEL32(?), ref: 00500F54
CloseHandle.KERNEL32(?), ref: 00500F60
CloseHandle.KERNEL32(?), ref: 00500F6C

Part of subcall function 00500FE4: WaitForSingleObject.KERNEL32(?,000000FF,00501206,?), ref: 00500FEA
Part of subcall function 00500FE4: GetLastError.KERNEL32(?), ref: 00500FF6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: ff7b63a9813ceb753f2ff81cc31509c1d91ca22d5efabe50c810a92a702601e5
Instruction ID: cac2e0fd42887ec5212c2c299f8599d6c8b80c63e978005706a7dd09f1d6ba5d
Opcode Fuzzy Hash: ff7b63a9813ceb753f2ff81cc31509c1d91ca22d5efabe50c810a92a702601e5
Instruction Fuzzy Hash: A4015276100745EFC7329B64DC88BCABBA9FF09710F000929F15B521A0CB757A49DA64

Function 0051C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0051C817

Part of subcall function 00518DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?), ref: 00518DE2
Part of subcall function 00518DCC: GetLastError.KERNEL32(?,?,0051C896,?,00000000,?,00000000,?,0051C8BD,?,00000007,?,?,0051CCBA,?,?), ref: 00518DF4

_free.LIBCMT ref: 0051C829
_free.LIBCMT ref: 0051C83B
_free.LIBCMT ref: 0051C84D
_free.LIBCMT ref: 0051C85F

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3690f7740f8d75714c8ab2c2893f2012e6ae862f0d47f1391d022da8fd08d360
Instruction ID: d2aa25fcaaf59151ae5bcb3d76c765ea6e54fd02fd9499ec58f87ab9aa69deb2
Opcode Fuzzy Hash: 3690f7740f8d75714c8ab2c2893f2012e6ae862f0d47f1391d022da8fd08d360
Instruction Fuzzy Hash: 35F01432540211ABA630AA68F8CACAA7FEDBF50B107650C19F108D7652CB71FCC0CA60

Function 00501FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00501FE5
_wcslen.LIBCMT ref: 00501FF6
_wcslen.LIBCMT ref: 00502006
_wcslen.LIBCMT ref: 00502014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,004FB371,?,?,00000000,?,?,?), ref: 0050202F

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 5fd071b6f0a2431837abc0493520dd1695d1eb2254d5f9fe5f1e29718fb161cd
Instruction ID: dc8ff83925d23af7ea5180ecd34eab6dda41c57ec558f4d5f0947bc5bdf820b5
Opcode Fuzzy Hash: 5fd071b6f0a2431837abc0493520dd1695d1eb2254d5f9fe5f1e29718fb161cd
Instruction Fuzzy Hash: DFF06D32008214BBDF221F51EC0DDCE3F2AFB80760F118405F61A5E0A1CB7296A1D690

Function 005015FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005017BC
_swprintf.LIBCMT ref: 0050186B

Strings

%s: %s, xrefs: 005017CB
%ls, xrefs: 00501641, 00501657

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 7894b72168f005eb507bbd3338f94e1bbb268c1a533560dfacce197f3ea0c9da
Instruction ID: 89aadf003eec336cd2eaa2fe8cca42acfba269f6def2f3904205cbef9cc7af54
Opcode Fuzzy Hash: 7894b72168f005eb507bbd3338f94e1bbb268c1a533560dfacce197f3ea0c9da
Instruction Fuzzy Hash: AB51C735288F04F6F7211A908E46F3E7E65BF15B04F248D06F387648E2D9A7A5506B1F

Function 00517F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\f3I38kv.exe,00000104), ref: 00517FAE
_free.LIBCMT ref: 00518079
_free.LIBCMT ref: 00518083

Strings

C:\Users\user\Desktop\f3I38kv.exe, xrefs: 00517FA5, 00517FAC, 00517FDB, 00518013

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\f3I38kv.exe
API String ID: 2506810119-3643475460
Opcode ID: dfb51ebd140d3f92907dd38e79fabb47ab25136622415db313361d737d6f4fc8
Instruction ID: ab98caafe361c1f6b122cbbc1ad85b1cd8a27725cf76b1eead91f036f95eba0a
Opcode Fuzzy Hash: dfb51ebd140d3f92907dd38e79fabb47ab25136622415db313361d737d6f4fc8
Instruction Fuzzy Hash: E6318071A0021DAFEB21DF99D888DEEBFB8FB99310F104066F80497211DB718A89DB51

Function 005131D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 005131FB
_abort.LIBCMT ref: 00513306

Strings

MOC, xrefs: 0051320D
RCC, xrefs: 00513215

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 2f2bcd6d75f1967af082b14dac1dd4ed3b1b4902f9513178159c06be971677a7
Instruction ID: c9ac8ca6e3a172d8dbce7486bbcc14d48882cc6406f41e494dc074ae95da71c9
Opcode Fuzzy Hash: 2f2bcd6d75f1967af082b14dac1dd4ed3b1b4902f9513178159c06be971677a7
Instruction Fuzzy Hash: F3416875900209AFEF15DF98CC81AEEBFB5BF48304F188099F914A7251D335EAA0DB54

Function 004F7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F7406

Part of subcall function 004F3BBA: __EH_prolog.LIBCMT ref: 004F3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004F74CD

Part of subcall function 004F7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 004F7AAB
Part of subcall function 004F7A9C: GetLastError.KERNEL32 ref: 004F7AF1
Part of subcall function 004F7A9C: CloseHandle.KERNEL32(?), ref: 004F7B00

Strings

SeSecurityPrivilege, xrefs: 004F744B
SeRestorePrivilege, xrefs: 004F7460

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 57cb990a5e563c84a2e9d802a57e2334476d7d0c43f353fd20e1bb244bc14943
Instruction ID: a134b083ec6a5acf6764a36f9bd855a9eb18b40a1cbbbeb03161de0208900473
Opcode Fuzzy Hash: 57cb990a5e563c84a2e9d802a57e2334476d7d0c43f353fd20e1bb244bc14943
Instruction Fuzzy Hash: 9831EE71D0025DAADF11ABA4DC49BFF7BA8AF19304F04401AF604A7292D77C9A488B68

Function 0050AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 004F1316: GetDlgItem.USER32(00000000,00003021), ref: 004F135A
Part of subcall function 004F1316: SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370

EndDialog.USER32(?,00000001), ref: 0050AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0050ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0050ADC2

Strings

ASKNEXTVOL, xrefs: 0050AD28

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: facfba8125f6d54fae118729e48e28aefd62855a1196d55c6c23ea94b9f213f9
Instruction ID: d661e9c7549c0630fbc2aa77c456fea1f70b1f3a2b8de69df909d09593007dd7
Opcode Fuzzy Hash: facfba8125f6d54fae118729e48e28aefd62855a1196d55c6c23ea94b9f213f9
Instruction Fuzzy Hash: 8211BE33240710AFE3118F68AD49FAE3F69FB5A743F400411F241EA4F0C7629D09A72A

Function 0050DDA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010424,0050B270,?,?), ref: 0050DE18

Strings

xzT, xrefs: 0050DE28
GETPASSWORD1, xrefs: 0050DE0D
rP, xrefs: 0050DDDC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$rP$xzT
API String ID: 665744214-3788108970
Opcode ID: 8d0c70e50cda36167564ff8326cc3bb02f368b4f64561e239e2cb8af2df9eefc
Instruction ID: a627da64993afd1b4e3043224b819cb1130881858be59ba2c8a1c2ffece0e2cf
Opcode Fuzzy Hash: 8d0c70e50cda36167564ff8326cc3bb02f368b4f64561e239e2cb8af2df9eefc
Instruction Fuzzy Hash: 92113832600248AADF119A34EC05BBF3FA8BB1A355F144465BD49EB1C0C7B4AC88D374

Function 004FD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 004FD954
_strncpy.LIBCMT ref: 004FD99A

Part of subcall function 00501DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00531030,00000200,004FD928,00000000,?,00000050,00531030), ref: 00501DC4

Strings

$%s, xrefs: 004FD949
@%s, xrefs: 004FD93E

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 7a39a2fa5daa9a24aa8965a97c86974a3c13ed9cbadce85c751d43fe859d07de
Instruction ID: 2184c4296db374c82f51f59f3d6e61c3a92dbc3dfe08b9227d06edcd99901681
Opcode Fuzzy Hash: 7a39a2fa5daa9a24aa8965a97c86974a3c13ed9cbadce85c751d43fe859d07de
Instruction Fuzzy Hash: 7921967284024CAADB21DFA4CC05FEF7BE9AF06704F044423FA1096192E376D645CB56

Function 00500E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,004FAC5A,00000008,?,00000000,?,004FD22D,?,00000000), ref: 00500E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,004FAC5A,00000008,?,00000000,?,004FD22D,?,00000000), ref: 00500E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,004FAC5A,00000008,?,00000000,?,004FD22D,?,00000000), ref: 00500E9F

Strings

Thread pool initialization failed., xrefs: 00500EB7

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: c63347f2ac8786317f99b28a260d13f3419db09c4ace7a2a84dc9fd8cb69eaa5
Instruction ID: 43a2435fc83798b8a49c862d4e465ae9c525ae8bfa06fa88af4a90a475fdb7d5
Opcode Fuzzy Hash: c63347f2ac8786317f99b28a260d13f3419db09c4ace7a2a84dc9fd8cb69eaa5
Instruction Fuzzy Hash: 43118FB16007089BC3315F6ADC88AABFBECFB65744F104C2EE1DA92280DA7599418B64

Function 004F124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004F125D

Strings

2P, xrefs: 004F1292
(P, xrefs: 004F12A3
A, xrefs: 004F1285

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Malloc
String ID: (P$2P$A
API String ID: 2696272793-1576226603
Opcode ID: 72799dc2782d0453f21b47c818585bacd0c6b7984c38c21834b82fbf293b1ae5
Instruction ID: 498d18c8c165f24399b58d3c63fe1fd3a005347172b25e573e3f634ba440a392
Opcode Fuzzy Hash: 72799dc2782d0453f21b47c818585bacd0c6b7984c38c21834b82fbf293b1ae5
Instruction Fuzzy Hash: 8C011B75901219ABCB14CFA4D8589EFBBF8AF09350B10415AE909E3350D7349A45DF94

Function 0050DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0050DD1C, 0050DD50
RENAMEDLG, xrefs: 0050DD31

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 0dac316960ffff39cf7977639d030a7b21e1c1c4075438ac20ce8a0f8a184dfb
Instruction ID: d22fe1a2429d6fb5d2f13fac3c0573ae1fc5ccf9ad07c6a3608a640dfdd337c9
Opcode Fuzzy Hash: 0dac316960ffff39cf7977639d030a7b21e1c1c4075438ac20ce8a0f8a184dfb
Instruction Fuzzy Hash: 11015E7A604345AFDB158FA4FC48AAA7FB8F769398B040425F805827B0C6719858FBB0

Function 004F1316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004FE2E8: _swprintf.LIBCMT ref: 004FE30E
Part of subcall function 004FE2E8: _strlen.LIBCMT ref: 004FE32F
Part of subcall function 004FE2E8: SetDlgItemTextW.USER32(?,0052E274,?), ref: 004FE38F
Part of subcall function 004FE2E8: GetWindowRect.USER32(?,?), ref: 004FE3C9
Part of subcall function 004FE2E8: GetClientRect.USER32(?,?), ref: 004FE3D5

GetDlgItem.USER32(00000000,00003021), ref: 004F135A
SetWindowTextW.USER32(00000000,005235F4), ref: 004F1370

Strings

P, xrefs: 004F134A
0, xrefs: 004F1319

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: P$0
API String ID: 2622349952-403496799
Opcode ID: f7f7f95873ba347bfce1b635708c612a398a0c8c626f708580e44d7dbd217b21
Instruction ID: ada5cb5f9081a73349e3bfb78372894d522bf322bcd945b1623ceb6b03ebbe1a
Opcode Fuzzy Hash: f7f7f95873ba347bfce1b635708c612a398a0c8c626f708580e44d7dbd217b21
Instruction Fuzzy Hash: E3F08C3110438CEAEF150F61880DABA3F98AF103A5F04851AFE8850AB1DB7CC994EE18

Function 00519A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00519AA9
__alldvrm.LIBCMT ref: 00519CAA
__alldvrm.LIBCMT ref: 00519CCC

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: 72b13155d56a4b62c13fe5a05cbf6fb3e97f1b32be50bed649682f0644106a8d
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: FDA135769042869FFB218E28C8A17EEBFE5FF51314F28456DE4859B281C2389DC1C791

Function 004FA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,004F7F69,?,?,?), ref: 004FA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,004F7F69,?), ref: 004FA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,004F7F69,?,?,?,?,?,?,?), ref: 004FA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,004F7F69,?,?,?,?,?,?,?,?,?,?), ref: 004FA4C6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: e3e181723f6de369b91cdaa2881c4a834ddb9c6c24d4857f51da9c83c3c1527f
Instruction ID: 1f3ac2018c0b93483d342d1e70525bee6d823be6ec1c4a9d026ab6415c6ef3c6
Opcode Fuzzy Hash: e3e181723f6de369b91cdaa2881c4a834ddb9c6c24d4857f51da9c83c3c1527f
Instruction Fuzzy Hash: BC41B2712483859AD731DF24DC49BAFBBE4AF85300F04091EB6D9932C0D6A89A5CDB57

Function 0051C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,005191E0,?,00000000,?,00000001,?,?,00000001,005191E0,?), ref: 0051C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0051CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00516CBE,?), ref: 0051CA70
__freea.LIBCMT ref: 0051CA79

Part of subcall function 00518E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0051CA2C,00000000,?,00516CBE,?,00000008,?,005191E0,?,?,?), ref: 00518E38

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3bcd7730033c84117beb69a278a284d11f7eb86dcd57a2b6af2af73f004e5e8e
Instruction ID: a7cad7888bb1186b49bcbabb1b851848f88b0a4a2d7370101120663b4c39cbe1
Opcode Fuzzy Hash: 3bcd7730033c84117beb69a278a284d11f7eb86dcd57a2b6af2af73f004e5e8e
Instruction Fuzzy Hash: 33319C72A0021AABEB25DF64DC45DEE7FA6FF41310F144268E804A6290EB36DD95DB90

Function 0050A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0050A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0050A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0050A683
ReleaseDC.USER32(00000000,00000000), ref: 0050A691

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e91901a931ab2eac8be4715296e819104f764f61fa6f3f3f9e4a17e88fcf3378
Instruction ID: b8b40efad7369eaf427139cac2d042ebdbe1860a073e3298969b4e64ff99289e
Opcode Fuzzy Hash: e91901a931ab2eac8be4715296e819104f764f61fa6f3f3f9e4a17e88fcf3378
Instruction Fuzzy Hash: 6CE01D31952721B7D7515B607C1DB9B3E54AB25B93F010101F609951F0DB7487089B91

Function 0050D06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0050D11B

Strings

dP, xrefs: 0050D3C5
.lnk, xrefs: 0050D2F7, 0050D307

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$dP
API String ID: 2691759472-3456662748
Opcode ID: 2544d4703a31ec6af30697c05d994cd370b17cc24b3bfb7f7a7567244fbd1f64
Instruction ID: 6cac1d9d86ae12b00f9a449be385f63441eebe509da61258517f4ec24866f0d2
Opcode Fuzzy Hash: 2544d4703a31ec6af30697c05d994cd370b17cc24b3bfb7f7a7567244fbd1f64
Instruction Fuzzy Hash: 5DA1517690022A96DF24DBA0DD49EFF77FCAF44304F0885A6B509E7181EE359B848B71

Function 004F75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F75E3

Part of subcall function 005005DA: _wcslen.LIBCMT ref: 005005E0

Part of subcall function 004FA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 004FA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004F777F

Part of subcall function 004FA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,004FA325,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA501
Part of subcall function 004FA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004FA325,?,?,?,004FA175,?,00000001,00000000,?,?), ref: 004FA532

Strings

:, xrefs: 004F7654

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: ce2c42cb08beca68213b380c6bcff0ddb0ad71d25078fb9d4757f92837f3fbe6
Instruction ID: 2b882ce2d8d4b99e80cea4a3d0ea2a1cb453ce75966b983e33c8d8465573bc91
Opcode Fuzzy Hash: ce2c42cb08beca68213b380c6bcff0ddb0ad71d25078fb9d4757f92837f3fbe6
Instruction Fuzzy Hash: F3416E7180015CAAEB25EB65CC59EFFB778EF45304F0040ABA709A2192DB7C5F85CB65

Function 004FB37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 004FB438
_wcschr.LIBVCRUNTIME ref: 004FB478

Strings

*, xrefs: 004FB38A

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 7bad681d56ae6b9dc73e850eb2b638c2dc5c1d79ace2b0c7f461199713523c32
Instruction ID: f05cdf8e994ed672d0f7ff0ffe2cdb9da1bac955cba1aa1f0b59366d49edd9ca
Opcode Fuzzy Hash: 7bad681d56ae6b9dc73e850eb2b638c2dc5c1d79ace2b0c7f461199713523c32
Instruction Fuzzy Hash: DF3116261443199A9A30AE14CB0267B73E9DF93B14F14851FFF8447283E72D8C8292EA

Function 0050B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0050B4E3
_wcslen.LIBCMT ref: 0050B4FE

Strings

}, xrefs: 0050B4D6

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 79f463cecbc444c182ea568b1cc41fd018c47e18aae80602feffd682fef45e04
Instruction ID: 73e09a38574f3842b992b1152f7184232495394b2f7d94e7b0a0b13c37d2a78e
Opcode Fuzzy Hash: 79f463cecbc444c182ea568b1cc41fd018c47e18aae80602feffd682fef45e04
Instruction Fuzzy Hash: CC2107725043065AE730DA64DC89E6EBBDCFF81710F04082AF540C3181F7659E8883A2

Function 004FF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004FF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004FF2E4
Part of subcall function 004FF2C5: GetProcAddress.KERNEL32(005381C8,CryptUnprotectMemory), ref: 004FF2F4

GetCurrentProcessId.KERNEL32(?,?,?,004FF33E), ref: 004FF3D2

Strings

CryptProtectMemory failed, xrefs: 004FF389
CryptUnprotectMemory failed, xrefs: 004FF3CA

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 4b5a1d9ec7c9f946f3bf85ffa9d7bb50e10aaa38bd8aca10048b55e04c620670
Instruction ID: 7eb62c510fa98e49a79ad44903137ea09160e9c34f6e589d137fba8037d39a21
Opcode Fuzzy Hash: 4b5a1d9ec7c9f946f3bf85ffa9d7bb50e10aaa38bd8aca10048b55e04c620670
Instruction Fuzzy Hash: AB11333160062DABDF299B21DC46A3F3B54FF11B20B01402BFD415B391DA7C9E0A9699

Function 0050101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00501160,?,00000000,00000000), ref: 00501043
SetThreadPriority.KERNEL32(?,00000000), ref: 0050108A

Part of subcall function 004F6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F6C54

Part of subcall function 004F6DCB: _wcschr.LIBVCRUNTIME ref: 004F6E0A
Part of subcall function 004F6DCB: _wcschr.LIBVCRUNTIME ref: 004F6E19

Strings

CreateThread failed, xrefs: 0050104F

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: 89b67c43ab1c6555e97a257cebed181ac4ec17317491ed4920447822865af488
Instruction ID: d71ba5b168a98285562f2ae4fa6f0308a711cc9713c5e7071cb42b52aa2f3d11
Opcode Fuzzy Hash: 89b67c43ab1c6555e97a257cebed181ac4ec17317491ed4920447822865af488
Instruction Fuzzy Hash: 4C0149B63007496FD3345F34EC9AB7A7BA8FB50750F20042EF6C3522D0CAA16885862D

Function 004FC058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 004FC080

Strings

<9R, xrefs: 004FC076
?*<>|", xrefs: 004FC06D, 004FC07F

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcschr
String ID: <9R$?*<>|"
API String ID: 2691759472-2207903549
Opcode ID: f0d7c8802fc505dba60fa9c5b74de986a0b2f953e4fc6591b7945d4a16933089
Instruction ID: 84f80607387045cd1e49f990837c2e8a047c657475f6c3b47a1ce08d31908cbe
Opcode Fuzzy Hash: f0d7c8802fc505dba60fa9c5b74de986a0b2f953e4fc6591b7945d4a16933089
Instruction Fuzzy Hash: 7EF0A21394530E89C7341EA4AA41733A3E4EF92720F24081FE6C4873C2EAA988C28259

Function 0050DB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0050DBAC

Strings

Software\WinRAR SFX, xrefs: 0050DB95
P, xrefs: 0050DB9F

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$P
API String ID: 176396367-3520587227
Opcode ID: c79dc550c74c9559442199a69065c756e3cc731e1cc567f04a2b07dbbbc60d22
Instruction ID: a7ec87e9d4b4d1e941b0e007d7d0d2f57062ddd757d6832b438aa3b671b9c3a7
Opcode Fuzzy Hash: c79dc550c74c9559442199a69065c756e3cc731e1cc567f04a2b07dbbbc60d22
Instruction Fuzzy Hash: E7012871900228BAEF229B95DC0EFDF7F7CFB55791F000052B549A10E1E7B19A98DAA1

Function 0050AE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004FC29A: _wcslen.LIBCMT ref: 004FC2A2

Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00501FE5
Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00501FF6
Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00502006
Part of subcall function 00501FDD: _wcslen.LIBCMT ref: 00502014
Part of subcall function 00501FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,004FB371,?,?,00000000,?,?,?), ref: 0050202F

Part of subcall function 0050AC04: SetCurrentDirectoryW.KERNELBASE(?,0050AE72,C:\Users\user\Desktop,00000000,0053946A,00000006), ref: 0050AC08

_wcslen.LIBCMT ref: 0050AE8B

Strings

C:\Users\user\Desktop, xrefs: 0050AE68
<P, xrefs: 0050AEC4

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <P$C:\Users\user\Desktop
API String ID: 521417927-84081874
Opcode ID: b168c456ca30e66b5fc8277b41103a4a44a2a0616cbe46db5758eea9fe0361df
Instruction ID: 5941d0aa101eebc04ef1576487cf848cdc6c27355a091b7b862900ddc1b30b61
Opcode Fuzzy Hash: b168c456ca30e66b5fc8277b41103a4a44a2a0616cbe46db5758eea9fe0361df
Instruction Fuzzy Hash: 4C014C71D0035A65EF20ABA4DD0EEDE7BACBF48344F000465B605E21D1E6B496858BA5

Function 0051BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005197E5: GetLastError.KERNEL32(?,00531030,00514674,00531030,?,?,00513F73,00000050,?,00531030,00000200), ref: 005197E9
Part of subcall function 005197E5: _free.LIBCMT ref: 0051981C
Part of subcall function 005197E5: SetLastError.KERNEL32(00000000,?,00531030,00000200), ref: 0051985D
Part of subcall function 005197E5: _abort.LIBCMT ref: 00519863

_abort.LIBCMT ref: 0051BB80
_free.LIBCMT ref: 0051BBB4

Strings

pR, xrefs: 0051BBAB

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: pR
API String ID: 289325740-2883592124
Opcode ID: a5ac2dab4f47bd08a1dd6926edc768817bb28b6648b2f31d3cf61c9cc00f56cc
Instruction ID: 387086e1a469093b4e0375cf2566f8eb15005748929d1ce998274857c6232b3c
Opcode Fuzzy Hash: a5ac2dab4f47bd08a1dd6926edc768817bb28b6648b2f31d3cf61c9cc00f56cc
Instruction Fuzzy Hash: 8201D231D05632DBFB31AF6898426ADBFB1BF54B21B15010AE82467AD5CB356DC28FC1

Function 0050B425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0050B42F

Strings

(P, xrefs: 0050B457
ZP, xrefs: 0050B441

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: Malloc
String ID: (P$ZP
API String ID: 2696272793-4232729863
Opcode ID: 6556d41109959d2721cfe5ef900f75a1e75c5ea28c6a1287d11d20f1f994f4f0
Instruction ID: 31b57788939c68b0b17b0f664bc67a79afca926716ec46fc4e7cf9c676f63311
Opcode Fuzzy Hash: 6556d41109959d2721cfe5ef900f75a1e75c5ea28c6a1287d11d20f1f994f4f0
Instruction Fuzzy Hash: 7B014B76640208FFDF059FB0DD59CAEBB6DFF143457100155B906D7160E631AA48EB60

Function 00518268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0051BF30: GetEnvironmentStringsW.KERNEL32 ref: 0051BF39
Part of subcall function 0051BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0051BF5C
Part of subcall function 0051BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0051BF82
Part of subcall function 0051BF30: _free.LIBCMT ref: 0051BF95
Part of subcall function 0051BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0051BFA4

_free.LIBCMT ref: 005182AE
_free.LIBCMT ref: 005182B5

Strings

0"U, xrefs: 0051829B

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"U
API String ID: 400815659-1738137561
Opcode ID: a9c1e2c54327abda3b23a0722a9152729e70828470e024e273bc3785a8500dbd
Instruction ID: 485700849ff4aff36f1a71c042a3e7dc1132af2740b88a3dfd61179d6cc3a298
Opcode Fuzzy Hash: a9c1e2c54327abda3b23a0722a9152729e70828470e024e273bc3785a8500dbd
Instruction Fuzzy Hash: 2EE0E52FA05A5341B67232393C5AAFB0E407FD6339F540B1AF930870D3CF2088C646A2

Function 00500FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00501206,?), ref: 00500FEA
GetLastError.KERNEL32(?), ref: 00500FF6

Part of subcall function 004F6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004F6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00500FFF

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 4f6a8c68040bf205ff1132c015d7f6f570a0a18d71f42cf4d0424af86cea93be
Instruction ID: ae56128ba6a60f19ef34a0847e0a03bb04ddf1d55f73aea5418d41d85f3e0483
Opcode Fuzzy Hash: 4f6a8c68040bf205ff1132c015d7f6f570a0a18d71f42cf4d0424af86cea93be
Instruction Fuzzy Hash: 95D0C23150452427D62022286C0EC7E3D04AF22731B110709F1B9501E1CA18098666AA

Function 004FE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,004FDA55,?), ref: 004FE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,004FDA55,?), ref: 004FE2B1

Strings

RTL, xrefs: 004FE2AB

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 9680cae16fe645244faf1b705effb263eed4944dd13060793b6b01fffe425971
Instruction ID: d17ac957d1f298983fa596e9f445d010b7c66dfe7c6ccaa689ebda6459724563
Opcode Fuzzy Hash: 9680cae16fe645244faf1b705effb263eed4944dd13060793b6b01fffe425971
Instruction Fuzzy Hash: CFC0123134071066E73017657C0DB436E585F12B11F050459B281E92D1D6ADC54596B0

Function 0050E455 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E467

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

UP, xrefs: 0050E455
zP, xrefs: 0050E461

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: UP$zP
API String ID: 1269201914-138241527
Opcode ID: bafc012e7323749fb13f6a8a7b037816d20ff92063e2c317bcbc93b068114a7b
Instruction ID: 905d97c30192998f6749e5bb1877ccc0899d66e0502d9fadca60cafcc3183d0b
Opcode Fuzzy Hash: bafc012e7323749fb13f6a8a7b037816d20ff92063e2c317bcbc93b068114a7b
Instruction Fuzzy Hash: 2EB092922581017CB20411142D1BC3E0E09EAC1B51330C82ABA05800D2A8801A0A0432

Function 0050E470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0050E467

Part of subcall function 0050E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0050E8D0
Part of subcall function 0050E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0050E8E1

Strings

pP, xrefs: 0050E470
zP, xrefs: 0050E461

Memory Dump Source

Source File: 00000000.00000002.1663198576.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1663182131.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663222171.0000000000523000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.000000000052E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000535000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663243291.0000000000552000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1663291759.0000000000553000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_f3I38kv.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: pP$zP
API String ID: 1269201914-4294329954
Opcode ID: 3703d756b2df55fa9574a6ad0dbafbf29ec5e88080e8bafedaf2afa3dcd3ede3
Instruction ID: 2d6f76b6e51dcdef317c4c82a4d0773d8b49960ee2cad88cec54317e1b7988df
Opcode Fuzzy Hash: 3703d756b2df55fa9574a6ad0dbafbf29ec5e88080e8bafedaf2afa3dcd3ede3
Instruction Fuzzy Hash: 60B09282259141ACB20491182C1BC3E0D49EAC1BA1330882AB809C00C2D880580A0432

Analysis Process: hyperruntimemonitorCommon.exePID: 1832, Parent PID: 6280COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAC0DA3 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8327b387a1f729acdf2a78b45c510034180ef92e62a30485d3876f13977b9a4c
Instruction ID: 13a63934847e0adb1974025e47e686924b1214dfd46ab7a3f015474eefb4a4ea
Opcode Fuzzy Hash: 8327b387a1f729acdf2a78b45c510034180ef92e62a30485d3876f13977b9a4c
Instruction Fuzzy Hash: 37A1B271A19A8D8FE7A8EF68C8657A97BE1FF55714F4002BEE048D72E6CB781801C740

Function 00007FFD9BC80208 Relevance: 1.7, APIs: 1, Instructions: 157
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFD9BC80301

Memory Dump Source

Source File: 00000007.00000002.2029460942.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bc70000_hyperruntimemonitorCommon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 259829118693a579cd9a455533ec2eb81627fdde950b0cac03a30ad918bc8395
Instruction ID: 77c271b0433a712a289b8267cffc18d59b78f38d3152183c4d43747eaff2d939
Opcode Fuzzy Hash: 259829118693a579cd9a455533ec2eb81627fdde950b0cac03a30ad918bc8395
Instruction Fuzzy Hash: BA516C7090D78C8FDB95DFA8D895AEDBBF0EF56310F0441ABD049DB292DA385846CB11

Function 00007FFD9BC7E9FD Relevance: 1.6, APIs: 1, Instructions: 141
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SuspendThread.KERNEL32 ref: 00007FFD9BC7EAD1

Memory Dump Source

Source File: 00000007.00000002.2029460942.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bc70000_hyperruntimemonitorCommon.jbxd

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 908194582654c3a62dafa727b247906f0dce2a4c3411ee4b3fb903e67463feff
Instruction ID: 73e494ae2fff19e998b5fc780f7494319dd7708be70f2aaa5a4a756d35df0024
Opcode Fuzzy Hash: 908194582654c3a62dafa727b247906f0dce2a4c3411ee4b3fb903e67463feff
Instruction Fuzzy Hash: 21415D70E0864D8FDF98DFA8D895AEDBBF0FF5A310F10416AD049E7292DA74A845CB41

Function 00007FFD9BC82065 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFD9BC82132

Memory Dump Source

Source File: 00000007.00000002.2029460942.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bc70000_hyperruntimemonitorCommon.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 07a23fb8167e3ee434bbcd03f31b32b03e306326c6d4943090bdd521b9c4cc84
Instruction ID: fff6016a9360e6637247e102806d27bc09012d217cae554ef2f38b42569b7935
Opcode Fuzzy Hash: 07a23fb8167e3ee434bbcd03f31b32b03e306326c6d4943090bdd521b9c4cc84
Instruction Fuzzy Hash: 4C412A70E08A0C8FDB98DF98D899BEDBBF0EB5A310F10416AD049E7252DA719845CB40

Function 00007FFD9C1CFBC8 Relevance: 1.4, Strings: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9C1CFC42

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cef2e100d63a6aab4200bb8577165f883d35aa603106cd38728dd860f99c0119
Instruction ID: 485503109fb5aea224a5ccb90ac6195249a68b4a9bff061618afa1836517e4c2
Opcode Fuzzy Hash: cef2e100d63a6aab4200bb8577165f883d35aa603106cd38728dd860f99c0119
Instruction Fuzzy Hash: B7514E32E4860E8FDB69EB98C4655BDB7B1FF58340F1041BAE01AF7296CB356905CB44

Function 00007FFD9C1C3A08 Relevance: 1.4, Strings: 1, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9C1C3A82

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c98636ab45c61c70536dc00d515de35582cd4a8fb6b12e6e250da73b81f3be32
Instruction ID: 6a654a9ba076ff33754f51690b37d3cf7935c11b887cc922c1b61bb00ea138e8
Opcode Fuzzy Hash: c98636ab45c61c70536dc00d515de35582cd4a8fb6b12e6e250da73b81f3be32
Instruction Fuzzy Hash: 7C517E32E0864E8FDB69EB98C4625FCB7B1FF58340F5041BEE00AE7296CA346905CB04

Function 00007FFD9BC80369 Relevance: 1.4, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FFD9BC80441

Memory Dump Source

Source File: 00000007.00000002.2029460942.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bc70000_hyperruntimemonitorCommon.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 66c97041a14785dd1f5718e4d65f2c55caf0b285c769c967064fb091d60803e6
Instruction ID: 3b49f562ebeb45c404c142ee0e36bbd2186ca2c013c6f562cf71dae7c12edea5
Opcode Fuzzy Hash: 66c97041a14785dd1f5718e4d65f2c55caf0b285c769c967064fb091d60803e6
Instruction Fuzzy Hash: E5416C70D0865C8FDB58DFA8D894BEDBBF0FF5A310F1041AAD049D7292DA74A885CB41

Function 00007FFD9C1C1980 Relevance: .7, Instructions: 687
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cedc8dd42b250684c9d3601b5465854b21c36e0e1bc186af7fb706a9573858
Instruction ID: 52f0003ca3d99a3237e783600d0eff92a1bf4e6003465cc212393115b57f3738
Opcode Fuzzy Hash: 57cedc8dd42b250684c9d3601b5465854b21c36e0e1bc186af7fb706a9573858
Instruction Fuzzy Hash: AC329731B58A1A8FDB6CEB58C865AB873F1FF54350B6041B9E00ED7292DE24EC45CB85

Function 00007FFD9C1CD7D5 Relevance: .5, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a354ad1faf4e70aa898e30a7642be46e6d69806a706eec9f707a411d7663d32a
Instruction ID: 3d5e3e16eaffa0a647b047a5b40ef7b3068eb285efb860a6ea242a3ceaf6b285
Opcode Fuzzy Hash: a354ad1faf4e70aa898e30a7642be46e6d69806a706eec9f707a411d7663d32a
Instruction Fuzzy Hash: BBE1F622B4DA4B4FE7A5FB68846467877F1EF99350B4901BBE00DD72E2DE28AC05C345

Function 00007FFD9C1C3C7F Relevance: .4, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70780d1746bd746d99ea2bd0588904d2b02451d632d8b5c67c6f68f688b6d3f
Instruction ID: 1b18d9901fcbf3b4b5452e3f38732ef15722a29dcb5b66def9dc2603f6aff79e
Opcode Fuzzy Hash: d70780d1746bd746d99ea2bd0588904d2b02451d632d8b5c67c6f68f688b6d3f
Instruction Fuzzy Hash: EEF1D4316586468FEB68DF58C0E56F437B1FF48310B5445BDE84A8B68BCA38F881CB45

Function 00007FFD9C1C4CC1 Relevance: .4, Instructions: 407
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67debf4fb825b6e3ff4da6a362c396fc806aacd5faaff5afa4007f9e825c864f
Instruction ID: 4579f6adb1bdf6e24ef24fad3885b6aeae093066d13cd3cf3a66674b0c3c0163
Opcode Fuzzy Hash: 67debf4fb825b6e3ff4da6a362c396fc806aacd5faaff5afa4007f9e825c864f
Instruction Fuzzy Hash: 23D1F232B4CB474FE379EB68D0A15B577F1FF54340B1045BEE48AC3682DA29B8428799

Function 00007FFD9C1C0E39 Relevance: .4, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf7023b21d81678feb062c76c7254dd63e980636c35d5b4e2332618df9200ea
Instruction ID: ef52583215f2d312151dd04156c572ef8c06da20bfb77d584807e8c18751a1dd
Opcode Fuzzy Hash: 5cf7023b21d81678feb062c76c7254dd63e980636c35d5b4e2332618df9200ea
Instruction Fuzzy Hash: 1B414923F8C65386F7387AF864714F867609F157A9B280AB6F48E9A1D7CD1D384093C9

Function 00007FFD9C1C3C9F Relevance: .3, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e71fc3b4857280386ceefcc76b69f9bdac6d4730dc32fc193e7a2f8f42aceb
Instruction ID: 0f861a1a3b3ab8f7f55326b803fb4f2216c5be658f0d442bb98d2653ee2b5f09
Opcode Fuzzy Hash: 30e71fc3b4857280386ceefcc76b69f9bdac6d4730dc32fc193e7a2f8f42aceb
Instruction Fuzzy Hash: 67C1D1316586468BEB2DDF48C0E55F137B1FF49340B5445BDE84A8B68BCA38F842CB49

Function 00007FFD9C1CCCFC Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4043d7169169d76c9e833b4ae3ba58d5d7fd72077f727044e211121157dfcf
Instruction ID: 0e2326b30965830ce3a1960055c363d4dbc8dad91fd5361cca155cdb3dccb0bc
Opcode Fuzzy Hash: 8d4043d7169169d76c9e833b4ae3ba58d5d7fd72077f727044e211121157dfcf
Instruction Fuzzy Hash: D5317F22E4C55B8EE779FBA894715F876B0EF583A5F1401BAE00EE61C6CD286C408789

Function 00007FFD9C1C3532 Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2778cc4584037f27ec066bb47cb4e5e2556bddfe4cae3a50705cc03bb5490bdd
Instruction ID: 072ed5497d8d72149406e2b5a57b2c76078eb93c7d030fa47be46addaaaadaaf
Opcode Fuzzy Hash: 2778cc4584037f27ec066bb47cb4e5e2556bddfe4cae3a50705cc03bb5490bdd
Instruction Fuzzy Hash: ABC1E471B08A478FE759EB58C0A26E4B7B0FF59340F944179E04EC7A86DB28F851CB84

Function 00007FFD9C1CBEC0 Relevance: .3, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eba2f0d4ea6bd796c755b50ca2972ec80ed1a5a7f5ca6d311da3fb6939497f5
Instruction ID: 8ff218998cb08d4e834857345a6e2d220859698fcdc149cbc38866c88b68e8ab
Opcode Fuzzy Hash: 5eba2f0d4ea6bd796c755b50ca2972ec80ed1a5a7f5ca6d311da3fb6939497f5
Instruction Fuzzy Hash: 6A91A531718A1E8FDB58EB58C8959B9B3F2FF59314B1481A9D04ED7292DA35FC82CB40

Function 00007FFD9C1C0EF7 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d77c6451dc003bfbeb1203e0532de76fba75686a53a37a6964b402dcab13f90
Instruction ID: b2e1efca8618975df8e93ffd25e33a304853eaf47ebcb1d31b7fc463e1d17876
Opcode Fuzzy Hash: 8d77c6451dc003bfbeb1203e0532de76fba75686a53a37a6964b402dcab13f90
Instruction Fuzzy Hash: 9421D313FCD2978AF77C76B418320F91BB05F126A4F2806BAF04DA61D7CC0C28445389

Function 00007FFD9C1D0EA7 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3abb6e627148a8dc89684aa21706e97bd1de3bfab051fd150c1f8c909ee96fc
Instruction ID: 16883d81736d38822a1e7193b729ef55d48c9bf9992ee6cedf37814067bbd623
Opcode Fuzzy Hash: d3abb6e627148a8dc89684aa21706e97bd1de3bfab051fd150c1f8c909ee96fc
Instruction Fuzzy Hash: 05A1CC31E09B478FE368DA64D1A057577F1FF44360B60467EC08EC7A92EA29B842CB45

Function 00007FFD9C1CFF55 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10ccb692fec8c89f56cccc08dce5268d1baf94a61b874cf232001d20cc01f0b
Instruction ID: 1a02cebde811407e0eabdeb4146235ccf9df5dd6a0424b6fa836ecd1cfedeedc
Opcode Fuzzy Hash: a10ccb692fec8c89f56cccc08dce5268d1baf94a61b874cf232001d20cc01f0b
Instruction Fuzzy Hash: 28B1B031A195568FEB68CF58C0E05B437B1FF49350BA442BDD85BCB69AD638F881CB84

Function 00007FFD9C1C2A66 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b368a04096a9d8ca02a014b785fe282b415001339f9609c110abeb6d959c3c
Instruction ID: 319d4bc5f406e61717d89b5f0642590133b8edf0e8a12f9a9f3d1f026117e71f
Opcode Fuzzy Hash: 03b368a04096a9d8ca02a014b785fe282b415001339f9609c110abeb6d959c3c
Instruction Fuzzy Hash: 80811532B4DB478FE338AA68946157977F0EF95390B15057EF08BD3283DE29B8028749

Function 00007FFD9C1CEC36 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008d27cc2d582c64b3ce69cdb3b64a41637aeabac94f751fcc38c39aa795ccb2
Instruction ID: a036e8a377708e96042b4ae6496bfdee468a4a892f33b6277b86f4e2edf9f79a
Opcode Fuzzy Hash: 008d27cc2d582c64b3ce69cdb3b64a41637aeabac94f751fcc38c39aa795ccb2
Instruction Fuzzy Hash: 16811532B8CA078FE738AAA8946557977F0EF453D0B14057EF48ED3182DE29B8428749

Function 00007FFD9C1CC999 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb4f7fdb1aeae1a055221f08234cbd68d2049c792ca5376caddf866756c87f4
Instruction ID: 1dfc2f8f76634575cbbf36387b4e9d9bc95a9a1048a5a7360f4fb3667115cd39
Opcode Fuzzy Hash: 4fb4f7fdb1aeae1a055221f08234cbd68d2049c792ca5376caddf866756c87f4
Instruction Fuzzy Hash: EC710772B4C44B4FE778EA98887A5B537E0EF583D0B0402B9F05ED7652ED18EC068785

Function 00007FFD9C1C0BA9 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d465a250337fa55bf76b52c1f58a937277be1d8ac87e671f6c361267385ef353
Instruction ID: da7b916d220820208e288bc7a1deed7817f9d840a9f76b8f7ed9ac8be072a16e
Opcode Fuzzy Hash: d465a250337fa55bf76b52c1f58a937277be1d8ac87e671f6c361267385ef353
Instruction Fuzzy Hash: 9C714532A4C54B4FE778FA5888665B937E0FF48350B5002B9F49ED75B2DD18A8068789

Function 00007FFD9C1CBC0B Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11528a1135b38c5c98da053a8a4612792c416658fd672cf9c9ded637b055401
Instruction ID: 6f4def78998b4f0877d27b9908416b2fb8b0763fedc7e572108e70ad1608e5d7
Opcode Fuzzy Hash: e11528a1135b38c5c98da053a8a4612792c416658fd672cf9c9ded637b055401
Instruction Fuzzy Hash: A771C332E5C54F8EEB78EBA484646FC77B1EF59384F1045BAE00EE71C1DE2868818749

Function 00007FFD9C1C176B Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15f824b968311cccdb8dbdff17839c7fbaaa84bde28d4898a7fb0a6c21390c2
Instruction ID: 6447c355af4d080f4415e90d56c04f01e90a0f9e96d3f6fc4b1e2843a405f0c1
Opcode Fuzzy Hash: b15f824b968311cccdb8dbdff17839c7fbaaa84bde28d4898a7fb0a6c21390c2
Instruction Fuzzy Hash: DA71B432E9C64F8EEB6CEBA488646FD7BB1EF45340F6005B9E00EE71D5DE2868518744

Function 00007FFD9C1C06F2 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703ca0c850a76cc7b83492b9414b3cfb57c23de97b052b2279fdab50abe522d8
Instruction ID: fa0873a33b18cc73af6a91438011a3ee5de3f51fc3944dbe4af288697f367e7a
Opcode Fuzzy Hash: 703ca0c850a76cc7b83492b9414b3cfb57c23de97b052b2279fdab50abe522d8
Instruction Fuzzy Hash: 07716B73E0D69A4FE725EBB8DCA04E93BB0EF15318B1405F6E0899B193EE246415C744

Function 00007FFD9C1CF84E Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263b5d56c5a42f3c1c843ac6fa31854973db1cdbdcc677a9a610f0f04be5ccb5
Instruction ID: 027af6b9ffa2b9c05af66aa16bee97c6398009e58c363f0e2820635fe51e3aa4
Opcode Fuzzy Hash: 263b5d56c5a42f3c1c843ac6fa31854973db1cdbdcc677a9a610f0f04be5ccb5
Instruction Fuzzy Hash: 41712631A0CA4B9FE759EF68D0A06A4B7B0FF15350F5441BAE04EC7A87CB28B851C785

Function 00007FFD9C1CFE5A Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc61a1b46617e1a0e0ae08b4ed351023a8cff1f5731e2750856ed5d7933e274
Instruction ID: 652d1be891d70cdd857ffb1c68fe914a4ab336ae15563e39964a3fa5bc7dfbc4
Opcode Fuzzy Hash: acc61a1b46617e1a0e0ae08b4ed351023a8cff1f5731e2750856ed5d7933e274
Instruction Fuzzy Hash: 47610032A195478BEB2D8F44D4B05B13BB1FF46340B5886BEE44B8B19BDA38E841CB45

Function 00007FFD9C1D01D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ff5517ff1333ff4ffcec94d7a7be69770e328ed552f31a978454c8f2541734
Instruction ID: 7b0d636a6ff37c1f2bc1bdaab6a4a8419b55771632d293c8de856b15781ac425
Opcode Fuzzy Hash: 11ff5517ff1333ff4ffcec94d7a7be69770e328ed552f31a978454c8f2541734
Instruction Fuzzy Hash: 9851E531E1D55A8EEBB8D65884607F877B1FF58340F5042BAD04ED71A6EE386981CB41

Function 00007FFD9C1C07FA Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2bc20ae2f23f8ccb64f6dfa4d24b69dc728083df8a5b9a2518f32bcbdbacab
Instruction ID: 08331465cb56e2ac7cf279165aea43b121b87b0514859148c113cd0c9e8a8f53
Opcode Fuzzy Hash: 2f2bc20ae2f23f8ccb64f6dfa4d24b69dc728083df8a5b9a2518f32bcbdbacab
Instruction Fuzzy Hash: A4410A32E4D69B8FDB65EBA8D8A04E87FB0EF15354F4401B6E089E71A3DD286811C745

Function 00007FFD9BAC0960 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f468f70469e6be602bc9d263538cdc11a80c9cca3852c27192dbf1f9ccb3e7d
Instruction ID: c5369dfcd1b2decdcb7c5c64086f683e985e4073233af8b7f5834bdf88225c9c
Opcode Fuzzy Hash: 1f468f70469e6be602bc9d263538cdc11a80c9cca3852c27192dbf1f9ccb3e7d
Instruction Fuzzy Hash: 0C412931E1891D8FDB94FF98D895AED77E1FF68319F10027AE41DD7296CA34A8418B80

Function 00007FFD9BAC0908 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7502fe47e49d3b9bfbf8c274368a4cd68d5b82c1f975b8b8a734c080b0882edc
Instruction ID: 64e36ca25d815415e7cd2751e0ab372d1423509aaef4a368e69bae96ad6db628
Opcode Fuzzy Hash: 7502fe47e49d3b9bfbf8c274368a4cd68d5b82c1f975b8b8a734c080b0882edc
Instruction Fuzzy Hash: E7517C70A0490E9FCF84EF98D494EEDBBF1FF58325B054269E419E7260DA74E990CB90

Function 00007FFD9C1C52E7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd161b1cadb949fd6ee5406f7c25c3a696f6704e2a96a2cd5938ec34acf23eb
Instruction ID: fc37ecf3c422a21157a01c25415d80dc164f9ef547b67ec58eefe64708c92b57
Opcode Fuzzy Hash: 9dd161b1cadb949fd6ee5406f7c25c3a696f6704e2a96a2cd5938ec34acf23eb
Instruction Fuzzy Hash: 3C41643260C9098FDFA8EB18D465DA4B3E1FBA8320B0441A9E04ED7597DE35F845DB81

Function 00007FFD9C1D1437 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bae43501a3cd14ac0bbd1662904249568626e445955c91dd3224114c1d318d
Instruction ID: 402310cdf33514a76bbae3a6181e90e0bf5929a006bcad827186d84e84f31e26
Opcode Fuzzy Hash: f3bae43501a3cd14ac0bbd1662904249568626e445955c91dd3224114c1d318d
Instruction Fuzzy Hash: E841763260C9098FDFACEF58C455DA477E1FFA8320714026AE04ED7192DE35E855CB85

Function 00007FFD9C1CD420 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8901fa4ff69fcad0119662ace73487933229e7e31dabf7a4cc120beaa18f694
Instruction ID: ef4711161d6a161ce7c55d6a9c23f7d858bfe6e63443470e7385d9bcba474b28
Opcode Fuzzy Hash: d8901fa4ff69fcad0119662ace73487933229e7e31dabf7a4cc120beaa18f694
Instruction Fuzzy Hash: 64412762E2C56B8FE778865884706B877F1FF94340F2446BAD04EE71C6EE28A9C5C744

Function 00007FFD9C1D14E1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20bd806ead2250f015d4048c422d3b0b3c990288687290859f7bb690f20821be
Instruction ID: 669c0603b8526b95384e5d3f11857ded43c56355eb2641f8da081b12e6efab68
Opcode Fuzzy Hash: 20bd806ead2250f015d4048c422d3b0b3c990288687290859f7bb690f20821be
Instruction Fuzzy Hash: 1D31823160C9498FDFADEB28C465DA477E1FFA932071402AAE44AD7192DE34E844CB85

Function 00007FFD9C1C5391 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b2dafac7485545d0adddc964f5603397a1bf53d08196fb5f4c9a440e50ae44
Instruction ID: 2019f842de05ab48360174244f6d826420728a30a4217d44ffe8396d95517437
Opcode Fuzzy Hash: 74b2dafac7485545d0adddc964f5603397a1bf53d08196fb5f4c9a440e50ae44
Instruction Fuzzy Hash: 0931513160C9498FDBACEB18C465DA4B3E1EBAC320B0402A9E45AD7597CE34E845CB81

Function 00007FFD9C1D147B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285bc56eacc2685b3bbd66b3f0959d73a62e5c755a120e43be2d9e94609a125f
Instruction ID: 408e0121cf73ff123185fd220c50ffd180d6494384e605c47bfeb32eb86052f4
Opcode Fuzzy Hash: 285bc56eacc2685b3bbd66b3f0959d73a62e5c755a120e43be2d9e94609a125f
Instruction Fuzzy Hash: EB31633260C9499FDFACEF68C465DA477E1FFA931071402A9E04ED7292DE34E845CB85

Function 00007FFD9C1C532B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6c9edd609a56faad72d54e6c34f02c9efa28758daa44b3aa1c0bd0207fbe2b
Instruction ID: 1d3d06b7573fb7c1343aad32e0e6a6b8665050d43137c154fb5ab9f1b00bb672
Opcode Fuzzy Hash: 7a6c9edd609a56faad72d54e6c34f02c9efa28758daa44b3aa1c0bd0207fbe2b
Instruction Fuzzy Hash: 2C314F3160C9498FDFACEB18D465DA4B3E1FB68310B0442A9E05AD7597DE34E845DB81

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfbf2438fd9cf4c5275f715a57b284caa8d5ba9a92c4b78c42465a686dab12e
Instruction ID: 4531f97fb012d3f5dc15a390e3ce0818b8dae21ff6d345f8238a7c5dfdfc2858
Opcode Fuzzy Hash: 6bfbf2438fd9cf4c5275f715a57b284caa8d5ba9a92c4b78c42465a686dab12e
Instruction Fuzzy Hash: 89410830E1491D8FDB94EF98C895AEDBBF1FFA8315F11016AE40DE32A5DA34A941CB41

Function 00007FFD9C1CD68A Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65c21027ed57cb26864446670eea9e096e5b97164d85f0d20676530aac4fb67
Instruction ID: 3e0f9e19ab9f2b28491086afce0f331ca75f8ef159c02e15126e34d0adb27318
Opcode Fuzzy Hash: d65c21027ed57cb26864446670eea9e096e5b97164d85f0d20676530aac4fb67
Instruction Fuzzy Hash: 19313412A4EBCB4FE7267BB858215A57FB0EF52284F0901FAE088970E7DD29B815C341

Function 00007FFD9C1C244D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa46f16703a01a5ee162e508f051f8754c03fbd94b14141a1e1077af03bdba9
Instruction ID: fd71fb4a06b37d59a9023b4586f1f406ad48697b16e63aca440c5817920bca59
Opcode Fuzzy Hash: efa46f16703a01a5ee162e508f051f8754c03fbd94b14141a1e1077af03bdba9
Instruction Fuzzy Hash: 6E317672F1991A8FDB58EA58D4A29B8B3B1FF58310B154139D05ED3692CF247812CB84

Function 00007FFD9C1C250A Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf93ceb0fc81cdb023424cf2e4f26f37ff58aa3770f8c374b17f65d764fb3fef
Instruction ID: b9aa59439c521ab34bcfd0f395135b90e9561c17caaf311c74ffac9b025ea116
Opcode Fuzzy Hash: bf93ceb0fc81cdb023424cf2e4f26f37ff58aa3770f8c374b17f65d764fb3fef
Instruction Fuzzy Hash: B631E762F1DA4B8FE768A798C8721E9B3E1FF58350F540179E01ED71C3EE1468028685

Function 00007FFD9C1CE63B Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18f7016376ebe6adf23c4e326cb6bf98976d1db0760446559bf5303cd6dc1fc
Instruction ID: e4ef270f3976b76f561f8fbfa92bc59cd5ce13a7b42544311526ce0bf6705c99
Opcode Fuzzy Hash: c18f7016376ebe6adf23c4e326cb6bf98976d1db0760446559bf5303cd6dc1fc
Instruction Fuzzy Hash: 2C310472B5991B8FDB64EB98C4A15A9F3B1FF54390B114139E05AE3681CF34BC12CB84

Function 00007FFD9C1C2389 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0c3f73034e22e0c11bca333bdcd956e6b42810da239c0a3bf9c47b98bebca7
Instruction ID: 1a6a96037e9498df01037d5f2c72e9ffa5d96610c2f5a6b4140f775ab0eedd41
Opcode Fuzzy Hash: 6f0c3f73034e22e0c11bca333bdcd956e6b42810da239c0a3bf9c47b98bebca7
Instruction Fuzzy Hash: 0D215B23B0DA9B4FE778A6A848646F937B1EF5A380F010076F449E72D3CD286C028354

Function 00007FFD9C1C50F5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d9bb2b2b20b25dee51fcfda7f2ab5863021fc8dc64bc8dbbbfc5164a9cef38
Instruction ID: 3cb736a7b874ab1e8c530a6428e2ff752e5e3ea7eb7826f3bd26aa866a5205ca
Opcode Fuzzy Hash: 60d9bb2b2b20b25dee51fcfda7f2ab5863021fc8dc64bc8dbbbfc5164a9cef38
Instruction Fuzzy Hash: 72314C32F5854B8FEB78EB8484695BD7BB1FF45340F54007AE01EE6581DB396800A745

Function 00007FFD9C1CDCB5 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf45396f727279cd922f88ea10257b5ab4b28717d6b75055457c3b5bbccd0fb
Instruction ID: 33facf68255e25ca630de1470c7bb90d1815d7f78faf268826708be30868b78c
Opcode Fuzzy Hash: fbf45396f727279cd922f88ea10257b5ab4b28717d6b75055457c3b5bbccd0fb
Instruction Fuzzy Hash: FC317C31E4864E8FDB65EBA8D8605BD7BB1FF58350F54057AE00AE7291DA346805CB14

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad8fb6fe3ac9b7d94e9b89e9cb9dfe8bdf76261ee21be95ed7160dfdc396dbb
Instruction ID: 30758255fe3fd0dfcfb2da251a729db5d3d9d5b25821e297b73030a1ecb1f36c
Opcode Fuzzy Hash: 6ad8fb6fe3ac9b7d94e9b89e9cb9dfe8bdf76261ee21be95ed7160dfdc396dbb
Instruction Fuzzy Hash: 19310771A0E68E8FE722ABA4CC202F97B70EF52315F0642B7C055971E3CA781605CB95

Function 00007FFD9BAC4CFA Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0415d877ae811f5d5610e056baaebefd47a4f2c3d0e7b5292fc7800a6a0f07c
Instruction ID: c8394a2bac9753406a52dc37022223b61b9f1e2af6fa45bd704bc170c38af462
Opcode Fuzzy Hash: a0415d877ae811f5d5610e056baaebefd47a4f2c3d0e7b5292fc7800a6a0f07c
Instruction Fuzzy Hash: 5331A730A0862C8FDFA9EB54C854BA9B3F5EB64715F1051EA904EF32A4CB756B84CF41

Function 00007FFD9C1D12B5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32b30a8371ba9f402be7394820fdc7497b51a0c2be096b96b2845ece5932d16
Instruction ID: d53f6fd7f3ea79b1e5097cbf597e2319e9c165c49ff0ed5ba10f3c571bd96d73
Opcode Fuzzy Hash: e32b30a8371ba9f402be7394820fdc7497b51a0c2be096b96b2845ece5932d16
Instruction Fuzzy Hash: 3B310932E0854BDFDB68DB9484A15BD77B1FF483A0F60427AD40EE6980EA39A9408745

Function 00007FFD9C1C3FE1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec3b1439a9f10a42add6276ecacad1da86fc3b7dfbf1b8b8ab71e220bd25a6d
Instruction ID: c56cdfb29fd8d5cc9e210ebbbab36b9000d60373e4f4763039b41677ad5485e2
Opcode Fuzzy Hash: 2ec3b1439a9f10a42add6276ecacad1da86fc3b7dfbf1b8b8ab71e220bd25a6d
Instruction Fuzzy Hash: D9315B12B9C2D78AE33AA25884745F07F71EF51341B184BBAF0869B4C7C42CF845835E

Function 00007FFD9C1D01A0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3141792074dfd33414d88900e9aad2451f8aac3cec4bd744de8c17d1ae1a9b2a
Instruction ID: 3a6af728cc0aab101be399f00388ae5cad1abf4b8c953f938a5f7d7767e5e076
Opcode Fuzzy Hash: 3141792074dfd33414d88900e9aad2451f8aac3cec4bd744de8c17d1ae1a9b2a
Instruction Fuzzy Hash: 35319B21E1E0AB8AE37A825458705B47B71FF56380B5843BBE087DF0E7E42CA981C380

Function 00007FFD9C1CE6F5 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77d346a0f5a83e051802dee04ff49db661901fc216c67f76d8a0327e8096522
Instruction ID: e7a34b7dc9bded1249e0e86cccd54da9ff6a29c41542ec7f86d6c46c9b19443c
Opcode Fuzzy Hash: b77d346a0f5a83e051802dee04ff49db661901fc216c67f76d8a0327e8096522
Instruction Fuzzy Hash: F021B673F59B4B4FEB78E7A844225E8B7E1EF59390F540179E01DD22C2ED18681187C5

Function 00007FFD9C1CE092 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca55c579969a0324497647da984e5679cf3647bcd1e8b9b9d29740f0ba5caa6
Instruction ID: a31008e3a46b760175969ba5568f8ea872479c013d91cb885efabdc92debcc43
Opcode Fuzzy Hash: cca55c579969a0324497647da984e5679cf3647bcd1e8b9b9d29740f0ba5caa6
Instruction Fuzzy Hash: CA21F931E1891D9FDFA8EB58C465AECB7B1FF58350F0041AEE04EE3291CA35A991CB40

Function 00007FFD9C1C13E2 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba89298c10d27d376877d70555a30758f41fd5670be4876c2367a3848f97c754
Instruction ID: 0de3dfa07174046f56f27c056a8fffc27bb30b798a66344a174ac90c2d2e8530
Opcode Fuzzy Hash: ba89298c10d27d376877d70555a30758f41fd5670be4876c2367a3848f97c754
Instruction Fuzzy Hash: 9021E731A489199FDFACEB58C465AE8B7B1FF58310F1001AAE04EE7691CA35A981CB00

Function 00007FFD9BAC0B87 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5762a040d3cc00cc6587294e0bedee6bab711bd95564046877740c81fc1b7e
Instruction ID: 1d176b9179fab521f62273bf1cbf8fa431b3c26ca040b74d99ef3bf23839b4b0
Opcode Fuzzy Hash: 7c5762a040d3cc00cc6587294e0bedee6bab711bd95564046877740c81fc1b7e
Instruction Fuzzy Hash: B521CF3161964ECFDB55EF68D8559EA77A0FF48318F010276E85DC31A1DB30A664CB81

Function 00007FFD9BACA7A2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc25f6d2f881323968c3a639cd128b6861a135f0681e2bd3b6c362899a673540
Instruction ID: bdec2f08a9f1484f9495a96a8cba927ee1547538a82a1c96116b8264b2978783
Opcode Fuzzy Hash: cc25f6d2f881323968c3a639cd128b6861a135f0681e2bd3b6c362899a673540
Instruction Fuzzy Hash: 60319770D09A2D8EEBA4EB54C8547F8B6F1EB14301F1150E9D00EA32A1DEB96AC4CF44

Function 00007FFD9C1C4010 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4098ddb26ab8880c4d61696ac8c464c9d176febd02ecc208faed5339288b87fb
Instruction ID: e073c4d489374da0a9bebfe1483f64d3d82b2eccf565b0ade366bf266adb1b12
Opcode Fuzzy Hash: 4098ddb26ab8880c4d61696ac8c464c9d176febd02ecc208faed5339288b87fb
Instruction Fuzzy Hash: 5C112711B9C567C6E738A28880749F47772FF94341B244B79F04B9B4CAC828F895979D

Function 00007FFD9BACA854 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b05466824eba0e7756de322d1a53c316c4daf8730f0984a174968da76dc768e
Instruction ID: 6e3125daaa12fd4d6756ce8a4c480ab47a963c3afd49fed4630ed0fa3907b911
Opcode Fuzzy Hash: 2b05466824eba0e7756de322d1a53c316c4daf8730f0984a174968da76dc768e
Instruction Fuzzy Hash: FA319870E0962D8EEBA8EB54C8587B8B6F1EB58341F5140E9D00DE72A5DE786BC48F04

Function 00007FFD9C1CDD91 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb0032ff44249e4e6ac18c091d5e77aeb8c6412ce9e0d459dea2ca5924f3dfa
Instruction ID: 6a1cd8d9976adb4c85d3fd66adf5d77930a62c4a6d2a7aa436a99ee83a251ce6
Opcode Fuzzy Hash: 7eb0032ff44249e4e6ac18c091d5e77aeb8c6412ce9e0d459dea2ca5924f3dfa
Instruction Fuzzy Hash: F511BC13F8D1978BF23976E418724BD6770AF653A0F1802BAF44EA60C6DC0C3851A39A

Function 00007FFD9C1C3090 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adec7cf2d47861dee5a02f0b19a79e0333fbe5fa29b18c027109d9748173a67
Instruction ID: 74f6666492fa41f6a7ac57036a6b5be5ef9882ccd77bbd2e3f99c331b7a84d58
Opcode Fuzzy Hash: 1adec7cf2d47861dee5a02f0b19a79e0333fbe5fa29b18c027109d9748173a67
Instruction Fuzzy Hash: DE11C122B09A0E4FEB68BB6494218F973E0EF59364B40063AE04FC71D2DE28B9058790

Function 00007FFD9C1CF250 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99e9356a646b6640561fee94239b312520c8fab821b582c78e5e73c9553688e
Instruction ID: 1b146c4182b1318ce53f3815cd6cfdb0addcbf5c0caebef1ea4995f251ae4e19
Opcode Fuzzy Hash: a99e9356a646b6640561fee94239b312520c8fab821b582c78e5e73c9553688e
Instruction Fuzzy Hash: A0110422B18A0B4FEB68FB6484608F973B0EF55391F10063AE04FC75C2CE28B9068280

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0207bce6e56fb1b3499b44974c5039d49d00b97843d278ce759aa45f7717f91f
Instruction ID: ea04e5644c55e8097ed7acb28a601589841de07b12e6d3f6ea044aabc194fd8e
Opcode Fuzzy Hash: 0207bce6e56fb1b3499b44974c5039d49d00b97843d278ce759aa45f7717f91f
Instruction Fuzzy Hash: 1D110832B0E69D8EE322A768CC212F97B70EB52311F0646B3D051DB1E3CA781605CB95

Function 00007FFD9C1CF0CE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b606481a4e23ab6d2d891cb02fc6b4cb4ce6bd2836b99f11c61e29c13471660
Instruction ID: c9e8827ee26aac7bec92a7ec40281d59f38d797565248b72bb21f9cc72c122a3
Opcode Fuzzy Hash: 3b606481a4e23ab6d2d891cb02fc6b4cb4ce6bd2836b99f11c61e29c13471660
Instruction Fuzzy Hash: 49116B3374950B8FE728AA98D460AF933A0EF65391F11023BE80EC32C1DF29A9518790

Function 00007FFD9C1C2F0E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f871a9dc9a2381a545eef9cd68b67bec67b3b79590528fc734a7ba0ee1bfb9
Instruction ID: daacc77fc9ab1893114464ef2ff92613e011300466544bc63fb299f643acf085
Opcode Fuzzy Hash: 63f871a9dc9a2381a545eef9cd68b67bec67b3b79590528fc734a7ba0ee1bfb9
Instruction Fuzzy Hash: 22112B3374990F8FE729AA58D4656F933A0EF69351F11423BE50EC32D2DE29A950C780

Function 00007FFD9BAC0C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3684b0f91924beffab93fb0bc2a32d5446edadb23272e298855c36717578252c
Instruction ID: 6146a032acdfc0d4b07076bcd3ec472bc546666b7947a3a9ebd51baa9541223e
Opcode Fuzzy Hash: 3684b0f91924beffab93fb0bc2a32d5446edadb23272e298855c36717578252c
Instruction Fuzzy Hash: 8811E731A0D69D8EE322AB64CC202FA7B70EB52311F0645B3D051DB1E3CA381605CB55

Function 00007FFD9C1C83C8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da548b0f8afd01e5f7c415475369f36bf8ff3f893ee35c0c8d147e6844707ef7
Instruction ID: d37316b1728836565a707ae103532e9cdeecc27fcc8ce344fb84e3afaf2dd3b1
Opcode Fuzzy Hash: da548b0f8afd01e5f7c415475369f36bf8ff3f893ee35c0c8d147e6844707ef7
Instruction Fuzzy Hash: 2801F172E0864E5FFB74A6A844286BD3AF5DF4A3C0F010576F00AF7192ED696C468284

Function 00007FFD9BACA6E9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db9fffd24f3d5bfb26da34fa4658816c67e152174c0d4499cbd238e28fff9a9
Instruction ID: f62dfe3775ff58c6917e75969ea85db560bb26c810b96b62568f600c98d66d9a
Opcode Fuzzy Hash: 1db9fffd24f3d5bfb26da34fa4658816c67e152174c0d4499cbd238e28fff9a9
Instruction Fuzzy Hash: 2F11E770E0962D8AEFB4EB54C8657B8B2F1EB18341F1151F9D00DE32A5DEB86A848F44

Function 00007FFD9C1CCABE Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb2fd880524d5009ec777109d19b0eb8b58b13096868ea6845b07da869aa7ed
Instruction ID: c413cda4525f7ecb246e4553f2fa7f861b01d73d09d7f79bd74eaac88d9c8ce3
Opcode Fuzzy Hash: eeb2fd880524d5009ec777109d19b0eb8b58b13096868ea6845b07da869aa7ed
Instruction Fuzzy Hash: FCF02871F0CA094FE79CEB68582A6B873D1EF98365B10013FE04FC32A2DE216C424381

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890decece96ca97724cc677c83741bdacb91ebdb8e3ce402f6af1cd729cf32d0
Instruction ID: 803fac4ce849f47b091fb74205c2e1febeb5fba4fc0bf379ec43a1ece7d71ef3
Opcode Fuzzy Hash: 890decece96ca97724cc677c83741bdacb91ebdb8e3ce402f6af1cd729cf32d0
Instruction Fuzzy Hash: 5111E571A0D28D8FE322AB64CC202AA7B70EB43311F0641A7D051DB1E3CA381604CB95

Function 00007FFD9BACA757 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f570a401db46c56a818a654d23e24a0cf32f1d1db6177a4f34a1988f678213f
Instruction ID: 091fe91949120833c78d5aa8ba202dca1b0ea07c53dcd911e8d6568434dc3176
Opcode Fuzzy Hash: 2f570a401db46c56a818a654d23e24a0cf32f1d1db6177a4f34a1988f678213f
Instruction Fuzzy Hash: FC11B670E0962D8AEBB5EB54C8647B8B2F1EB18741F1151E9C00DA32A5DEB86AC48F44

Function 00007FFD9BAC0C50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75202f4cf33ffebf01ac887c29a4adf2ea748f493271b68e7abb96848933df12
Instruction ID: 21909358f7d245b621b36fd58c88e9dfbab9e5a104fd905ac2ff5500a32bd341
Opcode Fuzzy Hash: 75202f4cf33ffebf01ac887c29a4adf2ea748f493271b68e7abb96848933df12
Instruction Fuzzy Hash: 3E01D271A0E28E8FE722ABA4CC242BA7B70EF47315F0641A3D051DB1E3CA781604CB55

Function 00007FFD9C1CD61B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640a19bc31a455694686feede304ad451cf8bd52523907732b5576bfae1657d6
Instruction ID: e7efde51245d802084043a77fc318f160688894569c22089732c9ee1000d3772
Opcode Fuzzy Hash: 640a19bc31a455694686feede304ad451cf8bd52523907732b5576bfae1657d6
Instruction Fuzzy Hash: 90F03C63F5885B4AEB68FAD884649FD77B0FF58358F500135F00DA6299CE2478038A40

Function 00007FFD9C1C16F2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a30e6de1cacb1cd7fd95736e2a48de50217055f51a6cd44fe131d5bf0bb28af
Instruction ID: f649fde0008135657c1dd2c891508fa1628f0fc4543b67acec5d3e0a84691974
Opcode Fuzzy Hash: 1a30e6de1cacb1cd7fd95736e2a48de50217055f51a6cd44fe131d5bf0bb28af
Instruction Fuzzy Hash: 08F0623298E3C69FD726DBB088655D57FB4AF42214B2900F6E04A870A2C56D161AC761

Function 00007FFD9C1C13B3 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction ID: fb18dddd758f36bbf10ce767d60f151e7f74f906af857af7f2d427c65a9bcf4d
Opcode Fuzzy Hash: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction Fuzzy Hash: B1010070A5992D8FDFA9EB48C8A4BA8B7B1FB68305F1041D9800EE3650CB319A84CF05

Function 00007FFD9BAC06AD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f853e97bf0826e1003ca3f20af8ea7869ef7500a22e3a6126a24846951f9110
Instruction ID: 2bc825edc7f02ecfbbf218c3003d67e2e9a3e7893f08dccb5f6028ab0a55d4c2
Opcode Fuzzy Hash: 3f853e97bf0826e1003ca3f20af8ea7869ef7500a22e3a6126a24846951f9110
Instruction Fuzzy Hash: 62F01D30A0564E9EEBA0EF98D4596FE77A0FF94314F114537F41CC21A0DAB46294CB84

Function 00007FFD9C1C23EA Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be408df01aacdb96ecdd3ff8e43f57de41e27010f1def3d28125f0710b3e947d
Instruction ID: 1c13cc58e340742cea8d1e12029a10b3aff30dc64e6eed5c781cdd71deb03ce0
Opcode Fuzzy Hash: be408df01aacdb96ecdd3ff8e43f57de41e27010f1def3d28125f0710b3e947d
Instruction Fuzzy Hash: 5EF0F022A0D2C34FDB32AFA48CA11A83FB0EF0734070C4AFAD4848B0D3C6683425D329

Function 00007FFD9C1CD629 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfba36932688c6da5d486041e62b7c5f1e93bdf14c5eec1d7f858d2721153114
Instruction ID: 27ba1fb7a90ee876154a51bc9dde3b90ff96f695861d2e67ec95bf2f1a6a4ba4
Opcode Fuzzy Hash: cfba36932688c6da5d486041e62b7c5f1e93bdf14c5eec1d7f858d2721153114
Instruction Fuzzy Hash: 37F0FE32E5481E8BEB64FB98D4605BDB7B1FF98358F500135E00DA6695CE2468428B40

Function 00007FFD9BAC06D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1649f39fc17f7bf0455d9a66c558d3249437cf20e21c77dfb3e878a1b0e291
Instruction ID: 6de935b2ed774e7ef712522c3767d7e7efef1117e2fe3e83171b0df287ed59c0
Opcode Fuzzy Hash: 3a1649f39fc17f7bf0455d9a66c558d3249437cf20e21c77dfb3e878a1b0e291
Instruction Fuzzy Hash: 2EF0123091564E9FDB90EFA4C8496EE77E0FF54304F114566F81CD21A0DA70A6A4CB80

Function 00007FFD9BAC8B70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a46e2a384aa077baf2983c8a7bc998b0c90f5ccab626579c352a78ccb57f7d
Instruction ID: cfd69c4265c2c8c3364f8d86c1089c607a2793c03d7a910f304295d35a5e96c0
Opcode Fuzzy Hash: 37a46e2a384aa077baf2983c8a7bc998b0c90f5ccab626579c352a78ccb57f7d
Instruction Fuzzy Hash: 1EF0B270E0A52D8EEBB4EB54D8647B9B3B0EB58301F1194E9844DA3291CEB86B858F44

Function 00007FFD9C1CC712 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e339f20e5e48b914703db6273be165b7b115bef3b756a7ab6dc62454010bf8a
Instruction ID: 7be1de02a24639c90569f6001c011d10770ede9e56e2747794da22b230e879ec
Opcode Fuzzy Hash: 8e339f20e5e48b914703db6273be165b7b115bef3b756a7ab6dc62454010bf8a
Instruction Fuzzy Hash: 2CE0C932E6861FCEDFA4EB94C8615FEB671FF88390F5005B5E01EE2181DB2829509B54

Function 00007FFD9C1CBC45 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c065fb97fb7d9b49e6c0306eed1e0c2d7b9b663f16cc28f0aeb43a6d96bc70
Instruction ID: 41291b80e9041731637cae388296fb899d8980f39b9223239dc8adcc5b326545
Opcode Fuzzy Hash: 74c065fb97fb7d9b49e6c0306eed1e0c2d7b9b663f16cc28f0aeb43a6d96bc70
Instruction Fuzzy Hash: C1E0DF3289D68ACFDB71EB6089660EC7F70BF00380F5441E7F409A61C2DF656648A2CA

Function 00007FFD9C1CE5D7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc478f81338339a9e7b67b68587f1a7342221ffdb81ed51880d121482f6afd1c
Instruction ID: e8cd65709fc99d99db9bebb3f870392a39b5de62fc2bfbbd3d60d34c46e9ea43
Opcode Fuzzy Hash: bc478f81338339a9e7b67b68587f1a7342221ffdb81ed51880d121482f6afd1c
Instruction Fuzzy Hash: B2E0C202B4D3C34BF7365BB808710282FA08F073C4B0509F7E1869A1C3C8583C059359

Function 00007FFD9C1CF0AB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e15335fce2a005867354f12403eebba08cd1e7d2ccb225504393dcaf98379df
Instruction ID: c40cf456356f1be3f41a4bacd99590fc3e4df598358da5447052b2ce8faccd4c
Opcode Fuzzy Hash: 2e15335fce2a005867354f12403eebba08cd1e7d2ccb225504393dcaf98379df
Instruction Fuzzy Hash: 21D0C92AB8D61785F33976C1803033A11B26F00B80F60403EF55F629C1CF1DF916A20B

Function 00007FFD9C1C2EEB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2038723965.00007FFD9C1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9C1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9c1c0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445811cac002c9797581079496545b8161e7237ed3f51e2590f8b1d6af6e8d22
Instruction ID: bcb2a66a895c787f11f82a8a980f47f45af60065839a6dac8f19c0dd652cf3a7
Opcode Fuzzy Hash: 445811cac002c9797581079496545b8161e7237ed3f51e2590f8b1d6af6e8d22
Instruction Fuzzy Hash: 53D01257B8D55B8AF37CB6C2413167D65B08F09380EA0047EF09F718D6CD1DB901A619

Non-executed Functions

Function 00007FFD9BC7CFFD Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2029460942.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bc70000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ef5629ce1bccd08a89323ff04574e5cd045fe9973a558ceaea86ca7f7795a9
Instruction ID: bc03124914b1fa2befb18201d212cd5c0d5e18464ccd50089dd3a6ee66e965ab
Opcode Fuzzy Hash: 95ef5629ce1bccd08a89323ff04574e5cd045fe9973a558ceaea86ca7f7795a9
Instruction Fuzzy Hash: 0831F670E18A1DCFCF84DF98D491AEDBBF1FB69300F60116AD419E3291CA35A941CB44

Function 00007FFD9BC834C9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2029460942.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bc70000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb158bac23c883a25e138dbc5d3f50fe1447e85c54bf13eea66cd092a1f58e4
Instruction ID: 23f4f46785523fdd546a9aa543b4e7179214d686b2664c2e76c3972a987d4dde
Opcode Fuzzy Hash: ebb158bac23c883a25e138dbc5d3f50fe1447e85c54bf13eea66cd092a1f58e4
Instruction Fuzzy Hash: 5ED01207B1B97713E57174AE68B25FD1740EFD09B9B9AA133E15D460932C2EA6470050

Function 00007FFD9BAC09B0 Relevance: 5.2, Strings: 4, Instructions: 182COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9BAC0B4E
"s9, xrefs: 00007FFD9BAC0B46
#{9, xrefs: 00007FFD9BAC0B3E
c9, xrefs: 00007FFD9BAC0B56

Memory Dump Source

Source File: 00000007.00000002.2026772978.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9bac0000_hyperruntimemonitorCommon.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: cffe3f7790561c7d5580bef8b8bb27a7d2a8360f80f20ebc3f78de5ee12ebd44
Instruction ID: f5e71a5ccbc74444670a9ebf0b8951558bac5ee9fef493e3804ac383fd9071cb
Opcode Fuzzy Hash: cffe3f7790561c7d5580bef8b8bb27a7d2a8360f80f20ebc3f78de5ee12ebd44
Instruction Fuzzy Hash: 0E415C16B0942A45E329B7FD78219FD6B448FA933FB0843B7F85E8D0C78D086081C2E9

Analysis Process: nGnJvqnFLoRdIZNyVoMyF.exePID: 6328, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAD0DA3 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d8dec71b2d9442843c1f76601452eeedd494613814b4336dddb12e4ba32525
Instruction ID: 13eb0fe832505ca29079dd7f5447c723054221b11cf2f34b1a94e5b8e4424323
Opcode Fuzzy Hash: 83d8dec71b2d9442843c1f76601452eeedd494613814b4336dddb12e4ba32525
Instruction Fuzzy Hash: F9A1D271A19A4D8FE798DB68C8657A97FE1FF9A310F5102BED048D72E6CB741801C741

Function 00007FFD9BAD0960 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c854b7106670faf94da1dd8d61d6c9e98cffaf61162683931575d415075284
Instruction ID: d2c7d6a31be2b13867037fb3546975a4ac7137167e74c0df0ff773d058b566c5
Opcode Fuzzy Hash: 85c854b7106670faf94da1dd8d61d6c9e98cffaf61162683931575d415075284
Instruction Fuzzy Hash: 21417131E0891D8FDB54EF98D895AEDB7A1FF68315F00067AE40DD729ACE34A841CB80

Function 00007FFD9BAD0908 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c883b9597618560b6ddc45b1f2ea82b95da67328e7116394b6e3a39befd97ff9
Instruction ID: 872dcf6319c581b7a188638450100e47a4bc6f05ead5a5c81d67ce6201956ef8
Opcode Fuzzy Hash: c883b9597618560b6ddc45b1f2ea82b95da67328e7116394b6e3a39befd97ff9
Instruction Fuzzy Hash: 93517C30A0490E9FCF84EF98D494EEDBBF1FF58325B054169E419E7260DA74E990CB90

Function 00007FFD9BAD0998 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ba018f4cd19a907138d27162c901e38801a8a3266840c1d667342c4ecfb975
Instruction ID: a1579337e21d09d75e9544cde22d6f020fa7a182b38d7db61e8338f6aac6796c
Opcode Fuzzy Hash: 94ba018f4cd19a907138d27162c901e38801a8a3266840c1d667342c4ecfb975
Instruction Fuzzy Hash: BD41F970E1491D8FDB94EF98C495AEDBBF1FFA8315F11016AE409E32A5DB34A9418B80

Function 00007FFD9BAD0C25 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868fd24cca17bbafc27c8d09fd18dbda0f767269970ca0126eb08a3d61451cac
Instruction ID: 110a45e894db654bdebbd842deb146474ac4a6d4e224da31c07fef8474ff877d
Opcode Fuzzy Hash: 868fd24cca17bbafc27c8d09fd18dbda0f767269970ca0126eb08a3d61451cac
Instruction Fuzzy Hash: 90310471A0E68E4FE3229BA4CC312FD7B70EF92315F0646B7D055871E2CA782605CB95

Function 00007FFD9BAD4CFA Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09ff128d693b28ecdeb0b31c7e19e43996d5569b46b2c39a2b7046903f91f12
Instruction ID: f475ae8c2d23760179604fd9242b69c071d08abc766e80abe80277201f468087
Opcode Fuzzy Hash: e09ff128d693b28ecdeb0b31c7e19e43996d5569b46b2c39a2b7046903f91f12
Instruction Fuzzy Hash: E831A830A0861C8FDFA9DB54C854BA9B3F5EB64715F1052EA904EF22A4CB756B84CF41

Function 00007FFD9BAD0B87 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594421b93bcff01351bb3549926af63c198f7f3d14fe721e90564faabf4d13d3
Instruction ID: fd1e05b9b4b58b0218966809081288b6465ca77dd70559f28171140827c5652c
Opcode Fuzzy Hash: 594421b93bcff01351bb3549926af63c198f7f3d14fe721e90564faabf4d13d3
Instruction Fuzzy Hash: D921D13161864ECFDB55EF6CD8559EA77A0FF48318F010276E85DC31A0DB30A664CB82

Function 00007FFD9BADA7A2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04a31bad1d38841d680e454b40d7134050f3290e16a0dfbeb78cf503ef4057f
Instruction ID: 37e71ce85fea7d762c95570a5dd71c17501ad0cc14149a0bf35829ccd0a620fe
Opcode Fuzzy Hash: d04a31bad1d38841d680e454b40d7134050f3290e16a0dfbeb78cf503ef4057f
Instruction Fuzzy Hash: 9F31B674D09A2D8EEBA4DB54C8647ECB6B1EB58301F0151E9D40EA22A1DEB96AC4CF04

Function 00007FFD9BADA854 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2211fa655e11fee369eb53d1acdd5eec610e03de7bc04414935552b19148266b
Instruction ID: cc86c9f660fe0e523944eeec931776c70f15765cbbf60cb2aba4f33708000515
Opcode Fuzzy Hash: 2211fa655e11fee369eb53d1acdd5eec610e03de7bc04414935552b19148266b
Instruction Fuzzy Hash: 8F31CB74E0962D8EEBA4EF14C8687E8B6F1EB58341F4141E9D40DE62A1DE786BC4CF04

Function 00007FFD9BAD0C38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b9d345aea9e37a472a4f17347ddda521751499fcb40b6f44d277fe37020542
Instruction ID: ed5cd68d097567c09a2b742e7f66e0cb21a669275417d960174a21fc8f119415
Opcode Fuzzy Hash: 70b9d345aea9e37a472a4f17347ddda521751499fcb40b6f44d277fe37020542
Instruction Fuzzy Hash: 06110831B0D68D4EE322A7A4CC312EA7B70EF93311F0646B3D055DB1E2CA781605CB95

Function 00007FFD9BAD0C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24007ab8871cc55d47fb43eb38440fd23c9bba248f44afc0a99b7c3da8ef4b0b
Instruction ID: f8c725c34fce945242f14476277e2b3ccdf9d2836e8436682975cebfbd7c312d
Opcode Fuzzy Hash: 24007ab8871cc55d47fb43eb38440fd23c9bba248f44afc0a99b7c3da8ef4b0b
Instruction Fuzzy Hash: 4D11A331A0D68D4EE322AB64CC352EA7B70EF93311F0646B7D055DB1E2CA781609CB95

Function 00007FFD9BADA6E9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cde79a243e3b7f26b2d49ddb3ae21a139d030094b9017837ad0c2caa537af0
Instruction ID: e3140cbebad7c7792b8033b539f25f07912cc3a09847d5df23b8014d5ee62b94
Opcode Fuzzy Hash: 41cde79a243e3b7f26b2d49ddb3ae21a139d030094b9017837ad0c2caa537af0
Instruction Fuzzy Hash: 45111D70E0962D8EEBB4DB54C8647A8B2F4EB58340F1152F9D50DE2291DEB82B848F04

Function 00007FFD9BAD0C48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39d9e241b1998fac164b443f95039c14d3345b9a925db96af5f261e35e2067b
Instruction ID: 2fd229e6c704c137a5ae25d736e899f26f1d6e01962093c785894d68ac6982f2
Opcode Fuzzy Hash: d39d9e241b1998fac164b443f95039c14d3345b9a925db96af5f261e35e2067b
Instruction Fuzzy Hash: 3B110831A0D28D8FE322AB64CC242EA7B70EF83311F0642B7D051DB1F2CA381604CB55

Function 00007FFD9BADA757 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f570a401db46c56a818a654d23e24a0cf32f1d1db6177a4f34a1988f678213f
Instruction ID: d89d57fcc4d11948116a0b0bd6a0f72b47ba74ca5b7ba1efe4b4d0b683d3d9dc
Opcode Fuzzy Hash: 2f570a401db46c56a818a654d23e24a0cf32f1d1db6177a4f34a1988f678213f
Instruction Fuzzy Hash: 1811EA70D0962D8EEBB4DB50C8647ECB2F1EB58341F0152E9C40DA22A1DEB86BC4CF04

Function 00007FFD9BAD0C50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6371ddffaa6b6cbaf8a479bc9fe4d488454df70bb2bd5dafe193751b7d09bc0b
Instruction ID: 91ebe51270005802982c8e4da9618795a40cb5288da7dbe74369a4e0c826a211
Opcode Fuzzy Hash: 6371ddffaa6b6cbaf8a479bc9fe4d488454df70bb2bd5dafe193751b7d09bc0b
Instruction Fuzzy Hash: 9201D631A0D28D8FE322A764CC342AA7B70EF93305F0642A7D055D71E3CA781604CB55

Function 00007FFD9BAD06AD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec989a2d8297febcb9342c26aef7a86120de6e319249ab02e74d8534777295eb
Instruction ID: 556ca806bb16223f4f59b9427622a1430ba7403b3e07443edc89acfc30fc1709
Opcode Fuzzy Hash: ec989a2d8297febcb9342c26aef7a86120de6e319249ab02e74d8534777295eb
Instruction Fuzzy Hash: ECF03030A0564E9FEBA0EF98D4596EE77A0FF94314F114537F41CC21A0DAB46294CB84

Function 00007FFD9BAD06D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8e7ec7bae53bb1dfbe93fd16878d391cd6eda4676ee76a2ec09c178d95600d
Instruction ID: 03aa5ae6f3330171b6aebaeeb704ebc8c0e5497d9697c2360386a34c40c2de18
Opcode Fuzzy Hash: 0d8e7ec7bae53bb1dfbe93fd16878d391cd6eda4676ee76a2ec09c178d95600d
Instruction Fuzzy Hash: F2F0123091564E9FDB90EFA8C8596EE77E0FF54304F514566F81CD21A0DA70A6A4CB80

Function 00007FFD9BAD8B70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a46e2a384aa077baf2983c8a7bc998b0c90f5ccab626579c352a78ccb57f7d
Instruction ID: 7a98f91d8d1e9c4c3c363ac777dbfbb1de92fb0086ef718813767c1af8348104
Opcode Fuzzy Hash: 37a46e2a384aa077baf2983c8a7bc998b0c90f5ccab626579c352a78ccb57f7d
Instruction Fuzzy Hash: 3AF0B670E0A52D8EEBB4DB54D8647ADB3B0FB94301F1195E9844DA2291CEB85B84CF40

Non-executed Functions

Function 00007FFD9BAD09B0 Relevance: 5.2, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9BAD0B4E
"s9, xrefs: 00007FFD9BAD0B46
#{9, xrefs: 00007FFD9BAD0B3E
c9, xrefs: 00007FFD9BAD0B56

Memory Dump Source

Source File: 0000001A.00000002.2189357233.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bad0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: c8fea02b6ae30050f34ef7dbb9d2496a8146291ee4face339af37c253529ba8f
Instruction ID: ad064be8f1c79cc623040a9e0cfba2f896195135b00ec5b6977b0cfcfb8bf4d9
Opcode Fuzzy Hash: c8fea02b6ae30050f34ef7dbb9d2496a8146291ee4face339af37c253529ba8f
Instruction Fuzzy Hash: A841A002B0942605E23A77FD78228F96B44DFA937FB4843B7F45E8D0EB4D196085C2D5

Analysis Process: nGnJvqnFLoRdIZNyVoMyF.exePID: 4228, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BADAD3D Relevance: 2.2, Instructions: 2222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BADA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bada000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80912c434298fcb134b1d87cc14bbb198e6606af58c98ac682c7a79da9797ab
Instruction ID: eaffc0b43df644e185e8719fff968a7357657a5a7023db6e0e275ca41a0dc374
Opcode Fuzzy Hash: d80912c434298fcb134b1d87cc14bbb198e6606af58c98ac682c7a79da9797ab
Instruction Fuzzy Hash: 8F130E70E1991D8FDBA8EF58C8A5BA8B7B1FF98310F5042E9D00DD7295DA746A81CF40

Function 00007FFD9BB09A8C Relevance: .4, Instructions: 450
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856d808c7b1ff8c5066bfb2ca50477f331089f1235b3e884ddea6a1d270bf1b3
Instruction ID: 5cf61e3f1b27680cccc9ce9f7698501e70c6514e77e884b84bcc4140f18fbd9a
Opcode Fuzzy Hash: 856d808c7b1ff8c5066bfb2ca50477f331089f1235b3e884ddea6a1d270bf1b3
Instruction Fuzzy Hash: 6C12F470E0421D8FDB18CFA8C495AECBBF2FF48304F148569D45AEB29ADA34A945CF50

Function 00007FFD9BAC0DA3 Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bac0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094041faf89b47ba8849169e8a21811d21d719c97607624241549468238461da
Instruction ID: e2186fd997528d8cc48caed7dc5bdc10cef730a1429f95697b6d23488eec6621
Opcode Fuzzy Hash: 094041faf89b47ba8849169e8a21811d21d719c97607624241549468238461da
Instruction Fuzzy Hash: 32A1C171A19A4D8FE7A8EF6CC8657A97BE1FF55314F0002BEE049D72E6CA781941C740

Function 00007FFD9BAD1C8E Relevance: 1.7, APIs: 1, Instructions: 190
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9BAD1DCA

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BACA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9baca000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 30c38c8afa9d2393d127744b3e9607556b295ea1cca14408fde9820181c3ae07
Instruction ID: e0ceca59687e29b2a23946b1458780d41c7dff60d1499514f1786ebe5b8554fa
Opcode Fuzzy Hash: 30c38c8afa9d2393d127744b3e9607556b295ea1cca14408fde9820181c3ae07
Instruction Fuzzy Hash: AE517D30D0864D8FDB54DFA8C845AEDBBF1FB6A310F1042AAD049E3252DB74A885CB81

Function 00007FFD9BAD367D Relevance: 1.4, APIs: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFD9BAD379F

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BACA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BACA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9baca000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 29ab4cfc330cbaec7bd1e4833b0281c9ca92b17d34f870e48b0cceebe031acb4
Instruction ID: fd949d3861fb485d9e2bb18a464a6117140eb64bdce53346273c7516a7c0e1c5
Opcode Fuzzy Hash: 29ab4cfc330cbaec7bd1e4833b0281c9ca92b17d34f870e48b0cceebe031acb4
Instruction Fuzzy Hash: 28512870908A5C8FDF94EF68C845BE9BBF1FB69310F1042AAD04DE3255DB75A9858B80

Function 00007FFD9BB11970 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*H_^, xrefs: 00007FFD9BB11A01

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID: *H_^
API String ID: 0-565342550
Opcode ID: 2c34c2d26a67b99feb55541274d29093d7459ee50e5509fbceb41436003bbe3a
Instruction ID: bc1de680310d16575e0a7e5a7f80b0315c2e8abed6d9e2e6e80e535497ca44b8
Opcode Fuzzy Hash: 2c34c2d26a67b99feb55541274d29093d7459ee50e5509fbceb41436003bbe3a
Instruction Fuzzy Hash: A7310536A0C15A4EDB14FBACA8A19E93BA0DF1933EB0802F7E49D8D0D7DD246145C780

Function 00007FFD9BB119C0 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*H_^, xrefs: 00007FFD9BB11A01

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID: *H_^
API String ID: 0-565342550
Opcode ID: 6842391f182527e4cbca24b3e9220816db6e0ce56cb8c0afd2f43127a0c8c009
Instruction ID: cb4a5a04079d420b919091ea566bbff6ed7ace6648d2517cc3bb753490b4a3c5
Opcode Fuzzy Hash: 6842391f182527e4cbca24b3e9220816db6e0ce56cb8c0afd2f43127a0c8c009
Instruction Fuzzy Hash: 0321D635A0845A4FDB14FFACA8A59E97BA0EF1932EF0802B7E45DCA1D7DD245541C780

Function 00007FFD9BB119E0 Relevance: 1.3, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*H_^, xrefs: 00007FFD9BB11A01

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID: *H_^
API String ID: 0-565342550
Opcode ID: 413b5757003e9714f1989ac78d8af5f3fa6fa6d2aedf25fa61bfdfd524880957
Instruction ID: 6b5bd3db8cdb1131a668c96f311ad1c6150d707c26ff433fb3656d49f3e95829
Opcode Fuzzy Hash: 413b5757003e9714f1989ac78d8af5f3fa6fa6d2aedf25fa61bfdfd524880957
Instruction Fuzzy Hash: A411063490854D4FDB15FFA898A59ED3BA0EF1931EF0801B7F45D8A1D7CE246550C780

Function 00007FFD9BB0D179 Relevance: 1.3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00007FFD9BB0D18A

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 2a7c670d78255dd8e9c00ae608c15e336120337c35d40553dc4ce4068ce74e25
Instruction ID: 3507969f5b9817716021cd108251b620ac9955275e7170a22cce42a279f7ea4d
Opcode Fuzzy Hash: 2a7c670d78255dd8e9c00ae608c15e336120337c35d40553dc4ce4068ce74e25
Instruction Fuzzy Hash: C0015E3091868D8FCB45EF28C858AD97FB0FF19305F0541AAE849C72A2CB34A554CB81

Function 00007FFD9BB13A1C Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f953df6990f90dd18da125cd765488a8eec4995396b564ed846e5ea832c7a512
Instruction ID: 43b8d0b750b75250e2625769a48628f59826742d9044bf359ae8fc4b540ebf41
Opcode Fuzzy Hash: f953df6990f90dd18da125cd765488a8eec4995396b564ed846e5ea832c7a512
Instruction Fuzzy Hash: 3151EE70E1955D8EEBA4EF58C8A5BADB7A1FF58314F4482F5D00CD3292DA346A84CB41

Function 00007FFD9BAD8499 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 991d6fd81392ba6c59414d8714a2dd232d358651b15d91e364f0f3d39489b5f9
Instruction ID: 5632572ac1bcb0f37abc539c8b5ffcda5eef267b5dd63f31c533aa9c3164a694
Opcode Fuzzy Hash: 991d6fd81392ba6c59414d8714a2dd232d358651b15d91e364f0f3d39489b5f9
Instruction Fuzzy Hash: 7C519170A0964D9FCF84EF98D494AED7BF1FF58324B0501A6E419E7261D774E990CB80

Function 00007FFD9BAC0C21 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bac0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195d7c298a0cdfa1181caed04c68d35d1c803a02132386589fd9819a31fade7f
Instruction ID: d7a33d1e00d574644566d639163e7c1631b47c56dd4400484885db631b91c86c
Opcode Fuzzy Hash: 195d7c298a0cdfa1181caed04c68d35d1c803a02132386589fd9819a31fade7f
Instruction Fuzzy Hash: 36310771A0E68E8FE722ABA4CC202F97B70EF52315F0642B7D055971E3CA781605CB95

Function 00007FFD9BADF310 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BADA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bada000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ffed46c0a8eda754faf7c587873d5f7fc0e9ef6a41b02131aaf6c530489df9
Instruction ID: 33f64f479f8863b82fb5e70d5f5ebaa0ee27fc1709a973fcc6b8eace8d8755c8
Opcode Fuzzy Hash: 73ffed46c0a8eda754faf7c587873d5f7fc0e9ef6a41b02131aaf6c530489df9
Instruction Fuzzy Hash: 7B3131A284E7C54FD7438B748C36695BFB0AF53214B0F81EBD484CB4A3D1589A1AC763

Function 00007FFD9BAC4CFA Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bac4000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70818582fa2eff05601efde689e2510fbb1f8ee6ba0a3f03d537fcdbdefca804
Instruction ID: 9f2ce03924283ccce931ffc4b1dd62ed894bbec4f3d296ae8546a5c429c70141
Opcode Fuzzy Hash: 70818582fa2eff05601efde689e2510fbb1f8ee6ba0a3f03d537fcdbdefca804
Instruction Fuzzy Hash: AD31A730A0862C8FDFA9EB54C854BA9B3F5EB64715F1051EA904EF32A4CB756B84CF41

Function 00007FFD9BAD8129 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12978a5082d4430c14cbc6eb4f7b0174c074bbe5826205bf26bc6bfb88264ce
Instruction ID: a2d7887ef07b2a852438d0f4a5119e61007e1206ad14df1ff29b9a3bc8ee167b
Opcode Fuzzy Hash: e12978a5082d4430c14cbc6eb4f7b0174c074bbe5826205bf26bc6bfb88264ce
Instruction Fuzzy Hash: 77318030A0964D8FCB55DF58C8A5AFD7BB1FF58314F06026AE849E3291CB74E944CB81

Function 00007FFD9BB0B3EE Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0222a62bf4c3043dbd78cda897fea0b64d6c6d288dbf4469fd75aab098b0d4d6
Instruction ID: 566a52d82d4b1786b42976a3016d859a005757052fa0c7dfa31e5658a2d507c3
Opcode Fuzzy Hash: 0222a62bf4c3043dbd78cda897fea0b64d6c6d288dbf4469fd75aab098b0d4d6
Instruction Fuzzy Hash: BF313670E0A50E8EEBB8DF9884757BCB7A1FF58315F1101BAD04DA22D5CF386A818B41

Function 00007FFD9BB16B20 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedb426d22e9f9a758e10bfacb91647dbea4aefae528c16bb0df841e8b5da09a
Instruction ID: 05126af1e94b24871a6a8373e08dfd245edc439a3141d1f8b66659123823955c
Opcode Fuzzy Hash: cedb426d22e9f9a758e10bfacb91647dbea4aefae528c16bb0df841e8b5da09a
Instruction Fuzzy Hash: 77211D70E0961D8EEB64EE9884657FDB7A1FF58315F1190BAD00EE2291DE342A848B41

Function 00007FFD9BB0AA79 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4889a8802628d269c79d15ed4e0fe94940d6285c51a247a242405b244342769c
Instruction ID: cfd03abb2d81f615f2628b7e7e94c0f1dca521c95dead6f054b8b0d4753870ed
Opcode Fuzzy Hash: 4889a8802628d269c79d15ed4e0fe94940d6285c51a247a242405b244342769c
Instruction Fuzzy Hash: 16118931A0964D8FDF95EF98C8A5AF97BB0FF28304F0505A6D449C71E2DA34A945CB40

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bac0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7973b72569d129c4643908018ed4de1cd65a2022f842c9efa7997f55be09d0cd
Instruction ID: ea04e5644c55e8097ed7acb28a601589841de07b12e6d3f6ea044aabc194fd8e
Opcode Fuzzy Hash: 7973b72569d129c4643908018ed4de1cd65a2022f842c9efa7997f55be09d0cd
Instruction Fuzzy Hash: 1D110832B0E69D8EE322A768CC212F97B70EB52311F0646B3D051DB1E3CA781605CB95

Function 00007FFD9BB142D1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7dc49df6c570a7e04a2fceff3006521adb6493d0a771d6a6517d27ecf1cc09
Instruction ID: 0f68481496fe00727e2440716e32cbe975e7f694c7f79986a09cd29f64db6e16
Opcode Fuzzy Hash: de7dc49df6c570a7e04a2fceff3006521adb6493d0a771d6a6517d27ecf1cc09
Instruction Fuzzy Hash: 97117C31A0964D9FDBA4EFA8C8A56ED7BB0FF55304F0101BAE41DD32A1DB35AA44CB40

Function 00007FFD9BB0AB51 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee89e4f37fe153a9a599b377ad5635f24d80d561a65b973e96312f9d8dffa554
Instruction ID: 69cc6e4db473a01b243ae9e8a166c76eebdef1d42e4624bef5fc4497ba1994c5
Opcode Fuzzy Hash: ee89e4f37fe153a9a599b377ad5635f24d80d561a65b973e96312f9d8dffa554
Instruction Fuzzy Hash: 7111CE31A0958D8FDB54EFA884A96FD7BB1FF54304F0504AAD40CC71A6EB35AA44CB40

Function 00007FFD9BAE0E67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BADA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bada000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99dd7ce5f1236576489fa0ccb590503d59858e32a4598deb7cdc0dce0fa0f2a
Instruction ID: b0e534170784b42aad9eb90ab865dc10c607df44574831e649cab45401f850a7
Opcode Fuzzy Hash: b99dd7ce5f1236576489fa0ccb590503d59858e32a4598deb7cdc0dce0fa0f2a
Instruction Fuzzy Hash: F611E730E1921E8EEB70DFA988556ADB7B0EF58701F21457AD009D31A2DB786A818F04

Function 00007FFD9BB0AAD9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555545cc59542836d941fa4fcacbcfae7bca05d8cebbe3fe4e1abd9c5854b9dc
Instruction ID: 4bc322d221715934d567d8d3ecacb5e150ed2817dfab456c486cb846ec56a06b
Opcode Fuzzy Hash: 555545cc59542836d941fa4fcacbcfae7bca05d8cebbe3fe4e1abd9c5854b9dc
Instruction Fuzzy Hash: 4C115E7090868D8FCF45EF68C858AAE7BF0FF28304F0105AAD849C71A1D7349954CB40

Function 00007FFD9BB05059 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb04000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476b51ccef371af35f176906ea2ce59e1fb1b31e9770ca1c783ac8dc14278573
Instruction ID: 02ef6c921264e54bb75a72e7311fdc232f903396815612de6ac4b81a271de296
Opcode Fuzzy Hash: 476b51ccef371af35f176906ea2ce59e1fb1b31e9770ca1c783ac8dc14278573
Instruction Fuzzy Hash: 76113C3090968D8FDF85EF68C899AED7BF0FF29304F0505AAD459C71A1DB34A994CB81

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bac0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9d956e3fa56ceb4bbbe470e9fa0e052f949b4b90d157669c182fb331e56549
Instruction ID: 803fac4ce849f47b091fb74205c2e1febeb5fba4fc0bf379ec43a1ece7d71ef3
Opcode Fuzzy Hash: 7d9d956e3fa56ceb4bbbe470e9fa0e052f949b4b90d157669c182fb331e56549
Instruction Fuzzy Hash: 5111E571A0D28D8FE322AB64CC202AA7B70EB43311F0641A7D051DB1E3CA381604CB95

Function 00007FFD9BB0C559 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295a8a1cbc3c4ac8507a3c216905c7d46573b9dde40a5facc06d20dc4f130b5c
Instruction ID: 101358242becbb272a3f63fe37a225f99ec3a32d7bffa69eae22dff6d409eeb6
Opcode Fuzzy Hash: 295a8a1cbc3c4ac8507a3c216905c7d46573b9dde40a5facc06d20dc4f130b5c
Instruction Fuzzy Hash: 77011E7450868C8FCF45EF68C899AE97BF0FF69305F05019AE449C71A1DB34E954CB41

Function 00007FFD9BAD82C1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0e4fa3f7bd62362bb1c7bb015cc971349a4b7e5dd5377c2f43b5a948acfc88
Instruction ID: f77f9c610f536f9c41224c1ea7ce6634793eba9a9f69da54c347bc061dcba754
Opcode Fuzzy Hash: ca0e4fa3f7bd62362bb1c7bb015cc971349a4b7e5dd5377c2f43b5a948acfc88
Instruction Fuzzy Hash: CF015631A18A8CCFCB84EF18C896AD93BE0FF58314F0502AAE848C3261D734E950CB81

Function 00007FFD9BB1579C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc3f6c5acf72fd5cdee2cc682efb1b7a6d2679e9768d6a3b7dd5bda05421cb7
Instruction ID: 0b6b7305ce1281b1786d670bce10c12aca5643c666601961c5bec0474839fe56
Opcode Fuzzy Hash: ffc3f6c5acf72fd5cdee2cc682efb1b7a6d2679e9768d6a3b7dd5bda05421cb7
Instruction Fuzzy Hash: 0E01CC70918A4D8FDF94EF58C859AE97BF0FF68305F00456AE819D7260DB71A554CB80

Function 00007FFD9BB15878 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3089ad4c4f82b93a49c3e4e08a7dbaf8e652f7bd2d6831ec2745f1f1fcc46a5a
Instruction ID: dc406a0fe007a8f25ed0427e6c384fd07e814f2ee58efc2ca093318b5c8ec6dc
Opcode Fuzzy Hash: 3089ad4c4f82b93a49c3e4e08a7dbaf8e652f7bd2d6831ec2745f1f1fcc46a5a
Instruction Fuzzy Hash: 3101ED3490894D8FDF94EF68C859AE97BF0FF68305F00456AE819D3290DB70A550CB80

Function 00007FFD9BAD87B5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a0e5980f39aeabbaac996e6d317bdfd99b9549b79889b37f0b25003fa82244
Instruction ID: 727e68301eb02f30852f8a3f3a66797ca398689f164395894510055467cac20f
Opcode Fuzzy Hash: 77a0e5980f39aeabbaac996e6d317bdfd99b9549b79889b37f0b25003fa82244
Instruction Fuzzy Hash: 66018B3091978D8FDB48EF18C8516E93BE0FF68710F0102AAE85887291D738EA94CB81

Function 00007FFD9BB157A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e9c6a92cb6c57d9643e7db33b8c7a938a605e46efe8926cd4a46c93cbe10c5
Instruction ID: f97d1b2cada97ca60de4e3ee6d78366cd5cac770487b7a1626be54ce0d8bdc46
Opcode Fuzzy Hash: 86e9c6a92cb6c57d9643e7db33b8c7a938a605e46efe8926cd4a46c93cbe10c5
Instruction Fuzzy Hash: 19019670914A4D9FDF84EF68C849AEA7BF0FB68305F00456AA819D3260DB71A594CB81

Function 00007FFD9BB0ABB9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee235282e883cf8c1e1312aa93ffd0e5d22ee43e441f3a60fa8dd2444618071
Instruction ID: bc5a60bab1faae853a44280d5cb3ced97ab8ddb71d6b666fdf26fc544529b346
Opcode Fuzzy Hash: eee235282e883cf8c1e1312aa93ffd0e5d22ee43e441f3a60fa8dd2444618071
Instruction Fuzzy Hash: 7201713090968C8FCF45DF24C864AA97FB1FF25300F0540DBD448C71A2DA349994CB80

Function 00007FFD9BB12771 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8b428e840567c8aca828f2c2516d545feb9651fd20ac84f9d47d40fe0c912d
Instruction ID: 3c8bd3b2419eb138ddb5608b3ec025197eb9d35e2ca9a2f9c40254c07315beb1
Opcode Fuzzy Hash: cc8b428e840567c8aca828f2c2516d545feb9651fd20ac84f9d47d40fe0c912d
Instruction Fuzzy Hash: 4401887190954D8FDF54DF94C4559AD7BB0FF54308F14406DD419C31A0DB359950CF81

Function 00007FFD9BB162D9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d5ef09b568faffe9c8dafb37f9e8f6a9401d906eb5e624f4f4b47f10ca7d38
Instruction ID: 4284a67b2b3fd9b193184ea2f17cc036f65c91d0c5b32747dfbdfbe55d927b57
Opcode Fuzzy Hash: d6d5ef09b568faffe9c8dafb37f9e8f6a9401d906eb5e624f4f4b47f10ca7d38
Instruction Fuzzy Hash: C8014C3090CA8D8FCF85EF58C859AAA7BF0FF65300F0505AAD459C71A1D7349554CB80

Function 00007FFD9BB15880 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e6ec3c01ba7926c98e0133aff7ebd6643306ecc8763a2204b9ad61b711632a
Instruction ID: 1c52c4941571fa9bb36309773c6e3706c76e04433562bfb7e50589a00c9df1e1
Opcode Fuzzy Hash: 70e6ec3c01ba7926c98e0133aff7ebd6643306ecc8763a2204b9ad61b711632a
Instruction Fuzzy Hash: 7B019670914A4D9FDF84EF68C849AEA7BF0FB68305F10456AA819D32A0DB31A594CB81

Function 00007FFD9BAE1D28 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BADA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bada000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5aa6e4e750def8eb93efda6ef0fa8144436c03b755f68c89d30c8ca46f32a9
Instruction ID: ab50bcb466ae5bbe038a9d5ec919d490cc9ba3be374d295506c264207a74aafa
Opcode Fuzzy Hash: da5aa6e4e750def8eb93efda6ef0fa8144436c03b755f68c89d30c8ca46f32a9
Instruction Fuzzy Hash: F301C830914A0D8FDF84EF58C849AEE7BF0FB68305F10066AA819D32A0DB31A554CB80

Function 00007FFD9BB127A9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48017f4bace785127978adbfb8bd57ffe173f50bcc873313f973eedad526f607
Instruction ID: df727ff321460b84881b9dcba24a38328df4a27f5a382b936054837914180fd1
Opcode Fuzzy Hash: 48017f4bace785127978adbfb8bd57ffe173f50bcc873313f973eedad526f607
Instruction Fuzzy Hash: 6B01623090968D8FCB45DF64C865A997FB0FF59305F0540EAD419C71A2D7359954CF41

Function 00007FFD9BB191B9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c442de586f21388d39c070d1700225e11e327b333ef1abd24a74a89c1f8c776
Instruction ID: be0390a4789a07fcb0042b42625fdc09f7784ca54a0174a93551e6dad346cc30
Opcode Fuzzy Hash: 5c442de586f21388d39c070d1700225e11e327b333ef1abd24a74a89c1f8c776
Instruction Fuzzy Hash: 9D013C3090894D8FDF94EF68C858AADBBF0FF28305F0005AAE42DD32A0DB719690CB40

Function 00007FFD9BB0D190 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458d31564ce0fd33e939eb7633f0ff7afe77a6e043c7fd8a0b61c6cc97e2a960
Instruction ID: 5714cd6be089a8b578266f421f0c39313a5e8bacba07198dac27e2f03162b656
Opcode Fuzzy Hash: 458d31564ce0fd33e939eb7633f0ff7afe77a6e043c7fd8a0b61c6cc97e2a960
Instruction Fuzzy Hash: 5BF0EC30914A4D9FDF44EF58C859AE97BF0FB68305F00456AA80DD32A0DB30E694CB81

Function 00007FFD9BAE03DA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BADA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bada000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d56b574c9d7ba46d08372df68cb65157d87042bc0849329cd805125fbfd6cc
Instruction ID: 41fe3bc54fbdb5130be81dcaf38e56b7b3ba5995e33f9effe0f47268be899674
Opcode Fuzzy Hash: 16d56b574c9d7ba46d08372df68cb65157d87042bc0849329cd805125fbfd6cc
Instruction Fuzzy Hash: 18014B71E0850E8BDB6CEF88C4A65BE77B1FF54711F01013ED41AE22A1CE746A418B44

Function 00007FFD9BB0B781 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad67488b5407a2e2f0afe85c76224cd29b2e9894e2c85d4355d61598ea6d1798
Instruction ID: 6d5f28a931d370be912f687109cc14baa7754ae4bda7a9faada3d3ca3a22cde2
Opcode Fuzzy Hash: ad67488b5407a2e2f0afe85c76224cd29b2e9894e2c85d4355d61598ea6d1798
Instruction Fuzzy Hash: 3F011E30E0565D8FEB74DB44C8A47FC77A1FB54319F0082B9C459972D5CB786A858F41

Function 00007FFD9BB12C8C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a557629389f622bd7f18bdff4df4b417511be6871e6f1458a1648f5dba72558e
Instruction ID: f78597262a3324fbddef3aaed67c7606fd5ab004e4573bc78f595eddc310109d
Opcode Fuzzy Hash: a557629389f622bd7f18bdff4df4b417511be6871e6f1458a1648f5dba72558e
Instruction Fuzzy Hash: E5011D7090454E8FDF84EF58C854AEE7BF0FF68308F10056AD419D32A0DB709650CB80

Function 00007FFD9BB0ABD0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d55053ccedf6aa7fd26c8269a5b03ba4c3c49c9bdc99e6ddf595699f1f80659
Instruction ID: 5052896cf9c45c0072ee010abfb806d0ce9501ef268f2d1c60c0158d167258dd
Opcode Fuzzy Hash: 3d55053ccedf6aa7fd26c8269a5b03ba4c3c49c9bdc99e6ddf595699f1f80659
Instruction Fuzzy Hash: 66F0BD3091494D9FDF84EF58C458AAA7BF1FF68305F10459AA41DD31A4DB319694CB80

Function 00007FFD9BB14348 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673bc2ccacbc7252679ee6ba5e23e29644c93a5ac1cb4101f6fe1d85e11e56e9
Instruction ID: 3cf514fa055465dc4948cd36c08f1d3aaae902b3c5b8d4881d928bb8b05bf0e3
Opcode Fuzzy Hash: 673bc2ccacbc7252679ee6ba5e23e29644c93a5ac1cb4101f6fe1d85e11e56e9
Instruction Fuzzy Hash: 8AF0F97091464DCFCF84EF68C958AAEB7B4FB68305F0405AAE419D32A5DB30AA54CB50

Function 00007FFD9BB173E0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d12fe7276b57d06a981e14bad3e3119e320bcaf1714d66b65bb090b0a1f8624
Instruction ID: 1ab1243337dd52ad334a7aa751609154464f458cad8597caafbb38258c408afc
Opcode Fuzzy Hash: 2d12fe7276b57d06a981e14bad3e3119e320bcaf1714d66b65bb090b0a1f8624
Instruction Fuzzy Hash: 45F0BD3091494D9FDF94EF58C454AEEBBB0FF69305F1041AAE41DD32A0DB31A694CB81

Function 00007FFD9BB11A30 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061471be7ddf296362897edad65caa95234647a40ab67afc25c9b4b4822eec0d
Instruction ID: 73ae3eb41b28a8b298fd631ba163b4825c68b5325be95fab8e0cb66c60976ada
Opcode Fuzzy Hash: 061471be7ddf296362897edad65caa95234647a40ab67afc25c9b4b4822eec0d
Instruction Fuzzy Hash: A9F0BD3091494D9FDF94EF94C454AAE7BB0FF58309F1041AAE41DD72A0DB31AA94CF91

Function 00007FFD9BAD77AD Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ff4c6e36e13b870d3062263520603ae6bfbc7ad04d13caca969b89fe3e673f
Instruction ID: 0724e471f34a21cb7f9be0013f183fd920a619764ba6d3534b24b09016de99b3
Opcode Fuzzy Hash: 66ff4c6e36e13b870d3062263520603ae6bfbc7ad04d13caca969b89fe3e673f
Instruction Fuzzy Hash: F0F05E3060868DCFCB95EF18C855ADA3FA0FF69300F4501AAE55CC72A5D775D964CB81

Function 00007FFD9BAD7FCD Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af923bab8332dcc2b6bf378bad3e3bdc9089731628c91774f63e34b05bae995
Instruction ID: 1d25c49db33490b54e44f3e8f9caa0d743a1a58b72a6b69ab94a5781980473eb
Opcode Fuzzy Hash: 9af923bab8332dcc2b6bf378bad3e3bdc9089731628c91774f63e34b05bae995
Instruction Fuzzy Hash: 65F0BE3550D68DCFCB95EF18C894ADA3BA0FF69300F0101AAE50CC72A5D774D9A4CB81

Function 00007FFD9BAD7605 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d87d745898530472af0e843b31e0eb3e028e9a2386937090123defbb6f4246e
Instruction ID: 2ad9341f46e91808ace5236cbe6e4245e3daf9474269a463494ef24bffd7f82a
Opcode Fuzzy Hash: 7d87d745898530472af0e843b31e0eb3e028e9a2386937090123defbb6f4246e
Instruction Fuzzy Hash: 0EF0A03095928C9FCB01AB78C86C6AD7FB0FF19304F0545E6E448C60A2EA349664CB02

Function 00007FFD9BB05FFD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB04000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB04000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb04000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54db5442be4a605ffe9cece4cae75d674e6ca601e1c4cb01c7964f8cfafc9d38
Instruction ID: 703bd02439c8400d8690986eeccdf6d9bff8947bb2b37f669e5b8855710d3341
Opcode Fuzzy Hash: 54db5442be4a605ffe9cece4cae75d674e6ca601e1c4cb01c7964f8cfafc9d38
Instruction Fuzzy Hash: ABF0E270D5D68D8FEB50EF6488696E9BFF0FF04300F4601EAD848C61E2EA349694CB01

Function 00007FFD9BB12825 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BB09000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB09000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bb09000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476e25572d8c3e0b76455c68fce2e1570c825c965235a3088c877cb4ff178933
Instruction ID: 0fa69918e65a652575239e039dc3759b7898e53399fdf4f16fe3fbb2c323721a
Opcode Fuzzy Hash: 476e25572d8c3e0b76455c68fce2e1570c825c965235a3088c877cb4ff178933
Instruction Fuzzy Hash: A6F03032A0954DAFDF199EA4C8708AD7724FF75318B1A04A6D01E8B1A5CE21E915CB51

Function 00007FFD9BAD7B65 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAD6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bad6000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf2c2ea3ff26a4fbb2a8be4a1e7125f787730d7666da5c40d282c87065cbced
Instruction ID: 9521cb2babd781f8b2491011389f49b292cbce2c333d80d2c3fd9afac5178aa2
Opcode Fuzzy Hash: 5bf2c2ea3ff26a4fbb2a8be4a1e7125f787730d7666da5c40d282c87065cbced
Instruction Fuzzy Hash: 28E04820E1D1098AE7149B9494514FDB7F4DF85210F115671D51D932DADD7426554B40

Function 00007FFD9BAC8B70 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BAC4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bac4000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f760eb22b4a8045c0b419d4a697f41138c9ac31c433d9c632826590f3f94d12f
Instruction ID: 79eda0a65c8478445d6fa81f022a7171b1edf442a45a571b775bceccb64cab11
Opcode Fuzzy Hash: f760eb22b4a8045c0b419d4a697f41138c9ac31c433d9c632826590f3f94d12f
Instruction Fuzzy Hash: 55E0E270E0A62D8AEB70AB44D8647AAB2B0EB54301F1060A9C50EA32C0DBB85B81CF05

Non-executed Functions

Function 00007FFD9BAE1B58 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2188275475.00007FFD9BADA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BADA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ffd9bada000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b472ddaa6490788ac8adb42a6b1f5855bea206774cdecdff60904a8288d1dc
Instruction ID: 85552d8e9a7fbe991005305e95317d737736c18954d3711c16aadf6b9aaaa665
Opcode Fuzzy Hash: b5b472ddaa6490788ac8adb42a6b1f5855bea206774cdecdff60904a8288d1dc
Instruction Fuzzy Hash: EB31C0A244E7D15FD3038B709C76A927FB0AE53214B0F85CBC4C18F4B3E6585A6AD762

Analysis Process: nGnJvqnFLoRdIZNyVoMyF.exePID: 1880, Parent PID: 6372COMMON

Executed Functions

Function 00007FFD9BAB0DA3 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321d3ada1cf343ff9b050079b01249d03ab83b42deaf7e6b3095e26ba9563d3f
Instruction ID: ae21e57d571753751d02abb9c45dc2f8225195a0ff500563fc0879b9e2183cb0
Opcode Fuzzy Hash: 321d3ada1cf343ff9b050079b01249d03ab83b42deaf7e6b3095e26ba9563d3f
Instruction Fuzzy Hash: FCA1D571A19A5D8FE7A8EF68C8657A97BE1FF59314F4001BED058D72E6CBB81801CB40

Function 00007FFD9BAB0960 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f84e5db1b369d08e51ba9dd4c1c84f2ec55cf8f058397a28b7b8ed171cc323
Instruction ID: f1ea5d3070e1b70746b9bdf84776b4af8252d74dd18f5804985151e1bb89ab54
Opcode Fuzzy Hash: d7f84e5db1b369d08e51ba9dd4c1c84f2ec55cf8f058397a28b7b8ed171cc323
Instruction Fuzzy Hash: AD416031E1891D8FDB58FF98D895AED77A1FF68319F00027AE40DD7296CE34A8418B80

Function 00007FFD9BAB0908 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401c87b61a76a5d8cb2b61d3b9af3ba76e5353b05bc3dad619d51d370deba9db
Instruction ID: 01f8f7957894cd4d5edbaeffc23bafb35376d5535ab9784a6c78ed1dcc0a105b
Opcode Fuzzy Hash: 401c87b61a76a5d8cb2b61d3b9af3ba76e5353b05bc3dad619d51d370deba9db
Instruction Fuzzy Hash: E7517C30A0490E9FCF84EF98D494EEDBBF1FF58325B054169E419E7260DA74E990CB90

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55412cdc63a551b4cd6627af3379cb9550b534c0434703ccd752433fbe86ef7
Instruction ID: 332bff084e8bc304f83a85ebb5dee6c4bb2a10d5005e0d39cedcdd0f6bb98fbd
Opcode Fuzzy Hash: e55412cdc63a551b4cd6627af3379cb9550b534c0434703ccd752433fbe86ef7
Instruction Fuzzy Hash: EB412930E1491D8FDB98EF98C894AEDBBF1FF68315F10016AE409E32A5DB34A9418B40

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec49e86fe5c8c6108f75d95d092e1353979fd42dac98822aa268696fd52d7db0
Instruction ID: 7e7a9ca77b5777c89c024cb70a4dabf2aa396f9ccbf291356499ffb9946404c8
Opcode Fuzzy Hash: ec49e86fe5c8c6108f75d95d092e1353979fd42dac98822aa268696fd52d7db0
Instruction Fuzzy Hash: D031F571A0D69E4FE3229BA5CC212A97B70EF52315F0641B7C065871E2C6781605CF95

Function 00007FFD9BAB4CFA Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2a29a2b2b1400236dc163ea62bfb29c1951869bc3b368a4837459d34acb2ff
Instruction ID: e2e49407a052556a11f2ccb5ebd9bc1edcbd2eba20a5d4692eb6d74d6917f481
Opcode Fuzzy Hash: be2a29a2b2b1400236dc163ea62bfb29c1951869bc3b368a4837459d34acb2ff
Instruction Fuzzy Hash: A931C630A0862C8FDFA9DB54C854BA9B3F4EB64715F1051EA900EE22A4CB746B84CF41

Function 00007FFD9BAB0B87 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a789e8b057f786dd46d2ab72bd568d419346fb8245cefad58477e14c9d4ac94
Instruction ID: 1e9f78c57be2d230849409c9b7d382e2a7427dfeeb82fb4cab621cc035c1fba3
Opcode Fuzzy Hash: 7a789e8b057f786dd46d2ab72bd568d419346fb8245cefad58477e14c9d4ac94
Instruction Fuzzy Hash: 1521BE3161864ECFDB50EF68D855AEA7BA0FF48318F01017AE85DC31A1DB30AA64CB81

Function 00007FFD9BABA7A2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d311577c1f376f4ab74af780d2f6683e28fb29f3a00d6b8bd4ae6d7c2f5d8d73
Instruction ID: 89aa4bdb630b0c02112d6daff87513fe46270ca7008270601dbd82a99a9710a7
Opcode Fuzzy Hash: d311577c1f376f4ab74af780d2f6683e28fb29f3a00d6b8bd4ae6d7c2f5d8d73
Instruction Fuzzy Hash: 0D319670D09A2D8EEBA4DF55C8647E8B6B1EB18301F1150E9D01EA22A1DEB96AC4CF44

Function 00007FFD9BABA854 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e983e06a327f11c908f3f6cc9bb73d7da00e56d35014a8b34ae8561a299669
Instruction ID: a5b143af24e11d611d3cd3c89709039212826ce258b9ea92110d08c7d8a437b7
Opcode Fuzzy Hash: 69e983e06a327f11c908f3f6cc9bb73d7da00e56d35014a8b34ae8561a299669
Instruction Fuzzy Hash: 5631CB70E0962D8EEBA4EF55C8687E8B6F1EB58341F4140E9D01DE66A1DE786BC4CF04

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e54dcc13d4bd27dbb74f9076a3cf50b5197a2a66667f7cd00786023580c317
Instruction ID: de0555d304f482a748c5b2ceb71c75bd121ca0a9bbe7c4a166e222e460f3d592
Opcode Fuzzy Hash: a0e54dcc13d4bd27dbb74f9076a3cf50b5197a2a66667f7cd00786023580c317
Instruction Fuzzy Hash: 7111B631B0D6AD4FE32297A4CC212E97B70EB53311F0645B3D055DB1E2DA7816058B95

Function 00007FFD9BAB0C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d8b9aaab29f6336c2a3186d356ab5810afe7b32b63438c980c36c496fdf0d6
Instruction ID: 39840133765c4f7a15ae66afd83418ae196590d1fa56fcbc24c6cd6bb60bc52f
Opcode Fuzzy Hash: 41d8b9aaab29f6336c2a3186d356ab5810afe7b32b63438c980c36c496fdf0d6
Instruction Fuzzy Hash: F111E331A0D69D8FE3229BA4CC212EA7B70EB53311F0645B3D061DB1E2CA781609CF95

Function 00007FFD9BABA6E9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed31683bdc458ef1b1e9cd71494a6682adca04843025376789fe21e03c728c6
Instruction ID: bb1f6ed4cb0ba2828cc5243b5e6726e0970c87e1a486d9d7560e71b6c071d598
Opcode Fuzzy Hash: 5ed31683bdc458ef1b1e9cd71494a6682adca04843025376789fe21e03c728c6
Instruction Fuzzy Hash: A511F670E0962D8EEBB4DB54C8647A8B2F1EB18341F1141FAD01DE26A1DFB86AC59F44

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74d0c5366af54f0f603ce972bada933b40cb2f0a737ea05a30ac878460530fb
Instruction ID: 6303c25bccf1f8626a02e0b31dfe00269c753e09dc5ad2b776becfeb182f5d98
Opcode Fuzzy Hash: b74d0c5366af54f0f603ce972bada933b40cb2f0a737ea05a30ac878460530fb
Instruction Fuzzy Hash: F211E531A0D29D8FE3229BA4CC202AA7B70EB43311F0641A7D061DB1E2CA785604CB95

Function 00007FFD9BABA757 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f570a401db46c56a818a654d23e24a0cf32f1d1db6177a4f34a1988f678213f
Instruction ID: 516ec203f226229b6fd4553a0c892acde46d0c53e045923c3b721f64090433c7
Opcode Fuzzy Hash: 2f570a401db46c56a818a654d23e24a0cf32f1d1db6177a4f34a1988f678213f
Instruction Fuzzy Hash: EF11E470E0962D8EEBB4DB50C8647E8B2F1EB18741F0141E9C01DA26A1DEB86BC4CF04

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae42c287ae0debaed2fff584abd1b71c9c36d7cb70ca052486a0b6dfea2a43f3
Instruction ID: ce64ef4d7b2502f168d6a197f528c18899840a61adde0b2da3c74f617fd07cd0
Opcode Fuzzy Hash: ae42c287ae0debaed2fff584abd1b71c9c36d7cb70ca052486a0b6dfea2a43f3
Instruction Fuzzy Hash: 0701D631A0D2DD8FE32297A4CC242AA7B70EF53305F0641A3D461D71E7CA785604CB55

Function 00007FFD9BAB06AD Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b18ecf03db7eb57ce71b996552f630904ed6f5264c70d143d7a174dacba93d
Instruction ID: ebea9459066c39b5ca7997600d25e6341f7660a581a2f62221aa5d65227cc5fe
Opcode Fuzzy Hash: 31b18ecf03db7eb57ce71b996552f630904ed6f5264c70d143d7a174dacba93d
Instruction Fuzzy Hash: 99F03030A0565E9FEBA0EF98D4596FE77A0FF54314F110437E41CC21A0DAB462948B84

Function 00007FFD9BAB06D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec32b5fadc3e5efcddf46f1eb3752cc28e4e468e0da37c1d005b8993d19c6bdb
Instruction ID: 918fb757a8a5fed15d371b3f3b9ba74df2140fe77fb6110144e127c3f8a9d0f1
Opcode Fuzzy Hash: ec32b5fadc3e5efcddf46f1eb3752cc28e4e468e0da37c1d005b8993d19c6bdb
Instruction Fuzzy Hash: AEF0123091564E9FDB90EFA4C8496FE77E0FF14304F114466F81CD31A0DA70A6A4CB80

Function 00007FFD9BAB8B70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a46e2a384aa077baf2983c8a7bc998b0c90f5ccab626579c352a78ccb57f7d
Instruction ID: 7046f4a0c441ee1185466a9695da7bba2e471740fd0a675a727f4e605d634c45
Opcode Fuzzy Hash: 37a46e2a384aa077baf2983c8a7bc998b0c90f5ccab626579c352a78ccb57f7d
Instruction Fuzzy Hash: 0CF0B270E0A52D8EEBB4DB54D8647A9B3B0FB58301F1194E9845DA2291CEB86B848F40

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 182COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAB0B3E
"s9, xrefs: 00007FFD9BAB0B46
c9, xrefs: 00007FFD9BAB0B56
!k9, xrefs: 00007FFD9BAB0B4E

Memory Dump Source

Source File: 00000024.00000002.2186207189.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_nGnJvqnFLoRdIZNyVoMyF.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 4ad26bc006d43e1125277a7c3a640f4a996b13463a7e064adc4560c2a96d1686
Instruction ID: 7a98fe504e4b652f2e3866e502560d60fe4d2ec725d366523fac8ff41e7fa38b
Opcode Fuzzy Hash: 4ad26bc006d43e1125277a7c3a640f4a996b13463a7e064adc4560c2a96d1686
Instruction Fuzzy Hash: 39418F17B0953645E33973FD78219E95B848F6927FB0847B7F56E8D0C78C486481C2D9

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f3I38kv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Microsoft\OneDrive\ListSync\settings\de83736a915df6

C:\Program Files\Microsoft\OneDrive\ListSync\settings\nGnJvqnFLoRdIZNyVoMyF.exe

C:\ProgramData\Microsoft\de83736a915df6

C:\ProgramData\Microsoft\nGnJvqnFLoRdIZNyVoMyF.exe

C:\Recovery\7b3bf1de107bcf

C:\Recovery\SIHClient.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperruntimemonitorCommon.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nGnJvqnFLoRdIZNyVoMyF.exe.log

C:\Users\user\AppData\Local\Temp\qVPGMYvCwM.bat

C:\Users\user\AppData\Local\Temp\w5nv0ZNcR9

C:\Users\user\Desktop\AOsWDEPp.log

Windows Analysis Report
f3I38kv.exe